[51915] in SAPr3-news
Re: SAP SLES8 Kerberos and MS ADS (W2K3)
daemon@ATHENA.MIT.EDU (Sebastian Fuchs)
Fri Oct 22 09:18:10 2004
To: sapr3-news@mit.edu
Date: Fri, 22 Oct 2004 15:17:58 +0200
From: Sebastian Fuchs <sebastian.fuchs@nospam.prodata-rz.com>
Message-ID: <41790888$1@e-post.inode.at>
ostparktux wrote:
> since SSO is very modern also the SAP universe is looking for simplifying
> logon process. A common IT landscape does have SAP systems running on LINUX
> (SuSE SLES8), MS (W2K, XP) clients running SAPgui (6.x) and MS ADS (W2K3).
> We are still looking for a solution which is working with MS, SAP and open
> source tools only.
We have a working ADS-Kerberos-SSO configuration here. R/3 application
servers are on Win2k and Linux and SSO authenticates users against ADS.
Getting Kerberos-SSO to work with a Windows-only configuration is easy,
you only need to install the gsskrb5.dll available from SAP on the
application servers and frontends and add SNC-names like
"p:<user>@<ADS-DOMAIN>" in SU01 and "p:SAPService<SID>@<ADS-DOMAIN>" in
SAPLogon.
If you want to integrate Unix app servers it's a bit more tricky. You
need to configure the R/3 app servers as MIT-Kerberos app servers (no
need to install Kerberos KDC as the ADS works as KDC). Then you should
be able to use kinit to get tickets from the ADS. The problem is that
the Microsoft Kerberos implementation does not support service
principals. So you have to create a pseudo user in the ADS
(SAPService<SID>) and map this user to a service with the tool
ktpass.exe. Then you can create a keytab file and transfer it to the
Unix server.
HTH,
Sebastian Fuchs
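As an added example (not from Sebastian's post), the Unix-side pieces of the setup he describes: a krb5.conf that uses the ADS domain controller as KDC, a permission check on the transferred keytab, and a kinit round trip against the ADS. Realm ADS.EXAMPLE.COM, domain controller dc01.ads.example.com, SID PRD and OS user prdadm are constructed values; the ktpass invocation in the comment is the assumed Windows-side step.

```shell
#!/bin/sh
# Added example, not part of the original post. The ADS acts as KDC; the
# keytab for the pseudo user SAPService<SID> is produced on a domain
# controller and copied to the Linux application server.
# Assumed (constructed) values: realm ADS.EXAMPLE.COM, KDC
# dc01.ads.example.com, SID PRD, OS user prdadm.
# Windows side, run on a DC (assumed syntax; ktpass sets the account's
# password, so note the password before running it):
#   ktpass /princ SAPServicePRD@ADS.EXAMPLE.COM /mapuser SAPServicePRD /pass * /out sapprd.keytab

# Emit a minimal /etc/krb5.conf pointing the MIT libraries at the ADS KDC.
write_krb5_conf() {
    realm="$1"; kdc="$2"; domain=$(printf '%s' "$realm" | tr 'A-Z' 'a-z')
    cat <<EOF
[libdefaults]
    default_realm = $realm
    dns_lookup_kdc = false

[realms]
    $realm = {
        kdc = $kdc
        admin_server = $kdc
    }

[domain_realm]
    .$domain = $realm
    $domain = $realm
EOF
}

# The keytab is a long-lived credential: it must be owned by the SAP OS
# user (<sid>adm) and readable by nobody else. Returns 0 if that holds.
check_keytab_perms() {
    keytab="$1"; owner="$2"
    [ -f "$keytab" ] || return 1
    mode=$(stat -c '%a' "$keytab" 2>/dev/null || stat -f '%Lp' "$keytab")
    uid=$(stat -c '%u' "$keytab" 2>/dev/null || stat -f '%u' "$keytab")
    [ "$uid" = "$(id -u "$owner")" ] && [ "$mode" = "600" ]
}

# Confirm the keytab really yields a TGT from the ADS (needs MIT krb5 tools).
verify_keytab() {
    keytab="$1"; princ="$2"
    klist -k "$keytab" | grep -q "$princ" || return 1
    KRB5CCNAME=/tmp/krb5cc_sso_check kinit -kt "$keytab" "$princ" || return 1
    kdestroy -c /tmp/krb5cc_sso_check
}
```

Typical use on the app server: `check_keytab_perms /usr/sap/PRD/sapprd.keytab prdadm && verify_keytab /usr/sap/PRD/sapprd.keytab SAPServicePRD@ADS.EXAMPLE.COM`.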