Usage
SAP NetWeaver Application Server (SAP NetWeaver AS) ABAP supports Kerberos with the Simple and Protected GSS API Negotiation Mechanism (SPNego) enabling authentication with web clients, such as web browsers.
Restrictions
SPNego does not provide transport layer security. We recommend that you use transport layer security mechanisms, such as Secure Socket Layer (SSL), Transport Layer Security (TLS), to ensure confidentiality and integrity of the communication with SAP NetWeaver AS ABAP.
Integration
Kerberos authentication requires several systems in your landscape, which negotiate the outcome transparently for the user:
- Web client
- The web client requests a service or a resource from SAP NetWeaver AS ABAP and authenticates against the Kerberos Key Distribution Center. For example, users use a web browser as a web client to access web applications running on SAP NetWeaver AS ABAP. The user’s browser must support SPNego.
- Kerberos Key Distribution Center (KDC)
- SAP NetWeaver AS ABAP uses the single sign-on authentication mechanism, integrated, for example, into Microsoft Windows 2003 and higher. The Microsoft Windows Domain Controller (DC) acts as a KDC enabling Microsoft Windows integrated authentication in a Microsoft Windows domain. It authenticates the user and grants a token that is used for the communication between the user’s web client and the AS ABAP.
- SAP NetWeaver AS ABAP
Prerequisites
The following prerequisites must be fulfilled for the configuration of SPNego for ABAP:
- You have an administration account in Active Directory.
- You have a license for SAP Single Sign-On 2.0 or higher.
- You have installed the Secure Login Library or you are using the SAP Cryptographic Library (see SAP Note 1848999).
- You have configured SNC to enable the mapping of SNC names in the SNC tab of User Maintenance (SU01 transaction).
- You are using a browser that supports SPNego.
- (Optional) You use SSL/TLS for transport layer security.
