
Kerberos TDS (Tivoli Directory Server) SAPGUI nonpassword

renfeproyectoau
Participant

Hi colleagues,

Is it possible to use the Kerberos authentication method with TDS (Tivoli Directory Server) on all UNIX platforms? (For login via SAPGUI with a non-password method on client desktops.)

AIX, HP, Solaris, Linux

Or are there any kind of restriction?

Thanks in advance. I have been looking for documentation or a link with this info, but without success.

Best Regards

1 ACCEPTED SOLUTION

tim_alsop
Active Contributor

Yes, this is possible, but using a third-party product. Please check https://ecohub.sdn.sap.com/irj/ecohub/solutions/trustbrokersecureclient. The product described at this URL on SAP EcoHub will work with, and is supported with, Kerberos servers other than Active Directory.

Thanks,

Tim

8 REPLIES



Hello Tim,

I think my post was confusing. I don't need to use SSO on several platforms at the same time, but only on one of them.

Is it not possible to use the Kerberos library / Tivoli Directory Server without third-party software on any platform?

Best Regards and thanks in advance!!

tim_alsop
Active Contributor

Luis,

There is a Kerberos library for SNC available from SAP, but only available for Windows platform. To use this you must have SAP Server on Windows, and SAP GUI on Windows. Also, the SAP library is only supported if the KDC is Active Directory.

So, if you have SAP running on UNIX or Linux, and/or you have a KDC other than Active Directory you need to use a third party product.

Thanks,

Tim


Hello,

It is definitely not necessary to use third-party tools for SSO if the SAP server is not running on Windows. You can also use the MIT Kerberos implementation. But you will not get any support from SAP.

A lot of SAP systems are running on Unix machines and SSO is configured with MIT Kerberos (delivered with nearly every Unix system).

Only if you need support from SAP, you have to use a third party tool.

Regards

Rainer


Hello Rainer,

Do you know where I can find documentation on this type of configuration, the "MIT Kerberos implementation" with Tivoli Directory Server?

Best Regards and thanks in advance

tim_alsop
Active Contributor

Luis,

As Rainer has mentioned, you can use open source MIT Kerberos code if you like, but this is not supported by SAP. It will also only give you the basic functionality, and no added features which you might find useful in the future. It also means you would need development skills in order to compile the MIT code on your systems, and make changes to the code yourself, if you require any.

I suspect you will not find any documentation which explains specifically how to configure MIT code to work with TDS, unless you get such documentation from IBM.

Thanks,

Tim


Hello Luis,

I am sorry, but I don't know the Tivoli directory server.

Do you use the Microsoft AD for your network/PC logon?

MS AD is also a KDC. The MS AD and Tivoli should know and trust each other.

You have to configure your SAP system as described in SAP note 352295, especially define a service principal name. On Unix systems you have to maintain the krb5.conf and store the credentials with the kinit command.

For Unix systems you can find a good description here:

http://osdir.com/ml/encryption.kerberos.general/2004-11/msg00007.html

Hope this helps.

Kind regards

Rainer

WolfgangJanzen
Product and Topic Expert

> I am sorry, but I don't know the Tivoli directory server.
>
> Do you use the Microsoft AD for your network/PC logon?
> MS AD is also a KDC. The MS AD and Tivoli should know and trust each other.

Well, ... - in that case it looks like tough times (trial-and-error).

"it (actually) should work" is a very common sentence.

So, counting the hours you might spend in finding out how things really work might lead to the conclusion that your "do or buy" decision might have been wrong.

O.k. finally you might manage to make it work.

But what happens if you are on leave and it fails to work ...?

Do you have a substitute person? What if you plan to quit?

Finally it's your decision (actually: the one of your employer) ...