Showing results for 
Search instead for 
Did you mean: 

Cross-domain authentication using SPNEGO

0 Kudos

Hi Experts,

Consider this scenario.

Case 1:

There are 2 domains (forests), Domain A and Domain B.

SAP users are located in Domain A, while AS-JAVA server is located in Domain B.

There is a One Way Forest Trust (OWFT) between Domain A and Domain B, in which Domain A is the trusted domain, while Domain B is the trusting domain.

AS-JAVA is using Active Directory (Domain B) as the UME data source.

We run ‘setspn’ in Domain B for the AS-JAVA resource.

We create the Kerberos Realm in AS-JAVA for Domain B.

Would this SSO configuration work?

On this scenario, what would be the KPN (principal@REALM) of the user? Is it principal@DomainA or principal@DomainB?

Another side question I have:

when configuring SPNEGO authentication, is there a step where we need to connect from AS-JAVA to the LDAP (AD) server?

Can this connection be secured using LDAPS on port 636/tcp?

Thanks in advance.

Best Regards.

Accepted Solutions (0)

Answers (1)

Answers (1)

Active Contributor
0 Kudos

The principal name of the user would be <user>@DOMAINA since you said that users are in Domain A. If a user is in Domain C then their principal name would be <user>@DOMAINC ...

The server doesn't connect to AD, since it just receives a token from browser and decrypts it, so no need for any server to connect to AD.

0 Kudos

Hi Tim,

thanks for answering the KPN part.

But will the SSO work in that scenario (Case 1), considering that we run 'setspn' on Domain B and there is only One Way Forest Trust?

There's another thing I'm not very familiar with, it's about the ktab file.

Do we need to generate it in the Domain Controller (KDC)?

Thanks in advance for the answer.

Best Regards.

Active Contributor
0 Kudos

Regarding trust, the domain used by SAP system needs to trust the domain that users are using to authenticate and so trust is not required in the other direction.

I can't answer your question about the ktab file. I am not very familiar with the SAP SPNEGO login module, since we have our own implementation of the same protocol which our customers use on Java or ABAP, and our key table management is not same as that offered by SAP. Maybe somebody from SAP will answer your ktab question.



0 Kudos

Thanks, Tim.

I hope this scenario will really work in our implementation later, since we do not have any control over Domain A, We definitely can't run 'setspn' in Domain A.

Does anyone have answer about the ktab?

I'm confused, as SAP document says that ktab is used to encrypt/decrypt the Kerberos ticket.

Is the ktab produced using the Domain Controller certificate or something like that?


Best Regards.

Former Member
0 Kudos


the keytab is generated out of the service user name and his domain password.

best regrads

Alexander Gimbel