Configure Kerberos Authentication for Identity Aut...
Technology Blogs by SAP
This blog is a step-by-step guide to enabling Kerberos authentication in SAP Cloud Platform Identity Authentication Service (IAS). With the SPNEGO feature enabled, users inside the corporate network log in to a cloud platform application or service without entering a username and password.
The user logs in to the corporate network with Active Directory (network) credentials, and the same Kerberos credentials are used to log in to cloud platform applications or services such as the Portal or a Fiori launchpad site.
The diagram below is taken from SAP Help; for more information about the different systems involved, please refer to the SAP Help link.
Perform the following steps to enable Kerberos authentication.
Generate the keytab file. Go to your Java bin folder and run the command below:
ktab -a service.username@DOMAINNAME.COM -k c:\Temp\file.ktab
service.username is the service user created in Active Directory.
Enter the service user's password when ktab prompts for it: the keys in the keytab are derived from that password, so it must be the password set on the account in Active Directory. The AES keys are additionally salted with the realm and account name, so pass the principal to ktab exactly as the account is named in Active Directory (same spelling and case).
The realm is the DOMAINNAME in capital letters.
The keytab holds the service user's long-term keys, so treat it as a secret: restrict access to the file and remove the copy in c:\Temp once the key has been entered in IAS.
Register a service principal name (SPN) for the IAS tenant:
setspn -A HTTP/<tenantID>.accounts.ondemand.com service.username@DOMAINNAME.COM
tenantID is your IAS tenant name.
service.username@DOMAINNAME.COM is the Active Directory service user used in step 1.
An SPN must be registered on exactly one account in the domain, otherwise the KDC cannot issue service tickets for it. setspn -S works like -A but first checks the domain for a duplicate SPN and refuses to add one, so prefer it over -A; setspn -L service.username lists the SPNs currently registered on the account so you can verify the result.
For an IAS tenant in Europe, also run:
setspn -A HTTP/us-east.accounts.ondemand.com.cloud.sap.akadns.net service.username@DOMAINNAME.COM
For a tenant in the US, also run:
setspn -A HTTP/accounts.ondemand.com.cloud.sap.akadns.net service.username@DOMAINNAME.COM
Configure Kerberos in SAP Cloud Platform Identity Authentication Service
After running the above commands, extract the key from the keytab file: go to the Java bin directory and execute
klist -e -f -k -K <path>\<keytab filename>.ktab
Copy the key that belongs to the key type number you want: 23 is RC4-HMAC, 17 is AES128-CTS-HMAC-SHA1-96 and 18 is AES256-CTS-HMAC-SHA1-96. Prefer the AES256 key (type 18); RC4-HMAC is a legacy type whose key is simply the account's unsalted NT password hash. For an AES key to work, the service account in Active Directory must be allowed to use AES ("This account supports Kerberos AES 128/256 bit encryption" on the account, i.e. msDS-SupportedEncryptionTypes); otherwise the KDC issues RC4 service tickets that IAS cannot decrypt with the AES key you configured.
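The two extraction steps above (list the keytab with klist -K, then pick the key by its type number) can also be done offline with a small keytab reader. The following is an added example and not code from the SAP blog, from Java or from IAS: it parses the 0x0502 keytab format that Java's ktab writes, lists each entry's principal, kvno and encryption type, returns the AES256 (type 18) key as the hex string to enter in IAS, and flags RC4 (type 23) keys. The principal name is the one used on this page; the key bytes in the built-in fixture are constructed dummy values, and build_keytab exists only to create that fixture.

```python
"""Read a keytab (MIT/Java format 0x0502) and pick the key to paste into IAS.

Added example, not part of the SAP blog. The principal is the one from the
blog; the key bytes below are constructed dummy values, not real Kerberos keys.
"""
import struct

# Encryption-type numbers from RFC 3961/3962 and MS-KILE
ENCTYPE_NAMES = {
    17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96",
    23: "rc4-hmac",
}
WEAK_ENCTYPES = {23}  # RC4-HMAC key == the account's unsalted NT hash


def _counted(buf, off):
    """uint16 length-prefixed octet string (used for realm and name components)."""
    (n,) = struct.unpack_from(">H", buf, off)
    return bytes(buf[off + 2:off + 2 + n]), off + 2 + n


def build_keytab(principal, keys, kvno=1, timestamp=0):
    """Write a 0x0502 keytab with one entry per enctype (fixture builder only)."""
    name, realm = principal.rsplit("@", 1)
    comps = name.split("/")  # e.g. HTTP/host -> two components
    out = bytearray(b"\x05\x02")
    for enctype, key in keys.items():
        body = bytearray(struct.pack(">H", len(comps)))
        body += struct.pack(">H", len(realm)) + realm.encode()
        for c in comps:
            body += struct.pack(">H", len(c)) + c.encode()
        # name_type=1 (KRB5_NT_PRINCIPAL), timestamp, 8-bit kvno, keyblock
        body += struct.pack(">IIBHH", 1, timestamp, kvno & 0xFF, enctype, len(key)) + key
        body += struct.pack(">I", kvno)  # optional 32-bit kvno extension
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def parse_keytab(data):
    """Return the keytab entries as dicts: principal, kvno, enctype, key."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %r" % data[:2])
    off, entries = 2, []
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size <= 0:  # negative size marks a deleted slot: skip its payload
            off += -size
            continue
        end = off + size
        (ncomp,) = struct.unpack_from(">H", data, off)
        off += 2
        realm, off = _counted(data, off)
        comps = []
        for _ in range(ncomp):
            c, off = _counted(data, off)
            comps.append(c.decode())
        _name_type, ts, kvno, enctype, klen = struct.unpack_from(">IIBHH", data, off)
        off += 13
        key = bytes(data[off:off + klen])
        off += klen
        if end - off >= 4:  # a non-zero 32-bit kvno overrides the 8-bit one
            (kvno32,) = struct.unpack_from(">I", data, off)
            kvno = kvno32 or kvno
        off = end
        entries.append({
            "principal": "/".join(comps) + "@" + realm.decode(),
            "kvno": kvno, "timestamp": ts, "enctype": enctype,
            "enctype_name": ENCTYPE_NAMES.get(enctype, "unknown-%d" % enctype),
            "key": key,
        })
    return entries


def ias_key_hex(data, enctype=18):
    """Hex key of the given enctype (18 = AES256), the value IAS asks for."""
    for e in parse_keytab(data):
        if e["enctype"] == enctype:
            return e["key"].hex()
    raise KeyError("keytab has no key of enctype %d" % enctype)


def weak_enctypes(data):
    """Enctypes present in the keytab that should not be relied on (RC4)."""
    return sorted({e["enctype"] for e in parse_keytab(data) if e["enctype"] in WEAK_ENCTYPES})


# Constructed fixture: the blog's principal with dummy keys (kvno 3).
SAMPLE_KEYTAB = build_keytab(
    "service.username@DOMAINNAME.COM",
    {18: bytes(range(32)), 17: bytes(range(16)), 23: b"\xaa" * 16},
    kvno=3,
)

if __name__ == "__main__":
    for e in parse_keytab(SAMPLE_KEYTAB):
        print("%-32s kvno=%d %-24s %s" % (e["principal"], e["kvno"], e["enctype_name"], e["key"].hex()))
    print("IAS key (AES256):", ias_key_hex(SAMPLE_KEYTAB))
    print("weak enctypes present:", weak_enctypes(SAMPLE_KEYTAB))
```

To use it on a real file, replace SAMPLE_KEYTAB with open(r"c:\Temp\file.ktab", "rb").read(); ias_key_hex raises KeyError when the keytab has no AES256 entry, which is the case to fix in Active Directory (AES support on the account) rather than to work around by pasting the RC4 key.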
Log in to the IAS tenant and enable the SPNEGO option.
Navigate to the tenant settings, select SPNEGO and enter the following details.
On the client, add *.ondemand.hana.com to the Trusted sites zone in Internet Explorer and enable Integrated Windows Authentication (Internet Options, Advanced tab). Note that by default the Trusted sites zone is set to "Automatic logon only in Intranet zone"; set the zone's User Authentication > Logon option to automatic logon (or add the site to the Local intranet zone instead), otherwise the browser prompts for credentials instead of sending the Kerberos ticket.
Now launch the cloud portal application URL from within the corporate network. Since Kerberos is enabled, the user is logged in to the portal automatically without being asked for a username and password.
This concludes the blog; feel free to leave comments or suggestions.