Kerberos(SSO): throw RC4 away, adopt AES !

Former Member

Hello,

We can find on "SAP Community" site many nice tutorials explaining how to configure "Windows AD" authentication + SSO.

Some of them are quite old or are recent copies from parts of old ones.

In the Kerberos configuration "krb5.ini" file, they all give the RC4 algorithm as the encryption type to be used. That was true with "Windows Server 2003"...

/!\ But be careful: in 2015 and soon 2016, RC4 is no longer considered a secure encryption algorithm /!\

Assuming nobody uses "Windows Server 2003" anymore, I would strongly suggest you modify the "krb5.ini" sample files like this:

Replace:

default_tgs_enctypes = rc4-hmac

default_tkt_enctypes = rc4-hmac

with:

default_tgs_enctypes = aes128-cts-hmac-sha1-96

default_tkt_enctypes = aes128-cts-hmac-sha1-96

or even better (requires Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files for Java 7 or 8):

default_tgs_enctypes = aes256-cts-hmac-sha1-96

default_tkt_enctypes = aes256-cts-hmac-sha1-96

In fact, it's Microsoft's recommendation for "Windows Server 2008 R2" and above.

I've tested SAP/BO BI4.1 SP7 + AES-128 and AES-256 for Kerberos on Windows 2008 R2 and 2012 R2: it works great!

In fact, it would be nice if the authors of tutorials could modify them and add this security update.

Don't joke with security! ;o)

Regards,

Stephane.
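Added example, not code from the original post or from SAP: a small Python audit that finds RC4/DES enctypes in the [libdefaults] section of a krb5.ini and rewrites those lists to the AES enctype discussed above. The sample krb5.ini, the realm EXAMPLE.COM and the KDC name dc01.example.com are constructed for the example.

```python
"""Added example (not from the original post or SAP documentation): audit and
harden the enctype lists in a krb5.ini / krb5.conf [libdefaults] section."""
import re

# Enctype names as MIT Kerberos and Java's Kerberos stack spell them. RC4
# (arcfour) and DES are weak; AES-CTS-HMAC-SHA1-96 is the replacement.
WEAK_ENCTYPES = {"rc4-hmac", "rc4-hmac-exp", "arcfour-hmac", "arcfour-hmac-md5",
                 "arcfour-hmac-exp", "des-cbc-crc", "des-cbc-md5", "des3-cbc-sha1"}
ENCTYPE_KEYS = ("default_tgs_enctypes", "default_tkt_enctypes", "permitted_enctypes")

# Constructed sample mirroring the tutorials the thread complains about.
SAMPLE_KRB5_INI = """[libdefaults]
default_tgs_enctypes = rc4-hmac
default_tkt_enctypes = rc4-hmac
[realms]
EXAMPLE.COM = {
  kdc = dc01.example.com
}
"""

def _enctype_lines(lines):
    """Yield (index, indent, key, enctypes) for enctype lists inside [libdefaults]."""
    in_section = False
    for i, raw in enumerate(lines):
        line = re.split(r"[#;]", raw, maxsplit=1)[0].strip()   # drop trailing comments
        if line.startswith("["):
            in_section = line.lower() == "[libdefaults]"
        elif in_section and "=" in line:
            key, value = (p.strip() for p in line.split("=", 1))
            if key.lower() in ENCTYPE_KEYS:
                indent = raw[: len(raw) - len(raw.lstrip())]
                yield i, indent, key, re.split(r"[\s,]+", value)

def audit_enctypes(text):
    """Return [(key, [weak enctypes])] for every list that still allows RC4/DES."""
    findings = []
    for _, _, key, enctypes in _enctype_lines(text.splitlines()):
        weak = [e for e in enctypes if e.lower() in WEAK_ENCTYPES]
        if weak:
            findings.append((key, weak))
    return findings

def harden(text, aes="aes256-cts-hmac-sha1-96"):
    """Drop weak enctypes; an emptied list gets `aes` (use aes128-cts-hmac-sha1-96
    if the JVM lacks the unlimited JCE policy). Rewritten lines lose comments."""
    lines = text.splitlines()
    for i, indent, key, enctypes in _enctype_lines(lines):
        kept = [e for e in enctypes if e.lower() not in WEAK_ENCTYPES]
        lines[i] = f"{indent}{key} = {' '.join(kept) or aes}"
    return "\n".join(lines)
```

Run the audit against the krb5.ini your BO/Tomcat JVM actually loads; the keytab created with ktpass must carry a matching AES key or the hardened client will simply fail to authenticate.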

Former Member

Petit,

Thank you for providing this information. I have implemented this in my test environment and no issues so far.

My environment details: SAP/BO BI4.1 SP6 + AES-256 for Kerberos on 2012 R2:

If you are okay, I will create a blog post or document with the information you provided for others to take advantage of. Let me know.

Former Member

Hello,

Yes, good idea, since it is not actually a question but a best practice and even a strong recommendation.

Please quote this message in the blog post and put a link to the blog post here.

Thanks.

Regards,

Stéphane (my first name)

Former Member

Hi Stéphane

I have included the link to this discussion and mentioned any credits about this topic should be awarded to you.

It is still waiting for the moderators' approval.

Former Member

Hi,

Thanks for the credits.

Did you write a full tutorial explaining which options to tick or untick in the properties of the service account used to run BO & Tomcat?

Example:

Thanks for your work!

I will read it with pleasure when it is published.

Regards,

Stéphane.

Former Member

I didn't include this information. I haven't heard anything from the moderators yet; if you have time, try submitting a new blog post or document with detailed instructions.

I will let you know if there is any update on my post.


Hi Bharath,

Could you please let me know whether the blog you mentioned has been approved and published yet? It would be interesting to know whether AES is the way to go going ahead, and what changes are required to make it work. My assumption would be, as Stephane mentioned, the user properties, the krb5.ini file and likely the ktpass command for SSO/silent login. Is that correct?

Regards,

Tejaswini


Hi,

Basically this is absolutely true, and BI 4.1 is working with AES. You have to know that the Windows AD of a customer is a grown application. Most of these (nearly all) were once based on Windows 2000, coming from Windows NT. Then updated to 2003... to 2008 and so on.

So the RC4 algorithm is a legacy one from Windows 2000. After the move from NT (and NTLM) to 2000 (Kerberos), nobody touched that anymore, as RC4 was the standard back in those days.

To leverage AES, your Windows AD needs to be configured properly, i.e. migrating from RC4 to AES. Loads of applications will be affected by that, and the impact is close to impossible to estimate.

The reason why RC4 is mentioned in our documentation is that this is the most legacy algorithm and works on nearly all environments (assumption by me that this is the reason).

The BI 4.2 SP01 Admin Guide still shows RC4 in the configuration steps. Maybe it would be great if they could mention that other, stronger, algorithms are supported. At the end of the day you can go with "-crypto ALL" and your keytab file will support all crypto types that your Windows AD provides.

Regards

-Seb.


Hi Seb,

Thanks a lot for the confirmation. So we shall indeed proceed with AES as a best practice in the future.

Regards,

Tejaswini

Matt_Fraser
Active Contributor

Stéphane,

Why not write the blog yourself? You practically did so with this post.

Cheers,

Matt