
Kerberos Workflow Authentication

Former Member
0 Kudos
94

Hello @ll,

I am interested in workflow authentication using the Kerberos ticket; the Identity Centre supports this method. I have thus far not found any implementation guides. Is there anybody who is more familiar with this system who can assist me?

BR

Chris

tim_alsop
Active Contributor
0 Kudos

Chris,

My specialist area with SAP products is related to Kerberos, but I am not familiar with what you are describing. Can you provide more details to explain what you are looking to achieve?

Regards,

Tim

Former Member
0 Kudos

Hello,

When you open the properties of the Identity Store in the Identity Center you see the workflow-register. Here you can choose a lot of authentication methods. Here and in some white papers we saw that the Workflow of SAP NW Identity Center supports Kerberos Authentication. We want to replace the WORKFLOW LOGIN with username/pw (Authentication method: Identity Store) by the Kerberos authentication ticket from our domain controller (authentication method: Kerberos). But I don't know where to reference our AD domain controller, where a user has a Kerberos ticket after Windows login.

BR

Chris

tim_alsop
Active Contributor
0 Kudos

Chris,

Thank you - this helps a lot.

I know this might sound like a silly question, but can you confirm what platform the Identity Center is running on? E.g. is it installed on NetWeaver, or running on a standalone web server, or something else?

Also, can you provide me with links to some of the white papers you mentioned?

Regards,

Tim

Former Member
0 Kudos

Hello,

We run SAP NW Identity Center 7.0 SP2 (former MaXware) on a MS Server 2003 OS with MS SQL 2005 for the Identity Store. The Workflow Engine is running on a MS Server 2003 Webserver (IIS).

BR Chris

Former Member
0 Kudos

Here is the link to the Security Guide:

https://www.sdn.sap.com/irj/sdn/nw-identitymanagement

("product information")

tim_alsop
Active Contributor
0 Kudos

Chris,

OK, I thought this might be the case. Kerberos authentication into any application running on IIS is set up by enabling Integrated Windows Authentication on the IIS website and also in the browser. Have you done this? If you have, when a user logs onto a workstation and then opens a page on the IIS server, they will be authenticated using the domain account they logged onto their workstation with.

Regards,

Tim

tim_alsop
Active Contributor
0 Kudos

Chris,

Thank you for the document link. As you said, it appears there is very limited information about the different authentication methods supported. However, as I said in my last post, when using IIS the IIS web server is handling the authentication of users, so this is where I suggest you enable IWA to allow you to get Kerberos authentication to work. I cannot think how the product could authenticate in any other way unless there is an ISAPI filter installed in the IIS webserver, just to handle workflow authentication - I doubt this is the case.

Thanks,

Tim

Former Member
0 Kudos

Thanks for your reply,

I did this yesterday:

1. enabled IWA in IIS

2. enabled IWA in IE

3. Kerberos as authentication method in the Identity Center

missing:

But I think the networkuser has to be in the Identity Center as unique id (but I am not sure)

I will test this later...

Edited by: Christoph Reckers on Jun 25, 2008 11:32 AM

Edited by: Christoph Reckers on Jun 25, 2008 11:37 AM

tim_alsop
Active Contributor
0 Kudos

Chris,

The domain user you are logged onto the Windows workstation as will be used to log you onto the IIS application when IWA is used, so you need to make sure that this user exists in the application. If it doesn't, you might get a popup sign-on screen from the browser, which will likely not work unless you have also enabled other forms of authentication in IIS.

Regards,

Tim
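
A way to check the two conditions discussed in this thread, added here as an example and not code from any poster or from SAP: whether the browser actually presented a Kerberos token under IWA, and whether the resulting domain user has a matching entry in the application. It assumes the `Authorization` header value is copied from a browser network trace and that the application keys users by the bare Windows account name, which the thread does not confirm; the function names and sample values are hypothetical.

```python
import base64

# DER-encoded mechanism OIDs as they appear inside GSS-API/SPNEGO tokens.
SPNEGO_OID = bytes.fromhex("06062b0601050502")            # 1.3.6.1.5.5.2
KRB5_OIDS = (
    bytes.fromhex("06092a864886f712010202"),               # 1.2.840.113554.1.2.2
    bytes.fromhex("06092a864882f712010202"),               # 1.2.840.48018.1.2.2 (legacy Microsoft)
)
NTLMSSP_SIG = b"NTLMSSP\x00"

def classify_authorization(header_value):
    """Heuristic: 'kerberos', 'ntlm', 'none' or 'unknown' for an Authorization value."""
    if not header_value:
        return "none"                      # browser sent no credentials at all
    scheme, _, blob = header_value.strip().partition(" ")
    if scheme.lower() == "ntlm":
        return "ntlm"
    if scheme.lower() != "negotiate":
        return "unknown"
    try:
        raw = base64.b64decode(blob.strip(), validate=True)
    except ValueError:
        return "unknown"
    if NTLMSSP_SIG in raw:                 # raw or SPNEGO-wrapped NTLM message
        return "ntlm"
    if raw[:1] == b"\x60" and any(oid in raw for oid in KRB5_OIDS):
        return "kerberos"                  # GSS-API token naming a Kerberos mechanism
    return "unknown"

def account_name(remote_user):
    # Assumption: reduce 'DOMAIN\\user' or 'user@REALM' to the bare account name.
    user = remote_user.strip()
    if "\\" in user:
        user = user.split("\\", 1)[1]
    elif "@" in user:
        user = user.split("@", 1)[0]
    return user.lower()

def diagnose(header_value, remote_user, known_ids):
    mech = classify_authorization(header_value)
    if mech != "kerberos":
        return f"no Kerberos ticket presented ({mech})"
    if account_name(remote_user) not in {i.lower() for i in known_ids}:
        return "Kerberos OK, but user has no matching entry in the application"
    return "Kerberos OK, user found"

# Constructed samples (token prefixes only, not captured traffic).
krb_bytes = b"\x60\x82\x01\x00" + SPNEGO_OID + b"\xa0\x30" + KRB5_OIDS[1] + KRB5_OIDS[0] + bytes(16)
SAMPLE_KRB = "Negotiate " + base64.b64encode(krb_bytes).decode()
SAMPLE_NTLM = "Negotiate " + base64.b64encode(NTLMSSP_SIG + bytes(12)).decode()
```

A result of `ntlm` means IWA succeeded without Kerberos, which is worth ruling out before looking at the user mapping.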