SPNEGO SINGLE SIGN-ON USING SECURE LOGIN SERVER X.509 CLIENT CERTIFICATES
TABLE OF CONTENTS
SCENARIO ................................................................................................................................... 2
IMPLEMENTATION STEPS .......................................................................................................... 2
PREREQUISITES .......................................................................................................................... 3
1. CONFIGURE ADMINISTRATOR FOR THE SECURE LOGIN ADMINISTRATION CONSOLE ...... 4
2. SECURE LOGIN SERVER INITIALIZATION ............................................................................. 6
3. ENABLE SPNEGO BASED SINGLE SIGN-ON USING SECURE LOGIN SERVER ........................ 9
3.1. CONFIGURE A SERVICE USER FOR SPNEGO IN THE MICROSOFT ACTIVE DIRECTORY .... 9
3.2 CONFIGURE SPNEGO AUTHENTICATION FOR THE SECURE LOGIN SERVER ................. 12
3.3 SSL CONFIGURATION BASED ON CERTIFICATE SIGNED BY SECURE LOGIN SERVER ..... 14
3.4 SECURE LOGIN CLIENT CONFIGURATION...................................................................... 19
SPNEGO based Single Sign-On using Secure Login Server X.509 Client Certificates
SCENARIO
Your company uses Secure Login Server to issue short-lived X.509 client certificates for authentication to the SAP and non-SAP business systems across your landscape. Your company also uses Microsoft Active Directory, and you now want to re-use the Kerberos tokens issued by the Microsoft Domain Controller (KDC) for Single Sign-On with Secure Login Server X.509 client certificates.
After implementing this scenario, your domain users have to authenticate only once, using their Microsoft Active Directory credentials, and are then authenticated automatically to any SAP or non-SAP system that requires short-lived X.509 client certificates and in which these users have been granted authorizations.
IMPLEMENTATION STEPS
PREREQUISITES
1. You have your SAP Application Server Java installed and configured with SSL running. For more details on how to install SAP Application Server Java, see:
INSTALLATION & IMPLEMENTATION SAP NETWEAVER 7.5
For more details on how to configure SSL, see:
CONFIGURING THE USE OF SSL ON THE AS JAVA
2. Secure Login Server (SLS) is installed. For more details on how to install Secure Login Server, see:
SECURE LOGIN SERVER INSTALLATION
Note: Always refer to the PRODUCT AVAILABILITY MATRIX FOR SAP SSO 3.0 for more information about currently supported components and platforms.
3. Secure Login Client (SLC) is installed on the user machine. For more details on how to install Secure Login Client, see:
SECURE LOGIN CLIENT INSTALLATION
1. CONFIGURE ADMINISTRATOR FOR THE SECURE LOGIN ADMINISTRATION CONSOLE
1. Log on to SAP NetWeaver Administrator at https://<host>:<port>/nwa.
2. Navigate to Configuration > Identity Management and click “Create User”.
3. Provide a Logon ID (for example “SLAC_ADMIN”), a password and a Last Name for the user.
4. Navigate to the tab “Assigned Roles” and search in the “Available Roles” list (on the left side) for the role “SLAC_SUPERADMIN”.
5. Select the role and click “Add” to assign it to the SLAC_ADMIN user.
6. Click “Save” to save the “SLAC_ADMIN” user.
7. As a result you have a new administrative user with access to the Secure Login Administration Console (SLAC).
2. SECURE LOGIN SERVER INITIALIZATION
8. Log on to the Secure Login Administration Console (SLAC) at https://<host>:<port>/slac using the new administrative account “SLAC_ADMIN”.
Note: The system requires a reset of the initial password if this is the first time you log in with this user.
9. Start the “Initialization” with the option “Manual”.
Note: If the default option for your Secure Login Server installation is “Automatic”, you get a confirmation message. Click “Yes” to confirm that you want to proceed with this change.
10. On the “Root CA” step provide the Country Name (in our example “DE”) and the Organizational Name (in our example “ABC”).
11. Click “Next”.
12. On the step “User CA” click “Next”.
13. On the step “SAP CA” click “Next”.
14. On the step “SSL CA” click “Next”.
15. On the step “User Certificate Configuration” provide the “Country Name” (in our example “DE”).
16. Click “Finish”.
17. After finishing the configuration the initialization starts; when it is completed you receive the message “Secure Login Server has been initialized”.
18. Click the “Go” button.
3. ENABLE SPNEGO BASED SINGLE SIGN-ON USING SECURE LOGIN SERVER
3.1. CONFIGURE A SERVICE USER FOR SPNEGO IN THE MICROSOFT ACTIVE DIRECTORY
Step 1: Create a Service User for SPNEGO in the Microsoft Active Directory
19. Open the tool “Active Directory Users and Computers” on the Active Directory Server (ADS) and go to the “Users” branch.
20. Right-click and choose “New” > “User”.
21. Provide for the new user a “First Name” (example “Kerberos”), a “Last Name” (example “A01”) and a “User logon name” (example “KerberosA01”, where A01 is your Application Server SID).
22. Click “Next”.
23. Provide a password for the new user.
24. Select “User cannot change password” and “Password never expires”.
25. Click “Next”.
26. To complete the creation of the new user click “Finish”.
10
SPNEGO based Single Sign-On using Secure Login Server X.509 Client Certificates
Step 2: Set Up the servicePrincipalName for the New Service User
27. Find your new user (example “Kerberos A01”) in the list of users and double-click it to open the user properties.
28. Go to the tab “Attribute Editor”.
Note: If you don’t see the “Attribute Editor” tab, you may alternatively start adsiedit.msc from the Microsoft Windows start menu.
29. Search for the attribute with the name “servicePrincipalName”, select it and click “Edit”.
30. Add as new value “HTTP/<fully qualified name of the Application Server Java>” (example HTTP/mo-1339aa6dc.mo.sap.corp). Click “Add” and the value appears in the “Values” list.
31. Click “OK” to save the new setting.
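As an added check that is not part of the SAP guide, the following PowerShell script verifies the outcome of steps 21 to 31: the SPN is registered on the service user and on no other directory object, the password flags from step 24 are set, and the KDC actually issues a service ticket for that SPN. It assumes a domain-joined machine with the ActiveDirectory RSAT module, run as a domain user; the user and host names are the guide's examples.

```powershell
# Added verification script, not from the SAP guide. Run on a domain-joined
# machine with RSAT (ActiveDirectory module) as a domain user; the values below
# are the guide's examples and must be replaced with your own.
$ServiceUser = 'KerberosA01'                    # "User logon name" from step 21
$Spn         = 'HTTP/mo-1339aa6dc.mo.sap.corp'  # servicePrincipalName from step 30

Import-Module ActiveDirectory

function Test-SpnegoServiceUser {
    param([string]$User, [string]$Spn)
    $problems = @()

    # 1. The SPN must be registered on the service user (step 30).
    $acct = Get-ADUser -Identity $User -Properties servicePrincipalName, PasswordNeverExpires, CannotChangePassword
    if ($acct.servicePrincipalName -notcontains $Spn) {
        $problems += "SPN $Spn is missing on $User"
    }

    # 2. ... and on no other object. A duplicate HTTP/ SPN makes the KDC pick an
    #    arbitrary account's key, so clients receive tickets that the Secure
    #    Login Server keytab cannot decrypt and SPNEGO fails with a generic error.
    $holders = @(Get-ADObject -LDAPFilter "(servicePrincipalName=$Spn)")
    if ($holders.Count -ne 1) {
        $problems += "SPN $Spn is held by $($holders.Count) objects: " +
            ($holders.DistinguishedName -join '; ')
    }

    # 3. Flags from step 24: a rotated password silently invalidates the keytab
    #    that section 3.2 generates from this account's password.
    if (-not $acct.PasswordNeverExpires) { $problems += "'Password never expires' is not set on $User" }
    if (-not $acct.CannotChangePassword) { $problems += "'User cannot change password' is not set on $User" }

    # 4. Ask the KDC for a service ticket for the SPN; klist prints the "Server:"
    #    line of the ticket it obtained, so the SPN must appear in the output.
    $klist = & klist.exe get $Spn 2>&1 | Out-String
    if ($klist -notmatch [regex]::Escape($Spn)) {
        $problems += "KDC did not issue a ticket for $Spn. klist output: $klist"
    }
    return $problems
}

$result = Test-SpnegoServiceUser -User $ServiceUser -Spn $Spn
if ($result.Count -eq 0) { 'SPNEGO service user configuration looks correct' }
else { $result | ForEach-Object { Write-Warning $_ } }
```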
3.2 CONFIGURE SPNEGO AUTHENTICATION FOR THE SECURE LOGIN SERVER
32. Log on to SAP NetWeaver Administrator at https://<host>:<port>/nwa.
33. Navigate to “Configuration” > “Authentication and Single Sign-On” > tab “SPNEGO”.
34. Click “Add” and select “Manually” to add a new KeyTab. Enter the realm name of your Microsoft Active Directory domain (example CI1.SAPSSO.DEV).
35. Click “Next”.
36. Provide the “Principal Name” and the password of the service user created previously in the Microsoft Active Directory domain (in our example “KerberosA01”).
37. Click “Next”.
38. Choose from the “Mapping Mode” drop-down list the value “Principal@REALM” and select “virtual user” as the “Source” value.
39. Click “Finish”.
40. Click “Enable” for your new Service User KeyTab.
41. Your Service User KeyTab is now activated.
3.3 SSL CONFIGURATION BASED ON CERTIFICATE SIGNED BY SECURE LOGIN SERVER
Step 1: Check the Host Name of the Client Authentication Profile
42. Log on to the Secure Login Administration Console (SLAC) at https://<host>:<port>/slac using the administrative account (“SLAC_ADMIN”).
43. Navigate to “Authentication Profiles”.
44. Select the Authentication Profile “Windows Authentication (SPNEGO)”.
45. Go to the tab “Secure Login Client Settings” and make sure that the host name of the “Enrollment URL” is the fully qualified name (example mo-1339aa6dc.mo.sap.corp) and that the “Port” is correct (in our example 443).
Step 2: Generate SSL Server Certificate
46. Navigate to the “Certificate Management” tab and make sure that the status of your “Root CA” is green.
47. Expand “Root CA” and select “SSL Sub CA”.
48. Click the “Issue Entry” button.
49. Provide as “Entry Name” the fully qualified name of the Application Server Java (for example mo-1339aa6dc.mo.sap.corp).
50. Set this fully qualified name of the Application Server Java also as “DNS Name” (for example mo-1339aa6dc.mo.sap.corp) in the “Subject Alternative Names”.
51. Click “Next”.
52. On the “Subject Properties” step provide the “Country Name” (for example “DE”) and the “Common Name”, which is the fully qualified name of the Application Server Java (for example mo-1339aa6dc.mo.sap.corp).
53. Click “Next”.
54. Click “Finish” to complete the certificate generation.
55. Your certificate appears under the “SSL Sub CA” and is of type “SSL SERVER”.
Step 3: Import Secure Login Server Certificate to the SSL Configuration
56. Log on again to SAP NetWeaver Administrator at https://<host>:<port>/nwa.
57. Navigate to Configuration > SSL Configuration. Click “Edit”.
58. Go to the “Details of port xxxx”.
59. Click “Copy Entry”.
60. Select from the “From View” drop-down list the value “SecureLoginServer”.
61. Select from the “From Entry” drop-down list the certificate created in the SLAC under “SSL Sub CA” (in our example mo-1339aa6dc.mo.sap.corp).
62. Make sure that the “To Entry” is the one of the selected SAP Java instance.
63. Click “Import”.
64. Select and delete the default identity “ssl-credentials”.
65. Click “OK” to confirm the deletion.
66. Click “Save” to confirm the configuration.
67. A restart is required. Click “Restart Now”. (You can also select “Restart Later” if necessary, but your configuration is completed only after the restart.)
68. Wait for the restart to finish; afterwards your SSL configuration is ready.
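As an added check that is not part of the SAP guide, the following PowerShell script connects to the AS Java after the restart in step 68 and confirms that the certificate it now presents is the one issued in steps 49 to 55: Common Name and Subject Alternative Name carry the fully qualified host name, and the issuer is shown so you can compare it with the SLS “SSL Sub CA”. It assumes a Windows machine that can reach the server; the host and port are the guide's examples.

```powershell
# Added check, not from the SAP guide. Run from any Windows machine that can
# reach the AS Java; the host and port are the guide's examples.
$Fqdn = 'mo-1339aa6dc.mo.sap.corp'   # "Common Name" / "DNS Name" from steps 49-52
$Port = 443                          # "Port" from step 45

function Get-AsJavaServerCertificate {
    param([string]$HostName, [int]$TcpPort)
    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $TcpPort)
    # Accept any certificate during the handshake; validation is done explicitly
    # below so that a not-yet-trusted root CA does not abort the check early.
    $acceptAll = { $true } -as [System.Net.Security.RemoteCertificateValidationCallback]
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAll)
    try {
        $ssl.AuthenticateAsClient($HostName)   # sends SNI = $HostName
        New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally { $ssl.Dispose(); $tcp.Dispose() }
}

function Test-AsJavaSslCertificate {
    param([string]$HostName, [int]$TcpPort)
    $cert = Get-AsJavaServerCertificate -HostName $HostName -TcpPort $TcpPort

    # Subject CN must be the FQDN (step 52).
    $cn = ($cert.Subject -split ',\s*' | Where-Object { $_ -like 'CN=*' } |
        Select-Object -First 1) -replace '^CN=', ''
    # The SAN extension (OID 2.5.29.17) must list the same DNS name (step 50);
    # current clients match the host name against the SAN, not the CN.
    $sanExt  = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    $sanText = if ($sanExt) { $sanExt.Format($true) } else { '' }

    [pscustomobject]@{
        Subject       = $cert.Subject
        Issuer        = $cert.Issuer        # expected: the SLS "SSL Sub CA" from step 47
        NotAfter      = $cert.NotAfter
        CnMatchesFqdn = ($cn -eq $HostName)
        SanHasFqdn    = ($sanText -match [regex]::Escape($HostName))
        # Chain validation succeeds only once the SLS Root CA is trusted on this
        # machine (section 3.4), so $false here before that step is expected.
        ChainTrusted  = $cert.Verify()
    }
}

Test-AsJavaSslCertificate -HostName $Fqdn -TcpPort $Port | Format-List
```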
3.4 SECURE LOGIN CLIENT CONFIGURATION
Step 1: Export the Root CA Certificate from the Secure Login Server
69. Log on to the Secure Login Administration Console (SLAC) at https://<host>:<port>/slac using the administrative account (“SLAC_ADMIN”).
70. Navigate to “Certificate Management”. Select “Root CA” and click “Export Entry”.
71. Choose the export format “X.509 Certificate”. The dialog box displays the file name, type, size and the download link.
72. Click the “Download” button and save the file in a location of your choice (for example in a folder on your Domain Controller). (Optional: rename the file so that it indicates the origin of the root CA certificate.)
Step 2: Installing Root CA Certificates on a Windows Client
To ensure secure communication and a trust relationship, you should install the root CA certificate on the Windows clients. There are three options for performing this step:
Option 1: Distribute the Secure Login Server root CA certificate via the Microsoft Domain Controller:
73. Log on as an administrator to your Domain Controller and start a command prompt in Microsoft Windows.
74. Use the following command:
certutil -dsPublish -f <root_CA_file> RootCA
75. You get as a result: “CertUtil: -dsPublish command completed successfully.”
76. Restart your client. (After a restart the group policies are updated, which pushes the certificate to the client. You can also trigger this with the command gpupdate /force.)
As an alternative to this installation (Option 1), you can also perform one of these two types of installation:
Option 2: Distribute Secure Login Server Root CA Certificates Using Microsoft Group Policies. For more details see:
DISTRIBUTE SECURE LOGIN SERVER ROOT CA CERTIFICATES USING MICROSOFT GROUP POLICIES
Option 3: Installing Root CA Certificates on a Windows Client. For more details see:
INSTALLING ROOT CA CERTIFICATES ON A WINDOWS CLIENT
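As an added check that is not part of the SAP guide, the following PowerShell script verifies the result of Step 1 and Step 2 whichever option you used: part A, run on a Windows client, confirms that the exact root CA exported in step 71 (same thumbprint, not merely the same name) is present in the machine-wide Trusted Root store; part B, run where the ActiveDirectory RSAT module is available, confirms the AD publication made by certutil in step 74. The file path is an assumption for the certificate downloaded in step 72.

```powershell
# Added check, not from the SAP guide. Part A runs on a Windows client after
# option 1, 2 or 3; part B runs where the ActiveDirectory RSAT module is
# available. The file path is an assumption: it is the file saved in step 72.
$RootCaFile = 'C:\SLS\SecureLoginServer_RootCA.cer'

$expected = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($RootCaFile)

function Test-RootCaInLocalStore {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Root)
    # Part A: the certificate must sit in the machine-wide Trusted Root store,
    # which is the store Secure Login Client and the browsers on the client use.
    $hit = Get-ChildItem Cert:\LocalMachine\Root |
        Where-Object { $_.Thumbprint -eq $Root.Thumbprint }
    [pscustomobject]@{
        Subject    = $Root.Subject
        Thumbprint = $Root.Thumbprint
        NotAfter   = $Root.NotAfter
        Trusted    = [bool]$hit
    }
}

function Test-RootCaPublishedInAd {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Root)
    # Part B: "certutil -dsPublish ... RootCA" stores the certificate under the
    # Certification Authorities container of the forest configuration partition.
    Import-Module ActiveDirectory
    $configNc  = (Get-ADRootDSE).configurationNamingContext
    $container = "CN=Certification Authorities,CN=Public Key Services,CN=Services,$configNc"
    $published = Get-ADObject -SearchBase $container -SearchScope OneLevel -Filter * -Properties cACertificate
    foreach ($obj in $published) {
        foreach ($bytes in $obj.cACertificate) {
            # Leading comma passes the byte[] as one argument instead of unrolling it.
            $c = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2(,$bytes)
            if ($c.Thumbprint -eq $Root.Thumbprint) { return $obj.DistinguishedName }
        }
    }
    return $null
}

Test-RootCaInLocalStore -Root $expected | Format-List
$dn = Test-RootCaPublishedInAd -Root $expected
if ($dn) { "Root CA is published in AD as $dn" } else { Write-Warning 'Root CA not found in AD' }
```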
Step 3: Set Up the Policy Update Interval
If there are changes in the profiles, the most recent configuration is automatically updated in the Secure Login Client after a defined time, the “Policy Update Interval”, which is configurable in minutes. The default value for the Policy Update Interval is 0. You can change it, for example, to 480 minutes (8 hours); this setting forces the profile to be refreshed (downloaded) on your Secure Login Clients at intervals of 8 hours.
77. Log on to the Secure Login Administration Console (SLAC) at https://<host>:<port>/slac using the administrative account (“SLAC_ADMIN”).
78. Navigate to the List of Profile Groups. Select the respective profile group and click “Edit” to change the details of the group.
79. Change the “Policy Update Interval (minutes)” value to the number of minutes you need (in our example 480 minutes).
80. Check the “IP Address/Host Name” field: it must contain the correct fully qualified name of the server (in our example mo-1339aa6dc.mo.sap.corp). Click “Save”.
Step 4: Download Profile Group Policy
81. Log on to the Secure Login Administration Console (SLAC) at https://<host>:<port>/slac using the administrative account (“SLAC_ADMIN”).
82. Navigate to Profile Management > User Profile Groups.
83. Select the Profile Group that you want to distribute to the Secure Login Clients. Click “Download Policy”.
84. Download the registry file with the Policy URL that specifies the resource file containing the latest configuration of all client authentication profiles in the group (in our example ProfileDownloadPolicy_SecureLoginDefaultGroup.reg). Save the file in a location of your choice on the client machine.
Step 5: Import Profile Group Policy on the client machine
85. Make sure that the registry file downloaded in the previous step is available on the client machine where Secure Login Client is installed.
86. Double-click the registry file.
87. Click “Yes” to the message in order to confirm the change on the computer.
88. Click “Yes” to confirm again and to add the policy to the registry.
89. Click “OK” to the confirmation message informing you that the *.reg file has been successfully imported into the registry.
Note: Alternatively, a company-wide group policy can be used to deploy the profile groups.
Step 6: Restart the Secure Login Service
90. On the client machine navigate to “Computer Management” > “Services and Applications” > “Services”.
91. Search for “Secure Login Service”. Double-click this service to display the service properties.
92. Click “Stop” to stop the service.
93. Wait for Windows to stop the service.
94. Click “Start” to start the service again.
95. Wait for Windows to start the service.
96. Now when you open the Secure Login Client you have the certificate issued by the Secure Login Server.
Note: Alternatively, a machine restart or workstation re-login may be needed to load the profile group.
© 2017 SAP SE or an SAP affiliate company. All rights reserved.
No part of this publication may be reproduced or transmitted in any form or for any purpose without the
express permission of SAP SE or an SAP affiliate company.
The information contained herein may be changed without prior notice. Some software products marketed by
SAP SE and its distributors contain proprietary software components of other software vendors. National
product specifications may vary.
These materials are provided by SAP SE or an SAP affiliate company for informational purposes only, without
representation or warranty of any kind, and SAP or its affiliated companies shall not be liable for errors or
omissions with respect to the materials. The only warranties for SAP or SAP affiliate company products and
services are those that are set forth in the express warranty statements accompanying such products and
services, if any. Nothing herein should be construed as constituting an additional warranty.
In particular, SAP SE or its affiliated companies have no obligation to pursue any course of business outlined
in this document or any related presentation, or to develop or release any functionality mentioned therein. This
document, or any related presentation, and SAP SE’s or its affiliated companies’ strategy and possible future
developments, products, and/or platform directions and functionality are all subject to change and may be
changed by SAP SE or its affiliated companies at any time for any reason without notice. The information in
this document is not a commitment, promise, or legal obligation to deliver any material, code, or functionality.
All forward-looking statements are subject to various risks and uncertainties that could cause actual results to
differ materially from expectations. Readers are cautioned not to place undue reliance on these forward-
looking statements, and they should not be relied upon in making purchasing decisions.
SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks
or registered trademarks of SAP SE (or an SAP affiliate company) in Germany and other countries. All other
product and service names mentioned are the trademarks of their respective companies.
See http://global.sap.com/corporate-en/legal/copyright/index.epx for additional trademark information and
notices.