Scribd
Upload
226 views

SIM301 Integrating Microsoft Active Directory With The SAP J2EE Engine

LDAP

Uploaded by

planetshacker
Copyright
© © All Rights Reserved
Available Formats
Download as PDF, TXT or read online on Scribd
226 views

SIM301 Integrating Microsoft Active Directory With The SAP J2EE Engine

LDAP

Uploaded by

planetshacker
Copyright
© © All Rights Reserved
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 106

SIM301

Integrating Microsoft
Active Directory With
the SAP J2EE Engine
Disclaimer

This presentation outlines our general product direction and should


not be relied on in making a purchase decision. This presentation is
not subject to your license agreement or any other agreement with
SAP. SAP has no obligation to pursue any course of business
outlined in this presentation or to develop or release any
functionality mentioned in this presentation. This presentation and
SAP’s strategy and possible future developments are subject to
change and may be changed by SAP at any time for any reason
without notice. This document is provided without a warranty of any
kind, either express or implied, including but not limited to, the
implied warranties of merchantability, fitness for a particular
purpose, or non-infringement. SAP assumes no responsibility for
errors or omissions in this document, except if such damages were
caused by SAP intentionally or grossly negligent.

© SAP AG 2007, SAP TechEd ’07 / SIM301 / 2


Contributing Speakers

Dong Pan
SAP America

Michael Sambeth
SAP AG

© SAP AG 2007, SAP TechEd ’07 / SIM301 / 3


Learning Objectives

As a result of this workshop, you will be able to:


„ Learn how to use ADS as the user persistence store of the J2EE
engine
„ Understand how to achieve Single Sign-On in a multi-domain
environment
„ Learn how to maintain a secure and highly-available LDAP
connection to ADS
„ Understand how SAP J2EE engine supports Kerberos
authentication in different scenarios, including a multi-domain
environment

© SAP AG 2007, SAP TechEd ’07 / SIM301 / 4


Introduction

J2EE User Persistence With ADS

SPNego Authentication With ADS

Wrap-Up
What End Users Want …

© SAP AG 2007, SAP TechEd ’07 / SIM301 / 6


What Administrators Want …

Central User Management


„ Single point of administration
„ Assign user rights in various applications with one keystroke
„ Central user repository

© SAP AG 2007, SAP TechEd ’07 / SIM301 / 7


What Are the Prerequisites …

Integrated cross-application user management


„ Central storage of user information
„ Group assignment
„ Basic user data
„ Application specific user data
„ Standard Access & Authentication protocol

Solution: Microsoft Active Directory


„ Active Directory (AD) serves as central repository for user master data
„ Access to the directory service is provided by the standardized
Lightweight Directory Access Protocol (LDAP)
„ Active Directory provides Kerberos authentication service to facilitate
Single Sign-On (SSO)

© SAP AG 2007, SAP TechEd ’07 / SIM301 / 8


The Big Picture

© SAP AG 2007, SAP TechEd ’07 / SIM301 / 9


Introduction

J2EE User Persistence With ADS

SPNego Authentication With ADS

Wrap-Up
Connect J2EE Engine to ADS
Connect J2EE Engine to Multiple ADS Domains
LDAP Groups
User ID Resolution and Single Sign-On
Connect J2EE Engine to ADAM
Connect J2EE Engine to ADS via SSL
Maintain a Highly Available LDAP Connection
Determine Your LDAP Structure – Deep Hierarchy

Main characteristic
Users are entries below the group of which they are a member

Disadvantage
Users can only appear at one point in the directory tree and can
therefore only be members of one group and its super groups

© SAP AG 2007, SAP TechEd ’07 / SIM301 / 12


Determine Your LDAP Structure – Flat Hierarchy

„ DIT has separate branches for user and group data. There are
2 possibilities:
– Each group has an attribute that lists the members of that group
– Each user has an attribute listing the groups of which the user is
a member

„ Advantage: A user can be a member of more than one group.

„ Disadvantage: New users are not assigned to any groups


automatically

© SAP AG 2007, SAP TechEd ’07 / SIM301 / 13


Connect J2EE Engine to a Single ADS Domain/Forest

© SAP AG 2007, SAP TechEd ’07 / SIM301 / 14


Connect J2EE Engine to ADS
Connect J2EE Engine to Multiple ADS Domains
LDAP Groups
User ID Resolution and Single Sign-On
Connect J2EE Engine to ADAM
Connect J2EE Engine to ADS via SSL
Maintain a Highly Available LDAP Connection
Connect J2EE Engine to Multiple ADS Domains

Configuration Steps
„ Define LDAP Connection Properties in UME Data Source Configuration
XML File
„ Maintain service user password in UME property
ume.ldap.access.additional_password.n (n=1-5)

Limitations
„ Can connect only up to 5 domains due to performance concerns
„ LDAP groups cannot span across multiple domains

© SAP AG 2007, SAP TechEd ’07 / SIM301 / 16


Connect J2EE Engine to Global Catalog

Pros
„ Single connection to the whole Active Directory
forest – no limitation on the number of domains
„ Better search performance, esp. in multi-domain environment

Cons
„ Global Catalog is always read-only, i.e.,
– No creation of users/groups by J2EE engine
– No password modification by J2EE engine
„ Only Universal and Global groups are visible

© SAP AG 2007, SAP TechEd ’07 / SIM301 / 17


Connect J2EE Engine to ADS
Connect J2EE Engine to Multiple ADS Domains
LDAP Groups
User ID Resolution and Single Sign-On
Connect J2EE Engine to ADAM
Connect J2EE Engine to ADS via SSL
Maintain a Highly Available LDAP Connection
LDAP Group Visibility

Blocked Groups
Group Administrators, Guests in the LDAP server are not visible by
default: Ume.ldap.blocked_groups=Administrators, Guests

When connecting to Global Catalog


Pro: LDAP groups can span across multiple domains
Con: Only Universal and Global Groups are visible

When connecting to Domain Controller

Pro: All groups are visible


Con: Groups can only contain users from the same domain

© SAP AG 2007, SAP TechEd ’07 / SIM301 / 19


Large LDAP Groups

„ Do NOT use built-in group ”Domain User”


– All users in Active Directory are automatically assigned to Domain User
group by its PrimaryGroupID, instead of its memberof attribute/Domain User
group’s members attribute

„ Search users in large LDAP groups


– ADS default maximum result page size = 1000
– UME does not support paged result
– Role-Group-User assignment still works.

„ No significant performance degradation with large LDAP groups


– Unlike some other LDAP products, users in ADS have memberof attribute by
default

© SAP AG 2007, SAP TechEd ’07 / SIM301 / 20


Connect J2EE Engine to ADS
Connect J2EE Engine to Multiple ADS Domains
LDAP Groups
User ID Resolution and Single Sign-On
Connect J2EE Engine to ADAM
Connect J2EE Engine to ADS via SSL
Maintain a Highly Available LDAP Connection
User ID Resolution

samAccountName can be duplicated in a multi-domain environment


– what can be used to identify a unique user account?

Any unique LDAP attribute of the user account, if it does not exceed 240 characters:
„ User Principal Name, e.g.. [email protected]
„ Custom-defined unique attribute, e.g., sapusername

Modify the data source configuration XML file to change the user id resolution method

„ Map the j_user attribute of the User object to User Principal Name (UPN)
<attribute name="j_user">
<physicalAttribute name="userprincipalname"/>
</attribute>

„ Map the uniquename attribute of Account object to User Principal Name


<attribute name="uniquename">
<physicalAttribute name="userprincipalname"/>
</attribute>

© SAP AG 2007, SAP TechEd ’07 / SIM301 / 22


Single Sign On with UPN to ABAP Backend

Problem

SSO with SAP Logon Ticket based on UPN is not accepted by SAP
ABAP backend systems

Solution

The SAP Logon Ticket can carry an additional R/3 user ID

„ Define SAP Reference System, and then define User Mapping for
the SAP Reference System

„ If you have an SAP-centric environment, you can use Central User


Administration (CUA)/LDAP tools to maintain the sapusername
LDAP attribute:
– Make sure the UME datasource configuration file defines
REFERENCE_SYSTEM_USER
– Set ume.usermapping.refsys.mapping.type = attribute

© SAP AG 2007, SAP TechEd ’07 / SIM301 / 23


Single Sign On with UPN to J2EE Backend

Problem

SSO with SAP Logon Ticket based on UPN is not accepted by J2EE
backend system whose user store is an SAP ABAP system

Solution

„ Define an SAP Reference System

„ Maintain User Mapping for the SAP Reference System

„ Set login.ticket_portalid = no on the target J2EE backend system

© SAP AG 2007, SAP TechEd ’07 / SIM301 / 24


Connect J2EE Engine to ADS
Connect J2EE Engine to Multiple ADS Domains
LDAP Groups
User ID Resolution and Single Sign-On
Connect J2EE Engine to ADAM
Connect J2EE Engine to ADS via SSL
Maintain a Highly Available LDAP Connection
Introduction to Active Directory Application Mode (ADAM)

Application-Specific Directory Service


„ Ease of deployment
„ Reduced infrastructure costs
„ Increased security
„ Increased flexibility
„ Reliability and scalability

© SAP AG 2007, SAP TechEd ’07 / SIM301 / 26


Adapting UME Data Source Config for ADAM

<attribute name="j_user">
<physicalAttribute name=“uid"/>

</attribute>

<attribute name="uniquename">
<physicalAttribute name=“uid"/>

</attribute>

...

<privateSection>

<ume.ldap.access.naming_attribute.uacc>cn</ume.ldap.access.auxiliary_naming_at
tribute.uacc>

<ume.ldap.access.naming_attribute.uacc>cn</ume.ldap.access.auxiliary_naming_at
tribute.uacc>

</privateSection>

© SAP AG 2007, SAP TechEd ’07 / SIM301 / 27


Connect J2EE Engine to ADS
Connect J2EE Engine to Multiple ADS Domains
LDAP Groups
User ID Resolution and Single Sign-On
Connect J2EE Engine to ADAM
Connect J2EE Engine to ADS via SSL
Maintain a Highly Available LDAP Connection
Why Use LDAP Over SSL?

Why use LDAPS?


„ ADS requires LDAPS protocol to create users
„ To secure LDAP communication between J2EE and Domain
Controllers/Global Catalog

Prerequisite
„ Administrator, Guest and service users should not be stored in LDAP

Restrictions
„ SSL with Client Certificate Authentication is not supported

© SAP AG 2007, SAP TechEd ’07 / SIM301 / 29


Obtain Root Certificate of Domain Controller

SSL ports used by ADS


„ Domain Controller: 636
„ Global Catalog: 3269

Test if your ADS is SSL-enabled (ldp.exe)


„ Import Root Certificate to Trusted Root Certification Authorities store of
local computer
„ Test with ldp.exe should display the following:
ld = ldap_sslinit("philadelphia.pennsylvania.com", 636, 1);
...
Host supports SSL, SSL cipher strength = 128 bits
Established connection to domaincontroller1.mycompany.com.

Verify the Common Name of the Server Certificate


„ Test https://<FQDN_DC>:636 or https://<FQDN_GC>:3269 with Web
Browser
„ Download the root certificate

© SAP AG 2007, SAP TechEd ’07 / SIM301 / 30


Steps to Connect J2EE to ADS With LDAPS

„ Download and install Java Cryptography Extension (JCE) Unlimited


Strength Jurisdiction Policy Files from Sun/IBM

„ Download and deploy the full SAP Java Cryptographic Toolkit

„ Import LDAP Root Certificate into the J2EE engine’s TrustedCAs store

„ Change the UME configuration to enable LDAP over SSL


– Make sure the LDAP server name exactly matches the Common Name!

© SAP AG 2007, SAP TechEd ’07 / SIM301 / 31


Connecting to ADS With LDAPS

© SAP AG 2007, SAP TechEd ’07 / SIM301 / 32


Connect J2EE Engine to ADS
Connect J2EE Engine to Multiple ADS Domains
LDAP Groups
User ID Resolution and Single Sign-On
Connect J2EE Engine to ADAM
Connect J2EE Engine to ADS via SSL
Maintain a Highly Available LDAP Connection
Highly Available LDAP Connection to Single Domain/Forest

„ Sample UME configuration:


ume.ldap.access.server_name= p66192,p66193,p66194,p66195, p66196
ume.ldap.access.server_port=389,389,389,389,389
ume.ldap.access.default_switch=30
ume.ldap.access.action_retrial = 2

„ Special consideration for ADS:


ume.ldap.connection_pool.connect_timeout=5000
ume.ldap.connection_pool.connector_enabled=true

„ In High Load scenarios, keep the value of ume.ldap.access.action_retrial


and ume.ldap.connection_pool.connect_timeout low to avoid J2EE
application thread outage situation!

© SAP AG 2007, SAP TechEd ’07 / SIM301 / 34


Highly Available Connection to Multiple Domains/Forests

„ Sample snippet of the XML configuration file:


<dataSource id="CORP_LDAP1"…….. >
<ume.ldap.access.server_name>ldapserver1_1,ldapserver1_2</ume.ldap.acce
ss.server_name>
<ume.ldap.access.server_port>389,389</ume.ldap.access.server_port>
<ume.ldap.connection_pool.connect_timeout>5000
</ume.ldap.connection_pool.connect_timeout>
...
<dataSource id="CORP_LDAP2"……..>
<ume.ldap.access.server_name>ldapserver2_1,ldapserver2_2</ume.ldap.acce
ss.server_name>
<ume.ldap.access.server_port>389,389</ume.ldap.access.server_port>
<ume.ldap.connection_pool.connect_timeout>3000
</ume.ldap.connection_pool.connect_timeout>
<ume.ldap.connection_pool.connector_enabled>true</ume.ldap.connection_pool.connec
tor_enabled>
…….

„ Maintain higher connect_timeout value for domain controllers off-site

© SAP AG 2007, SAP TechEd ’07 / SIM301 / 35


Introduction

J2EE User Persistence With ADS

SPNego Authentication With ADS

Wrap-Up
SPNego Introduction
DEMO SPNego Setup With Single Domain/Forest
DEMO SPNego Setup With Multiple Domain/Forest
Key Configurations
Common Problems
Kerberos Authentication

„ Kerberos authentication is based on a shared secret between the client


and server

„ Fundamental principle of Kerberos authentication:


– If a secret is known by only two parties, either party can verify the
identity of the other by confirming that the other party knows the
secret.

„ Kerberos authentication is a mutual authentication

„ The two parties show the knowledge of the secret by


encrypting/decrypting authenticators with a symmetric cryptographic
key

„ Key Distribution Center (KDC) distributes the secret (session key) to


clients

„ Kerberos is a three-headed dog in Greek mythology who kept living


intruders from entering the underworld

© SAP AG 2007, SAP TechEd ’07 / SIM301 / 38


Kerberos Authentication

„ Kerberos authentication is based on a shared secret between the client


and server

„ Fundamental principle of Kerberos authentication:


– If a secret is known by only two parties, either party can verify the
identity of the other by confirming that the other party knows the
secret.

„ Kerberos authentication is a mutual authentication

„ The two parties show the knowledge of the secret by


encrypting/decrypting authenticators with a symmetric cryptographic
key

„ Key Distribution Center (KDC) distributes the secret (session key) to


clients

„ Kerberos is a three-headed dog in Greek mythology who kept living


intruders from entering the underworld

© SAP AG 2007, SAP TechEd ’07 / SIM301 / 39


Kerberos Authentication

Key Distribution

Mutual Authentication

„ Kerberos relies on synchronized clocks between KDC,


client and server!

© SAP AG 2007, SAP TechEd ’07 / SIM301 / 40


Simple and Protected GSSAPI Negotiation Mechanism
(SPNego) – How Does it Work

© SAP AG 2007, SAP TechEd ’07 / SIM301 / 41


SPNego Introduction
DEMO SPNego Setup With Single Domain/Forest
DEMO SPNego Setup With Multiple Domain/Forest
Key Configurations
Common Problems
SPNego Introduction
DEMO SPNego Setup With Single Domain/Forest
DEMO SPNego Setup With Multiple Domain/Forest
Key Configurations
Common Problems
SPNego Introduction
DEMO SPNego Setup With Single Domain/Forest
DEMO SPNego Setup With Multiple Domain/Forest
Key Configurations
Common Problems
Java Generic Security Service (JGSS) Authentication
Template – Multiple Domains/Forests

© SAP AG 2007, SAP TechEd ’07 / SIM301 / 45


Krb5LoginModule Options

Option Description
useKeyTab=true The login module will get the principal's key from
the keyTab. If keyTab is not set then the module
will locate the keyTab from the krb5 config file
keyTab=/usr/sap/.../ke Path to the keyTab file
ytab
doNotPrompt=true Do not prompt for password if credentials cannot
be obtained from ticketCache or keyTab
storeKey=true Store the principal's key in the Subject's private
credentials.
principal=j2e_f38_pen The name of the principal that should be used
[email protected] when there are credentials for multiple principals
OM in the keyTab
useTicketCache=true Obtain the TGT from the ticket cache
debug = true Output debug messages

© SAP AG 2007, SAP TechEd ’07 / SIM301 / 46


Java Virtual Machine (JVM) Parameters

© SAP AG 2007, SAP TechEd ’07 / SIM301 / 47


Krb5.conf File

© SAP AG 2007, SAP TechEd ’07 / SIM301 / 48


Key Table File – Multiple Domains/Forests

Inspect keyTab file with klist tool:


%java_home%\bin\klist -e -f -k -K keytab

Key tab: keytab, 2 entries found.

[1] Service principal: [email protected]

KVNO: 1

Key type: 3

Key: 0x3725dcb5b1a139d

[2] Service principal: [email protected]

KVNO: 1

Key type: 3

Key: 0xa7a268a23d32515d

© SAP AG 2007, SAP TechEd ’07 / SIM301 / 49


Krb5LoginModule Options

The yield of Kerberos authentication is the user’s KPN—how should UME


resolve the KPN to the user account?

„ User Resolution Mode ”None”

Applicable If the user’s uniquename attribute and account’s j_user


attribute are mapped to the User Principal Name

„ User Resolution Mode ”simple”

Applicable if the UPN is identical to KPN (by default)

„ User Resolution Mode ”prefixbased”

© SAP AG 2007, SAP TechEd ’07 / SIM301 / 50


User ID Resolution – Prefix-Based

Prefix-based Resolution Process


1. Kerberos authentication yields Kerberos principal name
[email protected].

2. SPNegoLoginModule splits the KPN into the parts johndoe and


IT.CUSTOMER.DE and performs a search in UME after a user with
kpnprefix=johndoe. If result is unique, we’re done

3. If result is not unique, sort out by their attribute distinguishedName all


those users who are not in the domain IT.CUSTOMER.DE.

kpnprefix may not be the user id!!!!!

© SAP AG 2007, SAP TechEd ’07 / SIM301 / 51


SPNego Introduction
DEMO SPNego Setup With Single Domain/Forest
DEMO SPNego Setup With Multiple Domain/Forest
Key Configurations
Common Problems
Common Problems

SPNego stops working after changing DNS alias of the


J2EE/reverse proxy
„ Update the Service Principal Name (SPN) of the J2EE server/reverse
proxy

If the browser always tries to use NTLM to authenticate to


the J2EE
„ The J2EE server is not in the Trusted Sites or Local Intranet zone
„ The browser is using a DNS alias of the J2EE server which does not
have a corresponding SPN

Some users cannot logon to the J2EE server intermittently


„ Make sure the system clocks are synchronized, especially when the
J2EE server and end users are in different forests

© SAP AG 2007, SAP TechEd ’07 / SIM301 / 53


Summary

„ The SAP J2EE engine provides extensive support for MS Active


Directory
„ By integrating the Kerberos authentication service of Active
Directory, the SAP J2EE engine serves as an end-to-end SSO
solution
„ Always connect to Global Catalog in a multi-domain ADS for
better performance, if possible
„ Try to avoid using User Principal Name as user ID to simplify
Single Sign-On
„ Consider using ADAM if you need a flexible LDAP solution
„ Always maintain a highly available connection to your ADS
„ SAP J2EE engine supports SPNego authentication with multiple
ADS forests

© SAP AG 2007, SAP TechEd ’07 / SIM301 / 54


Further Information

Î SAP Public Web


LDAP Directory as UME Data Source
http://help.sap.com/saphelp_nw2004s/helpdata/en/48/d1d13f7fb44c21
e10000000a1550b0/frameset.htm
SPNego Central Note 968191
https://service.sap.com/notes

Î Related Resources
Introduction to Active Directory
http://www.microsoft.com/windowsserver2003/technologies/directory/activedire
ctory/default.mspx
Active Directory Application Mode
http://www.microsoft.com/windowsserver2003/adam/default.mspx
How the Kerberos Version 5 Authentication Protocol Works
http://technet2.microsoft.com/WindowsServer/en/library/4a1daa3e-b45c-44ea-
a0b6-fe8910f92f281033.mspx?mfr=true
HTTP-Based Cross-Platform Authentication via the Negotiate Protocol
http://msdn2.microsoft.com/en-gb/library/ms995329.aspx

© SAP AG 2007, SAP TechEd ’07 / SIM301 / 55


SAP NetWeaver, Development Subscription

The SAP NetWeaver, Development Subscription offers a cost


effective total solution for developers to build applications for
the SAP NetWeaver platform
Subscription gives you one year access to …
„ SAP NetWeaver platform software, patches, and updates
„ Development license for SAP NetWeaver to evaluate, develop and test
„ Standard software maintenance
„ Online sessions from SAP TechEd
„ Access to SAP Enterprise Services Workplace for testing
„ Premium presence in forums

Purchase the SAP NetWeaver, Development Subscription


today at the TechEd Community Clubhouse, or online at
https://www.sdn.sap.com/irj/sdn/subscriptions

Show us you are a subscriber and get a reward!

© SAP AG 2007, SAP TechEd ’07 / SIM301 / 56


Q&A

THANK YOU FOR YOUR


ATTENTION !

QUESTIONS – SUGGESTIONS – DISCUSSION

© SAP AG 2007, SAP TechEd ’07 / SIM301 / 57


Feedback
Please complete your session evaluation.

Be courteous — deposit your trash,


and do not take the handouts for the following session.

Thank You !

© SAP AG 2007, SAP TechEd ’07 / SIM301 / 58


Appendix 1: Details in UME Configuration for ADS

„ Define the mapping between UME objects and LDAP objects

„ Special customization LDAP user accounts and LDAP Groups


created by UME

„ Attribute-based Data Partitioning

„ Defining LDAP connection parameters for single-domain and


multi-domain environments

„ Tools in setting up LDAP over SSL connection

© SAP AG 2007, SAP TechEd ’07 / SIM301 / 59


Mapping between UME Objects and LDAP Objects

Flat Hierarchy

UME Object LDAP Object


User Object User Object

Account Object User Object

Group Object Group Object

Deep Hierarchy

UME Object LDAP Object


User Object User Object

Account Object User Object

Group Object Organizational Unit

© SAP AG 2007, SAP TechEd ’07 / SIM301 / 60


Mapping of UME Attributes to LDAP Attributes – Flat

User and Account Attribute LDAP Attribute


uniquename samaccountname

PRINCIPAL_RELATION_PARENT_ATTRIBUTE memberof

REFERENCE_SYSTEM_USER sapusername

j_user samaccountname

logonalias samaccountname

j_password unicodepwd

Group Attribute LDAP Attribute


uniquename cn
PRINCIPAL_RELATION_MEMBER_ATTRIBUTE member
PRINCIPAL_RELATION_PARENT_ATTRIBUTE memberof

© SAP AG 2007, SAP TechEd ’07 / SIM301 / 61


Mapping of UME Attributes to LDAP Attributes – Deep

User and Account Attribute LDAP Attribute


uniquename samaccountname

PRINCIPAL_RELATION_PARENT_ATTRIBUTE *null*

REFERENCE_SYSTEM_USER sapusername

j_user samaccountname

logonalias samaccountname

j_password unicodepwd

Group Attribute LDAP Attribute


uniquename ou
PRINCIPAL_RELATION_MEMBER_ATTRIBUTE *null*
PRINCIPAL_RELATION_PARENT_ATTRIBUTE *null*

© SAP AG 2007, SAP TechEd ’07 / SIM301 / 62


Creating LDAP Users

UserAccountControl Description
Attribute
2 (0x2) ACCOUNTDISABLE

512 (0x200) NORMAL_ACCOUNT


65536 (0x10000) DONT_EXPIRE_PASSWORD

2097152 (0x200000) USE_DES_KEY_ONLY

By default UME creates normal user account


ume.ldap.access.msads.control_attribute=userAccountControl

ume.ldap.access.msads.control_value=512

© SAP AG 2007, SAP TechEd ’07 / SIM301 / 63


Creating Users to ADAM

Creating users from J2EE engine to ADAM

„ SSL connection required (as in Active Directory)

„ By default, created users are locked. To create normal users, set the
following UME properties:
ume.ldap.access.msads.control_attribute=msds-useraccountdisabled
ume.ldap.access.msads.control_value=FALSE

© SAP AG 2007, SAP TechEd ’07 / SIM301 / 64


Creating LDAP Groups (Flat Hierarchy)

Group-Type Description
Attribute
2 Specifies a group with global scope

4 Specifies a group with domain local scope


8 Specifies a group with universal scope

2147483648 Specifies a security group. If this flag is not set, then


(0x80000000) the group is a distribution group

© SAP AG 2007, SAP TechEd ’07 / SIM301 / 65


Creating LDAP Groups

„ To create global security groups, set

ume.ldap.access.msads.grouptype.attribute=none

„ To create local security groups, set

ume.ldap.access.msads.grouptype.attribute=grouptype

ume.ldap.access.msads.grouptype.value= 2147483652 (0x80000004)

„ For Deep Hierarchy, always set

ume.ldap.access.msads.grouptype.attribute=

© SAP AG 2007, SAP TechEd ’07 / SIM301 / 66


Attribute-Based Data Partitioning

I want to store some application-specific attributes


for users, but my AD policy does not allow schema
extension. What can I do?

© SAP AG 2007, SAP TechEd ’07 / SIM301 / 67


Attribute-Based Data Partitioning

I want to store some application-specific attributes


for users, but my AD policy does not allow schema
extension. What can I do?

© SAP AG 2007, SAP TechEd ’07 / SIM301 / 68


Define Connection Parameters

Parameters Value
ume.persistence.data_source_configuration dataSourceConfiguration_ads
_readonly_db.xml
ume.ldap.access.server_name <LDAP Server Name>

ume.ldap.access.server_port 389/3268

ume.ldap.access.user <LDAP communication user>

ume.ldap.access.password <LDAP Password>

ume.ldap.access.base_path.user DC=company,DC=com

ume.ldap.access.base_path.grup DC=company,DC=com

© SAP AG 2007, SAP TechEd ’07 / SIM301 / 69


Sample UME Data Source Config File for Multi-Domain

<privateSection>
...
<ume.ldap.access.server_type>MSADS</ume.ldap.access.server_type>
<ume.ldap.access.server_name>Domain1_Controller</ume.ldap.access.server_na
me>
<ume.ldap.access.server_port>389</ume.ldap.access.server_port>
<ume.ldap.access.user>CN=serviceuser1,CN=Users,DC=Domain1,DC=com</ume.
ldap.access.user>
<ume.ldap.access.password>$ume.ldap.access.additional_password.1</ume.ldap
.access.password>
<ume.ldap.access.base_path.user>USERPATH</ume.ldap.access.base_path.user
>
<ume.ldap.access.base_path.grup>GROUPPATH</ume.ldap.access.base_path.gr
up>
...
</privateSection>

© SAP AG 2007, SAP TechEd ’07 / SIM301 / 70


Setting Communication Users’ Passwords for Multi-Domain

© SAP AG 2007, SAP TechEd ’07 / SIM301 / 71


Verify LDAPS Connection

© SAP AG 2007, SAP TechEd ’07 / SIM301 / 72


Verify Common Name of Domain Controller’s Certificate

© SAP AG 2007, SAP TechEd ’07 / SIM301 / 73


Appendix 2: SPNego Configuration

„ DEMO – SPNego Setup with Single Domain/Forest

„ DEMO – SPNego Setup with Multiple Domain/Forest

„ SPNego Tokens

© SAP AG 2007, SAP TechEd ’07 / SIM301 / 74


DEMO SPNego Setup With Single Domain/Forest
DEMO SPNego Setup With Multiple Domain/Forest
SPNego Tokens
Step1: Create a Service User on Active Directory

© SAP AG 2007, SAP TechEd ’07 / SIM301 / 76


Step1: Create a Service User on Active Directory

© SAP AG 2007, SAP TechEd ’07 / SIM301 / 77


Step1: Create a Service User on Active Directory

© SAP AG 2007, SAP TechEd ’07 / SIM301 / 78


Step 2: Add Service Principal Name for the Service User

Use upper-case "HTTP" to match the way Internet


Explorer builds SPNs!

© SAP AG 2007, SAP TechEd ’07 / SIM301 / 79


Step 2: Add Service Principal Name for the Service User

© SAP AG 2007, SAP TechEd ’07 / SIM301 / 80


Step 3: Configure LDAP Datasource for the J2EE Engine

© SAP AG 2007, SAP TechEd ’07 / SIM301 / 81


Step 3: Configure LDAP Datasource for the J2EE Engine

<attribute name="krb5principalname">
<physicalAttribute name="userprincipalname"/>
</attribute>
<attribute name="kpnprefix">
<physicalAttribute name="samaccountname"/>
</attribute>
<attribute name="dn">
<physicalAttribute name="distinguishedname"/>
</attribute>

© SAP AG 2007, SAP TechEd ’07 / SIM301 / 82


Step 3: Configure LDAP Datasource for the J2EE Engine

© SAP AG 2007, SAP TechEd ’07 / SIM301 / 83


Step 4:
Configure SPNego Authentication With SPNego Wizard

© SAP AG 2007, SAP TechEd ’07 / SIM301 / 84


Step 4:
Configure SPNego Authentication With SPNego Wizard

© SAP AG 2007, SAP TechEd ’07 / SIM301 / 85


Step 4:
Configure SPNego Authentication With SPNego Wizard

© SAP AG 2007, SAP TechEd ’07 / SIM301 / 86


Step 4:
Configure SPNego Authentication With SPNego Wizard

© SAP AG 2007, SAP TechEd ’07 / SIM301 / 87


Step 4:
Configure SPNego Authentication With SPNego Wizard

© SAP AG 2007, SAP TechEd ’07 / SIM301 / 88


Step 5: Configure Ticket Authentication Stack to Use
SPNego Authentication Template

© SAP AG 2007, SAP TechEd ’07 / SIM301 / 89


Configuration Behind the Scene:
JGSS Authentication Template

© SAP AG 2007, SAP TechEd ’07 / SIM301 / 90


Configuration Behind the Scene: JVM Parameters Added

© SAP AG 2007, SAP TechEd ’07 / SIM301 / 91


Configuration Behind the Scene: Krb5.conf Created

© SAP AG 2007, SAP TechEd ’07 / SIM301 / 92


Step 6: Browser Configuration

© SAP AG 2007, SAP TechEd ’07 / SIM301 / 93


Step 6: Browser Configuration

© SAP AG 2007, SAP TechEd ’07 / SIM301 / 94


Step 6: Browser Configuration

© SAP AG 2007, SAP TechEd ’07 / SIM301 / 95


DEMO SPNego Setup With Single Domain/Forest
DEMO SPNego Setup With Multiple Domain/Forest
SPNego Tokens
Adding multiple Kerberos Realms

© SAP AG 2007, SAP TechEd ’07 / SIM301 / 97


Referring to Multiple JGSS Names in SPNegoLoginModule

© SAP AG 2007, SAP TechEd ’07 / SIM301 / 98


Multiple Forests Configured in the Wizard

© SAP AG 2007, SAP TechEd ’07 / SIM301 / 99


Behind the Scene: Multiple Krb5LoginModoles Placed in
JGSS Authentication Template

© SAP AG 2007, SAP TechEd ’07 / SIM301 / 100


Behind the Scene: Multiple Krb5LoginModoles Placed in
JGSS Authentication Template

© SAP AG 2007, SAP TechEd ’07 / SIM301 / 101


DEMO SPNego Setup With Single Domain/Forest
DEMO SPNego Setup With Multiple Domain/Forest
SPNego Tokens
SPNego Request Token (NegTokenInit)

Section Description
mechTypes The Security Mechanisms supported by the
client, e.g., 1.2.840.113554.1.2.2 for Kerberos V5
reqFlags Token flags
mechToken initial MechToken (Kerberos Ticket)

MechListMIC Message Integrity value

HTTP Request Header


Authorization: Negotiate YIIGUQY<remainder of base64 encoded
string>

© SAP AG 2007, SAP TechEd ’07 / SIM301 / 103


SPNego Response Token (NegTokenTarg)

Section Description
negResult Negotiation Result: accept_completed,
accept_incomplete or rejected
supportedMech A single supported mechanism (Kerberos)
responseToken Response MechToken

MechListMIC Message Integrity value

HTTP Response Header


WWW-Authenticate: Negotiate oYIBLj<remainder of base64 encoded
string>

© SAP AG 2007, SAP TechEd ’07 / SIM301 / 104


SAP Certifications Related to SAP TechEd Topics

Topic Exam Level Certificate Title Solution Basis


ABAP Professional SAP Certified Development Professional - ABAP System Interfaces with SAP NetWeaver 7.0
SAP NetWeaver 7.0

ABAP Professional SAP Certified Development Professional - ABAP System Interfaces with SAP NetWeaver 7.0
SAP NetWeaver 7.0
ABAP Associate SAP Certified Development Consultant – ABAP Dev with NetWeaver 2004 SAP NetWeaver 2004
ABAP Associate SAP Certified Development Associate – ABAP with SAP NetWeaver 7.0 SAP NetWeaver 7.0
ADM Professional SAP Certified Technology Professional – NetWeaver 7.0 Platform SAP NetWeaver 7.0
ADM Professional SAP Certified Technology Professional – NetWeaver 7.0 Security SAP NetWeaver 7.0

ADM Associate SAP Certified Technology Associate – SAP Web AS Platform with Oracle SAP NetWeaver 2004
ADM Associate SAP Certified Technology Consultant – NetWeaver 7.0 SysAd with Oracle SAP NetWeaver 7.0
BI Associate Solution Consultant SAP NetWeaver ’04s – SAP BI SAP NetWeaver 7.0

E2E Associate SAP Certified E2E Application Management Expert – Change Control Mgmt SAP NetWeaver 7.0
E2E Associate SAP Certified E2E Application Management Expert – Root Cause Analysis SAP NetWeaver 7.0
Java Professional SAP Certified Development Professional – JAVA with NetWeaver 7.0 SAP NetWeaver 7.0
Java Associate SAP Certified Development Associate – JAVA with NetWeaver 7.0 SAP NetWeaver 7.0

MDM Associate SAP Certified Application Associate – Master Data Management 5.5 (SP04) SAP NetWeaver 2004
SM Associate Solution Consultant SAP Solution Manager 4.0 – Implementation Tools SAP NetWeaver 7.0
SOA Associate SAP Certified Associate Enterprise Architect Enterprise SOA

XI Associate Certification Development Consultant SAP NetWeaver 2004s SAP NetWeaver 7.0

For a complete listing of certifications, please go to


www.sap.com/services/education/certification

© SAP AG 2007, SAP TechEd ’07 / SIM301 / 105


Copyright 2007 SAP AG. All Rights Reserved

No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be
changed without prior notice.
Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors.
Microsoft, Windows, Excel, Outlook, and PowerPoint are registered trademarks of Microsoft Corporation.
IBM, DB2, DB2 Universal Database, OS/2, Parallel Sysplex, MVS/ESA, AIX, S/390, AS/400, OS/390, OS/400, iSeries, pSeries, xSeries, zSeries, System i, System i5, System p,
System p5, System x, System z, System z9, z/OS, AFP, Intelligent Miner, WebSphere, Netfinity, Tivoli, Informix, i5/OS, POWER, POWER5, POWER5+, OpenPower and PowerPC are
trademarks or registered trademarks of IBM Corporation.
Adobe, the Adobe logo, Acrobat, PostScript, and Reader are either trademarks or registered trademarks of Adobe Systems Incorporated in the United States and/or other countries.
Oracle is a registered trademark of Oracle Corporation.
UNIX, X/Open, OSF/1, and Motif are registered trademarks of the Open Group.
Citrix, ICA, Program Neighborhood, MetaFrame, WinFrame, VideoFrame, and MultiWin are trademarks or registered trademarks of Citrix Systems, Inc.
HTML, XML, XHTML and W3C are trademarks or registered trademarks of W3C®, World Wide Web Consortium, Massachusetts Institute of Technology.
Java is a registered trademark of Sun Microsystems, Inc.
JavaScript is a registered trademark of Sun Microsystems, Inc., used under license for technology invented and implemented by Netscape.
MaxDB is a trademark of MySQL AB, Sweden.
SAP, R/3, mySAP, mySAP.com, xApps, xApp, SAP NetWeaver, and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered
trademarks of SAP AG in Germany and in several other countries all over the world. All other product and service names mentioned are the trademarks of their respective companies.
Data contained in this document serves informational purposes only. National product specifications may vary.

The information in this document is proprietary to SAP. No part of this document may be reproduced, copied, or transmitted in any form or for any purpose without the express prior
written permission of SAP AG.
This document is a preliminary version and not subject to your license agreement or any other agreement with SAP. This document contains only intended strategies, developments,
and functionalities of the SAP® product and is not intended to be binding upon SAP to any particular course of business, product strategy, and/or development. Please note that this
document is subject to change and may be changed by SAP at any time without notice.
SAP assumes no responsibility for errors or omissions in this document. SAP does not warrant the accuracy or completeness of the information, text, graphics, links, or other items
contained within this material. This document is provided without a warranty of any kind, either express or implied, including but not limited to the implied warranties of merchantability,
fitness for a particular purpose, or non-infringement.
SAP shall have no liability for damages of any kind including without limitation direct, special, indirect, or consequential damages that may result from the use of these materials. This
limitation shall not apply in cases of intent or gross negligence.
The statutory liability for personal injury and defective products is not affected. SAP has no control over the information that you may access through the use of hot links contained in
these materials and does not endorse your use of third-party Web pages nor provide any warranty whatsoever relating to third-party Web pages.

© SAP AG 2007, SAP TechEd ’07 / SIM301 / 106

You might also like