SPNEGO: SSO for SAP Web Applications

  • Posted on: 27 December 2008
  • By: markus.wilhelm

SPNEGO is quite cool and simple. You just follow the configuration assistant of your SAP Webserver (http(s)://:/spnego).The only problem I found is that a multi domain model in combination with an Active Directory is not supported by the assistant. What does that mean?
You configure a SPNEGO user for the domain regensburg.bessieundmarkus.de to check users in the Active Directory. If I now want to logon with the user markus.wilhelm@regensburg.bessieundmarkus.de everything is all right. But when I want to logon with a user markus.wilhelm@muenchen.bessieundmarkus.de the logon fails because the user who checks the credentials looks in the wrong domain tree. Kerberos could handle such requests (thats what happens when you use SSO for SAP Gui) but the configuration assistant does not allow you to configure SPNEGO like this. 

Finally I did not test it but it should work, when you manipulate the kerberos configuration file after the assistant finished.

SAP HELP : Using Kerberos Authentication for Single Sign-On

SAP HELP: How to find the installation wizzard