How To Fix SPN004 - Application help


SAP Error Message - Details

  • Message type: E = Error

  • Message class: SPN - SPnego

  • Message number: 004

  • Message text: Application help

  • Configuring Kerberos Services with SPNego in AS ABAP
    SPNego Configuration
    Use
    SAP NetWeaver Application Server (SAP NetWeaver AS) ABAP supports
    Kerberos with the Simple and Protected GSS API Negotiation Mechanism
    (SPNego) enabling authentication with web clients, such as web browsers.
    Restrictions
    SPNego authenticates the user but does not provide transport layer
    security: the SPNego token and the subsequent session travel in clear
    over plain HTTP. We recommend that you use a transport layer security
    mechanism such as Secure Sockets Layer (SSL) or Transport Layer
    Security (TLS) to ensure the confidentiality and integrity of the
    communication with SAP NetWeaver AS ABAP.
    Integration
    Kerberos authentication requires several systems in your landscape,
    which negotiate the outcome transparently for the user:
    Web client
    The web client requests a service or a resource from SAP NetWeaver AS
    ABAP and authenticates against the Kerberos Key Distribution Center. For
    example, users use a web browser as a web client to access web
    applications running on SAP NetWeaver AS ABAP. The user's browser must
    support SPNego.
    Kerberos Key Distribution Center (KDC)
    SAP NetWeaver AS ABAP uses the Kerberos single sign-on mechanism that is
    integrated into Microsoft Windows (Windows Server 2003 and higher). The
    Microsoft Windows Domain Controller (DC) acts as the KDC for the Windows
    domain. It authenticates the user and issues a service ticket for the AS
    ABAP; the web client wraps this ticket in the SPNego token that it sends
    to the AS ABAP.
    SAP NetWeaver AS ABAP
    The AS ABAP validates the SPNego token with the key of its Kerberos
    service account (held in its keytab), converts the Kerberos Principal
    Name from the token to an SNC name, and maps that SNC name to an ABAP
    user (SU01, <ZH>SNC</> tab).
    Prerequisites
    The following prerequisites must be fulfilled for the configuration of
    SPNego for ABAP:
    You have an administration account in Active Directory.
    You have a license for SAP Single Sign-On 2.0 or higher.
    You have installed the Secure Login Library or you are using the SAP
    Cryptographic Library (see SAP Note 1848999).
    You have configured SNC to enable the mapping of SNC names in the
    <ZH>SNC</> tab of
    <DS:TRAN.SU01>User Maintenance</> (SU01 transaction).
    You are using a browser that supports SPNego.
    (Optional) You use SSL/TLS for transport layer security.


    Features
    The SPNego configuration lets you maintain the Kerberos keys of the AS
    ABAP's service account and derive new ones from a Kerberos service name
    and password. The keys come from Active Directory in keytab files. You
    can either import a keytab file that contains the Kerberos service
    entries and save it, or generate a keytab by entering the Kerberos
    Principal Name and password. The same keytab serves Kerberos-based SNC
    and SPNego. When you change the password, the transaction derives a new
    symmetric key for each selected encryption algorithm: the password is
    run through the Kerberos string-to-key function with the Kerberos
    service name (realm and account name) as the salt. A password change
    on the Domain Controller therefore invalidates the stored key until you
    derive or import it again.
    SPNego obtains the Kerberos User Principals and their associated Service
    Principal Names from the Active Directory of the Microsoft Windows Domain
    Controller. The consistency check verifies that this assignment is
    unique, and it creates and verifies a token to prove that authentication
    with SPNego is possible; the token can only be obtained when the SAP GUI
    front end is logged on in the Kerberos User Principal's domain.

    How can this happen?

    For example, to configure a Kerberos Key Distribution Center in a
    Microsoft Windows 2003 Domain Controller that uses Active Directory
    Server, proceed as follows:
    Assumptions
    KDC is a Microsoft Windows 2003 Active Directory Server.
    Microsoft Windows domain name is <LS>IT.CUSTOMER.DE</>.
    Fully qualified host name of the AS ABAP is <LS>hades.customer.de</>.
    AS ABAP has an additional alias <LS>su3x24.customer.de</> and its system
    ID is <ZK>AB1</>.
    Configuration Steps on the Domain Controller
    Create a service user <LS>KERBEROSAB1</>. You can use another service
    user, but we recommend that you do not use SAPService<SID>, because the
    <ZH>Password Never Expires</> option is not set for that user by
    default; if the password for the service user expires, single sign-on
    fails.
    Enable the <ZH>Password Never Expires</> option for the service user.
    Register service principal names (SPNs) for the service user
    <LS>KERBEROSAB1</> for the AS ABAP host name and all aliases, using the
    service class HTTP. Make sure the SPNs are unique in the forest: if the
    same SPN is registered on two accounts, the KDC cannot tell which
    account's key to use, and ticket requests for that SPN fail. You can
    register the Service Principal Names by means of Active Directory, or
    use the <ZK>setspn</> command as in the following example:
    <NP>setspn -A HTTP/hades.customer.de IT.CUSTOMER.DE\KERBEROSAB1</>
    <NP>setspn -A HTTP/su3x24.customer.de IT.CUSTOMER.DE\KERBEROSAB1</>
    (<ZK>setspn -S</>, available from Windows Server 2008, checks for an
    existing duplicate before adding the SPN; <ZK>-A</> adds it unchecked.)
    This registers both names <ZK>hades.customer.de</> and
    <ZK>su3x24.customer.de</> as SPNs and associates them with the AS ABAP
    service user on the Microsoft Windows Domain Controller.
    To check the association between the AS ABAP service user and the
    service principal names, use the following commands.
    To list the SPNs assigned to the service user, run this in the domain
    of the service user:
    <NP>setspn -L KERBEROSAB1</>
    To check from the side of the Service Principal Name which account owns
    it, run the following at the command line for each SPN you registered,
    for example:
    <NP>ldifde -r "(servicePrincipalName=HTTP/hades.customer.de)" -f out.ldf</>
    The output of this command (<NP>out.ldf</>) must contain exactly one
    entry, which points to the previously created service user
    (<LS>KERBEROSAB1</>). More than one entry means a duplicate SPN.
    To create a keytab for Kerberos-based SNC and SPNego on your Microsoft
    Windows Domain Controller, take the following steps:
    1. Create a keytab using Active Directory means (for example with
    <ZK>ktpass</>). For more information, see the Microsoft documentation.
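    The Domain Controller steps above, carried out in PowerShell as an
    added example (this is not SAP's or Microsoft's documentation code). It
    assumes the ActiveDirectory module (RSAT) on a host joined to
    IT.CUSTOMER.DE, a domain administrator session, and the names from the
    document's assumptions; the check in step 3 verifies the same
    SPN-to-account uniqueness that the SPNego transaction's consistency
    check relies on later.

```powershell
# Added example, not SAP's or Microsoft's code. Creates the SPNego service
# account, registers the HTTP SPNs for the AS ABAP host and its alias, and
# verifies that each SPN belongs to exactly one account.
# Assumptions: ActiveDirectory module available, domain-admin session,
# names taken from the document's assumptions above.
Import-Module ActiveDirectory

$Domain  = 'IT.CUSTOMER.DE'
$Account = 'KERBEROSAB1'
$Hosts   = 'hades.customer.de', 'su3x24.customer.de'   # AS ABAP host name and alias
$Spns    = $Hosts | ForEach-Object { "HTTP/$_" }

# 1. Service user with "Password Never Expires" (see the note on SAPService<SID>).
if (-not (Get-ADUser -Filter "sAMAccountName -eq '$Account'")) {
    $Password = Read-Host -AsSecureString "Password for $Account"
    New-ADUser -Name $Account -SamAccountName $Account `
        -UserPrincipalName "$Account@$Domain" `
        -AccountPassword $Password -Enabled $true `
        -PasswordNeverExpires $true -CannotChangePassword $true
}

# 2. Register the SPNs. "setspn -S" refuses an SPN that already exists
#    anywhere in the forest; "-A" (as used in the document) adds it unchecked.
foreach ($spn in $Spns) {
    & setspn -S $spn "$Domain\$Account"
    if ($LASTEXITCODE -ne 0) { throw "setspn -S failed for $spn (duplicate SPN?)" }
}

# 3. Verify from the SPN side: exactly one owner, and it is our account.
#    A second owner is the duplicate-SPN case that makes ticket requests fail.
foreach ($spn in $Spns) {
    $owners = @(Get-ADObject -LDAPFilter "(servicePrincipalName=$spn)" -Properties sAMAccountName)
    if ($owners.Count -ne 1 -or $owners[0].sAMAccountName -ne $Account) {
        throw "$spn is owned by $($owners.Count) object(s): $($owners.sAMAccountName -join ', ')"
    }
    "$spn -> $($owners[0].sAMAccountName)"
}
& setspn -L $Account     # the account-side view used in the document

# 4. (Optional) keytab via ktpass, the "Active Directory means" of step 1
#    above. Left commented out: ktpass /mapuser rewrites the account's
#    userPrincipalName to the /princ value, so check the account afterwards,
#    or let the SPNego transaction derive the keys from account name and
#    password instead (see "Features").
#   ktpass /princ "HTTP/hades.customer.de@$Domain" /mapuser "$Account@$Domain" `
#          /crypto AES256-SHA1 /ptype KRB5_NT_PRINCIPAL /pass * /out ab1.keytab
```

    Run it once per system; re-running is safe because the account is only
    created when it does not exist and setspn -S rejects an SPN that is
    already registered.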

    How to fix this error?

    To enable authentication with SPNego for ABAP, set the following profile
    parameters:
    <DS:PP.SPNEGO/ENABLE>spnego/enable</>
    <DS:PP.SPNEGO/KRBSPNEGO_LIB>spnego/krbspnego_lib</>
    <DS:PP.SPNEGO/CONSTRUCT_SNC_NAME>spnego/construct_SNC_name</>
    Take the following steps:
    1. Start transaction
    <DS:TRAN.RZ10>RZ10</>.
    2. Choose the default or instance profile.
    3. Choose the profile parameter and enter the related values.
    Set <ZK>spnego/enable</> to the value 1
    Set <ZK>spnego/krbspnego_lib</> to the Kerberos library (SAP
    Cryptographic Library or Secure Login Library of SAP Single Sign-On
    2.0).
    Value: <NP><path_to_Kerberos_library></>
    Set <ZK>spnego/construct_SNC_name</> to the value 111. For more
    information, see
    <DS:PP.SPNEGO/CONSTRUCT_SNC_NAME>spnego/construct_SNC_name</>.
    NOTE
    Use the <ZK>libsapcrypto.so</> or <ZK>sapcrypto.dll </>file of SAP
    Single Sign-On 2.0 or higher. HP-UX uses <ZK>libsapcrypto.sl.</> The
    file name depends on the operating system.
    4. Save your changes.
    5. Restart the system to enable it to read the profile parameters.
    To configure an SPNego trust configuration, proceed as follows:
    1. Start
    <DS:TRAN.SPNEGO>SPNego Configuration</>.
    2. Choose the <ZH>Edit</> button.
    3. Confirm the license disclaimer.
    To create a keytab for Kerberos-based SNC and SPNego and to add a
    Kerberos User Principal, take the following steps:
    1. Choose the <ZH>Add</> button.
    2. Enter the Kerberos User Principal Name.
    Format:
    <NP><sAMAccountName>@<WINDOWS-2000-DOMAIN-UPPERCASE></>
    Example:
    <NP>AD_KerbAdminABC@IT.CUSTOMER.DE</>
    NOTE
    The account part of the Kerberos User Principal Name is case-sensitive,
    because it is part of the salt for the key derivation, and the Microsoft
    Windows domain is always written in uppercase.
    3. Enter the password and confirm it.
    4. Choose the encryption algorithms you want to use for this HTTP
    connection. The KDC only issues tickets with an encryption type that
    the service account allows, so the selection must match the account's
    settings in Active Directory.
    5. Choose <ZH>Continue (Enter)</>.
    6. Save your changes.
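    What the Add step does with the principal and password, as an added
    example that is not SAP's code: the Kerberos string-to-key derivation
    for the AES encryption types (RFC 3962), run in PowerShell with .NET.
    It illustrates both the "Features" description of the password being
    hashed with the service name as salt and the case-sensitivity note
    above. It assumes Active Directory's salt for user principals (the
    uppercase realm followed by the account name as stored) and the
    4096-iteration default; the n-fold("kerberos") constant is the 128-bit
    value given in RFC 3961. Running it with the realm or the account name
    in a different case yields a different key, which is why the note
    matters: the KDC derived its copy of the key from the exact spelling in
    Active Directory.

```powershell
# Added example, not SAP's code: Kerberos string-to-key for AES128/AES256
# (RFC 3962). Assumptions: salt = <REALM uppercase><account name as stored>
# as Active Directory uses for user principals; 4096 iterations.
function Get-KerberosAesKey {
    param(
        [Parameter(Mandatory)][string]$Principal,   # e.g. AD_KerbAdminABC@IT.CUSTOMER.DE
        [Parameter(Mandatory)][string]$Password,    # plain string for the demo only
        [ValidateSet(16, 32)][int]$KeyLength = 32,  # 16 = AES128, 32 = AES256
        [int]$Iterations = 4096                     # Kerberos default
    )
    $name, $realm = $Principal.Split('@', 2)
    $salt = $realm + $name                          # realm + account name, case-sensitive
    $utf8 = [System.Text.Encoding]::UTF8

    # PBKDF2-HMAC-SHA1(password, salt) -> tkey (RFC 3962 section 4)
    $pbkdf2 = [System.Security.Cryptography.Rfc2898DeriveBytes]::new(
        $utf8.GetBytes($Password), $utf8.GetBytes($salt), $Iterations)
    $tkey = $pbkdf2.GetBytes($KeyLength)

    # key = DK(tkey, "kerberos"): AES-CBC with zero IV over n-fold("kerberos");
    # for a 256-bit key the second block is the encryption of the first.
    $nfold = [byte[]](0x6b,0x65,0x72,0x62,0x65,0x72,0x6f,0x73,
                      0x7b,0x9b,0x5b,0x2b,0x93,0x13,0x2b,0x93)
    $aes = [System.Security.Cryptography.Aes]::Create()
    $aes.Mode = 'CBC'; $aes.Padding = 'None'
    $aes.Key = $tkey;  $aes.IV = [byte[]]::new(16)
    $k1 = $aes.CreateEncryptor().TransformFinalBlock($nfold, 0, 16)
    $key = if ($KeyLength -eq 16) { $k1 }
           else { $k1 + $aes.CreateEncryptor().TransformFinalBlock($k1, 0, 16) }
    return ($key | ForEach-Object { $_.ToString('x2') }) -join ''
}

# Same password, three spellings of the principal -> three different keys.
# Only the first matches what the KDC holds if the account is stored as
# AD_KerbAdminABC in realm IT.CUSTOMER.DE.
Get-KerberosAesKey -Principal 'AD_KerbAdminABC@IT.CUSTOMER.DE' -Password 'Secret-1'
Get-KerberosAesKey -Principal 'AD_KerbAdminABC@it.customer.de' -Password 'Secret-1'
Get-KerberosAesKey -Principal 'ad_kerbadminabc@IT.CUSTOMER.DE' -Password 'Secret-1'
```

    This is also why a password change on the Domain Controller breaks
    single sign-on until the key is derived again in the transaction: the
    key stored in the keytab is a function of the old password.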
    (Optional) If the Kerberos User Principal name is in a keytab file,
    import the keytab.
    1. Choose the <ZH>Import Keytab file</> button.
    2. Select your keytab file.
    3. Choose <ZH>Open</>.
    4. A dialog box displays a list of Kerberos service names with their
    encryption algorithms.
    5. Select the Kerberos service names you want to import.
    6. Choose <ZH>Continue (Enter)</>.
    7. Save your changes.
    After you have configured the Key Distribution Center and the trust
    configuration, your users can log on to Microsoft Windows and
    authenticate at the AS ABAP, provided SAP Single Sign-On is already used
    for SNC-based authentication. If this is not the case, you must maintain
    the SNC mapping. You do not need to restart the application server after
    the library was updated or configured for the first time; wait two
    minutes for all instances to pick up the imported keytab. Provided that
    your browser is configured for SPNego, it requests an SPNego token
    (carrying a Kerberos service ticket) from the Active Directory when
    users access the AS ABAP. The AS ABAP parses the token and validates it.
    The token contains the Kerberos Principal Name (KPN), which in general
    differs from the ABAP user name. The Kerberos Principal Name from the
    Active Directory has the following format:
    Example:
    <NP>Smith@IT.CUSTOMER.DE</>
    During authentication, the Kerberos Principal Name is converted to an
    SNC name. By default, the conversion adds the prefix <NP>p:CN=</> and
    converts the Kerberos Principal Name to uppercase.
    Example:
    <NP>Smith@IT.CUSTOMER.DE</> (Kerberos Principal Name)
    <NP>p:CN=SMITH@IT.CUSTOMER.DE</> (converted to SNC name)
    You can configure the conversion rule in the profile parameter
    <DS:PP.SPNEGO/CONSTRUCT_SNC_NAME>spnego/construct_SNC_name</>. The SNC
    name maintained for the user must match the converted form exactly.
    1. Perform a user mapping with
    <DS:TRAN.SU01>User Maintenance</> (SU01 transaction in the <ZH>SNC</>
    tab).
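    The conversion and the SU01 lookup it feeds, as an added PowerShell
    example (not SAP's code). The SU01 entries and the token principals are
    constructed sample data; the example assumes the default rule described
    above and an exact, case-sensitive comparison between the converted
    name and the SNC name stored in SU01, and it flags the two ways the
    mapping goes wrong in practice: an entry typed without the uppercase
    conversion, and one SNC name maintained on two users.

```powershell
# Added example, not SAP's code: default KPN -> SNC-name conversion
# (spnego/construct_SNC_name = 111: prefix "p:CN=" and uppercase) checked
# against a constructed copy of SU01 SNC-tab entries.
function ConvertTo-SncName([string]$KerberosPrincipalName) {
    return 'p:CN=' + $KerberosPrincipalName.ToUpperInvariant()
}

# Constructed sample of SU01 SNC names (not from a real system).
$Su01 = @(
    @{ User = 'SMITH';  SncName = 'p:CN=SMITH@IT.CUSTOMER.DE' }
    @{ User = 'MEIER';  SncName = 'p:CN=Meier@it.customer.de' }  # typed as-is, not uppercased
    @{ User = 'JONES';  SncName = 'p:CN=JONES@IT.CUSTOMER.DE' }
    @{ User = 'JONES2'; SncName = 'p:CN=JONES@IT.CUSTOMER.DE' }  # same SNC name on a second user
)

# Kerberos Principal Names as they arrive in SPNego tokens (constructed).
$Tokens = 'Smith@IT.CUSTOMER.DE', 'Meier@IT.CUSTOMER.DE',
          'Jones@IT.CUSTOMER.DE', 'Nobody@IT.CUSTOMER.DE'

foreach ($kpn in $Tokens) {
    $snc  = ConvertTo-SncName $kpn
    $hits = @($Su01 | Where-Object { $_.SncName -ceq $snc })   # -ceq: case-sensitive
    switch ($hits.Count) {
        0       { "$kpn -> $snc : no matching SU01 entry, SPNego logon fails for this user" }
        1       { "$kpn -> $snc : ABAP user $($hits[0].User)" }
        default { "$kpn -> $snc : ambiguous, maintained on $($hits.User -join ', ')" }
    }
}
```

    MEIER is the case to look for first when a single user cannot log on
    although the consistency check is green: the token is fine, the SNC
    name in SU01 simply does not match the converted form.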

    Procedure for System Administrators

    To analyze SPNego authentication failures, use the SPNego tracing
    function by choosing Goto -> SPNego Tracing. For more information, see
    SAP Notes 1732610 and 1819808.
    Prerequisites
    - All host names under which users reach the system, for example those
      of dialog instances, Web Dispatcher, or proxies, are listed as Service
      Principal Names (the browser requests a ticket for the host name in
      the URL).
    - Each Service Principal Name is assigned to exactly one Kerberos User
      Principal Name.
    To find out whether authentication is possible, run a consistency
    check. It checks the configuration and determines whether each Service
    Principal Name is assigned to only one Kerberos User Principal Name,
    and it creates and verifies a Kerberos token: the front-end control
    checks the password of the User Principal Name and requests a Kerberos
    token for SPNego from the Active Directory, which the AS ABAP then
    verifies with its keytab. A successful check proves that Kerberos
    authentication with SPNego works. The consistency check always checks
    all Service Principal Names.
    A green indicator in the <ZH>User Principal Uniqueness</> column for a
    Service Principal Name means that the assignment from that Service
    Principal Name to a Kerberos User Principal Name is unique.
    A green indicator in the <ZH>Token Check</> column means that the token
    check was executed successfully.

    How to fix this error?

    1. Start <ZH>SPNego Configuration</>.
    2. Choose the <ZH>Service Principal Name</> tab.
    3. Choose the <ZH>Consistency Check</> button.
    Result
    If the indicator in the <ZH>User Principal Uniqueness</> column is green,
    there is a unique assignment from the Service Principal Name to a
    Kerberos User Principal Name. If a token was created and verified
    successfully, the <ZH>Token Check</> column displays a green indicator
    in the row of the Service Principal Name you selected.
    If the token verification was not successful, the indicator is red. For
    details, look at the trace of the related server in the process
    overview (transaction <DS:TRAN.SM50>SM50</>).
    If both indicators are green, authentication with SPNego is possible.
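    A client-side counterpart of the token check, as an added example that
    is not part of the SPNego transaction: from a domain-joined Windows
    client logged on as a domain user, request a service ticket for each
    SPN with klist and report the ticket's encryption type. It assumes the
    two SPNs from the document's example and English-language klist output.
    A ticket that comes back as RC4-HMAC while you selected only AES in the
    transaction means the service account does not offer AES, and the
    token check fails for that encryption type.

```powershell
# Added example, not part of the SPNego transaction: client-side check that
# a service ticket can be obtained for each SPN and which encryption type
# the KDC issued. Run on a domain-joined Windows client as a domain user.
# Assumptions: SPNs from the document's example; English klist output.
$Spns = 'HTTP/hades.customer.de', 'HTTP/su3x24.customer.de'

# Uncomment to discard cached tickets so every request goes to the KDC.
# & klist purge | Out-Null

foreach ($spn in $Spns) {
    $out = (& klist get $spn 2>&1) -join "`n"
    $ok  = ($LASTEXITCODE -eq 0) -and ($out -match 'KerbTicket Encryption Type:\s*(\S[^\r\n]*)')
    if (-not $ok) {
        "$spn : no service ticket obtained (SPN missing, duplicate, or KDC unreachable)"
        $out
        continue
    }
    $enctype = $Matches[1].Trim()
    $verdict = if ($enctype -match 'RC4') {
        'RC4 ticket: enable AES on the service account (msDS-SupportedEncryptionTypes) or an AES-only keytab cannot validate it'
    } else { 'ok' }
    "$spn : ticket obtained, enctype $enctype, $verdict"
}
```

    A failure here, before any SAP component is involved, points at the
    Domain Controller side (missing or duplicate SPN); a ticket that is
    obtained but still fails the token check in the transaction points at
    the keytab (wrong password, case, or encryption type).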
    See also
    For more information on user mapping, see the SAP Help Portal under
    <ZK>SAP NetWeaver -> Application Help -> Function-Oriented View ->
    Security -> Network and Transport Layer Security -> Configuring the AS
    ABAP for Supporting SSL -> Configuring the Communication Partners to Use
    SNC ->Special Cases -> Single Sign-On with Microsoft Kerberos SSP ->
    Mapping Windows to SAP Users for Kerberos SSO</>.
    For detailed documentation on this transaction, and general
    information on Kerberos, see <ZK>Kerberos Authentication</> at
    <ZK>help.sap.com</>.
    For more information on authentication with logon procedures, see the
    SAP Help Portal under <ZK>SAP NetWeaver -> Application Help -> SAP
    NetWeaver Library: Function-Oriented View->Application Server ->
    Application Server Infrastructure -> Connectivity -> Components of SAP
    Communication Technology -> Internet Communication Framework ->
    Server-Side Development -> Creating and Configuring ICF Services ->
    Create Service -> Maintaining Logon Procedures -> Standard Login Order
    or Alternative Logon Order.</>
    For more information on Kerberos authentication, see the SAP Help Portal
    under <ZK>SAP NetWeaver -> Application Help -> SAP NetWeaver Library:
    Function-Oriented View-> Security -> User Authentication and Single
    Sign-On -> Integration in Single Sign-On (SSO) Environments -> Single
    Sign-On for Web-Based Access -> Using Kerberos Authentication</>.

    Error message extract from SAP system. Copyright SAP SE.




Related SAP Error Messages

Related messages in message class SPN:
  • SPN003 Keytab successfully imported
  • SPN002 Enter password
  • SPN005 Front-end control help
  • SPN006 Required format: '@'

