SAP NetWeaver Portal publishing with single sign-on

First of all I’m glad to meet you on the UAG Team blog. My name is Alexey Goldbergs, I’m a Technology Solutions Professional on Security from Microsoft Russia, and I’m going to share with you my experience on SAP NetWeaver Portal publishing through Forefront UAG with single sign-on.

You probably know that IAG 2007 has a special wizard for publishing SAP Enterprise Portal 6. The UAG product team decided to drop special wizards and develop a unified publishing wizard instead.

But before we get started let’s imagine that we have SAP NetWeaver Portal with an internal FQDN https://sapportal.contoso.local.

Publishing

  1. On the first step in the application wizard you can choose a Web application template. For SAP NetWeaver Portal publishing (in my case that was v.7), I’ve used the “Other Web Application (portal hostname)” template, but you can also use “Other Web Application (application specific hostname)”. (You can find more details on this template’s benefits on Rayne Wiselman‘s blog post). It doesn’t really matter in this case
  2. The second step is setting the name and type of your application. This is the place for creative thinking :) You can specify any application name and almost any application type, for example:
    · Application name: Intranet
    · Application type: SAPPortal
  3. On the Endpoint Security page, select the endpoint policies for your application.
  4. On the fourth step specify whether you want to publish a single server or a Web farm.
  5. On the Web Servers page, if you are publishing a Web application, configure settings for the backend Web server that you want to publish. As I've mentioned earlier in my blog, my backend Web server is https://sapportal.contoso.local. In most cases the HTTP port for the SAP NetWeaver Portal is 50000 and you should set it as “HTTP ports” value.
  6. On the Authentication page you should specify how clients provide credentials to published backend Web servers that require authentication but at this time we keep it clear and will come back to it later.
  7. On the Portal Link page, step 7, you could specify how the application appears in the portal home page of the trunk, and you should set the SAP NetWeaver Portal home page as the “Application URL”. 
    Note: Check “Open in new windows” checkbox. This is because some applications are not “frame friendly” and SAP NetWeaver Portal is one of them.
  8. The Authorization page is the last page before you get finished and there you can select users or user groups who will have access to this application.

Now you have finished the application publishing!

Note: Include UAG Portal URL to Compatibility View Settings in IE8 at the endpoint. SAP Portal doesn’t work correctly on IE8 with default settings. You’ll find more details on this issue at SAP Note 1296463 (authentication required).

Single Sign-On

Before IAG 2007 SP2, single sign-on with Kerberos authentication was a hard job. You can find how it was done at Jan's blog post. But starting from SP2 it became much easier with Kerberos Constrained Delegation (thanks to Eli Tovbeyn who was the PM for this feature).

For configuring SSO for SAP Portal you should have SPN for SAP NetWeaver Portal service. In my case SAP Portal was started in the context of service account j2ee@contoso.local with SPN HTTP/intranet.contoso.local.

Now is the time to return to Authentication page.

Here you’ll find step-by-step guide on configuring KCD for application using your SPN.

Note: SPN is case sensitive.

After you have completed all of the tasks you should activate the UAG configuration.

Issue

When you’ll try to get access to SAP Portal from UAG Portal you could see the following page:

image

What’s the problem?

As you might know, the SPNego solution used by the SAP NetWeaver Portal v.7 is based on Java 1.4.2. Unfortunately Java 1.4.2 only supports the DES Encryption type for Kerberos.

With Windows 7 and Windows 2008 R2, Microsoft decided to stop supporting DES Kerberos encryption by default. This is all documented at KB 977321.

Solution

  1. In order to get SPNego working again we have to enable DES_CBC_MD5 encryption.
  2. Start GPEDIT.msc on the UAG host.
  3. Go to Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options.
  4. Double click on "Network security: Configure encryption types allowed for Kerberos" and select (at least) the entry DES_CBC_MD5 which from now on allows Kerberos tokens that are encrypted with DES_CBC_MD5. (In order to prevent issues with other applications you might want to consider enabling all other encryption types as well, or at least the ones that were active by default before).

image

And now you can get access to you SAP NetWeaver Portal from anywhere, any device and any time!

Take care and see u next time!

Author:
Alexey Goldbergs, Technology Solutions Professional, Microsoft Russia

Reviewers:
Ophir Polotsky, Supportability Program Manager, Forefront Edge
Simon Rabinowitz, Technical Writer, Forefront Edge