First of all I’m glad to meet you on the UAG Team blog. My name is Alexey Goldbergs, I’m a Technology Solutions Professional on Security from Microsoft Russia, and I’m going to share with you my experience on SAP NetWeaver Portal publishing through Forefront UAG with single sign-on.
You probably know that IAG 2007 has a special wizard for publishing SAP Enterprise Portal 6. The UAG product team decided to drop special wizards and develop a unified publishing wizard instead.
But before we get started let’s imagine that we have SAP NetWeaver Portal with an internal FQDN http://sapportal.contoso.local.
Now you have finished the application publishing!
Note: Add the UAG Portal URL to the Compatibility View Settings in IE8 on the endpoint. SAP Portal doesn’t work correctly on IE8 with default settings. You’ll find more details on this issue in SAP Note 1296463 (authentication required).
Before IAG 2007 SP2, single sign-on with Kerberos authentication was a hard job. You can find how it was done in Jan's blog post. But starting from SP2 it became much easier with Kerberos Constrained Delegation (thanks to Eli Tovbeyn who was the PM for this feature).
To configure SSO for SAP Portal you need an SPN for the SAP NetWeaver Portal service. In my case SAP Portal was started in the context of the service account email@example.com with the SPN HTTP/intranet.contoso.local.
Now it is time to return to the Authentication page.
Here you’ll find a step-by-step guide on configuring KCD for the application using your SPN.
Note: SPN is case sensitive.
After you have completed all of the tasks you should activate the UAG configuration.
When you try to access SAP Portal from the UAG Portal, you might see the following page:
As you might know, the SPNego solution used by the SAP NetWeaver Portal v.7 is based on Java 1.4.2. Unfortunately Java 1.4.2 only supports the DES Encryption type for Kerberos.
With Windows 7 and Windows 2008 R2, Microsoft decided to stop supporting DES Kerberos encryption by default. This is all documented at KB 977321.
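The SPN, KCD and DES requirements described above can be checked from Active Directory before troubleshooting on the UAG side. The following read-only audit is an added example, not part of the original post or of UAG; the account name `svc-sapportal` and server name `UAG01` are placeholders, and it assumes the ActiveDirectory PowerShell module is available.

```powershell
# Added example: read-only audit of the Kerberos settings behind KCD SSO to SAP Portal.
# Assumed placeholders (not from the post): $SapServiceAccount, $UagServerName.
Import-Module ActiveDirectory

$SapServiceAccount = 'svc-sapportal'                 # placeholder service account name
$UagServerName     = 'UAG01'                         # placeholder UAG computer account
$ExpectedSpn       = 'HTTP/intranet.contoso.local'   # SPN used in the post

# Decode the msDS-SupportedEncryptionTypes bitmask into encryption type names.
function ConvertFrom-EncTypeMask([int]$Mask) {
    $names = @{ 1 = 'DES-CBC-CRC'; 2 = 'DES-CBC-MD5'; 4 = 'RC4-HMAC'
                8 = 'AES128-CTS-HMAC-SHA1-96'; 16 = 'AES256-CTS-HMAC-SHA1-96' }
    $names.Keys | Sort-Object | Where-Object { $Mask -band $_ } |
        ForEach-Object { $names[$_] }
}

$svc = Get-ADUser -Identity $SapServiceAccount -Properties servicePrincipalName,
    userAccountControl, 'msDS-SupportedEncryptionTypes'
$uag = Get-ADComputer -Identity $UagServerName -Properties 'msDS-AllowedToDelegateTo'

# An SPN registered on more than one object breaks Kerberos ticket requests for it.
$owners = @(Get-ADObject -LDAPFilter "(servicePrincipalName=$ExpectedSpn)")

$mask = [int]$svc.'msDS-SupportedEncryptionTypes'    # 0 when the attribute is unset

[pscustomobject]@{
    # -ccontains is case sensitive, matching the post's note about SPN case.
    SpnOnServiceAccount = @($svc.servicePrincipalName) -ccontains $ExpectedSpn
    SpnOwnerCount       = $owners.Count              # expected: 1
    UagMayDelegateToSpn = @($uag.'msDS-AllowedToDelegateTo') -ccontains $ExpectedSpn
    # USE_DES_KEY_ONLY (0x200000): "Use Kerberos DES encryption types for this account".
    AccountIsDesOnly    = [bool]($svc.userAccountControl -band 0x200000)
    DeclaredEncTypes    = (ConvertFrom-EncTypeMask $mask) -join ', '
}
```

An account that reports `AccountIsDesOnly` as true, or only DES types in `DeclaredEncTypes`, depends on the encryption type that Windows 7 and Windows 2008 R2 no longer enable by default.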
And now you can get access to your SAP NetWeaver Portal from anywhere, any device and any time!
Take care and see u next time!
Author: Alexey Goldbergs, Technology Solutions Professional, Microsoft Russia
Reviewers: Ophir Polotsky, Supportability Program Manager, Forefront Edge; Simon Rabinowitz, Technical Writer, Forefront Edge
Single sign on is a great idea, but what do you think about implementing the Facebook sign-in for company use? I know it is open to certain security flaws, but also a very good system to use.
I want to thank you for your article, it helped me to fix SAP Portal SSO issue on Windows 7.
Thanks a bunch!
Finally I have IE8 running with NetWeaver. Pretty cool.