SSO22KerbMap: Known issues


Symptom
You need further information about the SSO2 To Kerberos Mapping filter SSO22KerbMap.dll
Other terms
SSO22KerbMap ISAPI IIS Kerberos SSO Single Sign-On
Reason and Prerequisites
Users of the SAP Enterprise Portal want to use the SAP Logon Ticket information for Single Sign-On (SSO) to Microsoft based Web applications. For this, SAP has developed the SSO22KerbMap ISAPI module, which is based on the Windows 2003 Kerberos constrained delegation model.
For prerequisites and details of the configuration of the SSO22KerbMap ISAPI module, see the product specific documentation.
Solution

How the SSO22KerbMap ISAPI module works
The SSO22KerbMap ISAPI module allows authentication using SAP Logon Tickets. Each HTTP request sent by the SAP Enterprise Portal contains an SAP Logon Ticket, which carries the user ID of the logged-on SAP Enterprise Portal user. For this Portal user ID, the filter determines the corresponding operating system user in the Windows Server 2003 domain.
This user is impersonated and a Kerberos token is requested for the SPN specified in the configuration file SSO22KerbMap.ini. Finally, the authorization data of the incoming request is extended with the Kerberos token and the request is forwarded.
Where to download the SSO22KerbMap
You can download the following files from SAP Service Marketplace at:
http://service.sap.com/patches -> SAP Support Packages and Patches -> Entry by Application Group -> Additional Components -> SAPSSOEXT -> SAPSSOEXT -> Windows Server on <Platform>:
SSO22Kerbmap_<PL>-<VS>.SAR:
Archive containing the latest version of the SSO22KerbMap ISAPI module and the corresponding documentation
The archive SSO22Kerbmap_<PL>-<VS>.SAR contains the following files:
  SSO22KerbMap.dll: implementation of the Kerberos Mapping filter
  SSO22KerbMap.pdb: debug symbols needed in case of a problem
  SSO22KerbMap.ini: configuration for the module
  msvcr71.dll, msvcp71.dll: (only on 32-bit) MS Visual Studio Runtime
  folder Microsoft.VC80.CRT: (only on 64-bit) MS Visual Studio Runtime
SAPSSOEXT_<PL>-<VS>.SAR:
Archive containing the SAP Logon Ticket toolkit sapssoext.dll
SSO22KerbMap.pdf:
Documentation of the module
You can download the SAP Security Library sapsecu.dll from SAP Service Marketplace at:
http://service.sap.com/patches -> SAP Support Packages and Patches -> Entry by Application Group -> Additional Components -> SAPSECULIB
****************************** IMPORTANT ****************************
For each backend server, you must install hotfix 907524 to avoid a memory leak in Windows 2003 lsass.exe!
You find the hotfix and a more detailed description at:
http://support.microsoft.com/default.aspx?scid=kb;en-us;907524
*********************************************************************

Support from SAP
SAP provides support for errors which occur in the main functionality of the filter (creating and adding a Kerberos ticket to an incoming HTTP request).
SAP does not provide support for:
  Questions concerning the configuration of any target application using the SAP Kerberos bridging mechanism.
  Problems caused by a misconfiguration of the Windows constrained delegation or of the target application.
In this case you can find one of the following error messages in the SSO22KerbMap logfile:
  OnPreprocHeaders: InitializeSecurityContext failed for SPN xxx
  OnPreprocHeaders: AcquireCredentialsHandle failed: <Err>
Starting with SSO22KerbMap release 1.1.0.4, several configuration checks are performed while the ISAPI module is loaded if LogLevel is set to 2.
Check the corresponding section of the SSO22KerbMap logfile for possible hints.
For any questions on configuration issues you must contact SAP Consulting.
Where to find further documentation or configuration examples
On the SAP Developer Network (SDN) you can download the following collaboration briefs at:
https://www.sdn.sap.com/sdn/developerareas/dotnet.sdn
  Using SAP Logon Tickets for Single Sign-On to Microsoft based web applications
  Integration of Outlook Web Access (OWA) into SAP Enterprise Portal
On the SAP Developer Network (SDN) you can download a configuration example for SSO22Kerbmap in a Microsoft Exchange Cluster at the following link:
https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/704e76ea-06b5-2910-c9a8-9a3b8874367c
Note 785343 gives some hints for the configuration of Outlook Web Access (OWA) using the SSO22KerbMap module.
Frequently Asked Questions (FAQ)
Is Windows 2008 supported for the SSO22KerbMap module?
SAP has not yet tested whether the SSO22KerbMap module can be installed with IIS7 on Windows Server 2008.

Is Windows 2003 SP1 supported for the SSO22KerbMap module?
Yes, Service Pack 1 can be installed on the OS where SSO22KerbMap is installed. Make sure that hotfix 907524 is reinstalled after the installation of SP1.

How do I install the SSO22KerbMap module on Windows 64-bit (x86_64)?
For further details, see note 984604.

When will the SSO22KerbMap module be supported on Windows 64-bit (IA64)?
There are no plans to support SSO22KerbMap on IA64.

I have no delegation tab to configure delegation.
Your domain is running at the Windows 2000 functional level; the tab exists only if the Windows 2003 functional level is configured.

Can I configure Integrated Windows Authentication and Basic Authentication as authentication methods at the same time?
Yes, you can use both authentication methods at the same time; the SSO22KerbMap module uses only Integrated Windows Authentication.

In the log of the SSO22KerbMap module, I get the error message 'OnPreprocHeaders: AcquireCredentialsHandle failed: 0x8009030E'.
The reason for this error is often a wrong delegation setting. Make sure that you have configured 'Use any authentication protocol' on the Delegation tab in Active Directory. (For more information, see chapter 2.1.3 of the SSO22KerbMap documentation.)

I have multiple SAP Portal installations which should use the same SSO22KerbMap configuration file. How can I combine the different certificates into one verify.pse file?
With the SAP Ticket Tool, you can combine multiple certificates into one verify.pse file. This tool is available from SAP Consulting.

Where can I download the sapsecu.dll?
Download the most recent version of SAPSECULIB from SAP Service Marketplace "Software Distribution Center" at
http://service.sap.com/patches -> SAP Support Packages and Patches -> Entry by Application Group -> Additional Components -> SAPSECULIB

I use Windows SharePoint Services as target application and I get the error '401: Unauthorized Access' when trying to access the SAP Portal iView.
For the target application Windows SharePoint Services, you have to activate Kerberos authentication first. The necessary configuration steps are described in the Microsoft Knowledge Base article 'How to configure a Windows SharePoint Services virtual server to use Kerberos authentication' (http://support.microsoft.com/default.aspx?scid=kb;en-us;832769).

The SSO22KerbMap module cannot determine user data if an SSO2AccountAttribute other than userPrincipalName is specified. The logfile contains the message: "Found 0 UserPrincipalNames for ADSI Filter (&(objectCategory=person) (objectClass=user) (<your attribute>=<…>)".
The SSO22KerbMap module searches the Global Catalog for the attribute specified in the SSO22KerbMap.ini file. Not all attributes of the LDAP schema are replicated into the Global Catalog by default.
In any case, the attribute userPrincipalName has to be replicated to the Global Catalog.
To replicate an LDAP attribute to the Global Catalog, proceed as follows:
1. Install the Active Directory Schema snap-in:
   http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/ServerHelp/6008f7bf-80de-4fc0-ae3e-51eda0d7ab65.mspx
2. Add the attribute to the Global Catalog:
   http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/ServerHelp/6008f7bf-80de-4fc0-ae3e-51eda0d7ab65.mspx
3. Reload the schema:
   http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/ServerHelp/6008f7bf-80de-4fc0-ae3e-51eda0d7ab65.mspx

Authentication using the SSO22KerbMap module fails, although the configuration looks fine. The host where the SSO22KerbMap module was installed was upgraded from Windows NT 4.0 or an older Windows version.
When you do a network trace from the target computer, you only see the NTLM WWW-Authenticate header sent to the client: 'WWW-Authenticate: NTLM'. The header 'WWW-Authenticate: Negotiate' is missing.
Change the value of NTAuthenticationProviders and add 'Negotiate'; otherwise no Kerberos authentication is possible.
Proceed as described in the Microsoft Knowledge Base article 'Kerberos authentication fails after upgrading from IIS 4.0 to IIS 5.0' (http://support.microsoft.com/kb/248350/en-us).

SAP Portal and Exchange server are running in different domains. No SAP Logon Ticket is provided by the SAP Portal.
In the SSO22KerbMap<xxx>.log, the following message is written:
'getAccountFromCookie: No cookie MYSAPSSO2 in header Cookie found'.
If you install the Web Server Filter, the SAP Logon Ticket can be provided to multiple domains. Proceed as described in SAP note 874735 'EP 6.0: Web Server Filters: IIS 6'.
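The two lookups that the log messages above refer to (finding the MYSAPSSO2 cookie in the request, as described in "How the SSO22KerbMap ISAPI module works", and building the Global Catalog filter for the configured SSO2AccountAttribute), as an added Python example. This is constructed illustration code, not SAP's SSO22KerbMap implementation; the function names and the sample cookie values are assumptions, and decoding the ticket itself (done by sapssoext.dll in the real module) is left out.

```python
from typing import Optional

SSO2_COOKIE = "MYSAPSSO2"   # cookie carrying the SAP Logon Ticket


def get_account_cookie(cookie_header: Optional[str]) -> Optional[str]:
    """Return the raw MYSAPSSO2 value from an HTTP Cookie header, or None.

    None corresponds to the log line
    'getAccountFromCookie: No cookie MYSAPSSO2 in header Cookie found'.
    Both a header with a single cookie and one with several ';'-separated
    cookies are handled (version 1.1.0.0 of the module fixed the
    single-cookie case). The value is the base64 ticket; the user ID inside
    it is extracted by the ticket toolkit, which is not modelled here.
    """
    if not cookie_header:
        return None
    for part in cookie_header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep and name == SSO2_COOKIE:
            return value
    return None


def escape_ldap_value(value: str) -> str:
    """Escape an assertion value as required by RFC 4515.

    The user ID comes out of the ticket, i.e. from the client side of the
    request, so it must not be able to change the filter's structure.
    """
    return "".join("\\%02x" % ord(ch) if ch in "*()\\\x00" else ch
                   for ch in value)


def build_gc_filter(account_attribute: str, user_id: str) -> str:
    """Build the Global Catalog search filter quoted in the note's
    'Found 0 UserPrincipalNames for ADSI Filter ...' message.

    account_attribute is the SSO2AccountAttribute value from
    SSO22KerbMap.ini (e.g. userPrincipalName or SAMAccountName); if that
    attribute is not replicated to the Global Catalog, this search returns
    0 entries even for a correct user ID.
    """
    return "(&(objectCategory=person)(objectClass=user)(%s=%s))" % (
        account_attribute, escape_ldap_value(user_id))


if __name__ == "__main__":
    # Constructed sample request header (not a real ticket).
    hdr = "JSESSIONID=abc123; MYSAPSSO2=AjExMDAgABN4YW1wbGU=; saplb_*=x"
    print("ticket found:", get_account_cookie(hdr) is not None)
    print(build_gc_filter("userPrincipalName", "jdoe@corp.example"))
```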
Versioning of the SSO22KerbMap module
1.0.0.0 Initial version of the SSO22KerbMap ISAPI module.
1.1.0.0 Patch for requests which contain only one cookie.
1.1.0.1 Patch for SSO2AccountAttribute other than SAMAccountName and userPrincipalName.
1.1.0.2 Patch to write error messages into the logfile if an error occurs after the impersonation has been done.
        Change in log levels: LogLevel 1 is for productive use. LogLevel 2 should only be used if very detailed information is needed, since it can slow down the filter.
1.1.0.3 Patch for access violation during analysis of the SSO2 cookie.
1.1.0.4 Patch for memory leak; additional configuration output and checks implemented during loading of the SSO22KerbMap ISAPI module.
1.1.0.5 Patch for access violation introduced in version 1.1.0.4 if LogLevel > 1.
1.1.0.6 Change to SAP Logon Ticket Toolkit sapssoext.dll instead of wpsso_v3.dll.
        Patch for multi-domain concept: always use userPrincipalName for impersonation. The server variables LOGON_USER, REMOTE_USER and AUTH_USER contain the same content independent of the SSO2AccountAttribute used. The content looks as follows:
        <fully qualified domain>\<UserPrincipalName>
1.1.0.8 Support for Windows x86_64.
