SAP HANA® Platform
How-To Guide
Single Sign-On with SAP HANA® Database
using Kerberos and Microsoft Active
Directory
Applicable Releases:
SAP HANA 1 SPS11 (SPS11) and lower
SAP HANA 1 SPS12 (SPS12) and higher
SAP HANA 2 all SPS
Topic Area:
Installation, Configuration, Security and Troubleshooting
Required Capability:
SAP HANA Database, Single Sign-On (SSO), Kerberos, Windows Active
Directory, SAP HANA XS Classic, SPNEGO
Version 2.1.4
July 2023
© Copyright 2020 SAP AG or an SAP affiliate company. All rights reserved.
No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission
of SAP AG. The information contained herein may be changed without prior notice.
Some software products marketed by SAP AG and its distributors contain proprietary software components of other software
vendors.
National product specifications may vary.
These materials are provided by SAP AG and its affiliated companies ("SAP Group") for informational purposes only, without
representation or warranty of any kind, and SAP Group shall not be liable for errors or omissions with respect to the materials.
The only warranties for SAP Group products and services are those that are set forth in the express warranty statements
accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty.
SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered
trademarks of SAP AG in Germany and other countries. Please see http://www.sap.com/corporateen/legal/copyright/index.epx#trademark for additional trademark information and notices.
MIT is the Massachusetts Institute of Technology
SAP HANA Platform “How-to” Guides are intended to simplify the product implementation. While specific product features
and procedures typically are explained in a practical business context, it is not implied that those features and procedures are
the only approach in solving a specific business problem using SAP HANA platform. Should you wish to receive additional
information, clarification or support, please refer to SAP Consulting.
Any software coding and/or code lines / strings (“Code”) included in this documentation are only examples and are not
intended to be used in a productive system environment. The Code is only intended better explain and visualize the syntax
and phrasing rules of certain coding. SAP does not warrant the correctness and completeness of the Code given herein, and
SAP shall not be liable for errors or damages caused by the usage of the Code, except if such damages were caused by SAP
intentionally or grossly negligent.
Disclaimer:
Some components of this product are based on Java™. Any code change in these components may cause unpredictable and
severe malfunctions and is therefore expressively prohibited, as is any decompilation of these components.
Any Java™ Source Code delivered with this product is only to be used by SAP’s Support Services and may not be modified or
altered in any way.
i
Document History
Document Version
Description
•
Introduction of new path and naming convention of keytab and
config file with HANA 1 SPS12
•
SPNEGO: Reverse proxy
•
•
Configuration for Scale Out, System Replication, MDC
Extend the troubleshooting section
•
Fixed: 5.1.2 Create or extend the Kerberos keytab
•
Added: 4.9.1 Avoid a restart of the SAP HANA DB
•
Fix: 4.1 Create the Windows AD User
•
Reworked APPENDIX 5 Kerberos AES256 encryption
•
fixed command dsadd user
2.1.1
•
Additional improvements
2.1.2
•
Minor formats fixes
2.1.3
•
Minor improvements
2.1.4
•
Added HANA database isolation mode high
•
Added sources of information
2.0.0
2.0.1
2.1.0
ii
Typographic Conventions
Type Style
Description
Example Text
Words or characters quoted
from the screen. These
include field names, screen
titles, pushbuttons labels,
menu names, menu paths,
and menu options.
Cross-references to other
documentation
Example text
Emphasized words or
phrases in body text, graphic
titles, and table titles
Example text
File and directory names and
their paths, messages,
names of variables and
parameters, source text, and
names of installation,
upgrade and database tools.
Example text
User entry texts. These are
words or characters that you
enter in the system exactly as
they appear in the
documentation.
<Example
text>
Variable user entry. Angle
brackets indicate that you
replace these words and
characters with appropriate
entries to make entries in the
system.
EXAMPLE TEXT
Keys on the keyboard, for
example, F2 or ENTER.
Icons
Icon
Description
Caution
Important
Note
Recommendation or Tip
Example
iii
Table of Contents
1.
Scenario ................................................................................................................................ 1
1.1 Single Sign-on .............................................................................................................. 1
1.2 Definitions ..................................................................................................................... 2
2.
Background Information ..................................................................................................... 3
2.1 Microsoft Active Directory ............................................................................................. 3
2.2 Kerberos ....................................................................................................................... 4
2.3 SPNEGO ...................................................................................................................... 7
3.
Prerequisites ........................................................................................................................ 8
3.1 Network Requirements ................................................................................................. 8
3.2 Software Requirements ................................................................................................ 8
3.3 Organizational Requirements ....................................................................................... 9
3.4 Related Information .................................................................................................... 10
3.4.1 SAP HANA Database .................................................................................... 10
3.4.2 SAP Web Dispatcher ..................................................................................... 10
3.4.3 Kerberos/ Active Directory ............................................................................. 10
4.
Step-by-Step Procedure .................................................................................................... 11
4.1 Create the Windows AD User ..................................................................................... 11
4.2 Hostname Resolution ................................................................................................. 11
4.2.1 Setup .............................................................................................................. 11
4.2.2 Verification ..................................................................................................... 12
4.3 SAP HANA Database Server Kerberos Configuration ............................................... 14
4.3.1 Location of the Kerberos config File .............................................................. 14
4.3.2 Setup .............................................................................................................. 15
4.3.3 Verification ..................................................................................................... 17
4.4 Create the SAP HANA Database Service User(s) ..................................................... 18
4.4.1 Setup .............................................................................................................. 18
4.4.2 Verification ..................................................................................................... 19
4.5 Register Service Principal Name (SPN) in AD ........................................................... 20
4.5.1 Setup Kerberos for SAP HANA DB ............................................................... 20
4.5.2 Setup of SPNEGO for SAP HANA XS Classic .............................................. 21
4.5.3 Verification ..................................................................................................... 21
4.6 Create Kerberos keytab for the SAP HANA DB Server ............................................. 23
4.6.1 Location of the Kerberos keytab file .............................................................. 23
4.6.2 Definitions ...................................................................................................... 24
4.6.3 Create the keytab on SAP HANA DB Server using script hdbkrbconf.py ..... 25
4.6.4 Create the keytab manually on the SAP HANA DB Server ........................... 25
4.6.5 Create the keytab manually on the Windows AD domain controller ............. 26
4.6.6 Securing the keytab ....................................................................................... 26
4.6.7 Verification ..................................................................................................... 27
4.7 Change the Password of the SAP HANA DB Service User ....................................... 29
4.8 Assign the External ID to the SAP HANA DB user..................................................... 30
4.8.1 Verification of Kerberos for SAP HANA DB ................................................... 31
4.8.2 Verification of SPNEGO for SAP HANA XS Classic ...................................... 34
4.9 Footnotes .................................................................................................................... 36
4.9.1 Avoid a restart of the SAP HANA DB ............................................................ 36
5.
Appendix A: AES256 Encryption ..................................................................................... 37
iv
5.1
Create Kerberos keytab for the SAP HANA DB Server ............................................. 37
5.1.1 Creating the Kerberos keys in Windows AD .................................................. 37
5.1.2 Create or Extend the Kerberos Keytab on the SAP HANA DB Host ............. 38
5.1.3 SAP HANA DB Service User settings in Windows AD .................................. 40
5.1.4 Extend the Kerberos Config File .................................................................... 41
6.
Appendix B: SAP HANA DB Landscape.......................................................................... 42
6.1 SAP HANA DB System Replication and Scale Out .................................................... 42
6.2 SAP HANA DB Multi Database Container (MDC) ...................................................... 42
6.3 SPNEGO with Revers Proxy or Load Balancer .......................................................... 43
6.4 Linux host without SAP HANA DB installed ............................................................... 43
7.
Appendix C: Troubleshooting .......................................................................................... 44
7.1 SAP HANA DB Server ................................................................................................ 45
7.1.1 Verify the SAP HANA Server configuration using the python script
hdbkrbconf.py ................................................................................................ 45
7.1.2 Trace on SAP HANA DB server .................................................................... 46
7.2 SAP HANA Client ....................................................................................................... 47
7.2.1 Running hdbsql on the SAP HANA DB Server............................................ 47
7.2.2 SQLDBC Trace .............................................................................................. 48
7.2.3 JDBC Trace ................................................................................................... 48
7.2.4 ODBC Trace .................................................................................................. 50
7.3 Tracing SPNEGO and SAP Webdispatcher ............................................................... 51
7.3.1 SAP HANA DB Server: XS Classic Trace ..................................................... 51
7.3.2 SAP Web Dispatcher Trace ........................................................................... 51
7.4 Windows Tools ........................................................................................................... 53
7.5 Common Errors .......................................................................................................... 53
7.6 Kerberos GSS Error Codes ........................................................................................ 54
v
Single Sign-On with SAP HANA® Database using Kerberos and Microsoft Active Directory
1. Scenario
This how-to guide describes the steps necessary for setting up Single Sign-on (SSO) with SAP
HANA® database using Kerberos and Microsoft Active Directory. Each step is accompanied by one or
more verification steps allowing a systematic completion of the process.
With HANA 1 SPS07, SPNEGO is made available as an authentication option for SAP HANA XS
Classic.
Note
Configuration of Kerberos for SAP HANA DB and SPNEGO for SAP HANA XS Classic consists of
mainly the same steps. In particular, if the SAP HANA DB was already configured for Kerberos
before, only a small number of additional configuration steps are necessary for activating
SPNEGO for SAP HANA XS Classic.
Since the steps for configuring Kerberos for SAP HANA DB and SPNEGO for SAP HANA XS Classic
are mainly the same, SPNEGO will only be mentioned explicitly in case there is some specific
configuration necessary.
The appendix contains a dedicated troubleshooting section.
1.1 Single Sign-on
SSO allows a user to log on once and gain access to multiple systems and services without being
asked to produce credentials again.
Kerberos is one of many ways for realizing SSO (other examples are SAML or X.509 certificates).
Depending on how SSO has been setup, it could permit the user logon to just a front-end application
or it can enable SSO all the way down to the database in what’s known as SSO to database
(SSO2DB). In case the user doesn’t use direct SAP HANA database interfaces such as SAP HANA
Studio or hdbsql, but e.g. an SAP BusinessObjects application (BI Launchpad, WEBI etc.), SSO2DB
is realized via delegation.
Example
An example of SSO that is relevant to many office workers day-to-day is the use of
Microsoft Outlook and the absence of a login and password to access your email and
address book. When a user logs into a workstation, they enter a username and
password. Shortly afterwards the desktop appears. If you start Outlook, you are not
prompted for the login and password you just entered. The mechanisms of this are
described in detail later in this document.
July 2023
1
Single Sign-On with SAP HANA® Database using Kerberos and Microsoft Active Directory
1.2 Definitions
The following terms and example values will be used throughout this text:
•
Active Directory Domain Name – MYDOMAIN.COM.
What is called domain name in Windows AD is called Realm Name in Kerberos speak.
Recommendation
The convention for realm names is to use upper case letters.
•
Network Domain Name - mydomain.com.
Recommendation
The convention for network names is to use lower case letters.
Important
While Windows is case-insensitive, Linux is not. This becomes crucial when e.g. a
keytab is exported from Windows using ktpass and imported into the Linux based SAP
HANA database server.
•
DB Server – myhdbserver.mydomain.com.
The DB Server is the server where the SAP HANA database is installed.
Important
The DB server is denoted by its fully qualified canonical domain name.
•
SAP HANA Database Service User for SSO mapped in Windows AD – myhdbserviceuser
(Chapter 4.4Create the SAP HANA Database Service User(s))
A Service User is technically a plain Active Directory user account, which doesn't belong to a
natural person, but an IT service. It is used to access the KDC and to create the Kerberos
keytab.
Recommendation
The convention for the SAP HANA database Service User is to use the simple hostname
of the DB server.
•
Windows Active Directory SSO domain user – aduser1
The Kerberos SSO connection will be tested with this Windows AD user
(Chapter 4.1)
•
SAP HANA Database user to which the Windows Active Directory SSO domain user is
mapped as external ID - SSO_TEST
The Kerberos SSO connection will be tested with this DB user.
(Chapter 4.8)
•
Windows Active Directory admin user
The commands which have to be executed by this user are noted like
>
•
SAP HANA DB OS admin user - <sid>adm
The commands which have to be executed by this user are noted like
#>
•
For SAP HANA 1 SPS11 and older - OS admin user on SAP HANA DB - root
The commands which have to be executed by this user are noted like
$>
July 2023
2
Single Sign-On with SAP HANA® Database using Kerberos and Microsoft Active Directory
2. Background Information
2.1 Microsoft Active Directory
Active Directory is a repository for information about objects that reside on an enterprise network, such
as users, groups, computers, printers, applications, and files. It is a centralized IT infrastructure being
used within nearly all enterprises today. It was introduced with Windows 2000 Server. Key version
numbers were introduced with Windows Server 2003, while strong encryption using AES 128/256 was
only introduced with Windows Server 2008.
CAUTION
Typically, Windows AD administration is done by a different organization within the enterprise than
SAP HANA database administration. This might require careful planning of configuration steps
involving AD and might also slow down troubleshooting.
This is also a reason why we recommend creating the Kerberos keytab on the SAP HANA DB
server for rc4-hmac encryption using hdbkrbconf.py and for aes256 using ktutil addent
instead of exporting it from Windows using ktpass: It reduces the dependency on the AD admins.
In addition, you should create a dedicated OU for the SAP HANA database administration.
Since AES256 offers a stronger protection of the Kerberos keys, we strongly recommend
configuring that for productive usage.
July 2023
3
Single Sign-On with SAP HANA® Database using Kerberos and Microsoft Active Directory
2.2 Kerberos
Kerberos is an authentication protocol (RFC 4120) originally developed at the Massachusetts Institute
of Technology (MIT) which permits a client to authenticate with a service via a Service Ticket specific
to the service in question. This ticket will be issued by a Key Distribution Center (KDC) based on a
meta-ticket specific to the client, the Ticket Granting Ticket (TGT).
The service is known in the network under its Service Principal Name (SPN) which is a logical
mapping to an AD account where the service is registered as a Service User. In a Windows
environment, this TGT is automatically acquired during operating system user logon, while on Linux it
is typically acquired ad-hoc using the kinit tool.
Active Directory/ KDC
Authentication
Service
(AS)
Ticket Granting
Service
(TGS)
(1) AS-REQ: Request TGT
(2) AS-REP: TGT,
TGS session key, timestamp, expiry
(encrypted with user key)
(1) (2)
(3) (4)
(3) TGS-REQ: Request
service ticket using TGT
(4) TGS-REP:
1. session key (for client)
2. service ticket containing
session key, timestamp, expiry
(encrypted with service key)
(5)
Client
(6)
Service
(5) AP-REQ: Send client
authenticator and service ticket
(6) AP-REP: Send service authenticator
Figure 1: Protocol steps in Kerberos authentication (took and adapted from [1]).
Part of the authentication protocol messages are encrypted using a symmetric session key. Several
encryption algorithms (encryption types) are supported. The most wide-spread algorithm used to be
rc4-hmac, but aes256-cts is also available since Windows Server 2008.
The session key will be created by the KDC dynamically, but it is based on a longtime user or service
key, respectively. For an operating system user, the longtime key can always be restored by asking for
the password. For an IT service on the other hand, this key is stored on the server in a so-called
keytab file. We will have to create a keytab for the DB server. The keytab contains one or more keys
(depending on the number of supported encryption types) for one or more service principal names.
Note that in Figure 1 there is no communication between the service and the KDC! In fact, the only
piece of communication needed by the service is the keytab. From there, it gets its longtime service
key(s) allowing the service to decrypt the service ticket sent by the client. It contains the session key
needed for decrypting the client authenticator. By checking the contents of the authenticator, which in
addition to the client name contains a timestamp and an expiry date, the authentication is completed
on the server side. Since the timestamp is a critical part of the protocol, it is important that all hosts
July 2023
4
Single Sign-On with SAP HANA® Database using Kerberos and Microsoft Active Directory
involved have synchronized clocks. For mutual authentication, the server also sends such an
authenticator to the client.
Since with MIT Kerberos the keytab is stored in the file system, we rely on the secureness of the
particular host and the privacy of the key(s). As Kerberos is using symmetric cryptography, in case
either the host or the service key is compromised the following attacks are possible:
1. Impersonating the service:
Authentication of the service (mutual authentication) relies on the privacy of the service key.
Anybody knowing the key would be able to decrypt the AP_REQ and forge a service
authenticator.
2. Impersonating arbitrary users:
The validation of service tickets relies on the privacy of the service key. A service ticket is valid
when it is encrypted with the service key, because it is assumed that only the KDC knows this
key. Anybody knowing the service key or the service user’s password (the key is generated
from the password using a fixed scheme) can forge service tickets, claiming to be originating
from arbitrary user principals. It is not possible for the service to distinguish such fabricated
Kerberos tickets from tickets issued by the KDC.
To minimize the above risks, read access to the keytab file should be restricted to a single user, which
would be the <SID>adm in SAP HANA database. Second, the password for the Service User
representing the SAP HANA database should be strong and it should be changed periodically.
Kerberos can be run via UDP or TCP, but we highly recommend TCP. When run via UDP, sporadic
logon errors may occur, which are difficult to troubleshoot.
July 2023
5
Single Sign-On with SAP HANA® Database using Kerberos and Microsoft Active Directory
Kerberos SSO can be used for direct connections to the SAP HANA database from e.g. SAP HANA
studio or hdbsql. In addition, it is also possible to propagate user identity from e.g. WEBI over BI
Server to SAP HANA database. Such an authentication from some frontend client via a middle tier
service to a backend service is realized using Kerberos delegation. To this end, a specific version of a
user’s TGT, a forwardable ticket granting ticket, is employed as the following figure explains.
(1) AS-REQ: TGT for Client
(2) AS-REP: TGT
(flags: “forwardable”, “initial”),
session key (encrypted)
Active Directory/ KDC
Authentication
Service
(AS)
(3) TGS-REQ: Service Ticket
for Middle Tier
(4) TGS-REP: ticket,
session key (encrypted)
(5) TGS-REQ: TGT’ for Middle
Tier, option “forwarded”
(6) TGS-REP: TGT’ for Middle
Tier, flag “forwarded”
Ticket Granting
Service
(TGS)
(7) AP-REQ: TGT’, session key
(8) AP-REP: Authenticator
for Middle Tier
(1) (2)
Frontend
(Client)
(3) (4) (5) (6)
(7)
(8)
(9) TGS-REQ: Service Ticket
for Backend
(10) TGS-REP: ticket,
session key (encrypted)
(11) AP-REQ: Authenticate
on behalf of Client
(12) AP-REP:
Authenticator Backend
(9) (10)
Middle Tier
Service
(11)
(12)
Backend
Service
Figure 2: Protocol steps involved in Kerberos delegation (e.g. WEBI <-> BI Server <-> DB Server)
(took and adapted from [1]).
In the example, the BI server logs into SAP HANA database on behalf of the AD user who has logged
into WEBI.
The SAP HANA database server, the SAP HANA studio and the SAP HANA ODBC client are based
on the MIT Kerberos V5 implementation, while the SAP HANA JDBC client is based on the Java
Development Kit (JDK) implementation of the protocol.
July 2023
6
Single Sign-On with SAP HANA® Database using Kerberos and Microsoft Active Directory
2.3 SPNEGO
The Simple and Protected GSS-API Negotiation (SPNEGO) is a protocol for client and server to
determine a common set of SSO mechanisms. It was specified in RFC 4178, and the corresponding
HTTP binding in RFC 4599 (the latter can be seen as a natural HTTP extension of RFC 2617, the
HTTP authentication via challenge/response).
The negotiation became necessary because in the time when Kerberos was introduced, in Windows
networks there were legacy SSO protocols like NTLM, which were meant to be usable as a fallback
mechanism in case Kerberos is not available. However, many servers (including SAP HANA XS) don’t
support anything else but Kerberos 5 as mechanism and therefore do not support the actual
negotiation step, where the client in the first protocol message lists the supported mechanisms, and
the server then determines an appropriate one; rather, the client has to include a Kerberos 5 token
already in the first message. This behavior is implemented by all major web browsers.
An example HTTP request for a web site www.foo.com/index.html, which has been
configured for SPNEGO authentication, results in the following protocol flow between client (C) and
server (S):
1. C: Initial request
GET www.foo.com/index.html
2. S: Challenge - ask for SPNEGO authentication
HTTP/1.1 401 Unauthorized
WWW-Authenticate: Negotiate
3. C: Response – initialize Kerberos context and put resulting token into HTTP header
GET www.foo.com/index.html
Authorization: Negotiate <Kerberos Token>
4. S: Accept Kerberos context and put resulting token into HTTP header
HTTP/1.1 200 Success
WWW-Authenticate: Negotiate <Kerberos Token>
In order to avoid man-in-the-middle attacks, it is strictly recommended to protect resources where
users authenticate via SPNEGO with SSL: The HTTP server should require SSL connections, refusing
or redirecting any plain HTTP requests. Even better, the server should return HTTP Strict Transport
Security response headers to instruct the browser to use only SSL from now on. To this end, you can
set the flag Prevent Public Access for Sub-Packages in the SAP HANA XS Admin tool.
Furthermore, you should create separate service users for Kerberos and SPNEGO. Otherwise, since
plain Kerberos tokens travel over the network in the clear, it would be possible for an attacker to
capture such a packet and forge an HTTP Negotiate request from that.
Note: Do not access the webserver with its IP-address when you defined the of the SPN of the
webserver SPN as FQDN.
July 2023
7
Single Sign-On with SAP HANA® Database using Kerberos and Microsoft Active Directory
3. Prerequisites
3.1 Network Requirements
...
The clocks of all hosts involved are synchronized.
On the Active Directory domain controller, Kerberos is forced to use TCP instead of UDP (see
http://support.microsoft.com/kb/244474/en-us for reference).
Hostname reverse lookup (/etc/hosts on the DB server and/or DNS record type PTR in Active
Directory) is set up for “physical” and “virtual” DB server hostname(s).
On the DB server, hostname resolution must be consistent with reverse lookup.
A “virtual” hostname must actually be a DNS alias, while the “physical” hostname must be a canonical
name.
Important
A virtual hostname aka DNS alias must be realized using a DNS CNAME record, while the
corresponding physical hostname must be registered as an A record in DNS.
3.2 Software Requirements
From SAP HANA 1 SPS12 and HANA 2
The required Kerberos libraries will be installed on the DB server from the SAP HANA server
installation into the path that belongs the SID of the SAP HANA installation.
/usr/sap/<SID>/HDB<Instance>/exe/krb5/lib/libgssapi_krb5.so
lrwxrwxrwx 1 <sid>adm sapsys
libgssapi_krb5.so
The path can be overruled by an environment parameter of the OS:
LD_LIBRARY_PATH=/usr/sap/<SID>/HDB<instance>/exe/krb5/lib
Additionally, the Kerberos library has to be present on the host to execute the Kerberos commands
like klist, kinit, etc.
Up to SAP HANA 1 SPS11
The MIT Kerberos client and server libraries must be installed on the DB Server as OS package.
To verify whether the software requirements are met, please run:
#> rpm -qa | grep krb5
krb5-1.6.3-133.49.103.1
krb5-client-1.6.3-133.49.103.1
krb5-32bit-1.6.3-133.49.103.1
The version numbers don’t have to match exactly but should be above 1.6.3-133 to include important
security patches.
July 2023
8
Single Sign-On with SAP HANA® Database using Kerberos and Microsoft Active Directory
3.3 Organizational Requirements
Important
You need profound knowledge about Microsoft Active Directory and Kerberos.
Before setting up SSO, make sure you have the following resources available:
•
Windows Active Directory admin user having the right to manage Users and Computers for
the Active Directory Organizational Unit where the SAP HANA database Service User shall be
configured.
The commands which have to be executed are noted as >
•
SAP HANA OS admin user - <sid>adm
The commands which have to be executed are noted as #>
•
For SAP HANA 1 SPS11 and older - OS admin user on SAP HANA DB - root
The commands which have to be executed are noted as $>
Recommendation
Create a dedicated Organization Unit(OU) for the objects related to the SAP HANA database
configuration, e.g. OU=HANA_SSO,OU=Resources,DC=MYDOMAIN,DC=COM and grant the
SAP HANA database administrator the authorizations to Create, delete and manage user
accounts for this OU.
July 2023
9
Single Sign-On with SAP HANA® Database using Kerberos and Microsoft Active Directory
3.4 Related Information
3.4.1
SAP HANA Database
•
SAP HANA Security Guide for SAP HANA Platform
•
SAP HANA Administration Guide for SAP HANA Platform
•
SAP Note 1813724 - HANA SSO using Kerberos and SPNEGO: Create keytab and validate
Kerberos configuration
A Python script hdbkrbconf.py is provided for:
Validating the IP configuration at the SAP HANA DB server (hostname resolution/
reverse lookup)
Checking the local Kerberos configuration for consistency with the remote Active
Directory
Creating the Kerberos keytab on SAP HANA DB for rc4-hmac encryption
3.4.2
•
SAP Web Dispatcher
Administration of the SAP Web Dispatcher
3.4.3
Kerberos/ Active Directory
For anyone needing background information on Kerberos or Active Directory troubleshooting, the
following web sites may be of interest:
•
Designing an Authentication System: a Dialogue in Four Scenes (MIT):
http://web.mit.edu/kerberos/dialogue.html
•
Active Directory: Using Kerberos s to integrate non-Windows systems
•
Kerberos Protocol Tutorial: http://www.kerberos.org/software/tutorial.html
•
Microsoft Windows Active Directory (Windows AD) Troubleshooting:
https://blogs.technet.microsoft.com/askds/2008/05/14/troubleshooting-kerberosauthentication-problems-name-resolution-issues/
Switch on Windows System Event Log for Kerberos:
http://support.microsoft.com/kb/262177/en-us
Things to check when Kerberos authentication fails using IIS/IE…:
http://blogs.msdn.com/b/friis/archive/2009/12/31/things-to-check-when-kerberosauthentication-fails-using-iis-ie.aspx
•
SUSE:
•
SUSE Linux Enterprise Server 12 Security Guide
SUSE Linux Enterprise Server 15 Security Guide
Single Sign-On with SAP HANA Scale-out System using Kerberos and Microsoft Active Directory
https://blogs.sap.com/2020/09/23/single-sign-on-with-sap-hana-scale-out-system-usingkerberos-and-microsoft-active-directory/
We recommend the following books:
[1] Pröhl, Mark: Kerberos: Single Sign-on in gemischten Linux/Windows-Umgebungen.
Heidelberg: dpunkt.verlag, 2011
[2] Desmond, Brian et al.: Active Directory: Designing, Deploying, and Running Active Directory.
Sebastopol: O’Reilly Media, 2013
July 2023
10
Single Sign-On with SAP HANA® Database using Kerberos and Microsoft Active Directory
4. Step-by-Step Procedure
The configuration of SAP HANA database SSO with Kerberos consists of few, albeit error-prone
steps. We have to create a Service User representing SAP HANA database in AD, being mapped by a
Service Principal Name. Then we have to create a keytab for this SPN on the DB server. On the DB
server, we also need a Kerberos keytab file. Finally, we have to create an externally-mapped SAP
HANA database user.
4.1 Create the Windows AD User
Create the Windows test user aduser1 to verify your setup.
Log on to the Windows AD as domain administrator.
Execute the command on console:
> dsadd user "cn=aduser1,cn=users,dc=MYDOMAIN,dc=COM" –upn
aduser1@MYDOMAIN.COM -pwd <passwd> -disabled no
4.2 Hostname Resolution
4.2.1
Setup
When doing hostname resolution, you want to know one of the following:
•
IP address(es) given to the public hostname (potentially an alias)
•
Fully qualified domain name (FQDN) of the host for its simple hostname (or alias)
•
Canonical hostname of the host given for its simple hostname (or alias)
•
Public hostname given to the IP address of the host (reverse lookup)
On Linux there are several tools for hostname resolution. Some of them use DNS directly (dig,
host, nslookup), while others (hostname) follow the convention to first check whether a file-based
local resolution should be preferred over DNS, mimicking the behavior of the system calls
gethostbyname and gethostbyaddr. In this case the order that will be used is specified in the
following files:
• /etc/nsswitch.conf
• /etc/host.conf
Which file is actually used depends on the library or the system call, respectively host local lookup has
precedence, as configured in the following examples:
#> cat /etc/nsswitch.conf | grep hosts
hosts:
files dns
#> cat /etc/host.conf | grep hosts
# This line should be in sync with the "hosts"
order hosts, bind
July 2023
11
Single Sign-On with SAP HANA® Database using Kerberos and Microsoft Active Directory
The main point here is that the reverse lookup must be configured consistently with the hostname
lookup, since this will be used by the SAP HANA database server Kerberos implementation for
determining the SPN. The SPN in turn will be used for the lookup into the keytab.
The local hostname resolution is done using the file /etc/hosts, for example:
#> cat /etc/hosts | grep myhdbserver
<IP address>
myhdbserver.mydomain.com myhdbserver
where <IP address> must be replaced with the primary IP address of the DB server.
CAUTION
In Windows, hostnames are sometimes created in upper case. However, the MIT Kerberos
implementation used by SAP HANA database strictly requires a lower-case hostname in the
keytab entry, so the respective SPN must be created with a lower-case hostname part in
Active Directory.
For changes to /etc/hosts taking effect, you have to flush the nscd DNS cache (SLES11 only):
#> sudo /etc/init.d/nscd restart
In case /etc/nsswitch.conf or /etc/host.conf specify that DNS should be used, this has to
be configured in /etc/resolv.conf, for example:
#> cat /etc/resolv.conf
domain dhcp.mydomain.com
search sub1.mydomain.com sub2.mydomain.com mydomain.com
nameserver 10.17.220.72
Please find detailed information about the hostname resolution on the DB server running
#> man hostname
#> man host
#> man nsswitch.conf
#> man host.conf
#> man resolv.conf
4.2.2
Verification
On the DB server, run
#> hostname --fqdn
myhdbserver.mydomain.com
for getting the public FQDN of the DB server.
Run
#> hostname --ip-address
<IP address>
for getting the respective IP address.
July 2023
12
Single Sign-On with SAP HANA® Database using Kerberos and Microsoft Active Directory
For checking the reverse lookup, run
#> python <<EOF
> import socket
> host = socket.gethostbyaddr('<IP address>')[0]
> print host
> EOF
myhdbserver.mydomain.com
where <IP address> must be replaced with the primary IP address of the DB server.
The above python script does exactly the same as the SAP HANA database server when it constructs
the expected SPN. The result of the above python script must equal the result of the first command,
hostname –fqdn.
July 2023
13
Single Sign-On with SAP HANA® Database using Kerberos and Microsoft Active Directory
4.3 SAP HANA Database Server Kerberos Configuration
The configuration file needs to be setup accordingly to your domain and realm landscape. For details
refer to MIT Kerberos Documentation krb5.conf definition.
4.3.1
Location of the Kerberos config File
From HANA 1 SPS012 and HANA 2
Log on to the SAP HANA DB server as user <sid>adm.
The configuration file must be located in directory $HOME/etc (by default, that will be
/usr/sap/<SID>/home/etc)
Create the folder /etc if needed:
#:/usr/sap/<SID>/home> ls -l
drwxr-xr-x 2 <sid>adm sapsys
etc
Create the file krb5_hdb.conf if needed:
#:/usr/sap/<SID>/home/etc> ls -l
-rw-r--r-- 1 <sid>adm sapsys
krb5_hdb.conf
The OS environment variable $KRB5_CONFIG is mapped to that path.
For deviated locations of the configuration file change the value of the OS environment variable for
user <sid>adm until the next login by using command
#> export KRB5_CONFIG=/<newpath>/krb5_hdb.conf
or permanently by adding it to the customer shell script:
#> cat /usr/sap/<SID>/home/.customer.sh
...
export KRB5_CONFIG=/<newpath>/krb5_hdb.conf
Create file .customer.sh if it does not exist.
#>/usr/sap/<SID>/home> ls -lah
-r-xr-xr-x 1 au9adm sapsys 2.3K .bashrc
-rw-r--r-- 1 au9adm sapsys
0 .customer.sh
Up to HANA 1 SPS011
Log on to the SAP HANA DB as user root
On the SAP HANA DB server, a configuration file for the MIT Kerberos libraries, krb5.conf, needs to
be setup. This file must be created on $HOME/etc. An environment variable $KRB5_CONFIG will be
automatically configured on the next login. However, restart of SAP HANA DB is required in order to
consume this variable in SAP HANA DB layer.
#/etc> ls -l
-rw-r--r-- 1 root root
July 2023
/etc/krb5.conf
14
Single Sign-On with SAP HANA® Database using Kerberos and Microsoft Active Directory
4.3.2
Setup
There is no difference in the structure of the Kerberos config file used in
•
•
HANA 1 SPS12 and HANA 2: krb5_hdb.conf
HANA 1 SPS11 and lower: krb5.conf
Within this document will continue naming the Kerberos configuration file krb5_hdb.conf
Note
If there is no configuration file krb5_hdb.conf available in <sid>adm $HOME/etc (by default, that
will be /usr/sap/<SID>/home/etc), the SAP HANA DB will read the configuration file
krb5.conf from the root $HOME/etc folder as is was in HANA 1 SPS11 and older.
We can differentiate between several krb5_hdb.conf use cases. The MIT Kerberos libraries all use
the same format, but depending on the use case, many parameters from other use cases are
irrelevant (or may even be adverse).
The following use cases exist:
•
KDC: In case you want to run an MIT Kerberos based KDC (not applicable)
•
Client: When you want to connect from a Linux box as a client (e.g. hdbsql) to another server
(e.g. SAP HANA DB on another or the same host)
•
Server: The server could be the SAP HANA DB and this is exactly the case at hand
Technically, in many customer installations using a DNS Kerberos configuration (/etc/bind entries
like _kerberos._tcp.REALM etc.), the only thing the DB server needs is this stripped-down
krb5_hdb.conf:
Log on to the SAP HANA DB server as <sid>adm.
#> cat krb5_hdb.conf
[domain_realm]
.mydomain.com = MYDOMAIN.COM
mydomain.com = MYDOMAIN.COM
In case Kerberos is not configured in DNS, the SAP HANA database server will additionally need the
default_realm and the [realm] specification. Make sure that the Active Directory domain
(MYDOMAIN.COM in the example) is consistent across default_realm , realms, domain_realm.
Furthermore, the keytab for the DB server must contain an entry exactly matching this Active Directory
domain, i.e. the SAP HANA Database Service User must be created within this domain. Creation of
the Service User and the keytab will be described below.
July 2023
15
Single Sign-On with SAP HANA® Database using Kerberos and Microsoft Active Directory
Basic Kerberos configuration:
#> cat krb5_hdb.conf
[libdefaults]
default_realm = MYDOMAIN.COM
[realms]
MYDOMAIN.COM = {
kdc = mykdc1_hostname.mydomain.com
}
[domain_realm]
.mydomain.com = MYDOMAIN.COM
mydomain.com = MYDOMAIN.COM
[logging]
kdc = FILE:/var/log/krb5/krb5kdc.log
admin_server = FILE:/var/log/krb5/kadmind.log
default = SYSLOG:NOTICE:DAEMON
In section [libdefaults] you can add additional parameters.
The [realms] section contains the names of the KDC hosts. In case the IT landscape contains
multiple KDC hosts, you must provide a separate line for each of them:
kdc = mykdc1_hostname.mydomain.com
kdc = mykdc2_hostname.mydomain.com
Important
The [domain_realm] section covers only the mapping for the SAP HANA DB server domain (it has
nothing to do with the client domain(s)!). This will be used in mutual authentication when the SAP
HANA DB client tries to authenticate the SAP HANA database server.
The [domain_realm] mapping must consist of the domain name in its full length. In case the FQDN
of the SAP HANA DB server is hdbserver.subdomain.domain.com, the [domain_realm] entry
has to be:
.subdomain.domain.com = DOMAIN.COM
subdomain.domain.com = DOMAIN.COM
but not
.domain.com = DOMAIN.COM
domain.com = DOMAIN.COM
The [logging] section is only used when the MIT KDC on Linux is used. It has no effect when the
KDC is running on Microsoft AD.
For completing the verification steps and a local SSO test later, you might need to extend the
Kerberos config file specifically for your use case.
July 2023
16
Single Sign-On with SAP HANA® Database using Kerberos and Microsoft Active Directory
Important
Changes to the krb5_hdb.conf take effect only after restart of the SAP HANA DB.
How a restart can be avoided is described in 4.9.1 Avoid a restart of the SAP HANA DB.
Note
In any case, you don’t have to set dns_lookup_kdc (relevant only for client use case) or
dns_lookup_realm to true, unless you really use DNS SRV records for maintaining KDC
addresses and/or DNS TXT records for mapping DNS domains to Kerberos realms. In doubt,
check with your local admin.
4.3.3
Verification
We will now test the
• connectivity between the SAP HANA DB server and the Windows AD
• SAO HANA DB server configuration file krb5_hdb.conf
Log on to the SAP HANA DB server as <sid>adm.
When using the kinit and klist utilities, we rely on the proper configuration of the Windows AD
test user aduser1. Using kinit we try to authenticate the test user against the AD domain and create
a TGT:
#> kinit aduser1@MYDOMAIN.COM
Password for aduser1@MYDOMAIN.COM:
Using klist we can see this ticket (parameter -e will show the encryption type):
#> klist -e
Ticket cache: FILE:/tmp/krb5cc_1003
Default principal: aduser1@MYDOMAIN.COM
Valid starting
02/18/13 15:25:58
Expires
02/19/13 01:26:02
Service principal
krbtgt/ MYDOMAIN.COM@MYDOMAIN.COM
renew until 02/19/13 15:25:58 Etype (skey, tkt): aes256-cts-hmac-sha1-96,
aes256-cts-hmac-sha1-96
July 2023
17
Single Sign-On with SAP HANA® Database using Kerberos and Microsoft Active Directory
4.4 Create the SAP HANA Database Service User(s)
You must create one or more Service Users representing the SAP HANA database in Active Directory
on the AD Domain Controller. As explained in section Background Information, you should create
separate service users for Kerberos and SPNEGO.
A so-called Service User is technically a plain user account in the first place. It gets its special
meaning later, when we map a Service Principal Name to it.
Recommendation
We recommend creating a dedicated OU for the SAP HANA database Service User(s). This
allows granting the necessary administrative rights for this OU to SAP HANA database admins,
which typically wouldn’t have these rights in other OUs (see chapter 3.3 Organizational
Requirements).
A Service User should be assigned a strong password (i.e. minimum length 8 characters, not easy to
guess, containing digits and special characters). In case the password is compromised, clients
knowing it would be able to impersonate anybody when connecting to the SAP HANA database by
forging service tickets.
A Service User should be assigned a password which never expires to avoid service downtimes.
Nonetheless, you should change it periodically.
Furthermore, a SAP HANA database Service User should not be enabled for any kind of delegation
(e.g. Constrained Delegation aka “S4U2Proxy", aka "Protocol Transition"), because then it could
obtain Kerberos tickets for all services configured under Constrained Delegation in the name of
arbitrary users. This could be exploited by attackers in case the Service User password is
compromised.
4.4.1
Setup
Log on to the Windows AD as domain administrator.
We recommend creating the user via CLI. In an elevated Windows command shell, run (choosing a
strong password matching the local policy that never expires):
> dsadd user "cn=myhdbserviceuser,cn=users,dc=MYDOMAIN,dc=COM" -upn
myhdbserviceuser@MYDOMAIN.COM -pwd <passwd> -disabled no -pwdneverexpires
yes -acctexpires never
CAUTION
Choose a strong password (see explanation above).
Recommendation
In case you run into problems, do not blindly rely on the correctness of the service user. There
was a Very High customer message due to a service user with an encryption type not supported
(it was DES, now considered insecure). Rather, don’t hesitate to start over with a fresh service
user (see below).
July 2023
18
Single Sign-On with SAP HANA® Database using Kerberos and Microsoft Active Directory
Important
The Active Directory domain (dc=MYDOMAIN,dc=COM in the example above) must be the same
as specified in the DB server’s krb5.conf (see above).
To use Kerberos key encryption AES256 check the Account option "This account supports Kerberos
256 bit encryption". For details refer to Windows Configurations for Kerberos Supported Encryption
Type.
Figure 3: Account options to be set for SAP HANA Database service user and AES256 key encryption
4.4.2
Verification
Log on to the SAP HANA DB server as <sid>adm.
Execute
#> kinit myhdbserviceuser@MYDOMAIN.COM
to get a TGT for the SAP HANA database service user. You must supply the password that was used
when the service user account was created in AD.
Afterwards, run klist to check the resulting ticket cache (example):
#> klist -e
Ticket cache: FILE:/tmp/krb5cc_1003
Default principal: myhdbserviceuser@MYDOMAIN.COM
Valid starting
02/18/13 15:50:47
Expires
02/19/13 01:50:50
Service principal
krbtgt/MYDOMAIN.COM@MYDOMAIN.COM
renew until 02/19/13 15:50:47 Etype (skey, tkt): aes256-cts-hmac-sha1-96,
aes256-cts-hmac-sha1-96
July 2023
19
Single Sign-On with SAP HANA® Database using Kerberos and Microsoft Active Directory
4.5 Register Service Principal Name (SPN) in AD
Next, we need to create a Service Principal Name (SPN) for the SAP HANA DB server in Windows
AD. The SPN is simply a mapping of a service name to a service user. We need this SPN later, when
we create the SAP HANA DB server’s Kerberos Keytab.
4.5.1
Setup Kerberos for SAP HANA DB
Log on to the Windows AD as domain administrator.
When configuring Kerberos for SAP HANA DB, you must create exactly one SPN for each physical
host of the system.
The SPN for SAP HANA DB must strictly follow the following format:
hdb/<DB server>@<domain>
where <DB server> should be the fully qualified canonical domain name of the DB server host and
<domain> is the AD Domain Name.
CAUTION
In Windows, hostnames are sometimes created with upper case. However, the SAP HANA
implementation strictly requires a lower-case hostname in the keytab entry, so the respective SPN
must be created with a lower-case hostname part in Active Directory.
To create the SPN by mapping the service hdb/myhdbserver.mydomain.com to the HANA DB
service user MYDOMAIN\myhdbserviceuser execute the command on Windows AD shell:
> setspn -S hdb/myhdbserver.mydomain.com MYDOMAIN\myhdbserviceuser
CAUTION
In the setspn command, you must not include the @<domain> part of the SPN.
Note
In contrast to many other server products, a SAP HANA database client doesn't have to know this
SPN, since it is retrieved from the DB server as the first step in the SAP HANA database
authentication protocol.
CAUTION
In case you change something in AD, e.g. the SPN mapping, you must make sure that this change
is replicated. Replication typically happens within the order of minutes, but the interval is
configurable.
Every Kerberos connect will stop if you change the SPN or the SAP HANA service user's
password for the service connection as the keytab entry for the SPN is not valid any more.
July 2023
20
Single Sign-On with SAP HANA® Database using Kerberos and Microsoft Active Directory
4.5.2
Setup of SPNEGO for SAP HANA XS Classic
Log on to the Windows AD as domain administrator.
When you configure SPNEGO for SAP HANA XS Classic, you must create one SPN for each alias of
each physical host of the system.
An SPN for SAP HANA XS Classic must strictly follow the following format:
HTTP/<DB server>@<domain>
where <DB server> should be the fully qualified canonical domain name of the DB server host or any
alias of the same and <domain> is the AD Domain Name.
CAUTION
In Windows, hostnames are sometimes created with upper case. However, the SAP HANA
implementation strictly requires a lower-case hostname in the keytab entry, so the respective SPN
must be created with a lower-case hostname part in Windows AD.
To create the SPN by mapping the service HTTP/myhdbserver.mydomain.com to the HANA DB
service user MYDOMAIN\myhdbserviceuser execute the command on Windows AD shell:
> setspn -S HTTP/myhdbserver.mydomain.com MYDOMAIN\myhdbserviceuser
CAUTION
In case you change something in Windows AD, e.g. the SPN mapping, you must make sure that
this change is replicated. Replication typically happens within the order of minutes, but the interval
is configurable.
4.5.3
Verification
In the following the verification steps for configuring Kerberos for SAP HANA DB are shown. Doing the
same for SPNEGO means simply replacing hdb by HTTP in the SPNs given below.
Log on to the Windows AD as domain administrator.
In a Windows command shell, run
> setspn -L MYDOMAIN\myhdbserviceuser
to see the SPN mapped to the service user account.
To query the existence of the SPN run
> setspn -Q hdb/myhdbserver.mydomain.com
On the DB server, run
#> kinit myhdbserviceuser@MYDOMAIN.COM -S
hdb/myhdbserver.mydomain.com@MYDOMAIN.COM
to retrieve a service ticket for the DB server.
July 2023
21
Single Sign-On with SAP HANA® Database using Kerberos and Microsoft Active Directory
The result should be like
#> klist
Ticket cache: FILE:/tmp/krb5cc_1003
Default principal: myhdbserviceuser@MYDOMAIN.COM
Valid starting
Expires
02/18/13 20:13:40 02/19/13 06:13:40
renew until 02/19/13 20:13:40
July 2023
Service principal
hdb/myhdbserver.mydomain.com@MYDOMAIN.COM
22
Single Sign-On with SAP HANA® Database using Kerberos and Microsoft Active Directory
4.6 Create Kerberos keytab for the SAP HANA DB Server
The Kerberos keytab is a file containing pairs of Kerberos principals and encrypted keys (which are
derived from the Kerberos password). The keys are needed by the SAP HANA DB to take part in
the authentication protocol. For details refer to MIT Kerberos Documentation keytab.
When you change the password of the DB Service User in the Windows AD myhdbserviceuser
you will need to recreate the corresponding key(s) in the keytab.
There are three alternative methods to create and extend the Kerberos keytab:
• On SAP HANA DB server using python script hdbkrbconf.py (for rc4-hmac encryption only)
see chapter 4.6.3 Create the keytab on SAP HANA DB Server using script hdbkrbconf.py
• On SAP HANA DB server using Kerberos command ktutil
see chapter 4.6.4 Create the keytab manually on the SAP HANA DB Server
• On Windows AD domain controller using command ktpass
see chapter 4.6.5 Create the keytab manually on the Windows AD domain controller
Recommendation
For MD5 encryption we recommend creating the keytab using the python script, since there are
some minor drawbacks creating the keytab using ktpass on the Windows AD domain controller.
Since AES256 offers a stronger protection of the Kerberos keys, we strongly recommend
configuring AES256 for productive usage.
4.6.1
Location of the Kerberos keytab file
From HANA 1 SPS012 and HANA 2
Log on to the SAP HANA DB server as user <sid>adm.
The Kerberos keytab file must be located in directory $HOME/etc (by default, that will be
/usr/sap/<SID>/home/etc)
Create the folder /etc if needed:
#:/usr/sap/<SID>/home> ls -l
drwxr-xr-x 2 <sid>adm sapsys
etc
#:/usr/sap/<SID>/home/etc> ls -l
-r-------- 1 <sid>adm sapsys
krb5_hdb.keytab
The OS environment variable $KRB5_KTNAME is mapped to that path.
For deviated locations of the configuration file change the value of the OS environment variable for
user <sid>adm until the next login by using command
#> export KRB5_KTNAME=/<newpath>/etc/krb5_hdb.keytab
or permanently by adding it to the customer shell script:
July 2023
23
Single Sign-On with SAP HANA® Database using Kerberos and Microsoft Active Directory
#> cat /usr/sap/<SID>/home/.customer.sh
...
export KRB5_KTNAME=/<newpath>/krb5_hdb.keytab
View the content of the keytab using Kerberos command klist:
#> klist -k /usr/sap/<SID>/home/etc/krb5_hdb.keytab
Up to HANA 1 SPS011
Log on to the SAP HANA DB as user root
The Kerberos keytab file must be created on $HOME/etc. An environment variable $KRB5_KTNAME
will be automatically configured on the next login. However, restart of SAP HANA DB is required to
consume this variable in SAP HANA DB layer.
$/etc> ls -l
-r-------- 1 <sid>adm sapsys
krb5.keytab
Note
If there is no Kerberos keytab file krb5_hdb.keytab available in <sid>adm $HOME/etc (by default,
that will be /usr/sap/<SID>/home/etc), the SAP HANA DB will read the keytab file
krb5.keytab from the root $HOME/etc folder as is was in HANA 1 SPS11 and older.
4.6.2
Definitions
KVNO stands for: Key Version Number. Find details at
https://blogs.msdn.microsoft.com/openspecification/2009/11/13/to-kvno-or-not-to-kvno-what-isthe-version/
The Windows AD server will follow these steps:
1)
It will try to decrypt the service ticket in the AP_REQ with the current key
2)
If it succeeds, it then sends the AP_REP to the client and the process moves forward
3)
But if it fails, it will then make its best effort and try to decrypt the ticket with the previous
version of the key (KVNO-1)
4)
If it succeeds, AP_REP and process moves forward
5)
If it fails, it will fail the AP_REQ and send an AP_REP with KRB_AP_ERR_MODIFIED
There is no difference in the structure of the Kerberos keytab file used in the different HANA revisions:
•
•
HANA 1 SPS12 and HANA 2: krb5_hdb.keytab
HANA 1 SPS11 and lower: krb5.keytab
Within this document will continue naming the Kerberos configuration file krb5_hdb.keytab
Important
Changes to the krb5_hdb.keytab take effect only after restart of the SAP HANA DB.
How a restart can be avoided is described in chapter 4.9.1 Avoid a restart of the SAP HANA DB.
July 2023
24
Single Sign-On with SAP HANA® Database using Kerberos and Microsoft Active Directory
4.6.3 Create the keytab on SAP HANA DB Server using script
hdbkrbconf.py
When using rc4-hmac encryption, the most comfortable way to create the Kerberos keytab is using
script hdbkrbconf.py attached to SAP Note 1813724.
Logon to SAP HANA DB server as <sid>adm.
Create new Kerberos keytab using parameter -k
#> python hdbkrbconf.py -k -V
Add a key to an existing Kerberos keytab using parameters -a -k
#> python hdbkrbconf.py -a -k -V
4.6.4 Create the keytab manually on the SAP HANA DB
Server
Logon to SAP HANA DB server as <sid>adm
Create the Kerberos keytab by executing Kerberos command ktutil, (refer to MIT Kerberos
Documentation ktutil and the Encryption types)
#> ktutil
ktutil: add_entry -password -p hdb/myhdbserver.mydomain.com@MYDOMAIN.COM k <kvno> -e <encryption type>
Password for hdb/myhdbserver.mydomain.com@MYDOMAIN.COM:
ktutil:
ktutil:
write_kt krb5_hdb.keytab
quit
<encryption type>
In case you use
rc4-hmac
RC4 HMAC encryption (insecure)
aes256-cts
AES256 encryption (see Appendix A: AES256 Encryption)
If the keytab file already exists, the new key will be appended. Otherwise a new keytab file will be
created.
Note
The key version number <knvo> can be retrieved by
#> kinit myhdbserviceuser@MYDOMAIN.COM
#> <password>
#> kvno hdb/myhdbserver.mydomain.com@MYDOMAIN.COM
July 2023
25
Single Sign-On with SAP HANA® Database using Kerberos and Microsoft Active Directory
Important
Changes to the krb5_hdb.keytab take effect only after restart of the DB server.
Recommendation
For setting up SSO the first time we recommend starting with encryption type rc4-hmac. This is
the most wide-spread algorithm for Kerberos but insecure. After successful completion of the
Kerberos configuration, you should switch to aes256-cts which offers a stronger protection (see
Appendix A: AES256 Encryption).
For SPNEGO, you must repeat the ktutil command for each alias of the DB server host by simply
replacing hdb by HTTP in the SPN.
$> ktutil
ktutil: add_entry -password -p HTTP/myhdbserver.mydomain.com@MYDOMAIN.COM
-k <kvno> -e <encryption type>
Password for HTTP/myhdbserver.mydomain.com@MYDOMAIN.COM:
ktutil:
ktutil:
write_kt krb5_http.keytab
quit
4.6.5 Create the keytab manually on the Windows AD
domain controller
Log on to the Windows AD as domain administrator.
Note: ktpass manipulates the user account (e.g. it increments the KVNO), which is not desired here.
> ktpass -princ hdb/myhdbserver.mydomain.com@MYDOMAIN.COM -mapuser
myhdbserviceuser@MYDOMAIN.COM -pass <passwd> -out C:\krb5_hdb.keytab -ptype
KRB5_NT_PRINCIPAL -crypto <encryption type>
<encryption type>
In case you use
RC4-HMAC-NT
RC4 HMAC encryption (insecure)
AES256-SHA1
AES256 encryption (see Appendix A: AES256 Encryption)
Copy the above created keytab krb5_hdb.keytab from the AD domain controller to the SAP HANA DB
server as described in chapter 4.6.1 Location of the Kerberos keytab.
4.6.6
Securing the keytab
Since the keytab is stored in the file system, you rely on the secureness of the dedicated SAP HANA
DB host. If not, the key(s) could be used for attacks. Therefore, the read access to the keytab file
should be restricted to a single user, which is the SAP HANA OS admin user <sid>adm.
July 2023
26
Single Sign-On with SAP HANA® Database using Kerberos and Microsoft Active Directory
From HANA 1 SPS012 and HANA 2
The Kerberos keytab was created from the SAP HANA admin user <sid>adm on
$> ls -l $HOME/etc |grep krb5_hdb.keytab
-r-------- 1 <sid>adm sapsys
krb5_hdb.keytab
For HANA systems on Database Isolation Level 'high' you must add the group permission read to the
keytab file
$> chmod 440 krb5_hdb.keytab
$> ls -l $HOME/etc |grep krb5_hdb.keytab
-r--r----- 1 <sid>adm
sapsys
krb5_hdb.keytab
Up to HANA 1 SPS011
Log on to the SAP HANA DB as user root
Give the ownership of the new keytab to the HANA OS admin user <sid>adm:
$ chown <sid>adm:sapsys krb5.keytab
As a <sid>adm restrict the authorizations to read only be the owner:
$> chmod 400 krb5.keytab
$> ls -l $HOME/etc |grep krb5.keytab
-r-------- 1 <sid>adm sapsys
krb5.keytab
4.6.7
Verification
Independent on how the keytab was created, you verify the correctness as follows.
Only the verification steps for configuring Kerberos for SAP HANA DB are shown. Doing the same for
SPNEGO means simply replacing hdb by HTTP in the SPNs given below.
Logon to SAP HANA DB server as <sid>adm
Check the content of the new keytab:
#> klist -k krb5_hdb.keytab -etK
Keytab name: FILE:/etc/krb5_hdb.keytab
KVNO Timestamp
Principal
---- ----------------- ---------------------------------------------------2 09/11/18 12:08:50 hdb/myhdbserver.mydomain.com (ArcFour with HMAC/md5)
(0x58a478135a93ac3bf058a5ea0e8fdb71)
Note
From our experience with Windows Server 2008 and Windows Server 2012, the key version
number (KVNO) for a new service user always starts with 2.
July 2023
27
Single Sign-On with SAP HANA® Database using Kerberos and Microsoft Active Directory
Verify the consistency of the keytab with the SAP HANA DB service data stored in the KDC.
As a preparation step for kvno, run
#> kinit myhdbserviceuser@MYDOMAIN.COM
to get a TGT for the SAP HANA DB service user. For verifying the correctness of the key version
number and the key(s) contained in the keytab run
#> kvno -k krb5_hdb.keytab hdb/myhdbserver.mydomain.com@MYDOMAIN.COM
hdb/myhdbserver.mydomain.com@MYDOMAIN.COM: kvno = 2, keytab entry valid
July 2023
28
Single Sign-On with SAP HANA® Database using Kerberos and Microsoft Active Directory
4.7 Change the Password of the SAP HANA DB Service
User
Since the keys stored in the keytab are generated from the password of the SAP HANA DB Service
User on Windows AD, you should change the Service User password periodically. After a change of
the password, either created again or extended the keytab to contain the new key(s). The password
change increment of the key version number (KVNO) of the key.
Recommendation
To avoid a downtime, you should add the new Kerberos key(s) to the existing keytab. This can
only be done using the Kerberos ktutil subcommand add_entry.
Otherwise, if you simply created a new keytab, users currently logged in would have to log off from
their Windows sessions to get new service tickets for the SAP HANA database. After a certain
transition period, you can delete the old Kerberos key(s) using the ktutil subcommand
delete_entry.
July 2023
29
Single Sign-On with SAP HANA® Database using Kerberos and Microsoft Active Directory
4.8 Assign the External ID to the SAP HANA DB user
To complete the SSO configuration, a SAP HANA DB user (of any name) representing the Windows
AD test user aduser1 needs to be created in the SAP HANA DB user administration.
For the SAP HANA DB user, you can choose any user name within the limits of the SAP HANA
database user name rules. However, the External ID must exactly match the Windows AD user and
domain name, in the format USER@ACTIVE DIRECTORY DOMAIN NAME, as seen below.
Logon to SAP HANA studio as a USER_ADMIN and complete the following steps.
Figure 4: Creating new HANA DB User (right-click on “Users” and New User)
Figure 5: Mapping the new DB user (of any name - here SSO_TEST) to Windows Active Directory
user (External ID).
July 2023
30
Single Sign-On with SAP HANA® Database using Kerberos and Microsoft Active Directory
You can create a new HANA DB user for Kerberos with the following command:
create user <DB USER> with identity '<aduser1>@<MYDOMAIN.COM>' for
kerberos;
or map existing ones:
alter user <DB USER> identified externally as '<aduser1>@<MYDOMAIN.COM>';
and enable them for Kerberos:
alter user <DB USER> enable kerberos;
CAUTION
Since Linux is case sensitive, the @MYDOMAIN.COM of the External ID must be written exact
(upper or lower case) like the realm has been defined in the Kerberos config file.
[realms]
MYDOMAIN.COM = { kdc = mykdc1_hostname.mydomain.com }
Note
External ID must exist in Window AD, but not necessarily the AD user who contains the SPN.
4.8.1
Verification of Kerberos for SAP HANA DB
4.8.1.1 SSO via hdbsql
To start simple, you may want to test the SAP HANA database SSO configuration by running the
hdbsql command. First, you would run it directly from the SAP HANA DB server, and then from a
different host. For troubleshooting, it might be useful to strictly separate a server and client
krb5_hdb.conf (refer to chapter 7.2.1 Running hdbsql on the SAP HANA DB Server for details).
You might have to run the SAP HANA client installation on the client host first.
In the case that you run hdbsql from Linux, please initially execute the following command:
#> kinit aduser1@MYDOMAIN.COM
to get a TGT for the test user. From Windows, this is not necessary, since you get the ticket
automatically during Windows logon, assuming that the organization uses the same directory for
workstation and SAP HANA database logons.
Try connecting without providing user name and password:
#> hdbsql -i <Instance> –n myhdbserver.mydomain.com
Welcome to the SAP HANA Database interactive terminal.
Type:
\h for help with commands
\q to quit
hdbsql=> \c
Connected to <SID>@myhdbserver.mydomain.com:3<instance>15
hdbsql <SID>=>
July 2023
31
Single Sign-On with SAP HANA® Database using Kerberos and Microsoft Active Directory
4.8.1.2 SSO via SAP HANA Studio
When creating a connection to the SAP HANA DB server in SAP HANA studio, the main point is to
select the Authentication by current operating system user as seen below.
Screen shots step by step (starting from user SYSTEM):
Figure 6: SAP HANA studio: Right-click on the left, Add System.
Figure 7: Specify DB instance to connect to.
July 2023
32
Single Sign-On with SAP HANA® Database using Kerberos and Microsoft Active Directory
Figure 8: Specify authentication method: Choose SSO (current operating system user).
Figure 9: After successful connect: Added system TDO.
July 2023
33
Single Sign-On with SAP HANA® Database using Kerberos and Microsoft Active Directory
4.8.2
Verification of SPNEGO for SAP HANA XS Classic
4.8.2.1 Setup
First you must check the web browser configuration. Each browser handles it differently, but usually
you must explicitly allow sites or domains for SPNEGO authentication. E.g., for Mozilla Firefox, you
have to type about:config in the address bar and then search for network.negotiate-auth.trusteduris. Double-click on Value and enter the domain name of the SAP HANA DB server you will use for
accessing your XS application, e.g. mydomain.com.
Note
*. mydomain.com won’t work! You cannot use wild cards.
For the MS Internet Explorer the following article explains how to setup the browser for Kerberos
authentication:
•
•
•
HTTP-Based Cross-Platform Authentication by Using the Negotiate Protocol:
http://msdn.microsoft.com/en-us/library/ms995329.aspx
Authentication Uses NTLM instead of Kerberos:
http://technet.microsoft.com/en-us/library/cc779070.aspx
Unable to negotiate Kerberos authentication after upgrading to Internet Explorer 6:
http://support.microsoft.com/kb/299838
4.8.2.2 Adjusting Kerberos Realms on Windows
In order to request a service ticket, the client has to conclude the Kerberos realm (Active Directory
domain) from the domain name of the DB server used in the URL.
In case the Kerberos realm name is not identical with the DNS domain name, and/ or the realm of the
HANA DB service is different from the realm of the end user, this resolution may lead to a wrong
request for the service ticket issued by the browser.
However you can enforce a Kerberos realm name for a certain server using Microsoft’s ksetup.exe
on the client machine(s). This must be run by an administrator:
1. If necessary, add the Kerberos realm where the HANA service is registered:
ksetup /addkdc <RealmName> [<KDCName>]
where <RealmName> is the realm of the HANA DB service and <KDCName> is the FQDN of
the end users Active Directory Domain controller.
2. Map the server FQDN to this realm:
ksetup /addhosttorealmmap <HostName> <RealmName>
where <RealmName> is the realm of the HANA DB service and <HostName> is the hostname
used in the URL for accessing the XS application. Note that in case you want to use also the
simple hostname or aliases, you must map these as well.
For reference, see the official documentation of the tool: http://technet.microsoft.com/enus/library/hh240190.aspx.
July 2023
34
Single Sign-On with SAP HANA® Database using Kerberos and Microsoft Active Directory
4.8.2.3 Test Accessing XS Classic Admin Tools
The easiest way to test SPNEGO is configuring it for the XS Classic admin tools:
1) Log on to XS Classic admin tools using Log on Credentials (Basic authentication).
http://<hostname>:<port>/sap/hana/xs/admin
2) Activate for the package you want to log on ( in this example package /sap/) the
authentication Method SPNEGO.
3) Log off
4) Start the Chrome browser in incognito mode.
5) Log on to XS Classic admin tools again using your Windows AD SSO user:
http://<hostname>:<port>/sap/hana/xs/admin
4.8.2.4 Deploy Test App
For testing SPNEGO end-to-end, you now must deploy a test app and configure the authentication
method SPNEGO.
You can simply extend the Hello World example from the SAP HANA Developer Guide, Tutorial: My
First SAP HANA Application, in particular the Tutorial: Write Server-Side JavaScript.
In the .xsjs file, enter the following code and save the file:
$.response.contentType = "text/html";
$.response.setBody("Authenticated user=" + $.session.getUsername())
Enter the following lines of code into the .xsaccess file:
{ "exposed" : true }
July 2023
35
Single Sign-On with SAP HANA® Database using Kerberos and Microsoft Active Directory
You will have to define the user-authentication method in the application's runtime configuration by
using the SAP HANA XS Admin tools (SAP HANA Administration Guide, chapter Maintaining
Application Runtime Configurations).
After completing these steps please open the xsjs resource in your browser.
4.9 Footnotes
4.9.1
Avoid a restart of the SAP HANA DB
Changes to the krb5*.conf file and krb5*.keytab on the SAP HANA DB host will take effect only
after a restart of the SAP HANA DB or by setting and unsetting the SAP HANA DB authentication
trace to debug:
Execute the following commands on the SYSTEMDB to reload the krb5*.keytab and krb5*.conf
files for the SYSTEMDB and all currently running Tenant DBs:
1. alter system alter configuration ('global.ini','system') set
('trace','authentication') = 'debug' with reconfigure;
2. alter system alter configuration ('global.ini','system') unset
('trace','authentication') with reconfigure;
Execute the commands on a dedicated Tenant DB to reload the files for that Tenant DB only:
1. alter system alter configuration ('indexserver.ini','system') set
('trace','authentication') = 'debug' with reconfigure;
2. alter system alter configuration ('indexserver.ini','system') unset
('trace','authentication') with reconfigure;
Note: The python script hdbkrbconf.py that verifies the Kerberos configuration of a SAP HANA DB is
not aware of when the keytab and config files have been loaded by the above commands. The script
reads the last restart of the indexserver and compares that to the last change date of the keytab file.
Hence, you can ignore the below error messages when using the above commands:
[...]
ERROR: /usr/sap/<SID>/home/etc/krb5_hdb.keytab modified after
hdbnameserver start (change=2019-03-18 15:54:47, start=2019-03-08
12:11:33, pid=31389).
--> restart HANA
July 2023
36
Single Sign-On with SAP HANA® Database using Kerberos and Microsoft Active Directory
5. Appendix A: AES256 Encryption
The Security Glossary RFC 4757 specifies rc4-hmac for Kerberos but recommends using aes256cts-hmac-sha1-96 if available (http://tools.ietf.org/html/rfc4757#page-15).
Since AES256 offers a stronger protection of the Kerberos keys than RC4-HMAC which is insecure,
we strongly recommend configuring AES256 for productive usage.
Note: due to the fact that the SPN is used as a salt parameter in the key generation algorithm of
AES256, ktutil creates different keys for different SPN.
5.1 Create Kerberos keytab for the SAP HANA DB Server
5.1.1
Creating the Kerberos keys in Windows AD
Note
The Kerberos key must be created in the Windows Active Directory.
Log on to the Windows AD as domain administrator.
The command ktpass creates the key used from AES256 encryption and creates the SPN by
mapping the service to the SAP HANA DB service user.
> ktpass -princ hdb/myhdbserver.mydomain.com@MYDOMAIN.COM -mapuser
myhdbserviceuser@MYDOMAIN.COM -pass <passwd> -ptype KRB5_NT_PRINCIPAL crypto AES256-SHA1 -out C:\krb5_hdb.keytab
The parameter -out is optional and will create the corresponding Kerberos keytab.
Note
If you are fine with only one key in the keytab you can directly copy that keytab to the SAP HANA
DB Server as described in chapter 4.6.5 and skip the next chapter.
Output:
Targeting domain controller: <domain_controller_hostname>.MYDOMAINE.COM
Using legacy password setting method
Successfully mapped hdb/myhdbserver.mydomain.com to myhdbserviceuser.
Key created.
Output keytab to C:\krb5_hdb.keytab:
Keytab version: 0x502
keysize 93 hdb/myhdbserver.mydomain.com@MYDOMAIN.COM ptype 1
(KRB5_NT_PRINCIPAL) vno 6 etype 0x12 (AES256-SHA1) keylength 32
(0xbd8e67dddbe7dbc0f51f92cb56ad995ba0fc16911e3836e774672ea8db619e46)
As a result, you now have:
- the SPN mapping hdb/myhdbserver.mydomain.com to myhdbserviceuser@MYDOMAIN.COM
July 2023
37
Single Sign-On with SAP HANA® Database using Kerberos and Microsoft Active Directory
- the key for service hdb/myhdbserver.mydomain.com
- the keytab file C:\krb5_hdb.keytab:
The last line is your individual Kerberos key, belonging to the SPN, in hexadecimal representation.
Make a note of this Kerberos key without the prefix 0x and the brackets to create or extend an existing
Kerberos keytab on HANA DB host side in the next chapter.
You can retrieve the Kerberos key from the above keytab using command klist on Linux:
#> klist -k krb5_hdb.keytab -etK
KVNO Timestamp
Principal
---- ------------------- ------------------------------------------------6 01/01/1970 01:00:00 hdb/myhdbserver.mydomain.com@MYDOMAIN.COM (aes256cts-hmac-sha1-96)
(0xbd8e67dddbe7dbc0f51f92cb56ad995ba0fc16911e3836e774672ea8db619e46)
In case you want to map multiple SPNs to one SAP HANA DB service user each subsequent mapping
has to be done using command setspn (not ktpass).
To add SPNEGO, for example, execute the commands on Windows AD:
> setspn -S HTTP/myhdbserver.mydomain.com MYDOMAIN\myhdbserviceuser
and for aliases:
> setspn -S HTTP/myhdbserveralias MYDOMAIN\myhdbserviceuser
5.1.2 Create or Extend the Kerberos Keytab on the SAP
HANA DB Host
When the AES256 encrypted Kerberos Key once has been created as described in the previous
chapter on the Windows AD your next step is either to create or extend the Kerberos keytab on the
HANA DB host.
5.1.2.1 Create the Kerberos Keytab on the SAP HANA DB Host
Create the Kerberos keytab as following:
Logon to SAP HANA DB server as <sid>adm and start the Kerberos tool ktutil:
#> ktutil
Create and add key to memory:
ktutil: add_entry -key -p hdb/myhdbserver.mydomain.com@MYDOMAIN.COM -k
<KVNO> -e aes256-cts-hmac-sha1-96
Kerberos key for hdb/myhdbserver.mydomain.com@MYDOMAIN.COM (hex):
Enter the hex value of the Kerberos key from chapter 5.1.1.
July 2023
38
Single Sign-On with SAP HANA® Database using Kerberos and Microsoft Active Directory
(In my example that is:
bd8e67dddbe7dbc0f51f92cb56ad995ba0fc16911e3836e774672ea8db619e46 )
list the content of the Kerberos keytab in memory
ktutil: list
slot KVNO Principal
---- ---- -----------------------------------------------------------1
2 hdb/myhdbserver.mydomain.com@MYDOMAIN.COM
write the created Kerberos keytab from memory to its location:
ktutil: write_kt /usr/sap/<SID>/home/etc/krb5_hdb.keytab
leave the tool:
ktutil: quit
Note
The currently used Kerberos key version number <knvo> can be retrieved by
#> kinit myhdbserviceuser@MYDOMAIN.COM
#> <password>
#> kvno hdb/myhdbserver.mydomain.com@MYDOMAIN.COM
5.1.2.2 Extend the Kerberos keytab on the SAP HANA DB Host
If you want to add a second Kerberos key, for example to use SPNEGO, you can extend an existing
keytab on the SAP HANA DB host.
In this example you will extend the Kerberos keytab by a key for SPNEGO.
Logon to SAP HANA DB server as <sid>adm and start the Kerberos tool ktutil:
#> ktutil
read the current Kerberos Keytab from its location into memory:
ktutil: read_kt /usr/sap/<SID>/home/etc/krb5_hdb.keytab
list the content of the Kerberos keytab in memory:
ktutil: list
slot KVNO Principal
---- ---- -------------------------------------------------------------1
2 hdb/myhdbserver.mydomain.com@MYDOMAIN.COM
Create and add key for SPNEGO to memory:
ktutil: add_entry -key -p HTTP/myhdbserver.mydomain.com@MYDOMAIN.COM -k
<KVNO> -e aes256-cts-hmac-sha1-96
Kerberos key for hdb/myhdbserver.mydomain.com@MYDOMAIN.COM (hex):
Enter the hex value of the Kerberos key from chapter 5.1.1
July 2023
39
Single Sign-On with SAP HANA® Database using Kerberos and Microsoft Active Directory
(In my example that is:
bd8e67dddbe7dbc0f51f92cb56ad995ba0fc16911e3836e774672ea8db619e46 )
list the content of the Kerberos keytab in memory - now showing the new key for SPNEGO:
ktutil: list
slot KVNO Principal
---- ---- -----------------------------------------------------------1
2 hdb/myhdbserver.mydomain.com@MYDOMAIN.COM
2
2 HTTP/myhdbserver.mydomain.com@MYDOMAIN.COM
write the created Kerberos keytab from memory to its location:
ktutil: write_kt /usr/sap/<SID>/home/etc/krb5_hdb.keytab
leave tool:
ktutil: quit
5.1.3
SAP HANA DB Service User settings in Windows AD
When using Kerberos keys with AES 256 encryption in the Kerberos keytab, you must explicitly mark
the SAP HANA DB service User myhdbserviceuser, you created in chapter 4.4 Create the SAP HANA
Database Service User(s), for AES 256 in the Windows AD account options.
Figure 10: Account options to be set for SAP HANA DB Service User and AES256 key encryption
Note
From Kerberos perspective there is no need to set the Account option AES 256 bit to the Windows
AD SSO users aduser1
CAUTION
Since the password of the SAP HANA DB Service User is used to generate the Kerberos AES256
key value, a change of the password will require to create a new key and to recreate the service
keys within the Kerberos keytab.
The following error will be shown:
Error during Kerberos: Major: "unspecified [851968]", minor: "Key version is
not available [2529638956/-1765328340]"
July 2023
40
Single Sign-On with SAP HANA® Database using Kerberos and Microsoft Active Directory
5.1.4
Extend the Kerberos Config File
You should add the below parameters to only allow high security access to the [libdefaults]
section of your Kerberos config file. The value depends on the encryption type you configured in
chapter 5.1.2:
[libdefaults]
default_tgs_enctypes = aes256-cts-hmac-sha1-96
default_tkt_enctypes = aes256-cts-hmac-sha1-96
preferred_enctypes
= aes256-cts-hmac-sha1-96
5.2 Further source of Information
3000930 - How to Switch Encryption Type from default rc4-hmac to AES256-SHA1 for Kerberos SSO
to SAP HANA DB using Microsoft Windows Active Directory
blog: Single Sign-On with SAP HANA Scale-out System using Kerberos and Microsoft Active Directory
July 2023
41
Single Sign-On with SAP HANA® Database using Kerberos and Microsoft Active Directory
6. Appendix B: SAP HANA DB Landscape
6.1 SAP HANA DB System Replication and Scale Out
If you are using host alias names or virtual host names you want to use for SSO, you have to do the
configuration steps below for that names too.
Every SAP HANA DB server that should be used for SSO (scale out node and secondary or tertiary
servers and nodes) must be configured as described in chapter 4.1 Create the Windows AD User
Log on to the Windows AD as domain administrator.
Execute the command on console:
> dsadd user "cn=aduser1,cn=users,dc=MYDOMAIN,dc=COM" –upn
aduser1@MYDOMAIN.COM -pwd <passwd> -disabled no
The Kerberos config file you created in chapter 4.3 SAP HANA Database Server Kerberos
Configuration must be copied to every SAP HANA DB server (scale out node and secondary or
tertiary servers and nodes) that should be used for SSO.
Register every SAP HANA DB server that should be used for SSO (scale out node and secondary or
tertiary servers and nodes) as described in chapter 4.5 Register Service Principal Name (SPN) in AD
The Kerberos Keytab file you created in chapter 4.6 Create Kerberos keytab for the SAP HANA DB
Server must be copied to every SAP HANA DB server (scale out node and secondary or tertiary
servers and nodes) that should be used for SSO.
Note
AES256 encryption is much more complicated to configure for a scale out scenario. It works only with
a virtual SPN.
6.2 SAP HANA DB Multi Database Container (MDC)
Depending on your system landscape configure Kerberos SSO as explained above.
Assign the Kerberos External ID to the HANA DB users in every HANA DB (SYSTEMDB, Tenant DB
1, Tenant DB 2, …) you want them to be able to log on by Kerberos SSO. For details refer to chapter
4.8 Assign the External ID to the SAP HANA DB user.
You need to configure a virtual host name for the tenant DB that you want to access with XS Classic.
Configure HTTP(S) Access to Multitenant Database Containers via SAP HANA XS Classic
July 2023
42
Single Sign-On with SAP HANA® Database using Kerberos and Microsoft Active Directory
6.3 SPNEGO with Revers Proxy or Load Balancer
If the SPNEGO requests reach the SAP HANA DB from a Reverse Proxy or Load balancer, you need
to register the SPN of the Reverse Proxy or Load balancer as described in chapter 4.5 Register
Service Principal Name (SPN) in AD
Create and add a Kerberos Key for the Reverse Proxy or Load balancer to the Kerberos Keytab as
described in chapter 4.6 Create Kerberos keytab for the SAP HANA DB Server.
6.4 Linux host without SAP HANA DB installed
Make sure that the Kerberos libraries installed on a Linux host fulfill the requirements mentioned in
chapter 3.2 Software Requirements.
You can copy the required Kerberos libraries from an existing SAP HANA DB server installation.
Copy the files from the folder of an SAP HANA DB server installation
#>/usr/sap/<SID>/HDB<instance>/exe/krb5/lib
to the Linux host in an arbitrary folder
$>/usr/sap/.../krb5/lib
and replace the environment variable of the Linux host by the path to the library folder
LD_LIBRARY_PATH=/usr/sap/.../krb5/lib
July 2023
43
Single Sign-On with SAP HANA® Database using Kerberos and Microsoft Active Directory
7. Appendix C: Troubleshooting
There are several sources for information once you run into problems with Active Directory/Kerberos
and SAP HANA database. Of course, you should always adhere to the verification steps outlined in this
text directly after the respective configuration step in the first place. These mainly employ the MIT
Kerberos tools on the DB server like kinit, klist and kvno.
Direct feedback is provided by the DB client itself (hdbsql, SAP HANA studio). In addition, you should
always check the DB server trace. For SPNEGO, you must also configure tracing for the SAP Web
Dispatcher. On the client side, you may need to activate JDBC, ODBC or SQLDB trace, depending on
the client used.
Note that for SPNEGO, the traces contain only a GSS error code, but no error text. In section /Kerberos
GSS Error Codes/, a table mapping error codes to text is provided.
In some cases, the SAP HANA tracing is not sufficient. Then you should consider switching on the
Windows System Event Log for Kerberos.
As a mean of last resort, you should consider switching on the SAP HANA database protocol trace,
optionally in conjunction with a network sniffer such as Wireshark, Microsoft Network Monitor or
tcpdump. Depending on the issue, you might have to run it on the client or server side or both.
Figure 11: Authentication process
July 2023
44
Single Sign-On with SAP HANA® Database using Kerberos and Microsoft Active Directory
7.1 SAP HANA DB Server
The traces must be collected on the involved clients, devices, hosts and the Windows AD and KDC.
Figure 12: System landscape of potentially involved devices
7.1.1 Verify the SAP HANA Server configuration using the
python script hdbkrbconf.py
The first and easiest step is to verify the Kerberos configuration of the SAP HANA DB Server using the
python script hdbkrbconf.py from SAP Note 1813724 - HANA SSO using Kerberos and SPNEGO:
Create Kerberos keytab and validate Kerberos configuration.
The script supports the verification of rc4-hmac, aes128 and aes256 encrypted keys.
You will need the passwords of the following users:
•
•
•
•
SAP HANA DB user SYSTEM
SAP HANA DB OS user <sid>adm
Windows AD service user for the SAP HANA DB server <myhostname.com>
A Windows AD domain user to test the SSO connection <aduser1>
Logon to SAP HANA DB server as <sid>adm.
Execute the python script with the parameter –v (verification) and –V (verbose)
#> python hdbkrbconf.py –v –V
-------- CHECKS for preparation (local) ------------------------------------Checking HANA DB SQL port 3<Instance>13 ... checkHanaSqlPort ... OK (with
user SYSTEM)
Checking Kerberos environment ... OK
(Env. variables and path to config
and keytab files)
Checking IP configuration ... OK
(Hostname resolution)
July 2023
45
Single Sign-On with SAP HANA® Database using Kerberos and Microsoft Active Directory
-------- CHECKING Kerberos configuration file (local) -------------------Checking Kerberos conf file /usr/sap/<SID>/home/etc/krb5_hdb.conf ... OK
-------- CHECK consistency of Kerberos (local) and Active Directory
(remote) --Searching for SPN hdb/<myhostname.com>@<MYDOMAIN.COM> in Keytab
"/usr/sap/<SID>/home/etc/krb5_hdb.keytab" ... OK
Checking Service User "m23serviceuser" ... OK
(valid in AD)
Checking Service Principal Name "hdb/<myhostname.com>" ... OK
(valid in
AD)
Checking HANA DB server startup time against modifications of Kerberos
conf/keytab files ... OK
(Changes in Keytab and Config file will become active after a restart of
the HANA DB)
-------- CHECK keytab on HANA Server-----------------------------------------------------Checking key version number and key in keytab
/usr/sap/<SID>/home/etc/krb5_hdb.keytab for SPN hdb/<myhostname.com> ... OK
-------- CHECK Kerberos login to HANA DB with existing HANA user ----------Retrieving TGT for HANA DB external user ... OK
Trying Kerberos login to HANA DB with domain user ... OK
------------------------------------------------------------------------------SUMMARY - All checks OK
→ If all checks are OK the HANA Server configuration works fine and you need to continue your
investigation on the client side.
7.1.2
Trace on SAP HANA DB server
The Authentication trace of the SAP HANA DB server collects trace information about every kind of
authentication method (Kerberos, SPNEGO, SAML, X509, ...)
Activate the trace for MDC on the SAP HANA Tenant DB level.
indexserver.ini
[trace]
authentication = 'debug’
<- shows details of every authentication method
ALTER SYSTEM ALTER CONFIGURATION ('global.ini','system') SET
('trace','authentication') = 'debug' WITH RECONFIGURE;
CAUTION
Make sure that trace file limits are configured properly. You might have to increase the maxfiles
and/or the maxfilesize parameters.
July 2023
46
Single Sign-On with SAP HANA® Database using Kerberos and Microsoft Active Directory
If necessary, adapt trace file limits:
ALTER SYSTEM ALTER CONFIGURATION ('indexserver.ini', 'SYSTEM') set
('trace', 'maxfiles') = '<number>' with reconfigure;
ALTER SYSTEM ALTER CONFIGURATION ('indexserver.ini', 'SYSTEM') set
('trace', 'maxfilesize') = '<size in bytes>' with reconfigure;
CAUTION
Remember to disable tracing once you are done with the analysis.
The Kerberos GSS Error Codes point to the possible root cause of the error. Find a list of them in SAP
Note 1837331 - HOWTO HANA DB SSO Kerberos/ Active Directory.
Since the GSS error Codes are standardized, you can also search for them in the internet:
•
•
SAP HANA Troubleshooting and Performance Analysis Guide: Kerberos-Related
Authentication Issues
Microsoft Technical Reference: Kerberos Authentication Tools and Settings
7.2 SAP HANA Client
In case the SSO fails from hdbsql or SAP HANA studio, you might get meaningful error messages or
not. The reason is that the SAP HANA database protocol layer simply propagates the error message
as returned by the underlying Kerberos implementation.
Nonetheless, it is always worthwhile trying to understand the text and trying to find help on that in the
internet. While the text is platform dependent, the error code is standardized and may suit better for
searches.
Example:
Error during Kerberos: Major: "unspecified [851968]", minor: "Key version is not
available [2529638956/-1765328340]"
7.2.1
Running hdbsql on the SAP HANA DB Server
For ruling out network problems (e.g. DNS), it might be useful to try hdbsql from the DB server.
Recommendation
During troubleshooting, do not use the same configuration file krb5_hdb.conf as SAP HANA
DB does. We recommend creating the client configuration in /tmp and to use the environment
variable KRB5_CONFIG when calling hdbsql.
As a <SID>adm, run
#> cd $DIR_EXECUTABLE
#> KRB5_CONFIG=/tmp/krb5_hdb.conf hdbsql -i <Instance>
Welcome to the SAP HANA Database interactive terminal.
Type:
\h for help with commands
July 2023
47
Single Sign-On with SAP HANA® Database using Kerberos and Microsoft Active Directory
\q to quit
hdbsql=> \c
Connected to <SID>O@<myhdbserver.com>:3<Instance>15
hdbsql <SID>=>
7.2.2
SQLDBC Trace
The SQLDBC trace will be needed when connections are made from hdbsql or other ODBC clients.
For switching on the SQLDBC trace (no matter on which platform except for the filename path), run
> hdbsqldbc_cons trace debug on
> hdbsqldbc_cons trace packet on
> hdbsqldbc_cons trace sql on
> hdbsqldbc_cons config trace filename c:\temp\sqldbc.trc
CAUTION
Remember to disable tracing after you are done with the analysis.
7.2.3
JDBC Trace
The JDBC trace will be needed when connections are made from SAP HANA studio or other JDBC
clients.
CAUTION
The trace file size may grow to gigabytes within relative short time, depending on the system load.
Note that it will become difficult to open it with many editors. The tool less on Linux (or less
coming with cygwin on Windows) will always be able to open the file, though.
Prerequisite: You are logged on as the operating system user who started (or will start) the JDBC
application.
Note
•
You always activate the JDBC trace for all JDBC applications that the current operating system
user has started.
•
Configuration changes have an effect on all JDBC applications that the current operating
system user has started.
•
In case the application is running on Windows, you might run into the problem that the
application is running under a service user which is not allowed to log on. In this case, you have
to either let the application run under another user or modify the service user such that a logon
is possible.
You have to find the JDBC driver file ngdbc.jar. It should be within the installation directory of the
client connecting against SAP HANA database or the SAP HANA client installation directory. You may
want to simply use the operating system search for finding it.
July 2023
48
Single Sign-On with SAP HANA® Database using Kerberos and Microsoft Active Directory
7.2.3.1 Enable tracing via GUI:
Figure 13: Location of JDBC driver ngdbc.jar in client installation directory.
1. Double-click on the ngdbc.jar file.
Figure 14: SAP HANA database JDBC trace configuration panel GUI.
2. Create "Trace file folder" if required
3. Check “Trace enabled" to activate the trace collection
4. Press button “Apply” to start tracing
7.2.3.2 Enable tracing via command line:
Show trace configuration
java -jar ngdbc.jar SHOW
1. Define trace file folder and file name:
java -jar ngdbc.jar TRACE FILENAME c:\temp\krb
2. Start tracing:
java -jar \ngdbc.jar TRACE ON
3. Execute the command to be traced
4. Stop tracing:
java -jar ngdbc.jar TRACE OFF
July 2023
49
Single Sign-On with SAP HANA® Database using Kerberos and Microsoft Active Directory
7.2.4
ODBC Trace
The ODBC trace will be needed when connections are made from ODBC clients.
You have to find the ODBC trace console executable hdbodbc_cons.exe. It should be within the
installation directory of the client connecting against SAP HANA database or the SAP HANA client
installation directory. You may want to simply use the operating system search for finding it.
Enable tracing via command line:
1. Define file location and file name:
hdbodbc_cons CONFIG TRACE FILENAME c:\temp\krb\odbc.trc
2. Set components to be traced:
hdbodbc_cons TRACE API ON
hdbodbc_cons TRACE DEBUG ON
hdbodbc_cons TRACE PACKET ON
3. Start tracing:
hdbodbc_cons TRACE ON
4. Execute the command to be traced
5. Stop tracing:
hdbodbc_cons TRACE OFF
7.2.4.1 ODBC Troubleshooting
Run driver directly (64 Bit)
Windows Control Panel -> Administrative Tools -> Data Sources (ODBC)
In tab Drivers, check that the HANA ODBC driver is installed (client installation). Then under User
DSN, click Add and then Connect.
Run driver directly (32 Bit)
In C:\Windows\SysWOW64\ run odbcad32.exe. Then under User DSN, click Add and then
Connect.
Use driver from separate tool
In client installation directory, run
odbcreg32.exe –t <driver name>
where <driver name> is the name displayed in above mentioned tab Drivers.
July 2023
50
Single Sign-On with SAP HANA® Database using Kerberos and Microsoft Active Directory
7.3 Tracing SPNEGO and SAP Webdispatcher
For tracing SPNEGO, you need to configure the SAP HANA DB server and the SAP Web Dispatcher.
7.3.1
SAP HANA DB Server: XS Classic Trace
Use the authentication and SAP HANA XS Classic trace (via SQL) on Tenant DB:
indexserver.ini
[trace]
authentication = 'debug’ <- shows details of every authentication method
xsengine.ini (if standalone -not embedded- XS server)
indexserver.ini (if embedded XS server)
[trace]
xsauthentication = 'debug’
xsrequesthandler = 'debug’
xssession
= 'debug’
<- shows details of every XSC authentication method
<- shows the XS http request details
<- shows the XS session details of a request
ALTER SYSTEM ALTER CONFIGURATION ('global.ini','system') SET
('trace','authentication')
= 'debug',
('trace','XSRequestHandler') = 'debug',
('trace','xssession')
= 'debug',
('trace','xsauthentication') = 'debug'
WITH RECONFIGURE;
The trace will be written to the xsengine trace or in the indexserver trace for embedded xsengine.
7.3.2
SAP Web Dispatcher Trace
Figure 15: Web Dispatcher from SAP HANA Administration Guide: Configuring an External SAP Web
Dispatcher for Tenant Databases
July 2023
51
Single Sign-On with SAP HANA® Database using Kerberos and Microsoft Active Directory
7.3.2.1 Internal Web Dispatcher
The SAP Web Dispatcher is the HTTP server of SAP HANA XS classic running on the SYSTEMDB.
webdispatcher.ini
[trace]
dev_webdisp
= 'debug'
7.3.2.2 External Web Dispatcher
You must add the following lines to the file $DIR_INSTANCE/<hostname>/wdisp/sapwebdisp.pfl after
the definition of the DIR_INSTANCE variable:
DIR_INSTANCE = $(_LOCAL_HOST_NAME)
# Trace
rdisp/TRACE = 2
# Access log
icm/HTTP/logging_0 = PREFIX=/, LOGFILE=$(DIR_INSTANCE)/trace/access_log-%d%m-%y, LOGFORMAT=%b %h %H %S %a %l %u %t %T Line=%r %f %U %s %{user-agent}i
To activate tracing, the SAP Web Dispatcher must be restarted:
For getting the web dispatcher PID, run as <SID>adm:
#> HDB info | grep sapwebdisp_hdb | grep -v grep
<sid>adm
<PID> 3973 2.8 205288 75628
\_ sapwebdisp_hdb […]
Then let the daemon restart it:
#> kill -2 <PID>
You can find the resulting trace files in the directory $DIR_INSTANCE/<hostname>/trace:
1. dev_webdisp
2. access_log-<day>-<month>-<year>
SAP HANA Administration Guide: Configuring an External SAP Web Dispatcher for Tenant Databases
July 2023
52
Single Sign-On with SAP HANA® Database using Kerberos and Microsoft Active Directory
7.4 Windows Tools
In case only a fraction of the users has logon problems, or if logon problems seem to be sporadically
distributed over all users, the reason might be UDP fragmentation. To diagnose, users could run in
Windows XP or earlier
> netdiag /test:kerberos
In newer Windows versions, this tool was merged into the general OS troubleshooting framework
(Control panel …).
In either case, you should force Kerberos to run over TCP following the instructions in MS KB 244474
(http://support.microsoft.com/kb/244474/en-us).
For various analysis tasks it might be useful to switch on the Windows System Event Log for Kerberos
on the AD domain controller and the client (see http://support.microsoft.com/kb/262177/en-us). Note
that it is not recommended to run a production system with this log switched on.
Especially on the client you can observe if the requested service ticket is addressed for the right SPN.
For inspecting the ticket cache or forcing the client to retrieve a new ticket, there is a tool klist
available from Microsoft.
Here is another troubleshooting guide from Microsoft:
http://blogs.msdn.com/b/friis/archive/2009/12/31/things-to-check-when-kerberos-authentication-failsusing-iis-ie.aspx
7.5 Common Errors
Connection failed (RTE:[-1] Kerberos error. Major: "unspecified [851968]",
minor: "Server not found in Kerberos database [2529638919]”<<
The SPN for the DB server was not registered within the Windows Active Directory.
Additionally, Kerberos is case sensitive. Problems can occur in an environment using host names with
mixed case. In the world of Kerberos, appserver1.EXAMPLE.COM and appserver1.example.com are
not the same. Check that DNS resolves host names with consistent case.
Connection failed (RTE:[-1] Kerberos error. Major: "Miscellaneous error
[851968]", minor: " []”<<
Is caused by a problem within the AD. Either the SAP HANA database SPN is completely missing, or
there are several mappings where the SAP HANA database SPN points to different accounts.
AbstractMethodGSSAcceptor.cpp(00032) : Error during Kerberos: Major: "unspecified
[851968]", minor: "Key version is not available [2529638956/-1765328340]"
The password of the SAP HANA Kerberos Service User on Windows AD that is assigned to the SPN
different from the password the user had when the key of the service has been created and stored
within the Kerberos keytab file. Recreate the affected key in the Kerberos keytab or revert the
password to the old value.
kvno: Wrong principal in request while decrypting ticket for
hdb/myhdbserver.mydomain.com@MYDOMAIN.COM
There is a mismatch in the type of encryption used to create the Kerberos key in keytab and KDC.
July 2023
53
Single Sign-On with SAP HANA® Database using Kerberos and Microsoft Active Directory
7.6 Kerberos GSS Error Codes
The following table lists the mapping of signed integer error codes to error texts as used in the MIT
Kerberos lib as of version 1.6.3.
Error Code
C Preprocessor Macro
Error Text
-1765328384 KRB5KDC_ERR_NONE
"No error"
-1765328383 KRB5KDC_ERR_NAME_EXP
"Client's entry in database has expired"
-1765328382 KRB5KDC_ERR_SERVICE_EXP
"Server's entry in database has expired"
-1765328381 KRB5KDC_ERR_BAD_PVNO
"Requested protocol version not supported"
-1765328380 KRB5KDC_ERR_C_OLD_MAST_KVNO
"Client's key is encrypted in an old master key"
-1765328379 KRB5KDC_ERR_S_OLD_MAST_KVNO
"Server's key is encrypted in an old master key"
-1765328378 KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN
"Client not found in Kerberos database"
-1765328377 KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN
"Server not found in Kerberos database"
-1765328376 KRB5KDC_ERR_PRINCIPAL_NOT_UNIQUE
"Principal has multiple entries in Kerberos database"
-1765328375 KRB5KDC_ERR_NULL_KEY
"Client or server has a null key"
-1765328374 KRB5KDC_ERR_CANNOT_POSTDATE
"Ticket is ineligible for postdating"
-1765328373 KRB5KDC_ERR_NEVER_VALID
"Requested effective lifetime is negative or too short"
-1765328372 KRB5KDC_ERR_POLICY
"KDC policy rejects request"
-1765328371 KRB5KDC_ERR_BADOPTION
"KDC can't fulfill requested option"
-1765328370 KRB5KDC_ERR_ETYPE_NOSUPP
"KDC has no support for encryption type"
-1765328369 KRB5KDC_ERR_SUMTYPE_NOSUPP
"KDC has no support for checksum type"
-1765328368 KRB5KDC_ERR_PADATA_TYPE_NOSUPP
"KDC has no support for padata type"
-1765328367 KRB5KDC_ERR_TRTYPE_NOSUPP
"KDC has no support for transited type"
-1765328366 KRB5KDC_ERR_CLIENT_REVOKED
"Clients credentials have been revoked"
-1765328365 KRB5KDC_ERR_SERVICE_REVOKED
"Credentials for server have been revoked"
-1765328364 KRB5KDC_ERR_TGT_REVOKED
"TGT has been revoked"
-1765328363 KRB5KDC_ERR_CLIENT_NOTYET
"Client not yet valid - try again later"
-1765328362 KRB5KDC_ERR_SERVICE_NOTYET
"Server not yet valid - try again later"
-1765328361 KRB5KDC_ERR_KEY_EXP
"Password has expired"
-1765328360 KRB5KDC_ERR_PREAUTH_FAILED
"Preauthentication failed"
-1765328359 KRB5KDC_ERR_PREAUTH_REQUIRED
"Additional pre-authentication required"
-1765328358 KRB5KDC_ERR_SERVER_NOMATCH
"Requested server and ticket don't match"
-1765328357 KRB5PLACEHOLD_27
"KRB5 error code 27"
-1765328356 KRB5PLACEHOLD_28
-1765328355 KRB5KDC_ERR_SVC_UNAVAILABLE
"KRB5 error code 28"
"A service is not available that is required to process the
request"
-1765328354 KRB5PLACEHOLD_30
"KRB5 error code 30"
-1765328353 KRB5KRB_AP_ERR_BAD_INTEGRITY
"Decrypt integrity check failed"
-1765328352 KRB5KRB_AP_ERR_TKT_EXPIRED
"Ticket expired"
-1765328351 KRB5KRB_AP_ERR_TKT_NYV
"Ticket not yet valid"
-1765328350 KRB5KRB_AP_ERR_REPEAT
"Request is a replay"
-1765328349 KRB5KRB_AP_ERR_NOT_US
"The ticket isn't for us"
-1765328348 KRB5KRB_AP_ERR_BADMATCH
"Ticket/authenticator don't match"
-1765328347 KRB5KRB_AP_ERR_SKEW
"Clock skew too great"
-1765328346 KRB5KRB_AP_ERR_BADADDR
"Incorrect net address"
July 2023
54
Single Sign-On with SAP HANA® Database using Kerberos and Microsoft Active Directory
-1765328345 KRB5KRB_AP_ERR_BADVERSION
"Protocol version mismatch"
-1765328344 KRB5KRB_AP_ERR_MSG_TYPE
"Invalid message type"
-1765328343 KRB5KRB_AP_ERR_MODIFIED
"Message stream modified"
-1765328342 KRB5KRB_AP_ERR_BADORDER
"Message out of order"
-1765328341 KRB5KRB_AP_ERR_ILL_CR_TKT
"Illegal cross-realm ticket"
-1765328340 KRB5KRB_AP_ERR_BADKEYVER
"Key version is not available"
-1765328339 KRB5KRB_AP_ERR_NOKEY
"Service key not available"
-1765328338 KRB5KRB_AP_ERR_MUT_FAIL
"Mutual authentication failed"
-1765328337 KRB5KRB_AP_ERR_BADDIRECTION
"Incorrect message direction"
-1765328336 KRB5KRB_AP_ERR_METHOD
"Alternative authentication method required"
-1765328335 KRB5KRB_AP_ERR_BADSEQ
"Incorrect sequence number in message"
-1765328334 KRB5KRB_AP_ERR_INAPP_CKSUM
"Inappropriate type of checksum in message"
-1765328333 KRB5KRB_AP_PATH_NOT_ACCEPTED
"Policy rejects transited path"
-1765328332 KRB5KRB_ERR_RESPONSE_TOO_BIG
"Response too big for UDP, retry with TCP"
-1765328331 KRB5PLACEHOLD_53
"KRB5 error code 53"
-1765328330 KRB5PLACEHOLD_54
"KRB5 error code 54"
-1765328329 KRB5PLACEHOLD_55
"KRB5 error code 55"
-1765328328 KRB5PLACEHOLD_56
"KRB5 error code 56"
-1765328327 KRB5PLACEHOLD_57
"KRB5 error code 57"
-1765328326 KRB5PLACEHOLD_58
"KRB5 error code 58"
-1765328325 KRB5PLACEHOLD_59
"KRB5 error code 59"
-1765328324 KRB5KRB_ERR_GENERIC
"Generic error (see e-text)"
-1765328323 KRB5KRB_ERR_FIELD_TOOLONG
"Field is too long for this implementation"
-1765328322 KRB5KDC_ERR_CLIENT_NOT_TRUSTED
"Client not trusted"
-1765328321 KRB5KDC_ERR_KDC_NOT_TRUSTED
"KDC not trusted"
-1765328320 KRB5KDC_ERR_INVALID_SIG
"Invalid signature"
KRB5KDC_ERR_DH_KEY_PARAMETERS_NOT
-1765328319 _ACCEPTED
"Key parameters not accepted"
-1765328318 KRB5KDC_ERR_CERTIFICATE_MISMATCH
"Certificate mismatch"
-1765328317 KRB5PLACEHOLD_67
"KRB5 error code 67"
-1765328316 KRB5PLACEHOLD_68
"KRB5 error code 68"
-1765328315 KRB5PLACEHOLD_69
"KRB5 error code 69"
-1765328314 KRB5KDC_ERR_CANT_VERIFY_CERTIFICATE
"Can't verify certificate"
-1765328313 KRB5KDC_ERR_INVALID_CERTIFICATE
"Invalid certificate"
-1765328312 KRB5KDC_ERR_REVOKED_CERTIFICATE
KRB5KDC_ERR_REVOCATION_STATUS_UNK
-1765328311 NOWN
KRB5KDC_ERR_REVOCATION_STATUS_UNA
-1765328310 VAILABLE
"Revoked certificate"
-1765328309 KRB5KDC_ERR_CLIENT_NAME_MISMATCH
"Client name mismatch"
-1765328308 KRB5KDC_ERR_KDC_NAME_MISMATCH
KRB5KDC_ERR_INCONSISTENT_KEY_PURPO
-1765328307 SE
KRB5KDC_ERR_DIGEST_IN_CERT_NOT_ACC
-1765328306 EPTED
KRB5KDC_ERR_PA_CHECKSUM_MUST_BE_I
-1765328305 NCLUDED
KRB5KDC_ERR_DIGEST_IN_SIGNED_DATA_
-1765328304 NOT_ACCEPTED
"KDC name mismatch"
July 2023
"Revocation status unknown"
"Revocation status unavailable"
"Inconsistent key purpose"
"Digest in certificate not accepted"
"Checksum must be included"
"Digest in signed-data not accepted"
55
Single Sign-On with SAP HANA® Database using Kerberos and Microsoft Active Directory
KRB5KDC_ERR_PUBLIC_KEY_ENCRYPTION_
-1765328303 NOT_SUPPORTED
"Public key encryption not supported"
-1765328302 KRB5PLACEHOLD_82
"KRB5 error code 82"
-1765328301 KRB5PLACEHOLD_83
"KRB5 error code 83"
-1765328300 KRB5PLACEHOLD_84
"KRB5 error code 84"
-1765328299 KRB5PLACEHOLD_85
"KRB5 error code 85"
-1765328298 KRB5PLACEHOLD_86
"KRB5 error code 86"
-1765328297 KRB5PLACEHOLD_87
"KRB5 error code 87"
-1765328296 KRB5PLACEHOLD_88
"KRB5 error code 88"
-1765328295 KRB5PLACEHOLD_89
"KRB5 error code 89"
-1765328294 KRB5PLACEHOLD_90
"KRB5 error code 90"
-1765328293 KRB5PLACEHOLD_91
"KRB5 error code 91"
-1765328292 KRB5PLACEHOLD_92
"KRB5 error code 92"
-1765328291 KRB5PLACEHOLD_93
"KRB5 error code 93"
-1765328290 KRB5PLACEHOLD_94
"KRB5 error code 94"
-1765328289 KRB5PLACEHOLD_95
"KRB5 error code 95"
-1765328288 KRB5PLACEHOLD_96
"KRB5 error code 96"
-1765328287 KRB5PLACEHOLD_97
"KRB5 error code 97"
-1765328286 KRB5PLACEHOLD_98
"KRB5 error code 98"
-1765328285 KRB5PLACEHOLD_99
"KRB5 error code 99"
-1765328284 KRB5PLACEHOLD_100
"KRB5 error code 100"
-1765328283 KRB5PLACEHOLD_101
"KRB5 error code 101"
-1765328282 KRB5PLACEHOLD_102
"KRB5 error code 102"
-1765328281 KRB5PLACEHOLD_103
"KRB5 error code 103"
-1765328280 KRB5PLACEHOLD_104
"KRB5 error code 104"
-1765328279 KRB5PLACEHOLD_105
"KRB5 error code 105"
-1765328278 KRB5PLACEHOLD_106
"KRB5 error code 106"
-1765328277 KRB5PLACEHOLD_107
"KRB5 error code 107"
-1765328276 KRB5PLACEHOLD_108
"KRB5 error code 108"
-1765328275 KRB5PLACEHOLD_109
"KRB5 error code 109"
-1765328274 KRB5PLACEHOLD_110
"KRB5 error code 110"
-1765328273 KRB5PLACEHOLD_111
"KRB5 error code 111"
-1765328272 KRB5PLACEHOLD_112
"KRB5 error code 112"
-1765328271 KRB5PLACEHOLD_113
"KRB5 error code 113"
-1765328270 KRB5PLACEHOLD_114
"KRB5 error code 114"
-1765328269 KRB5PLACEHOLD_115
"KRB5 error code 115"
-1765328268 KRB5PLACEHOLD_116
"KRB5 error code 116"
-1765328267 KRB5PLACEHOLD_117
"KRB5 error code 117"
-1765328266 KRB5PLACEHOLD_118
"KRB5 error code 118"
-1765328265 KRB5PLACEHOLD_119
"KRB5 error code 119"
-1765328264 KRB5PLACEHOLD_120
"KRB5 error code 120"
-1765328263 KRB5PLACEHOLD_121
"KRB5 error code 121"
-1765328262 KRB5PLACEHOLD_122
"KRB5 error code 122"
-1765328261 KRB5PLACEHOLD_123
"KRB5 error code 123"
-1765328260 KRB5PLACEHOLD_124
"KRB5 error code 124"
-1765328259 KRB5PLACEHOLD_125
"KRB5 error code 125"
July 2023
56
Single Sign-On with SAP HANA® Database using Kerberos and Microsoft Active Directory
-1765328258 KRB5PLACEHOLD_126
"KRB5 error code 126"
-1765328257 KRB5PLACEHOLD_127
"KRB5 error code 127"
-1765328256 KRB5_ERR_RCSID
"$Id: krb5_err.et 19934 2007-09-13 23:49:00Z tlyu $"
-1765328255 KRB5_LIBOS_BADLOCKFLAG
"Invalid flag for file lock mode"
-1765328254 KRB5_LIBOS_CANTREADPWD
"Cannot read password"
-1765328253 KRB5_LIBOS_BADPWDMATCH
"Password mismatch"
-1765328252 KRB5_LIBOS_PWDINTR
"Password read interrupted"
-1765328251 KRB5_PARSE_ILLCHAR
"Illegal character in component name"
-1765328250 KRB5_PARSE_MALFORMED
"Malformed representation of principal"
-1765328249 KRB5_CONFIG_CANTOPEN
"Can't open/find Kerberos configuration file"
-1765328248 KRB5_CONFIG_BADFORMAT
"Improper format of Kerberos configuration file"
-1765328247 KRB5_CONFIG_NOTENUFSPACE
"Insufficient space to return complete information"
-1765328246 KRB5_BADMSGTYPE
"Invalid message type specified for encoding"
-1765328245 KRB5_CC_BADNAME
"Credential cache name malformed"
-1765328244 KRB5_CC_UNKNOWN_TYPE
"Unknown credential cache type"
-1765328243 KRB5_CC_NOTFOUND
"Matching credential not found"
-1765328242 KRB5_CC_END
"End of credential cache reached"
-1765328241 KRB5_NO_TKT_SUPPLIED
"Request did not supply a ticket"
-1765328240 KRB5KRB_AP_WRONG_PRINC
"Wrong principal in request"
-1765328239 KRB5KRB_AP_ERR_TKT_INVALID
"Ticket has invalid flag set"
-1765328238 KRB5_PRINC_NOMATCH
"Requested principal and ticket don't match"
-1765328237 KRB5_KDCREP_MODIFIED
"KDC reply did not match expectations"
-1765328236 KRB5_KDCREP_SKEW
"Clock skew too great in KDC reply"
-1765328235 KRB5_IN_TKT_REALM_MISMATCH
"Client/server realm mismatch in initial ticket request"
-1765328234 KRB5_PROG_ETYPE_NOSUPP
"Program lacks support for encryption type"
-1765328233 KRB5_PROG_KEYTYPE_NOSUPP
"Program lacks support for key type"
-1765328232 KRB5_WRONG_ETYPE
"Requested encryption type not used in message"
-1765328231 KRB5_PROG_SUMTYPE_NOSUPP
"Program lacks support for checksum type"
-1765328230 KRB5_REALM_UNKNOWN
"Cannot find KDC for requested realm"
-1765328229 KRB5_SERVICE_UNKNOWN
"Kerberos service unknown"
-1765328228 KRB5_KDC_UNREACH
"Cannot contact any KDC for requested realm"
-1765328227 KRB5_NO_LOCALNAME
"No local name found for principal name"
-1765328226 KRB5_MUTUAL_FAILED
"Mutual authentication failed"
-1765328225 KRB5_RC_TYPE_EXISTS
"Replay cache type is already registered"
-1765328224 KRB5_RC_MALLOC
"No more memory to allocate (in replay cache code)"
-1765328223 KRB5_RC_TYPE_NOTFOUND
"Replay cache type is unknown"
-1765328222 KRB5_RC_UNKNOWN
"Generic unknown RC error"
-1765328221 KRB5_RC_REPLAY
"Message is a replay"
-1765328220 KRB5_RC_IO
-1765328219 KRB5_RC_NOIO
"Replay I/O operation failed XXX"
"Replay cache type does not support non-volatile
storage"
-1765328218 KRB5_RC_PARSE
"Replay cache name parse/format error"
-1765328217 KRB5_RC_IO_EOF
"End-of-file on replay cache I/O"
-1765328216 KRB5_RC_IO_MALLOC
"No more memory to allocate (in replay cache I/O code)"
-1765328215 KRB5_RC_IO_PERM
"Permission denied in replay cache code"
-1765328214 KRB5_RC_IO_IO
"I/O error in replay cache i/o code"
July 2023
57
Single Sign-On with SAP HANA® Database using Kerberos and Microsoft Active Directory
-1765328213 KRB5_RC_IO_UNKNOWN
"Generic unknown RC/IO error"
-1765328212 KRB5_RC_IO_SPACE
"Insufficient system space to store replay information"
-1765328211 KRB5_TRANS_CANTOPEN
"Can't open/find realm translation file"
-1765328210 KRB5_TRANS_BADFORMAT
"Improper format of realm translation file"
-1765328209 KRB5_LNAME_CANTOPEN
"Can't open/find lname translation database"
-1765328208 KRB5_LNAME_NOTRANS
"No translation available for requested principal"
-1765328207 KRB5_LNAME_BADFORMAT
"Improper format of translation database entry"
-1765328206 KRB5_CRYPTO_INTERNAL
"Cryptosystem internal error"
-1765328205 KRB5_KT_BADNAME
"Key table name malformed"
-1765328204 KRB5_KT_UNKNOWN_TYPE
"Unknown Key table type"
-1765328203 KRB5_KT_NOTFOUND
"Key table entry not found"
-1765328202 KRB5_KT_END
"End of key table reached"
-1765328201 KRB5_KT_NOWRITE
"Cannot write to specified key table"
-1765328200 KRB5_KT_IOERR
"Error writing to key table"
-1765328199 KRB5_NO_TKT_IN_RLM
"Cannot find ticket for requested realm"
-1765328198 KRB5DES_BAD_KEYPAR
"DES key has bad parity"
-1765328197 KRB5DES_WEAK_KEY
"DES key is a weak key"
-1765328196 KRB5_BAD_ENCTYPE
"Bad encryption type"
-1765328195 KRB5_BAD_KEYSIZE
"Key size is incompatible with encryption type"
-1765328194 KRB5_BAD_MSIZE
"Message size is incompatible with encryption type"
-1765328193 KRB5_CC_TYPE_EXISTS
"Credentials cache type is already registered."
-1765328192 KRB5_KT_TYPE_EXISTS
"Key table type is already registered."
-1765328191 KRB5_CC_IO
"Credentials cache I/O operation failed XXX"
-1765328190 KRB5_FCC_PERM
"Credentials cache permissions incorrect"
-1765328189 KRB5_FCC_NOFILE
"No credentials cache found"
-1765328188 KRB5_FCC_INTERNAL
"Internal credentials cache error"
-1765328187 KRB5_CC_WRITE
-1765328186 KRB5_CC_NOMEM
"Error writing to credentials cache"
"No more memory to allocate (in credentials cache
code)"
-1765328185 KRB5_CC_FORMAT
"Bad format in credentials cache"
-1765328184 KRB5_CC_NOT_KTYPE
"No credentials found with supported encryption types"
-1765328183 KRB5_INVALID_FLAGS
"Invalid KDC option combination (library internal error)"
-1765328182 KRB5_NO_2ND_TKT
"Request missing second ticket"
-1765328181 KRB5_NOCREDS_SUPPLIED
"No credentials supplied to library routine"
-1765328180 KRB5_SENDAUTH_BADAUTHVERS
"Bad sendauth version was sent"
-1765328179 KRB5_SENDAUTH_BADAPPLVERS
"Bad application version was sent (via sendauth)"
-1765328178 KRB5_SENDAUTH_BADRESPONSE
-1765328177 KRB5_SENDAUTH_REJECTED
"Bad response (during sendauth exchange)"
"Server rejected authentication (during sendauth
exchange)"
-1765328176 KRB5_PREAUTH_BAD_TYPE
"Unsupported preauthentication type"
-1765328175 KRB5_PREAUTH_NO_KEY
"Required preauthentication key not supplied"
-1765328174 KRB5_PREAUTH_FAILED
"Generic preauthentication failure"
-1765328173 KRB5_RCACHE_BADVNO
"Unsupported replay cache format version number"
-1765328172 KRB5_CCACHE_BADVNO
"Unsupported credentials cache format version number"
-1765328171 KRB5_KEYTAB_BADVNO
"Unsupported key table format version number"
-1765328170 KRB5_PROG_ATYPE_NOSUPP
"Program lacks support for address type"
July 2023
58
Single Sign-On with SAP HANA® Database using Kerberos and Microsoft Active Directory
-1765328169 KRB5_RC_REQUIRED
"Message replay detection requires rcache parameter"
-1765328168 KRB5_ERR_BAD_HOSTNAME
"Hostname cannot be canonicalized"
-1765328167 KRB5_ERR_HOST_REALM_UNKNOWN
"Cannot determine realm for host"
"Conversion to service principal undefined for name
type"
-1765328166 KRB5_SNAME_UNSUPP_NAMETYPE
-1765328165 KRB5KRB_AP_ERR_V4_REPLY
-1765328164 KRB5_REALM_CANT_RESOLVE
"Initial Ticket response appears to be Version 4 error"
"Cannot resolve network address for KDC in requested
realm"
-1765328163 KRB5_TKT_NOT_FORWARDABLE
"Requesting ticket can't get forwardable tickets"
-1765328162 KRB5_FWD_BAD_PRINCIPAL
"Bad principal name while trying to forward credentials"
-1765328161 KRB5_GET_IN_TKT_LOOP
"Looping detected inside krb5_get_in_tkt"
-1765328160 KRB5_CONFIG_NODEFREALM
"Configuration file does not specify default realm"
-1765328159 KRB5_SAM_UNSUPPORTED
"Bad SAM flags in obtain_sam_padata"
-1765328158 KRB5_SAM_INVALID_ETYPE
"Invalid encryption type in SAM challenge"
-1765328157 KRB5_SAM_NO_CHECKSUM
"Missing checksum in SAM challenge"
-1765328156 KRB5_SAM_BAD_CHECKSUM
"Bad checksum in SAM challenge"
-1765328155 KRB5_KT_NAME_TOOLONG
-1765328154 KRB5_KT_KVNONOTFOUND
"Keytab name too long"
"Key version number for principal in key table is
incorrect"
-1765328153 KRB5_APPL_EXPIRED
"This application has expired"
-1765328152 KRB5_LIB_EXPIRED
"This Krb5 library has expired"
-1765328151 KRB5_CHPW_PWDNULL
"New password cannot be zero length"
-1765328150 KRB5_CHPW_FAIL
"Password change failed"
-1765328149 KRB5_KT_FORMAT
"Bad format in keytab"
-1765328148 KRB5_NOPERM_ETYPE
"Encryption type not permitted"
-1765328147 KRB5_CONFIG_ETYPE_NOSUPP
"No supported encryption types (config file error?)"
-1765328146 KRB5_OBSOLETE_FN
"Program called an obsolete, deleted function"
-1765328145 KRB5_EAI_FAIL
"unknown getaddrinfo failure"
-1765328144 KRB5_EAI_NODATA
"no data available for host/domain name"
-1765328143 KRB5_EAI_NONAME
"host/domain name not found"
-1765328142 KRB5_EAI_SERVICE
"service name unknown"
-1765328141 KRB5_ERR_NUMERIC_REALM
"Cannot determine realm for numeric host address"
-1765328140 KRB5_ERR_BAD_S2K_PARAMS
"Invalid key generation parameters from KDC"
-1765328139 KRB5_ERR_NO_SERVICE
"service not available"
-1765328138 KRB5_CC_READONLY
"Ccache function not supported: read-only ccache type"
-1765328137 KRB5_CC_NOSUPP
"Ccache function not supported: not implemented"
-1765328136 KRB5_DELTAT_BADFORMAT
"Invalid format of Kerberos lifetime or clock skew string"
-1765328135 KRB5_PLUGIN_NO_HANDLE
"Supplied data not handled by this plugin"
-1765328134 KRB5_PLUGIN_OP_NOTSUPP
"Plugin does not support the operaton"
July 2023
59
SAP Note 1837331
