Intranet Access Management

Chapter 5: Implementing the Solution

Published: May 11, 2004 | Updated: June 26, 2006

The previous chapters in this paper provide you with the information you need to understand the business requirements, and the specifications for implementing solutions that address the two Contoso scenarios (enabling UNIX workstations to authenticate to the Microsoft® Active Directory® directory service, and configuring the SAP R/3 Application Server to authenticate to Active Directory). This chapter provides prescriptive guidance on how to implement the solutions.

The prerequisites and implementation guidance in this chapter can be verified by following the guidance in Chapter 6, "Testing the Solution."


Tools and Templates

The Identity and Access Management download package includes Identity and Access Management Tools and Templates.msi, which is the Tools and Templates installer file. The Tools and Templates that are part of this download include text-based scripts, code samples, and configuration files that are related to identity and access management, but do not include any executable programs or compiled code.

Note   These samples are provided as examples only. Be sure to review, customize, and test these tools and templates before you use them in a production environment.

When you run the installer file, the resulting folder structure will look similar to the one that appears in Figure 5.1, depending on where you install it.

Figure 5.1. The Tools and Templates folder structure


This guide assumes that you have installed the Tools and Templates into the default location of %UserProfile%\My Documents\Identity and Access Management Tools and Templates. If you use a different installation location, ensure that you use the same path in all the steps in this document.

Note   The Tools and Templates MSI package can sometimes produce an error during the installation process. See the Identity and Access Management Series Readme.htm file for more information.

Folder: UNIX

Table 5.1. The UNIX Folder

File name    Purpose
krb5.conf    This sample file demonstrates how to configure the Kerberos version 5 authentication protocol on Sun Solaris version 9 workstations.
pam.conf     This sample file demonstrates how to configure the PAM service to support the Kerberos version 5 protocol.

Integrating UNIX Workstations with Active Directory

The Contoso example integrates UNIX workstations and applications with the Microsoft Identity and Access Management Platform, which requires migrating Solaris 9 workstation local user accounts to Active Directory. To do this, Contoso must first create UNIX user and workstation accounts in Active Directory, and then configure the Solaris 9 workstations to use the Kerberos protocol. This protocol allows you to use the Key Distribution Center (KDC) in Microsoft Windows Server™ 2003 to authenticate the Solaris 9 accounts by using Microsoft Windows® credentials.

The high-level tasks you will need to perform to implement this scenario are:

Create accounts for UNIX workstations and users in Active Directory.

Configure UNIX workstations to use the Kerberos protocol for user logon.

Implementation Prerequisites

To implement the following prescriptive guidance, you need to ensure that the following prerequisites have been met.

Install and configure the Active Directory portion of the Contoso infrastructure as described in the "Platform and Infrastructure" paper in this series.

Ensure that the UNIX workstations have Domain Name System (DNS) configured to resolve the Windows Server 2003 domain names. Open the /etc/resolv.conf file and verify that it contains lines similar to those in the following table.

Table 5.2. Windows Server 2003 Domain Names

Name          Address or domain
domain        na.corp.contoso.com
nameserver    10.1.11.32
search        na.corp.contoso.com

Ensure that the UNIX workstations receive IP addresses leased from the Dynamic Host Configuration Protocol (DHCP) server in your domain.

Install the Sun Enterprise Authentication Mechanism (SEAM) 1.0.1 product (normally bundled with Solaris 9) on the UNIX workstations.

Ensure that the UNIX workstation clocks are all in sync with the Active Directory domain controllers.

Implementation Overview

This scenario can be implemented with the following two main activities.

UNIX Account Creation

UNIX Workstation Configuration

UNIX Account Creation

Contoso performed the following tasks to create user accounts in Active Directory that matched the user accounts in the Solaris 9 workstations. You can tailor these tasks to the requirements of your organization.

Task 1:    Add UNIX User Accounts to Active Directory

Task 2:    Create UNIX Workstation Accounts in Active Directory

Task 3:    Generate Keytab Files for the UNIX Workstations

Caution   The user accounts in Active Directory must exactly match the user account names in the UNIX workstations, which are case-sensitive.

Task 1: Add UNIX User Accounts to Active Directory

Complete the following steps to accomplish this task.

To add a UNIX user account to Active Directory

1. Open the Microsoft Management Console (MMC) for Active Directory Users and Computers with user privileges to manage user accounts.

2. In the console tree, click the Users organizational unit (OU).

3. Right-click the Users OU, point to New, and then click User.

4. In the New Object-User dialog box, type the following information (leave all other information at the default values).

   First name: <Solaris_User_First name>
   Last name: <Solaris_User_Last name>
   User logon name: <Solaris_User_UNIX_Account_Name>
   User logon name (pre-Windows 2000): <Solaris_User_UNIX_Account_Name>

5. Click Next.

6. In the New Object-User dialog box, type the following information.

   Password: <Alphanumeric_Password>
   Confirm password: <Alphanumeric_Password>

7. Click Next, and then click Finish.

Task 2: Create UNIX Workstation Accounts in Active Directory

Complete the following steps to create an account in Active Directory to represent a Solaris 9 workstation.

To create a UNIX workstation account in Active Directory

1. Open the Active Directory Users and Computers MMC with user privileges to manage user accounts.

2. Right-click na.corp.contoso.com, point to New, and then click Organizational Unit.

3. In the New Object-Organizational Unit dialog box, type Solaris Workstations and then click OK.

4. Right-click Solaris Workstations, point to New, and then click User.

5. In the New Object-User dialog box, type the following information (leave all other information at the default values).

   First name: <Solaris_Workstation_Name>
   User logon name: <Solaris_Workstation_Name>
   User logon name (pre-Windows 2000): <Solaris_Workstation_Name>

6. In the New Object-User dialog box, click Next, and then type the following information:

   Password: <Alphanumeric_Password>
   Confirm password: <Alphanumeric_Password>

7. In the same dialog box, clear the User must change password at next logon check box, and select the Password never expires check box.

8. Click Next, and then click Finish.

Task 3: Generate Keytab Files for the UNIX Workstations

Use the ktpass.exe utility to create keytab files for the UNIX workstations. The keytab file contains the key that the Kerberos version 5 protocol uses to encrypt ticket requests.

Note   The ktpass.exe utility is included with the Support Tools on the Windows Server 2003 product CD.

Complete the following steps to create keytab files for the UNIX workstations.

To generate a keytab file for a UNIX workstation

1. Log on to the domain controller as Administrator.

2. Click Start, click Run, type cmd and then press ENTER to open the command prompt.

3. At the command prompt, run the ktpass utility with the command line switches specified in this step with the following modifications.

   Use the name of the Solaris workstation created in task 2, step 5 for <Solaris_Workstation_Name>.

   NA.CORP.CONTOSO.COM and na.corp.contoso.com represent the domain in which the Solaris workstation computer account was created.

   Use the password created in task 2, step 6 for password as shown in the following example.

Note   Some of the lines in the following code have been displayed on multiple lines for better readability.

ktpass -princ 
host/<Solaris_Workstation_Name>.na.corp.contoso.com@
NA.CORP.CONTOSO.COM -mapuser <Solaris_Workstation_Name> 
-pass password -out <Solaris_Workstation_Name>.keytab

4. Press ENTER, and the following output should appear.

Note   Some of the lines in the following code have been displayed on multiple lines for better readability.

Targeting domain controller: GRNCDC01.na.corp.contoso.com
Successfully mapped host/ 
Solaris_Workstation_Name.na.corp.contoso.com to 
Solaris_Workstation_Name.
Key created.
Output keytab to Solaris_Workstation_Name.keytab:
Keytab version: 0x502
keysize 79 host/ Solaris_Workstation_Name.na.corp.contoso.com@
NA.CORP.CONTOSO.COM ptype 1 (KRB5_NT_PRINCIPAL) vno 3 
etype 0x3 (DES-CBC-MD5) keylength 8 (0x0e9bd5da314f5bad)
Account Solaris_Workstation_Name has been set for 
DES-only encryption.

UNIX Workstation Configuration

Contoso performed the following tasks to configure the Kerberos version 5 protocol on UNIX workstations. You can tailor these tasks to fit the requirements of your organization.

Task 1: Install the keytab File on the UNIX Workstation

Task 2: Configure the pam.conf File

Task 3: Configure the krb5.conf File

Task 4: Delete User Passwords on the UNIX Workstation

Task 1: Install the Keytab File on the UNIX Workstation

Complete the following steps to accomplish this task.

To install the keytab file on the UNIX Workstation

1. Use File Transfer Protocol (FTP) to send the keytab file created on the domain controller to the Solaris 9 operating system running on the UNIX workstation.

   Important   Because you are going to exchange data between a computer running Windows Server 2003 and a Solaris 9 host, ensure that the transfer mode is set to binary for the FTP session.

2. Log on to the UNIX workstation as root.

3. Verify that DNS is installed. The /etc/resolv.conf file should include the following information.

domain na.corp.contoso.com
nameserver 10.1.103.13

4. At the # prompt, type ktutil and then press ENTER.

5. At the ktutil: command prompt, type rkt Solaris_Workstation_Name.keytab and then press ENTER.

6. At the ktutil: command prompt, type list, press ENTER, and the following output should appear.

ktutil: list
slot KVNO Principal
1 3 host/ffl-na-sun-01.na.corp.contoso.com@NA.CORP.CONTOSO.COM

7. At the ktutil: command prompt, type wkt /etc/krb5/krb5.keytab and then press ENTER.

8. At the ktutil: command prompt, type q and then press ENTER.
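
Added example (not part of the original paper or its Tools and Templates): a Python reader for the version 0x502 keytab layout that ktpass reports. It lists each principal, key version and encryption type, flags single-DES keys such as the DES-CBC-MD5 key in the ktpass output, and shows why the FTP transfer must be binary. The sample bytes and key are constructed, and the function names are this example's own.

```python
import struct

# Kerberos encryption type numbers; 1-3 are the single-DES types.
ETYPE_NAMES = {1: "des-cbc-crc", 2: "des-cbc-md4", 3: "des-cbc-md5",
               17: "aes128-cts-hmac-sha1-96", 23: "rc4-hmac"}
SINGLE_DES = {1, 2, 3}

class KeytabError(ValueError):
    """The bytes are not a well-formed version 0x502 keytab."""

def _take(buf, pos, n):
    if pos + n > len(buf):
        raise KeytabError("truncated at offset %d (need %d bytes)" % (pos, n))
    return buf[pos:pos + n], pos + n

def _counted(buf, pos):
    raw, pos = _take(buf, pos, 2)          # 16-bit big-endian length prefix
    return _take(buf, pos, struct.unpack(">H", raw)[0])

def parse_keytab(data):
    """Return one dict per key entry: principal, kvno, etype, keylength."""
    if data[:2] != b"\x05\x02":
        raise KeytabError("missing 0x502 version header")
    entries, pos = [], 2
    while pos < len(data):
        raw, pos = _take(data, pos, 4)
        size = struct.unpack(">i", raw)[0]
        if size <= 0:                      # negative size marks a deleted slot
            pos += -size
            continue
        body, pos = _take(data, pos, size)
        raw, p = _take(body, 0, 2)
        ncomp = struct.unpack(">H", raw)[0]
        realm, p = _counted(body, p)
        comps = []
        for _ in range(ncomp):
            comp, p = _counted(body, p)
            comps.append(comp.decode("ascii", "replace"))
        raw, p = _take(body, p, 11)        # name type, timestamp, vno8, etype
        _ptype, _ts, kvno, etype = struct.unpack(">IIBH", raw)
        key, p = _counted(body, p)
        if len(body) - p >= 4:             # optional 32-bit kvno overrides vno8
            kvno = struct.unpack(">I", body[p:p + 4])[0] or kvno
        principal = "/".join(comps) + "@" + realm.decode("ascii", "replace")
        entries.append({"principal": principal, "kvno": kvno, "etype": etype,
                        "etype_name": ETYPE_NAMES.get(etype, "unknown"),
                        "keylength": len(key)})
    return entries

def weak_entries(entries):
    """Entries keyed with single DES, like the one ktpass reports above."""
    return [e for e in entries if e["etype"] in SINGLE_DES]

def is_intact(data):
    """False when the file no longer parses, e.g. after an ASCII-mode FTP copy."""
    try:
        parse_keytab(data)
        return True
    except KeytabError:
        return False

def build_sample(components, realm, kvno, etype, key):
    """Serialise one entry in keytab layout (used only to construct test input)."""
    def cs(b):
        return struct.pack(">H", len(b)) + b
    body = struct.pack(">H", len(components)) + cs(realm)
    body += b"".join(cs(c) for c in components)
    body += struct.pack(">IIBH", 1, 0, kvno, etype) + cs(key)
    return b"\x05\x02" + struct.pack(">i", len(body)) + body

# Constructed sample: the principal from the ktutil listing with a made-up
# key that contains the byte pair 0x0D 0x0A.
SAMPLE = build_sample([b"host", b"ffl-na-sun-01.na.corp.contoso.com"],
                      b"NA.CORP.CONTOSO.COM", 3, 3,
                      bytes.fromhex("01020d0a05060708"))
# The same file after a Windows-to-UNIX ASCII-mode transfer (CRLF becomes LF).
ASCII_MANGLED = SAMPLE.replace(b"\r\n", b"\n")

if __name__ == "__main__":
    for e in parse_keytab(SAMPLE):
        flag = "single DES" if e["etype"] in SINGLE_DES else "ok"
        print(e["kvno"], e["principal"], e["etype_name"], flag)
    print("ASCII-mode copy intact:", is_intact(ASCII_MANGLED))
```

Running the same check on the copy that arrived on the workstation, before the wkt step, catches a mangled transfer earlier than a failed logon would.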

Task 2: Configure the pam.conf File

Complete the following steps to configure the pam.conf file, which is a Pluggable Authentication Module (PAM) architecture configuration file that Contoso will use to enable the Kerberos version 5 protocol authentication.

To configure the pam.conf file

1. Log on to the UNIX workstation as root.

2. Make a backup by copying the default /etc/pam.conf file and renaming the backup file /etc/pam.conf.old.

   The Tools and Templates folder that downloads with this paper contains an example of a pam.conf file that is used on the UNIX workstation to enable authentication using the Kerberos version 5 protocol.

3. Copy the provided file to the UNIX workstation or modify the existing /etc/pam.conf file to match the following information in the configuration file.

#
# PAM configuration
#
#
# Contoso's pam.conf to enable Kerberos
#
# Authentication
#
other   auth sufficient         pam_krb5.so.1
other   auth sufficient         pam_unix.so.1 try_first_pass
#
# Password
#
other   password sufficient     pam_krb5.so.1
other   password sufficient     pam_unix.so.1
#
# Account 
#
other   account optional        pam_krb5.so.1
other   account optional        pam_unix.so.1
#
# session
#
other   session optional        pam_krb5.so.1
other   session optional        pam_unix.so.1

Task 3: Configure the krb5.conf File

The krb5.conf file is used to set the defaults for the Kerberos protocol on the UNIX workstation. Contoso modified this file to point to the KDC in Windows Server 2003 and na.corp.contoso.com in the Windows Server 2003 realm.

Complete the following steps to configure this file according to your organization's needs.

To configure the krb5.conf file

1. Log on to the UNIX workstation as root.

2. Make a backup by copying the default /etc/krb5/krb5.conf file and then rename the backup file /etc/krb5/krb5.conf.old.

3. Customize the krb5.conf file in the Tools and Templates folder that downloads with this paper for your environment, and then copy it to the /etc/krb5/krb5.conf file on the UNIX workstation. An example of information contained in this configuration file that Contoso used follows:

Note   Some of the lines in the following code have been displayed on multiple lines for better readability.

[libdefaults]
    default_realm = NA.CORP.CONTOSO.COM
[realms]
    NA.CORP.CONTOSO.COM = {
        kdc = ffl-na-dc-01.na.corp.contoso.com
        admin_server = ffl-na-dc-01.na.corp.contoso.com
        kpasswd_protocol = SET_CHANGE
    }
[domain_realm]
    .na.corp.contoso.com = NA.CORP.CONTOSO.COM
[logging]
    default = FILE:/var/krb5/kdc.log
    kdc = FILE:/var/krb5/kdc.log
    kdc_rotate = {
# How often to rotate kdc.log. Logs will get rotated no more
# often than the period, and less often if the KDC is not used
# frequently.
        period = 1d
# How many versions of kdc.log to keep around
# (kdc.log.0, kdc.log.1, ...)
        version = 10
    }
[appdefaults]
    kinit = {
        renewable = true
        forwardable = true
    }
    gkadmin = {
        help_url = http://docs.sun.com:80/ab2/coll.384.1
            /SEAM/@AB2PageView/1195
    }

4. Confirm that the UNIX workstation system clock is synchronized with the domain controller clock. Run the date command on the UNIX system, and run the time command on the Windows domain controller. After accounting for any difference in time zone settings, adjust the time on the UNIX system to within 5 minutes of the time reported by the domain controller.

Important   This is a Kerberos version 5 protocol requirement. The system clocks cannot be more than 5 minutes out of synchronization.

Task 4: Delete User Passwords on the UNIX Workstation

If there is an existing UNIX account on the workstation with the same name as the Active Directory user account, then the password information in the /etc/shadow file should be removed because it will no longer be used.

Complete the following steps to accomplish this task.

To delete Active Directory user passwords on the UNIX workstation

1. Log on to the UNIX workstation as root.

2. Open the /etc/shadow file in a text editor.

3. Find the entry for the Active Directory user, and then delete the entire line for it.

The UNIX workstation is now configured to use the Kerberos protocol to authenticate users against Active Directory.

Microsoft recommends validating the implementation by running the tests described in the "Validate the Implementation Prerequisites" section of the UNIX workstation and Active Directory integration scenario in Chapter 6, "Testing the Solution."

Integrating SAP R/3 Application Server Authentication by Using the Kerberos Protocol

Contoso wants to use its investment in the Windows Server 2003 Active Directory infrastructure to implement single sign on (SSO) to the SAP R/3 Application Server. To do this, the authentication process between the SAP front-end applications and the SAP R/3 Application Server must be configured to use the Kerberos version 5 protocol.

Implementation Prerequisites

For these implementation details to work correctly, you need to have the basic Contoso infrastructure implemented as defined in the following chapters in the "Platform and Infrastructure" paper in this series, Chapter 4, "Designing the Infrastructure" and Chapter 5, "Implementing the Infrastructure," including:

An intranet Microsoft Active Directory® directory service forest. The forest should contain the provided Contoso OUs, groups, and users.

Before performing the tasks in this section, you must also complete the following:

Ensure that the SAP R/3 Application Server has user accounts in the SAP system.

Ensure that an Active Directory account exists for each SAP user account in the intranet Active Directory for account mapping and SSO purposes.

Implementation Overview

This scenario can be implemented by completing the following two activities.

SAP R/3 Server Configuration

Configuring the SAP GUI Client on Windows XP

SAP R/3 Server Configuration

The following tasks in this section configure the SAP R/3 Application Server to use the Kerberos version 5 protocol. You can tailor these tasks to the requirements of your organization.

Task 1: Create a SAP Service Account to Run the SAP R/3 Application Server Process

Task 2: Establish a Service Principal Name (SPN) for the SAP User Account

Task 3: Add a SAP User Account to the Local Administrators Group

Task 4: Install the Kerberos version 5 Protocol

Task 5: Configure SNC on the SAP R/3 Server to Use the Kerberos version 5 Protocol

Task 6: Map the SAP R/3 Application Server User Accounts to Active Directory

Task 1: Create a SAP Service Account to Run the SAP R/3 Application Server Process

Complete the following steps to accomplish this task.

To create a SAP service account in Active Directory

1. Open the Active Directory Users and Computers MMC with user privileges to manage user accounts.

2. In the console tree, right-click the Users OU, point to New, and then click User.

3. In the New Object-User dialog box, type the following information.

   First name: SAP
   Last name: Logon
   User logon name: sapacct@na.corp.contoso.com
   User logon name (pre-Windows 2000): sapacct

   Note   Do not change any other default value information in this dialog box.

4. Click Next, and then in the New Object-User dialog box, type the following information:

   Password: <Alphanumeric_Password>
   Confirm password: <Alphanumeric_Password>

Task 2: Establish an SPN for the SAP User Account

Complete the following steps to accomplish this task.

To establish an SPN for the SAP user account

1. Locate the setspn.exe utility on the Windows 2003 Server Resource Kit CD or download it from the Windows 2000 Resource Kit Tool: Setspn.exe page.

2. While logged on as a domain administrator, type the following at the command prompt:

   SETSPN -A SAPService/<host computer name> NA\sapacct

Note   This task is necessary on Windows Server 2003 because the KDC will invoke the Kerberos user2user protocol for any account that does not have an SPN. Because the SPN is not actually used by the SAP client when requesting Kerberos service tickets for the SAP R/3 Application Server, the only part of the SPN that must be correct is the principal name of the SAP service user account.

Task 3: Add a SAP Service Account to the Local Administrators Group

Complete the following steps to accomplish this task.

To add a SAP service account to the Local Administrators group

1. Open the Computer Management MMC with domain administration privileges on the SAP R/3 Application Server.

2. In the console tree, double-click System Tools, click Local Users and Groups, and then click Groups.

3. Right-click the Administrators group, and then click Add to Group.

4. In the Administrator Properties dialog box, click Add.

5. In the Select Users, Computers or Group dialog box, go to the Enter the object names to select (examples) box, and then type sapacct@na.corp.contoso.com

Task 4: Install the Kerberos Version 5 Protocol

The next task is to install the Kerberos version 5 protocol component on the SAP R/3 Application Server by completing the following steps.

Note   There is a version of the gsskrb5.dll binary file included with the SAP installation media, but a newer version available from SAP must be used in Windows Server 2003 and Microsoft Windows® XP environments. SAP note number 352295 has more information about why this version of the .dll file is needed, and also attaches the newer version so that it can be downloaded. You can access SAP notes by using your SAP account to connect to OSS, or by going directly to the SAP Service Marketplace page of the SAP Web site.

To install the Kerberos version 5 protocol on the SAP R/3 Application Server

1. Log on to the SAP R/3 Application Server as sapacct@na.corp.contoso.com

2. Copy the Gsskrb5.dll file to %windir%\system32.

3. Click Control Panel, and then click System.

4. Click the Advanced tab, click Environment Variables, and then in the Environment Variables dialog box, under the System variables, click New.

5. In the New System Variable dialog box, type the following information.

   Variable Name: SNC_LIB
   Variable Value: %windir%\system32\gsskrb5.dll

   Note   These variable values define the location for the Gsskrb5.dll file.

Task 5: Configure SNC to Use the Kerberos Version 5 Protocol

After you complete the previous tasks you are ready to configure the Secure Network Communication (SNC) functionality in the SAP R/3 Application Server to use the Kerberos version 5 protocol for authentication. You can download the SNC User's Guide from the SAP Web site.

Complete the following steps to accomplish this task.

To configure the SNC to use the Kerberos version 5 authentication protocol

1. Log on to the SAP R/3 Application Server as sapacct@na.corp.contoso.com.

   Note   The SAP R/3 Application Server system is case-sensitive. For this reason, you must log on by typing the logon name of the user account in Active Directory exactly as it appears here.

2. Open the <SAP R/3 Web Server Drive:>\MBS\MBS_D00.pfl file by using Notepad.exe, and then add the following parameters to the end of the file.

#language
zcsa/system_language = EN
#Kerberos
snc/enable =1
snc/accept_insecure_cpic =1
snc/accept_insecure_gui =1
snc/accept_insecure_r3int_rfc =1
snc/accept_insecure_rfc =1
snc/data_protection/max =1
snc/data_protection/min =1
snc/data_protection/use =1
# Location of the dll used for kerberos
snc/gssapi_lib = C:\windows\system32\gsskrb5.dll
snc/permit_insecure_start =1
# The Windows User Account used to run SAP Server
snc/identity/as = p:sapacct@na.corp.contoso.com
snc/r3int_rfc_secure = 0

Note   The parameters in this file are case-sensitive. For example, the value of the parameter snc/identity/as =p:sapacct@na.corp.contoso.com is case-sensitive and must match the case of the user logon name in Active Directory.

The exact location of the Windows installation should be used in place of C:\Windows in the snc/gssapi_lib parameter.

A line feed [empty line] should be added at the end of the configuration file MBS_D00.pfl. If an empty line is not present, warnings are generated while running the MBS.

Substitute the actual directory used for the Windows installation if different from "C:\Windows."

3. Double-click <SAP R/3 Web Server Drive>\MBS\runmbs.cmd to start the SAP MBS System.
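
Added example (not from the paper or from SAP): a Python check that reads the SNC parameters added in step 2 and lists the ones that still let connections skip SNC or cap the protection level. PAGE_PROFILE is constructed from the parameters shown above; TIGHTENED_PROFILE is a hypothetical later state assumed only for comparison, and the function names are this example's own.

```python
# Constructed input: the SNC parameters from the profile shown above.
PAGE_PROFILE = r"""
#Kerberos
snc/enable =1
snc/accept_insecure_cpic =1
snc/accept_insecure_gui =1
snc/accept_insecure_r3int_rfc =1
snc/accept_insecure_rfc =1
snc/data_protection/max =1
snc/data_protection/min =1
snc/data_protection/use =1
# Location of the dll used for kerberos
snc/gssapi_lib = C:\windows\system32\gsskrb5.dll
snc/permit_insecure_start =1
snc/identity/as = p:sapacct@na.corp.contoso.com
snc/r3int_rfc_secure = 0
"""

# Hypothetical later state, assumed for comparison only (not from the page):
# all users are mapped, so fallback logons are refused except per user.
TIGHTENED_PROFILE = r"""
snc/enable = 1
snc/accept_insecure_cpic = 0
snc/accept_insecure_gui = U
snc/accept_insecure_r3int_rfc = 1
snc/accept_insecure_rfc = 0
snc/data_protection/max = 3
snc/data_protection/min = 2
snc/data_protection/use = 3
snc/permit_insecure_start = 0
snc/r3int_rfc_secure = 0
"""

# What the value 1 means for each fallback switch.
FALLBACK = {
    "snc/accept_insecure_cpic": "CPIC connections without SNC are accepted",
    "snc/accept_insecure_gui": "SAP GUI logons without SNC are accepted",
    "snc/accept_insecure_r3int_rfc": "internal RFC without SNC is accepted",
    "snc/accept_insecure_rfc": "external RFC without SNC is accepted",
    "snc/permit_insecure_start": "programs may be started without SNC",
}
LEVELS = {"1": "authentication only", "2": "integrity protection",
          "3": "privacy protection"}


def parse_profile(text):
    """Parse 'name = value' lines, skipping blanks and # comments."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition("=")
        if sep:
            params[name.strip()] = value.strip()
    return params


def audit_snc(params):
    """Return (parameter, value, finding) for settings that bypass or cap SNC."""
    if params.get("snc/enable") != "1":
        return [("snc/enable", params.get("snc/enable"), "SNC is not enabled")]
    findings = []
    for name, meaning in FALLBACK.items():
        value = params.get(name)
        if value == "1":
            findings.append((name, value, meaning))
        elif value == "U":
            findings.append((name, value, "only for users permitted in SU01"))
    top = params.get("snc/data_protection/max")
    if top in LEVELS and top != "3":
        findings.append(("snc/data_protection/max", top,
                         "strongest level offered is " + LEVELS[top]))
    return findings


if __name__ == "__main__":
    for label, text in (("page", PAGE_PROFILE), ("tightened", TIGHTENED_PROFILE)):
        for name, value, finding in audit_snc(parse_profile(text)):
            print("%-9s %-30s = %s  %s" % (label, name, value, finding))
```

With snc/data_protection/max = 1 the server offers authentication only, so a client that asks for the maximum available level still gets a session without integrity or privacy protection.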

Task 6: Map the SAP R/3 User Accounts to Active Directory

After configuring the SAP R/3 Application Server to use the Kerberos protocol, you can map the SAP R/3 Web server user accounts to the user accounts in Active Directory.

Contoso has Windows accounts for all of the company's SAP R/3 Web server users. You can tailor the steps in this task to meet the needs of your organization.

To map the SAP R/3 Server user sap1 to Active Directory account sap1@NA.CORP.CONTOSO.COM

1. Log on to the SAP R/3 Application Server as Administrator.

2. Type the Transaction Code SU01 to go to the User Maintenance: Initial Screen.

3. In the User box, type sap1, the name of the SAP R/3 Application Server user.

4. Click the User Names menu, click Change to make the Maintain User screen appear, and then click the SNC tab.

5. In the SNC Name text box, type p:sap1@NA.CORP.CONTOSO.COM

   Note   Remember, SAP R/3 Web server user information is case-sensitive. The SNC name that maps the SAP R/3 Web server user to the Active Directory account for the user logon sap1 in the domain NA.CORP.CONTOSO.COM must exactly match this logon name in Active Directory.

6. Select the Unsecure Communication permitted (user-specific) check box.

7. Click Save on the menu bar to preserve these changes.

8. To verify that the canonical name is valid, click the User Names menu, click Display, and then click the SNC tab.

9. On the SNC Data property sheet, a check mark should appear next to the message Canonical name determined.

This concludes the tasks for configuring SSO on the SAP R/3 Application Server.

Configuring the SAP GUI Client on Windows XP

Contoso wants to configure its Microsoft Windows XP clients to use the Kerberos protocol instead of the default authentication process to log on to the SAP R/3 Application Server. To do this, the SAP graphical user interface (GUI) front-end application needs to be modified to create a logon profile that will recognize the Kerberos protocol. Users in the environment will then use this profile to connect to the SAP R/3 Application Server.

Contoso performed the following tasks in this section to configure the SAP GUI front-end application to use the Kerberos protocol. You can tailor these tasks to fit the needs of your organization.

Task 1: Install the Kerberos version 5 Protocol in the SAP GUI Front-end Application

Task 2: Configure the Kerberos version 5 Protocol Logons for Users

Task 3: Log On to the SAP R/3 Application Server By Using the Kerberos Protocol

Task 1: Install the Kerberos Protocol in the SAP GUI Front-End Application

Complete the following steps to accomplish this task.

Note   The SAP installation media includes the gsskrb5.dll binary.

To install the Kerberos protocol in the SAP GUI front-end application

1. Log on to the Windows XP client as the Local Administrator.

2. Copy the Gsskrb5.dll file to %windir%\system32.

3. Click Control Panel, and then click System.

4. Click the Advanced tab, click Environment Variables, and then in the Environment Variables dialog box, under System variables, click New.

5. In the New System Variable dialog box, type the following information.

   Variable Name: SNC_LIB
   Variable Value: %windir%\system32\gsskrb5.dll

   Note   These variable values define the location for the Gsskrb5.dll file.

Task 2: Configure Kerberos Version 5 Protocol Logons for Users

Complete the following steps to accomplish this task.

To configure a Kerberos version 5 protocol logon for user sap1@NA.CORP.CONTOSO.COM

1. Log on to the Windows XP Client as the Local Administrator.

2. Open SAPlogon, and then click New.

3. On the New Entry screen, enter the following information.

   Description: <My_Name_For_Kerberos_Connection>
   Application Server: <Fully Qualified Domain Name_For SAP R/3_Application_Server>
   System number: 00
   Enable SAP System: R/3

4. Click Advanced, and then in the Advanced Options pane, select the Enable Secure Network Communication check box, and in the SNC Name box, type p:sapacct@na.corp.contoso.com

   Note   This is the Active Directory user with the logon name sapacct in the domain na.corp.contoso.com who will run the SAP System. Because the SAP R/3 Application Server is case-sensitive, the user name for this must match the user account name in Active Directory.

5. Select the Max. available option.

Task 3: Log On to the SAP R/3 Web Server by Using the Kerberos Protocol

Complete the following steps to accomplish this task.

To log on to the SAP R/3 Application Server by using the Kerberos protocol

1. Log on to the Windows XP client as sap1@na.corp.contoso.com

2. Open SAPlogon.

3. On the SAP Logon 620 screen, select <My_Name_For_Kerberos_Connection>, and then click Logon.

These steps should log you on to the SAP R/3 Application Server system without being asked for logon credentials.

This completes the configuration tasks for the Contoso SAP R/3 Application Server to use the Kerberos version 5 protocol. The Windows workstations that connect to the SAP front-end applications can also now use the Kerberos protocol. After Contoso implements the authentication component of the solution, users at Contoso will log on to Active Directory from their workstations, and then use their Active Directory credentials to access the SAP front-end applications.

