  • Single Sign-On (SSO) in SAP HANA 沧海

    This blog will give you details on setting up single sign-on (SSO) with SAP HANA using Kerberos.

    Why do we need SSO?

    By enabling SSO, users can log in directly from BO (or any front-end application) and access the HANA database without providing login credentials again.

    Different teams are involved in this setup (this may change based on your organization structure):

    1) The system administrator needs to install the Kerberos client on the HANA server

    2) The Active Directory and service account setup is done by the Identity Management Administrator

    3) The HANA administrator needs to set up the configuration and create the users

    Note: I have greyed out server names & service account names in screenshots for security reasons

    Kerberos Client Installation:

    Please make sure that the Kerberos client and libraries are installed on the HANA database server.

    Creation of service account:

    The Identity Management Administrator needs to create a service user and a Service Principal Name (SPN) for each host in the system. For a scale-out box, we need to create one SPN for each host.

    The SPN needs to have the following syntax:

    hdb/<Domain Name>@<Kerberos realm name>

    <Domain Name>: fully qualified domain name of the host

    Generating a keytab:

    ktpass -princ hdb/<servername.Domain Name>@<REALM> -mapuser <Domain>\<serviceuser> -pass <password> -out <keytabfile>.keytab -ptype <PRINCIPAL> -crypto <CRYPTOGRAPHIC TYPE>

    <PRINCIPAL> = KRB5_NT_PRINCIPAL

    <CRYPTOGRAPHIC TYPE> = RC4-HMAC-NT

    The keytab file is generated using the above syntax.

    HANA admin configuration:

    Log in as root and update the krb5.conf file, which is located at /etc/krb5.conf.

    Entries in the file:

    [libdefaults]
    default_realm = <realm>

    [realms]
    <realm> = {
        kdc = <kdc_name>
    }

    Where <realm> and <kdc_name> are the names of your Kerberos realm and KDC.

    The realm is your domain name in uppercase letters, such as DOMAIN_NAME.

    Note: if you do not know the above parameters (realm, KDC name, domain name), please contact your Active Directory administrator.

    Import the generated keytab onto the HANA box.

    Make sure the permissions are changed.
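
    A pre-flight check for the steps above, as an added example that is not part of the original post: it validates an SPN against the hdb/<FQDN>@<REALM> syntax, compares its realm with default_realm in krb5.conf, and confirms the keytab is not readable by other accounts. The function names, the owner-only mode (600 or 400), the rule that the SPN realm equals default_realm, and the sample host and realm are assumptions.

```shell
#!/usr/bin/env bash
# Added example: pre-flight checks for the Kerberos pieces of a HANA SSO setup.

# Print default_realm from a krb5.conf-style file (spaces around '=' optional).
krb5_default_realm() {
    sed -n 's/^[[:space:]]*default_realm[[:space:]]*=[[:space:]]*\([^[:space:]]*\).*/\1/p' "$1" | head -n 1
}

# Succeed only if the SPN is hdb/<fqdn>@<REALM>, the realm is uppercase and
# (assumption) the realm equals default_realm in the given krb5.conf.
check_spn() {
    local spn="$1" conf="$2" host realm
    case $spn in
        hdb/*@*) ;;
        *) echo "not of the form hdb/<fqdn>@<REALM>: $spn" >&2; return 1 ;;
    esac
    host=${spn#hdb/}; host=${host%@*}; realm=${spn##*@}
    case $host in
        *[![:alnum:].-]*|.*|*.|*..*) echo "invalid host name: $host" >&2; return 1 ;;
        *.*) ;;
        *) echo "host is not fully qualified: $host" >&2; return 1 ;;
    esac
    case $realm in
        ""|*[[:lower:]]*) echo "realm must be uppercase: $realm" >&2; return 1 ;;
    esac
    [ "$realm" = "$(krb5_default_realm "$conf")" ] || {
        echo "realm $realm is not default_realm in $conf" >&2; return 1; }
}

# Succeed only if the keytab is a regular file with owner-only mode
# (assumption: 600 or 400; the post does not state the exact mode).
check_keytab_mode() {
    local f="$1" mode
    [ -f "$f" ] || { echo "keytab not found: $f" >&2; return 1; }
    mode=$(stat -c '%a' "$f") || return 1   # GNU stat, as found on Linux hosts
    case $mode in
        600|400) return 0 ;;
        *) echo "keytab $f has mode $mode, expected 600 or 400" >&2; return 1 ;;
    esac
}

# Demo on constructed sample data (host, realm and files are made up).
demo_dir=$(mktemp -d)
printf '[libdefaults]\ndefault_realm = EXAMPLE.COM\n' > "$demo_dir/krb5.conf"
: > "$demo_dir/hdb.keytab"; chmod 644 "$demo_dir/hdb.keytab"
check_spn 'hdb/hana01.example.com@EXAMPLE.COM' "$demo_dir/krb5.conf" && echo "SPN ok"
check_keytab_mode "$demo_dir/hdb.keytab" || echo "tighten with: chmod 600 <keytab>"
rm -rf "$demo_dir"
```

    The keytab holds the service account's long-term key, so any account that can read it can act as the hdb service; that is why the mode check rejects group and world access.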

    Creation of user in HANA:

    This can be done via the GUI or via SQL:

    CREATE USER Kiran IDENTIFIED EXTERNALLY AS 'Kiran@Realm';

    Please assign the appropriate role to this user.

    While configuring the user in HANA studio, please check the authentication by OS user option.

  • Original article: https://www.cnblogs.com/omygod/p/3039470.html