Collaboration Technology Support Center - Microsoft - Collaboration Brief

N/A
N/A
Protected

Academic year: 2021

Share "Collaboration Technology Support Center - Microsoft - Collaboration Brief"

Copied!
11
0
0

Loading.... (view fulltext now)

Full text

(1)

Collaboration Technology Support Center - Microsoft - Collaboration Brief

February 2007

Single Sign-On to a Microsoft Exchange Cluster

Summary

Users of the SAP NetWeaver Portal can take advantage of Single Sign-On to Web-based Microsoft backend systems such as Outlook Web Access using SAP's SSO22KerbMap Module. In a high availability environment, one method for increasing the availability of Exchange mailbox servers is to use an Exchange cluster. Since the SSO22KerbMap Module must be installed on the backend Exchange servers, this whitepaper describes the configuration steps that are necessary to implement the SSO22KerbMap Module in an Exchange cluster.

Applies to

- SAP NetWeaver Portal 6.0 SP9 or higher
- Microsoft Active Directory 2003 (forest functional level set to Windows Server 2003)
- Microsoft Exchange 2003 two-node cluster (active/passive)
- SSO22KerbMap Module

Contact

For feedback or questions you can contact the Collaboration Technology Support Center via the .NET Technologies forum in the .NET interoperability area of SDN. Please check the .NET interoperability area in SDN for any updates or further information.

Author Bios

André Fischer works at SAP AG in the Strategic Alliance Microsoft Team.

He is also a member of the Collaboration Technology Support Center – Microsoft (CTSC – MS), which addresses various kinds of interoperability topics regarding SAP and Microsoft solutions. Before joining SAP three years ago, André lent his talents as an SAP technology consultant for more than eight years and gained significant experience in both the SAP and the Microsoft solution stack. In the last two years, André has also specialized in single sign-on, SAP Active Directory integration, SAP Exchange Infrastructure BizTalk integration and Knowledge Management Microsoft Windows integration.

Torsten Laier works at REALTECH AG in the IT Services Team for 6


Copyright 2004 SAP AG. All rights reserved.

All other product and service names mentioned are the trademarks of their respective companies. No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice. Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors.

Microsoft, Windows, Exchange, Active Directory Services, Outlook, and PowerPoint are registered trademarks of Microsoft Corporation.

IBM, DB2, DB2 Universal Database, OS/2, Parallel Sysplex, MVS/ESA, AIX, S/390, AS/400, OS/390, OS/400, iSeries, pSeries, xSeries, zSeries, z/OS, AFP, Intelligent Miner, WebSphere, Netfinity, Tivoli, and Informix are trademarks or registered trademarks of IBM Corporation in the United States and/or other countries.

Oracle is a registered trademark of Oracle Corporation.

UNIX, X/Open, OSF/1, and Motif are registered trademarks of the Open Group.

Citrix, ICA, Program Neighborhood, MetaFrame, WinFrame, VideoFrame, and MultiWin are trademarks or registered trademarks of Citrix Systems, Inc.

HTML, XML, XHTML and W3C are trademarks or registered trademarks of W3C®, World Wide Web Consortium, Massachusetts Institute of Technology.

Java is a registered trademark of Sun Microsystems, Inc.

JavaScript is a registered trademark of Sun Microsystems, Inc., used under license for technology invented and implemented by Netscape.

MaxDB is a trademark of MySQL AB, Sweden.

SAP, R/3, mySAP, mySAP.com, xApps, xApp, SAP NetWeaver, and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and in several other countries all over the world. All other product and service names mentioned are the trademarks of their respective companies. Data contained in this document serves informational purposes only. National product specifications may vary.


Contents

Introduction
The SSO22KerbMap Module
Integration scenario
How-To Guide section
    Step 1: Downloading the installation files
    Step 2: Installing the SSO22KerbMap Module on Each Node
        Copying the required files for the ISAPI filter to the local directories
        Determine the SPN used for constrained delegation
        Adapt the configuration file SSO22KerbMap.ini
        Configure the ISAPI Filter in the Internet Information Services Manager
    Step 3: Configure constrained delegation for each cluster node in Active Directory
    Step 4: Activation of the ISAPI Filter
Result
Important Note
Conclusion


Introduction

The SSO22KerbMap Module is frequently used for the integration of Microsoft Exchange Server into an SAP NetWeaver Portal environment. As availability requirements for e-mail have increased over the years, so too has the need to guarantee Exchange availability. While front-end servers can easily achieve high availability using a scale-out strategy, backend servers are single points of failure if no additional measures are taken to increase their availability.

To achieve high availability with Exchange Server, it is therefore a common approach for customers to use clustering for the Exchange servers that host the mailboxes. Using a Windows cluster with Exchange provides redundant servers so that if a node or a service on a node fails, the other node can take over the Exchange services. Since the SSO22KerbMap Module must be installed on each backend Exchange server that hosts mailboxes (see SAP Note 785343), this whitepaper describes the configuration steps that are necessary to implement the SSO22KerbMap Module in an Exchange cluster.

The SSO22KerbMap Module

A detailed description of the SSO22KerbMap Module can be found in the collaboration brief “Using SAP Logon Tickets for SSO to Microsoft-based Web Applications”.

The ticket bridging mechanism leverages an enhancement of Microsoft's implementation of the Kerberos protocol that was introduced with Active Directory 2003. With constrained delegation, a service may request a (constrained) Kerberos ticket on behalf of a user for specified services only. With protocol transition, the client may be authenticated by methods other than Kerberos. Based on this technology, SAP has developed an ISAPI filter called SSO22KerbMap Module. As described in the SAP Note, the SSO22KerbMap module has to be installed on the Exchange backend server, as integrated Windows authentication is not supported on an Exchange front-end server.

Integration scenario

REALTECH AG is using SAP NetWeaver Portal as their corporate portal. The portal can be accessed through the Internet. Users can access their e-mail through an integration of Outlook Web Access. In this extranet scenario, the SSO22KerbMap ISAPI module is used to acquire a Kerberos ticket on behalf of the SAP Enterprise Portal user who is authenticated by the SAP Logon Ticket.


How-To Guide section

The following How-To Guide section describes the steps necessary to configure the SSO22KerbMap module in an Exchange cluster.

The configuration steps can be summarized as follows:

The SSO22KerbMap Module has to be installed in the Exchange virtual server on each cluster node. In contrast to a single-server installation, changes to the configuration have to be activated by moving the Exchange resources rather than by using iisreset.

Step 1: Downloading the installation files

1. Download the most recent version of the SSO22KerbMap Module from SAP Service Marketplace at:
   http://service.sap.com/patches -> SAP Support Packages and Patches -> Entry by Application Group -> Additional Components -> SAPSSOEXT -> SAPSSOEXT -> Windows Server on <Platform> -> SSO22Kerbmap_<PL>.SAR

2. Download the most recent version of the SAP Logon Ticket Toolkit (SAPSSOEXT) from SAP Service Marketplace at:
   http://service.sap.com/patches -> SAP Support Packages and Patches -> Entry by Application Group -> Additional Components -> SAPSSOEXT -> SAPSSOEXT

3. Download the most recent version of SAPSECULIB from SAP Service Marketplace at:
   http://service.sap.com/patches -> SAP Support Packages and Patches -> Entry by Application Group -> Additional Components -> SAPSECULIB

4. Download the verify.pse file from the SAP Enterprise Portal at System Administration → System Configuration → Keystore Administration.

Step 2: Installing the SSO22KerbMap Module on Each Node

Step 2 includes the following tasks:

1. Copying the required files for the ISAPI filter to the local directories
2. Determine the SPN used for constrained delegation
3. Adapt the configuration file SSO22KerbMap.ini
4. Configure the ISAPI Filter in the Internet Information Services Manager

Copying the required files for the ISAPI filter to the local directories

The following files, downloaded in step 1, have to be copied to the local directories on each cluster node:

- SSO22KerbMap.dll
- SSO22KerbMap.pdb
- msvcr71.dll
- msvcp71.dll
- SSO22KerbMap.ini
- sapssoext.dll
- verify.pse


Determine the SPN used for constrained delegation

1. Log on as a domain administrator.

2. Use the command-line tool setspn.exe to list the Service Principal Names (SPNs) registered for the HOST service of the LocalSystem account of each cluster node (here: WDF-EX03 and WDF-EX04). The Setspn.exe tool is included with the Microsoft Windows Server 2003 Support Tools. To install the Windows Support Tools, double-click Suptools.msi in the Support\Tools folder on the Windows Server 2003 CD.

    setspn -L WDF-EX03
    Registered ServicePrincipalNames for CN=WDF-EX03,CN=Computers,DC=de,DC=realTech,DC=net:
        SMTPSVC/wdf-ex03.de.realtech.net
        SMTPSVC/WDF-EX03
        HOST/WDF-EX03
        HOST/wdf-ex03.de.realTech.net

Adapt the configuration file SSO22KerbMap.ini

The configuration file SSO22KerbMap.ini has to be adapted separately on each cluster node. On the first cluster node WDF-EX03 the configuration file SSO22KerbMap.ini contains the following entries:

    PseFile = C:\SSO22KerbMap\verify.pse
    LogLevel = 1
    ServicePrincipalName = HOST/wdf-ex03.de.realTech.net
    FilterPriority = High
    SSO2AccountAttribute = userPrincipalName

On the second cluster node WDF-EX04 the configuration file SSO22KerbMap.ini contains the following entries:

    PseFile = C:\SSO22KerbMap\verify.pse
    LogLevel = 1
    ServicePrincipalName = HOST/wdf-ex04.de.realTech.net
    FilterPriority = High
    SSO2AccountAttribute = userPrincipalName

Configure the ISAPI Filter in the Internet Information Services Manager

Install the SSO22KerbMap mapping filter, that is the SSO22KerbMap.dll, as an ISAPI filter on the Web site that the target application is running on, as follows:


Step 3: Configure constrained delegation for each cluster node in Active Directory

Constrained delegation has to be configured for each cluster node separately. To do this, the Trusted-to-Authenticate-for-Delegation flag has to be set for both cluster nodes separately.

In the following we describe the configuration steps for cluster node 1 (WDF-EX03):

1. Open the MMC Active Directory Users and Computers.

2. Choose <Your Windows_2003_domain> and locate the computer account of the cluster node (here WDF-EX03).

3. Right-click the cluster node and choose Properties.


5. only.

6. Select Use any authentication protocol and choose Add.

7. Select Users or Computers and enter the cluster node that has been selected above as object name (here WDF-EX03).

8. Choose Check Names and OK.

9. Add the SPN for the HOST service type for your cluster node, which was determined in Step 2.

Steps 1 to 10 have to be repeated for the node WDF-EX04. Replace the hostname WDF-EX03 with WDF-EX04 in the configuration steps described above.
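As an added, read-only check that is not part of the original brief, the following PowerShell script verifies for each cluster node what Step 2 (the node's HOST SPN and the ServicePrincipalName entry in its SSO22KerbMap.ini) and Step 3 (the Trusted-to-Authenticate-for-Delegation flag and the node's own HOST SPN in its delegation list) require. It assumes PowerShell 2.0 or later on a domain-joined host with read access to the computer objects; the administrative-share path to each node's SSO22KerbMap.ini is an assumption of this example.

```powershell
# Added example, not part of the SAP brief: a read-only check of the per-node settings.
# Assumes PowerShell 2.0 or later on a domain-joined host with read access to the computer
# objects; the INI path passed in is an assumption (adjust to your installation directory).
$TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000   # userAccountControl bit set by "Use any authentication protocol"

function Test-KerbMapNode {
    param([string]$NodeName, [string]$IniPath)
    # Look up the cluster node's computer account (its sAMAccountName ends with '$').
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.Filter = "(&(objectCategory=computer)(sAMAccountName=$NodeName`$))"
    foreach ($a in 'dNSHostName','servicePrincipalName','userAccountControl','msDS-AllowedToDelegateTo') {
        [void]$searcher.PropertiesToLoad.Add($a)
    }
    $r = $searcher.FindOne()
    if ($r -eq $null) { return @("$NodeName : computer account not found in Active Directory") }
    $fqdn    = [string]$r.Properties['dnshostname'][0]
    $hostSpn = "HOST/$fqdn"                     # the SPN that SSO22KerbMap.ini must name on this node
    $spns    = @($r.Properties['serviceprincipalname'])
    $uac     = [int]$r.Properties['useraccountcontrol'][0]
    $delegTo = @($r.Properties['msds-allowedtodelegateto'])

    # ServicePrincipalName entry of this node's SSO22KerbMap.ini ("key = value" lines).
    $iniSpn = $null
    foreach ($line in (Get-Content $IniPath)) {
        if ($line -match '^\s*ServicePrincipalName\s*=\s*(\S+)') { $iniSpn = $Matches[1]; break }
    }

    $findings = @()
    if ($spns -notcontains $hostSpn) {
        $findings += "$NodeName : $hostSpn is not registered (compare with setspn -L $NodeName)"
    }
    if (($uac -band $TRUSTED_TO_AUTH_FOR_DELEGATION) -eq 0) {
        $findings += "$NodeName : 'Use any authentication protocol' (Trusted-to-Authenticate-for-Delegation) is not set"
    }
    if ($delegTo -notcontains $hostSpn) {
        $findings += "$NodeName : $hostSpn is missing from msDS-AllowedToDelegateTo (Step 3, item 9)"
    }
    if ($iniSpn -ne $hostSpn) {
        $findings += "$NodeName : SSO22KerbMap.ini names '$iniSpn' but the node's HOST SPN is $hostSpn"
    }
    if ($findings.Count -eq 0) { return @("$NodeName : OK ($hostSpn)") }
    return $findings
}

# The brief's two sample nodes; the administrative-share path is an assumption of this example.
foreach ($n in 'WDF-EX03','WDF-EX04') {
    Test-KerbMapNode -NodeName $n -IniPath "\\$n\C`$\SSO22KerbMap\SSO22KerbMap.ini"
}
```

Because the script only reads Active Directory and the INI files, it can be run from any domain-joined administration workstation before the resources are moved in the next step.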

Step 4: Activation of the ISAPI Filter

After the changes have been made, the configuration is activated by moving the Exchange resources from the active node to the inactive node (rather than by running iisreset).


Result

The following screenshot shows the integration of Outlook Web Access in REALTECH’s corporate portal:

Important Note

Please check SAP Note 735639 "SSO22KerbMap: Known issues" before installing the SSO22KerbMap Module.


Conclusion


References

- Note 735639 - SSO22KerbMap: Known issues, https://service.sap.com/sap/support/notes/735639
- Note 785343 - SSO22KerbMap: Configuration for SSO for Outlook Web Access, https://service.sap.com/sap/support/notes/785343
- Step-by-Step Guide: SSO22KerbMap ISAPI Module, Collaboration Brief "Using SAP Logon Tickets for Single Sign on to Microsoft based web applications", https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/47d0cd90-0201-0010-4c86-f81b1c812e50
- A memory leak occurs in the Lsass.exe process after you configure constrained delegation in Windows Server 2003
