Single Sign-On (SSO) in SAP HANA
Published: 2019-06-25


This blog gives you the details of setting up single sign-on (SSO) with SAP HANA using Kerberos.

Why do we need SSO?

With SSO enabled, users can log in from BO (or any front-end application) and access the HANA database without providing login credentials again.

Different teams are involved in this setup (this may vary with your organization's structure):

1) The system administrator installs the Kerberos client on the HANA server

2) The Identity Management administrator sets up Active Directory and the service account

3) The HANA administrator sets up the configuration and creates the users

Note: I have greyed out server names and service account names in the screenshots for security reasons.

Kerberos Client Installation:

Please make sure that the Kerberos client and libraries are installed on the HANA database server.

 

Creation of service account:

The Identity Management administrator needs to create a service user and a Service Principal Name (SPN) for each host in the system. For a scale-out system, create one SPN for each host.

The SPN needs to have the following syntax:

hdb/<Domain Name>@<Kerberos realm name>

<Domain Name>: fully qualified domain name of the host

Generating a keytab:

ktpass -princ hdb/<servername.Domain Name>@<REALM> -mapuser <Domain>\<serviceuser> -pass <password> -out <keytabfile>.keytab -ptype <PRINCIPAL> -crypto <CRYPTOGRAPHIC TYPE>

<PRINCIPAL> = KRB5_NT_PRINCIPAL

<CRYPTOGRAPHIC TYPE> = RC4-HMAC-NT

RC4-HMAC-NT is the value used in this setup. ktpass also accepts AES256-SHA1 and AES128-SHA1 for -crypto; RC4 is a legacy cipher, so prefer an AES type where your domain and the Kerberos libraries on the HANA host support it.

The keytab file is generated using the above syntax.

HANA Admin configuration:

Log in as root and update the krb5.conf file, which is located at /etc/krb5.conf.

Entries in the file:

[libdefaults]
default_realm = <realm>

[realms]
<realm> = {
    kdc = <kdc_name>
}

Here <realm> and <kdc_name> are the names of your Kerberos realm and KDC.

The realm is your domain name in uppercase letters, such as DOMAIN_NAME.

Note: if you do not know the above parameters (realm, KDC name, domain name), please contact your Active Directory administrator.

Import the generated keytab file onto the HANA host.

Make sure the file permissions on the keytab are changed.
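The keytab import step can be checked with the script below. It is an added example, not part of the original post and not an SAP tool: it parses the keytab (MIT format 0x0502), confirms that an entry with the hdb/<FQDN>@<REALM> syntax exists, and reports file permissions and encryption types. The function names, the "no access for other users" rule and the list of weak encryption types are assumptions of this example; a keytab generated with RC4-HMAC-NT as above will be reported under the last check.

```python
import os, stat, struct

# Kerberos encryption type numbers as stored in keytab entries
ENCTYPES = {1: "des-cbc-crc", 3: "des-cbc-md5", 17: "aes128-cts-hmac-sha1-96",
            18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}
WEAK = {"des-cbc-crc", "des-cbc-md5", "rc4-hmac"}  # policy assumed for this example

def _counted(buf, off):
    """Read a 16-bit length-prefixed field; return (bytes, next offset)."""
    (n,) = struct.unpack_from(">H", buf, off)
    return buf[off + 2:off + 2 + n], off + 2 + n

def parse_keytab(data):
    """Return [(principal, kvno, enctype)] from MIT keytab bytes (format 0x0502)."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        rec, pos = data[pos + 4:pos + 4 + abs(size)], pos + 4 + abs(size)
        if size <= 0:                       # negative size marks a deleted slot
            continue
        (ncomp,) = struct.unpack_from(">H", rec, 0)
        realm, p = _counted(rec, 2)
        comps = []
        for _ in range(ncomp):
            comp, p = _counted(rec, p)
            comps.append(comp.decode())
        kvno, etype = struct.unpack_from(">BH", rec, p + 8)  # after name type + timestamp
        _, p = _counted(rec, p + 11)        # step over the key bytes, never keep them
        if len(rec) - p >= 4:               # optional 32-bit kvno, used when non-zero
            kvno = struct.unpack_from(">I", rec, p)[0] or kvno
        entries.append(("/".join(comps) + "@" + realm.decode(), kvno,
                        ENCTYPES.get(etype, f"etype-{etype}")))
    return entries

def audit_keytab(path, fqdn, realm):
    """Return findings for a HANA keytab; an empty list means every check passed."""
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & 0o007:                        # assumed rule: nothing for "other"
        findings.append(f"mode {mode:o}: keytab is accessible to other users")
    with open(path, "rb") as fh:
        entries = parse_keytab(fh.read())
    want = f"hdb/{fqdn}@{realm.upper()}"    # SPN syntax from the page, upper-case realm
    if want not in [e[0] for e in entries]:
        findings.append(f"no entry for {want}")
    findings += [f"{p} (kvno {k}) uses weak enctype {e}" for p, k, e in entries if e in WEAK]
    return findings
```

Call audit_keytab with the keytab path, the host's fully qualified domain name and the realm after copying the file to the HANA host; each returned string is one item to fix or accept.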

 

Creation of user in HANA:

This can be done via the GUI or via SQL syntax:

CREATE USER Kiran IDENTIFIED EXTERNALLY AS 'Kiran@Realm';

Please assign the appropriate role to this user.

While configuring the user in HANA studio, please check the authentication by OS user.

 

This article is reposted from the cnblogs blog of 沧海-重庆; original link: http://www.cnblogs.com/omygod/archive/2013/04/24/3039470.html. To reprint it, please contact the original author.