Collaboration Technology Support Center - Microsoft - Collaboration Brief



February 2007

Single Sign-On to a Microsoft Exchange Cluster

Summary

Users of the SAP NetWeaver Portal can take advantage of Single Sign-On to Web-based Microsoft backend systems such as Outlook Web Access using SAP's SSO22KerbMap Module. In a high availability environment, one method for increasing availability for Exchange mailbox servers is to use an Exchange cluster. Since the SSO22KerbMap Module must be installed on the backend Exchange servers, this whitepaper describes the configuration steps that are necessary to implement the SSO22KerbMap Module in an Exchange cluster.

Applies to

- SAP NetWeaver Portal 6.0 SP9 or higher
- Microsoft Active Directory 2003 (forest functional level set to Windows Server 2003)
- Microsoft Exchange 2003 two-node cluster (active/passive)
- SSO22KerbMap Module

Contact

For feedback or questions you can contact the Collaboration Technology Support Center via the .NET Technologies forum in the .NET interoperability area of SDN. Please check the .NET interoperability area in SDN for any updates or further information.

Authors Bio

André Fischer works at SAP AG in the Strategic Alliance Microsoft Team. He is also a member of the Collaboration Technology Support Center Microsoft (CTSC MS) that addresses various kinds of interoperability topics regarding SAP and Microsoft solutions. Before joining SAP three years ago, André lent his talents as an SAP technology consultant for more than eight years, and gained significant experience in both the SAP and the Microsoft solution stack. In the last two years, André has also specialized in single sign-on, SAP Active Directory integration, SAP Exchange Infrastructure BizTalk integration and knowledge management Microsoft Windows integration.

Torsten Laier has worked at REALTECH AG in the IT Services Team for 6 years. He is responsible for the implementation and running of the Microsoft Active Directory Services, Microsoft Exchange 2003 Servers and Microsoft Cluster Servers.

Single Sign-On to Exchange Server 2003 in a Cluster 1 of 11

Copyright 2004 SAP AG. All rights reserved.

Contents

- Introduction
- The SSO22KerbMap Module
- Integration scenario
- How to Guide section
  - Step 1: Downloading the installation files
  - Step 2: Installing the SSO22KerbMap Module on Each Node
    - Copying the required files for the ISAPI filter to the local directories
    - Determine the SPN used for constrained delegation
    - Adapt the configuration file SSO22KerbMap.ini
    - Configure the ISAPI Filter in the Internet Information Services Manager
  - Step 3: Configure constrained delegation for each cluster node in Active Directory
  - Step 3: Activation of the ISAPI Filter
- Result
- Important Note
- Conclusion
- References

Introduction

The SSO22KerbMap Module is frequently used for the integration of Microsoft Exchange Server into an SAP NetWeaver Portal environment. As availability requirements for email have increased over the years, so too has the need to guarantee Exchange availability. While front end servers can easily achieve high availability using a scale-out strategy, backend servers are single points of failure if no additional measures are taken to increase their availability. To achieve high availability with Exchange Server, it is therefore common for customers to use clustering for the Exchange servers that host the mailboxes. Using a Windows cluster with Exchange provides redundant servers so that if a node or a service on a node fails, the other node can assume the Exchange services.

Since the SSO22KerbMap Module must be installed on each backend Exchange server that hosts mailboxes (see SAP Note 785343), this whitepaper describes the configuration steps that are necessary to implement the SSO22KerbMap Module in an Exchange cluster.

The SSO22KerbMap Module

A detailed description of the SSO22KerbMap Module can be found in the collaboration brief Using SAP Logon Tickets for SSO to Microsoft-based Web Applications. The ticket bridging mechanism leverages an enhancement of the implementation of the Kerberos protocol that was introduced by Microsoft with Active Directory 2003. Using constrained delegation, a service may request a (constrained) Kerberos ticket on behalf of a user for specified services only. Using protocol transition, the client may be authenticated using methods other than Kerberos. Based on this technology, SAP has developed an ISAPI Filter called SSO22KerbMap Module. As described in SAP Note the SSO22KerbMap module has to be installed on the Exchange backend server, as integrated Windows authentication is not supported for an Exchange front end server.

Integration scenario

REALTECH AG is using SAP NetWeaver Portal as their corporate portal. The portal can be accessed through the internet. Users can access their email through an integration of Outlook Web Access. In this extranet scenario, the SSO22KerbMap ISAPI module is used to acquire a Kerberos ticket on behalf of the SAP Enterprise Portal user that is authenticated by the SAP Logon Ticket. REALTECH uses clustered Exchange servers to optimize the availability of their Exchange infrastructure. The clustered Exchange server can be accessed using the virtual server WDF-MX06. The active/passive two-node cluster consists of two physical nodes (WDF-EX03 and WDF-EX04).

How to Guide section

The following How-To Guide section describes the steps necessary to configure the SSO22KerbMap module in an Exchange cluster. The configuration steps can be summarized as follows:

- The SSO22KerbMap Module has to be installed in the Exchange virtual server on each cluster node.
- In contrast to a single server installation, changes to the configuration have to be activated by moving the Exchange resources rather than using iisreset.

Step 1: Downloading the installation files

1. Download the most recent version of the SSO22KerbMap Module from SAP Service Marketplace at: http://service.sap.com/patches -> SAP Support Packages and Patches -> Entry by Application Group -> Additional Components -> SAPSSOEXT -> SAPSSOEXT -> Windows Server on <Platform> -> SSO22Kerbmap_<PL>.SAR
2. Download the most recent version of the SAP Logon Ticket Toolkit (SAPSSOEXT) from SAP Service Marketplace at: http://service.sap.com/patches -> SAP Support Packages and Patches -> Entry by Application Group -> Additional Components -> SAPSSOEXT -> SAPSSOEXT.
3. Download the most recent version of SAPSECULIB from SAP Service Marketplace at: http://service.sap.com/patches -> SAP Support Packages and Patches -> Entry by Application Group -> Additional Components -> SAPSECULIB.
4. Download the verify.pse file from the SAP Enterprise Portal at System Administration -> System Configuration -> Keystore Administration.

Step 2: Installing the SSO22KerbMap Module on Each Node

Step 2 includes the following tasks:

1. Copying the required files for the ISAPI filter to the local directories
2. Determine the SPN used for constrained delegation.
3. Adapt the configuration file SSO22KerbMap.ini
4. Configure the ISAPI Filter in the Internet Information Services Manager

Copying the required files for the ISAPI filter to the local directories

The following files that have been downloaded in step 1 are copied to the local directory C:\SSO22KerbMap on each cluster node:

- SSO22KerbMap.dll
- SSO22KerbMap.pdb
- msvcr71.dll
- msvcp71.dll
- SSO22KerbMap.ini
- sapssoext.dll
- verify.pse

Determine the SPN used for constrained delegation

1. Log on as a domain administrator.
2. Use the command-line tool setspn.exe to list the configured Service Principal Names (SPN) for HOST for the LocalSystem account for each cluster node (here: WDF-EX03 and WDF-EX04). The Setspn.exe tool is included with the Microsoft Windows Server 2003 Support Tools. To install the Windows Support Tools, double-click Suptools.msi in the Support\Tools folder on the Windows Server 2003 CD.

    setspn -L WDF-EX03
    Registered ServicePrincipalNames for CN=WDF-EX03,CN=Computers,DC=de,DC=realTech,DC=net:
        SMTPSVC/wdf-ex03.de.realtech.net
        SMTPSVC/WDF-EX03
        HOST/WDF-EX03
        HOST/wdf-ex03.de.realTech.net

Adapt the configuration file SSO22KerbMap.ini

The configuration file SSO22KerbMap.ini has to be adapted separately on each cluster node.

On the first cluster node WDF-EX03 the configuration file SSO22KerbMap.ini contains the following entries:

    PseFile = C:\SSO22KerbMap\verify.pse
    LogLevel = 1
    ServicePrincipalName = HOST/wdf-ex03.de.realTech.net
    FilterPriority = High
    SSO2AccountAttribute = userprincipalname

On the second cluster node WDF-EX04 the configuration file SSO22KerbMap.ini contains the following entries:

    PseFile = C:\SSO22KerbMap\verify.pse
    LogLevel = 1
    ServicePrincipalName = HOST/wdf-ex04.de.realTech.net
    FilterPriority = High
    SSO2AccountAttribute = userprincipalname

Configure the ISAPI Filter in the Internet Information Services Manager

Install the SSO22KerbMap Mapping Filter, that is, the SSO22KerbMap.dll, as an ISAPI filter on the website the target application is running on, as follows:

Step 3: Configure constrained delegation for each cluster node in Active Directory

Constrained delegation has to be configured for each cluster node separately. To do this, the Trusted-to-Authenticate-for-Delegation flag has to be configured for both cluster nodes separately. The following configuration steps are described for cluster node 1 (WDF-EX03):

1. Open the MMC Active Directory Users and Computers.
2. Choose <Your Windows_2003_domain> and locate the computer account of the cluster node (here WDF-EX03).
3. Right-click the cluster node and choose Properties.
4. Select Delegation and Trust this computer for delegation to specified services only.
5. Select Use any authentication protocol and choose Add.
6. Select Users or Computers and enter the cluster node that has been selected above as object name (here WDF-EX03).
7. Choose Check Names and OK.
8. Add the SPN for the HOST service type for your cluster node which was determined in Step 2.

Steps 1 to 8 have to be repeated with the node WDF-EX04. Replace the hostname WDF-EX03 with WDF-EX04 in the configuration steps described above.

Step 3: Activation of the ISAPI Filter

After the changes have been made, the resources have to be moved from the active node to the inactive node. In a clustered environment, moving the resources will have a minimal impact on the users currently using the Exchange environment.
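Because SSO22KerbMap.ini is maintained by hand on each node and the HOST SPN is looked up separately with setspn, a file copied from one node to the other without adapting ServicePrincipalName is an easy mistake to make. The following check is an added example, not part of the whitepaper or of the SSO22KerbMap distribution: it compares each node's ini file with that node's `setspn -L` output and reports settings that differ between nodes. The WDF-EX04 setspn output and the stale ini file are constructed sample data, and skipping comment and section lines in the ini file is an assumption.

```python
HEADER = "Registered ServicePrincipalNames for"

def parse_setspn(output):
    """Return (account DN, set of lower-cased SPNs) from `setspn -L` output."""
    lines = [ln.strip() for ln in output.splitlines() if ln.strip()]
    if not lines or not lines[0].startswith(HEADER) or not lines[0].endswith(":"):
        raise ValueError("not `setspn -L` output")
    return lines[0][len(HEADER):-1].strip(), {ln.lower() for ln in lines[1:]}

def parse_ini(text):
    """Parse `Key = Value` lines into a dict with lower-cased keys.
    Skipping ';', '#' and '[section]' lines is an assumption; the page
    shows only plain key/value pairs."""
    cfg = {}
    for ln in text.splitlines():
        ln = ln.strip()
        key, sep, value = ln.partition("=")
        if ln and ln[0] not in ";#[" and sep:
            cfg[key.strip().lower()] = value.strip()
    return cfg

def check_cluster(nodes):
    """nodes: {node name: (ini text, `setspn -L` output)} -> list of findings."""
    findings, configs = [], {}
    for node, (ini_text, setspn_out) in sorted(nodes.items()):
        cfg = configs[node] = parse_ini(ini_text)
        _, registered = parse_setspn(setspn_out)
        spn = cfg.get("serviceprincipalname", "")
        if not spn:
            findings.append(f"{node}: ServicePrincipalName is missing")
            continue
        service, _, host = spn.partition("/")
        if service.upper() != "HOST":
            findings.append(f"{node}: {spn} is not a HOST SPN")
        if host.split(".")[0].lower() != node.lower():
            findings.append(f"{node}: {spn} names a different host")
        if spn.lower() not in registered:  # SPN comparison ignores case
            findings.append(f"{node}: {spn} is not registered on this node's account")
    # All other settings should match, or behaviour changes after a failover.
    names = sorted(configs)
    for other in names[1:]:
        first = configs[names[0]]
        keys = (set(first) | set(configs[other])) - {"serviceprincipalname"}
        findings += [f"{other}: '{k}' differs from {names[0]}"
                     for k in sorted(keys) if first.get(k) != configs[other].get(k)]
    return findings

# Node 1 values are the ones shown on the page; node 2 data is constructed.
INI_EX03 = r"""PseFile = C:\SSO22KerbMap\verify.pse
LogLevel = 1
ServicePrincipalName = HOST/wdf-ex03.de.realTech.net
FilterPriority = High
SSO2AccountAttribute = userprincipalname
"""
INI_EX04 = INI_EX03.replace("wdf-ex03", "wdf-ex04")
# Constructed mistake: node 1 file copied to node 2, SPN not adapted.
INI_EX04_STALE = INI_EX03.replace("LogLevel = 1", "LogLevel = 3")
SETSPN_EX03 = """Registered ServicePrincipalNames for CN=WDF-EX03,CN=Computers,DC=de,DC=realTech,DC=net:
    SMTPSVC/wdf-ex03.de.realtech.net
    SMTPSVC/WDF-EX03
    HOST/WDF-EX03
    HOST/wdf-ex03.de.realTech.net
"""
SETSPN_EX04 = SETSPN_EX03.replace("EX03", "EX04").replace("ex03", "ex04")

GOOD = {"WDF-EX03": (INI_EX03, SETSPN_EX03), "WDF-EX04": (INI_EX04, SETSPN_EX04)}
BAD = {"WDF-EX03": (INI_EX03, SETSPN_EX03), "WDF-EX04": (INI_EX04_STALE, SETSPN_EX04)}

if __name__ == "__main__":
    for finding in check_cluster(BAD) or ["no findings"]:
        print(finding)
```

Running the check against both nodes before moving the Exchange resources catches a misconfigured passive node while the active node is still serving users.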

Result

The following screenshot shows the integration of Outlook Web Access in REALTECH's corporate portal:

Important Note

Please check SAP Note 735639 SSO22KerbMap: Known issues before installing the SSO22KerbMap Module. At the time of writing of this whitepaper, for each backend server that uses the SSO22KerbMap Module, the Microsoft Hotfix 907524 has to be installed to avoid a memory leak in Windows 2003 caused by Microsoft's lsass.exe.

Conclusion

The SSO22KerbMap Module has to be installed in the Exchange virtual server on each cluster node. The setup of the SSO22KerbMap Module on a node of an Exchange cluster is very similar to the setup for a single server. In contrast to a single server installation, changes to the configuration have to be activated by moving the Exchange resources rather than using iisreset. Since the Exchange resources have to be moved between the cluster nodes in order to activate the changes, planning for minimal downtime may have to be taken into account.

References

- Note 735639 - SSO22KerbMap: Known issues
  https://service.sap.com/sap/support/notes/735639
- Note 785343 - SSO22KerbMap: Configuration for SSO for Outlook Web Access
  https://service.sap.com/sap/support/notes/785343
- Step-by-Step Guide: SSO22KerbMap ISAPI Module
  Collaboration Brief Using SAP Logon Tickets for Single Sign on to Microsoft based web applications
  https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/47d0cd90-0201-0010-4c86-f81b1c812e50
- A memory leak occurs in the Lsass.exe process after you configure constrained delegation in Windows Server 2003
  http://support.microsoft.com/default.aspx?scid=kb;en-us;907524