Now that I stopped to think about this, I think I'm missing the big picture. As I understand it you are trying to configure Kerberos SSO to the SAP backend system going through Web Dispatcher. As far as I'm aware AES256-CTS-HMAC-SHA1-96 is used only for Kerberos. SPNEGO, which is the Kerberos implementation of NetWeaver Application Server, uses the cipher if it is available and configured. In case you are using Web Dispatcher to access your SAP backend system, the SPNEGO implementation in the NetWeaver Application Server is still used meaning that Web Dispatcher is only forwarding the requests/responses to/from the NetWeaver Application Server. How did you determine that AES256-CTS-HMAC-SHA1-96 isn't used in case you go through the Web Dispatcher? Regardless, a suitable cipher that is capable of SSL/TLS needs to be selected for Web Dispatcher assuming you have configured SSL in Web Dispatcher. I haven't configured SPNEGO in a landscape where Web Dispatcher is used so I'm not exactly sure what steps are required. I know for a fact that the Web Dispatcher DNS alias needs to be added as SPN for the service account that is used by SPNEGO. As far as I know the way it works is that if SPNEGO is enabled, the SAP backend system requests authentication from the client, e.g. the browser. The client then provides the Kerberos token which is then verified by the SAP backend system. I really don't see how the cipher used on the Web Dispatcher would make any difference, maybe others know better. How have you configured the Web Dispatcher? Is SSL terminated, is it using End-to-End SSL or is SSL re-encrypted by Web Dispatcher? Have you tried the ROUTER protocol in the Web Dispatcher, does it make a difference? I'm not saying you should use the ROUTER protocol since it has considerable limitations but in order to figure out what is going on.
↧