Channel: SCN : Unanswered Discussions - SAP Single Sign-On

SPNEGO/Kerberos - SPN issues


Hi,

 

I'm preparing for the implementation of SSO for Java EP based on Kerberos authentication (following SAP Note 1488409) and I'm looking for some confirmation.

 

As far as I know, service accounts cannot share the same SPN. This is OK when you have a system landscape where all the instances have different hostnames.

 

Things get complicated in two scenarios:

 

1. Two (or more) systems' instances are on the same hostname

2. The system consists of two (or more) instances distributed across two (or more) hosts, and a 3rd party load balancer is used for access.

 

 

Each service user should identify each Java instance, and the SPN for each of them should be unique; therefore the following is not acceptable:

 

Service User | SPN
j2ee-JC08-devqahost (where JC08 is DEV system instance) | HTTP/devqahost.domain.com
j2ee-JC03-devqahost (where JC08 is QA system instance) | HTTP/devqahost.domain.com
j2ee-JC34-prdhost1 | HTTP/portal.domain.com (where portal.domain.com is load balancer)
j2ee-J35-prdhost2 | HTTP/portal.domain.com (where portal.domain.com is load balancer)

 

So the question is: what's the best way to resolve this? Should I create virtual hostnames for the systems so that all of them could be identified as different hostnames? How to proceed with the load balancer in use? As far as I know, the load balancer hostname will be used for Kerberos auth, not the hostnames of the SAP system.

 

Thanks for your suggestions.

 

Kind regards,

K

