My Experience While Integrating SAP HANA with Windows Active Directory in a Private Virtual Cloud
I had been keeping an SAP HANA instance for a few months on AWS (Amazon Web Services). I never did anything exciting with it until I was asked to demonstrate something for a university assignment (bco6181). There, I thought I could try integrating the SAP HANA instance with Windows Active Directory for single sign-on. Unfortunately, I was not successful, but I completed the configuration for the most part. It was a good experience and an effort that I cannot forget.
Note: Please note that I followed the following guide to perform these steps
My infrastructure included the following:
SAP HANA instance - HANA - Rev 48
Windows Server 2008 R2 - DC (Domain Controller) - hosted the AD (Active Directory) services.
Windows Server 2008 R2 - CLIENT - SAP HANA Studio installed.
One VPC (Virtual Private Cloud) - 10.0.0.0/24 - The above machines (instances) were given specific IP addresses in this range and were networked together.
HANA - 10.0.0.10 - Kerberos client
DC - 10.0.0.11 - Kerberos server
CLIENT - 10.0.0.12 - HANA Studio installed
Please see the following video to confirm the configuration and connectivity between these machines.
I did not show two things in the above video for security reasons. When you create an instance in a VPC, it is bound to the default security group and network ACL (access control list). New instances will not talk to each other until you change the inbound and outbound rules in this security group. You can tune the security group to allow only specific protocols. In my case, I did the following:
Security Group: hana-access
Anything between machines - allow
RDP access to the Windows machines from my home IP address - allow
SSH access from my home IP address - allow
All three machines were talking to each other. You could see that DNS was working fine, as they were able to ping each other by hostname. On the HANA instance, I had to edit /etc/resolv.conf and add these lines (instead of the lines provided by the AWS instance template):
I also made sure that the time on all three machines was synced and correct (one of the requirements for Kerberos authentication).
CREATING SPN & KEYTAB FILE - DC
I created a domain user HANASSO to register the SPN (service principal name) and later created the keytab file. Please see the following video:
IMPORTING KEYTAB FILE TO HANA
I used WinSCP to copy the keytab file from DC to HANA.
CREATING KEYTAB FILE & CONFIGURING KRB5.CONF - HANA
I created the keytab file (/etc/krb5.keytab) on the HANA instance and then tested authentication by obtaining a Kerberos ticket from the DC. It worked. Please see the following video:
CREATING USER ON DC AND HANA
I created the user "angads" on the Windows domain controller (authentication server) and then logged on to the machine CLIENT. Later, I created the user "angads" on HANA by using an SQL command in HANA Studio:
create user "angads" identified externally as "angads@TESTDOMAIN.COM"
I gave this user similar roles and access as SYSTEM.
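As an added example that is not from the original post, here is a small Python preflight check for the client-side pieces described above: the realm and KDC in krb5.conf, the realm in the "identified externally as" name, and the principal expected in the imported keytab. The sample krb5.conf is constructed, and the SPN form hdb/<fqdn>@REALM is an assumption from general HANA Kerberos practice, not something the post states.

```python
import re

# Constructed sample krb5.conf matching the post's realm; not the author's file.
SAMPLE_KRB5_CONF = """
[libdefaults]
    default_realm = TESTDOMAIN.COM
[realms]
    TESTDOMAIN.COM = {
        kdc = dc.testdomain.com
    }
"""

def parse_krb5_conf(text):
    """Return {'default_realm': str | None, 'realms': {REALM: {key: value}}}."""
    conf, section, realm = {"default_realm": None, "realms": {}}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line: continue
        if line.startswith("[") and line.endswith("]"):
            section, realm = line[1:-1], None
        elif section == "libdefaults" and line.startswith("default_realm"):
            conf["default_realm"] = line.split("=", 1)[1].strip()
        elif section == "realms":
            match = re.match(r"([\w.\-]+)\s*=\s*\{$", line)
            if match:  # start of a "REALM = { ... }" block
                conf["realms"][(realm := match.group(1))] = {}
            elif line == "}":
                realm = None
            elif realm and "=" in line:
                key, value = (s.strip() for s in line.split("=", 1))
                conf["realms"][realm][key] = value
    return conf

def check_setup(conf, external_identity, keytab_principals, hana_fqdn):
    """Return the problems found; an empty list means the preflight passed."""
    problems, realm = [], conf["default_realm"]
    if not realm:
        return ["no default_realm in krb5.conf"]
    if realm != realm.upper():
        problems.append(f"realm {realm} is not upper-case (realms are case-sensitive)")
    if "kdc" not in conf["realms"].get(realm, {}):
        problems.append(f"no kdc entry for realm {realm}")
    # The realm in 'identified externally as "user@REALM"' must match krb5.conf.
    if external_identity.rpartition("@")[2] != realm:
        problems.append(f"{external_identity} is not in realm {realm}")
    # Assumed HANA SPN form hdb/<fqdn>@REALM must be present in the imported keytab.
    spn = f"hdb/{hana_fqdn}@{realm}"
    if spn not in keytab_principals:
        problems.append(f"keytab lacks principal {spn}")
    return problems
```

Feed it the real /etc/krb5.conf and the principal list from the keytab to catch a realm or SPN mismatch before trying the HANA Studio logon.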
TESTING WITH HANA STUDIO
Here, I felt really disappointed, as despite so much hard work I was unable to get HANA Studio authenticated using the logged-on user's credentials. Please see the video below:
I searched for that error and posted on SCN but did not get any reply. I also tried to contact HANA experts via social media, but still no success. So, if you can help me, then please comment.
Anyway, my wife always says "everything happens for a good cause". Later, I used this setup for a different presentation in which I learnt and demonstrated connecting SAP Visual Intelligence to a HANA analytical model. I will soon share my experience in the next blog.