Channel: SCN : Blog List - SAP HANA Developer Center

My Experience while Integrating SAP Hana with Windows Active Directory in a Cloud


PURPOSE

 

I had been keeping an SAP HANA instance on AWS (Amazon Web Services) for a few months. I never did anything exciting with it until I was asked to demonstrate something for a university assignment (bco6181). There, I just thought I could try integrating the SAP HANA instance with Windows Active Directory for single sign-on. Unfortunately, I was not successful, but I completed most of the configuration. It was a good experience and an effort that I cannot forget.

 

Note: I followed this guide to perform these steps:

http://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/303bf0c3-ad5c-3010-df84-882747341e88?overridelayout=true

 

 

INFRASTRUCTURE


My infrastructure included the following:

 

SAP HANA Instance - HANA - Rev 48

Windows Server 2008 R2 - DC (Domain Controller) - and hosted AD (Active Directory) services.

Windows Server 2008 R2 - CLIENT  - and SAP Hana studio installed.

 

One VPC (Virtual Private Cloud) - 10.0.0.0/24 - The above machines (instances) were given specific IP addresses in the given range and were networked together.

 

HANA - 10.0.0.10 - Kerberos Client

DC - 10.0.0.11 - Kerberos Server

CLIENT - 10.0.0.12 - Hana Studio Installed

 

Please see the following video to confirm the configuration and connectivity between these machines:

 


I did not show two things in the above video for security reasons. When you create an instance in a VPC, it is bound to the default security group and network ACL (access list). New instances will not talk to each other until you change the incoming and outgoing rules in this security group. You can play with the security group and allow only specific protocols. In my case, I did the following:

 

Security Group: hana-access

 

Anything between machines - allow

RDP access to Windows Machine from my home IP address - allow

SSH access from my home IP address - allow

 

 

All three machines were talking to each other. You could see that DNS was working fine, as they were able to ping each other by hostname. On the HANA instance, I had to edit /etc/resolv.conf and add these lines (instead of the lines provided by the AWS instance template):

 

search TESTDOMAIN.COM

nameserver 10.0.0.11

 

I also made sure that the time on all three machines was synced and correct (one of the requirements for Kerberos authentication).

 

 

CREATING SPN & KEYTAB FILE - DC

 

I created a domain user HANASSO to register the SPN (service principal name) and later created the keytab file. Please see the following video:

 

 

IMPORTING KEYTAB FILE TO HANA

 

I used WinSCP to copy the keytab file from DC to HANA.

 

CREATING KEYTAB FILE & CONFIGURING KRB5.CONF - HANA

 

I created the keytab file (/etc/krb5.keytab) on the HANA instance and then tested authentication by creating a Kerberos ticket against DC. It worked. Please see the following video:

 

 

CREATING USER ON DC and HANA

 

I created the user "angads" on the Windows domain controller (authentication server) and then logged on to the machine CLIENT. Later, I created the user "angads" on HANA by using an SQL command in HANA Studio:

 

create user "angads" identified externally as "angads@TESTDOMAIN.COM"

 

I gave this user similar roles and access as SYSTEM
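
The prerequisites described above (resolv.conf pointing at the DC, synced clocks, and the external identity used in the create user statement) can be checked together before testing. The following is an added example, not code from the original post or from SAP; the function names and the epoch values are assumptions, the sample input is constructed from the values in this post, and the 300-second limit is the usual Kerberos default.

```python
MAX_SKEW_SECONDS = 300  # assumed limit: the usual Kerberos default of 5 minutes


def parse_resolv_conf(text):
    """Return (search_domains, nameservers) from resolv.conf content."""
    search, nameservers = [], []
    for raw in text.splitlines():
        fields = raw.split()
        if not fields or fields[0][0] in "#;":
            continue  # blank line or comment
        if fields[0] == "search":
            search = fields[1:]  # a later search line replaces an earlier one
        elif fields[0] == "nameserver" and len(fields) > 1:
            nameservers.append(fields[1])
    return search, nameservers


def preflight(resolv_text, dc_ip, realm, host_epoch, dc_epoch, external_id):
    """Return a list of problems; an empty list means every check passed."""
    problems = []
    search, nameservers = parse_resolv_conf(resolv_text)
    # The resolver asks the first nameserver first, so the DC must lead the list.
    if nameservers[:1] != [dc_ip]:
        problems.append(f"first nameserver is {nameservers[:1]}, expected {dc_ip}")
    # DNS names are case-insensitive, so compare the search domain in lower case.
    if realm.lower() not in (d.lower() for d in search):
        problems.append(f"search list {search} lacks {realm}")
    skew = abs(host_epoch - dc_epoch)
    if skew > MAX_SKEW_SECONDS:
        problems.append(f"clock skew {skew}s exceeds {MAX_SKEW_SECONDS}s")
    # Kerberos realm names are case-sensitive, so this comparison is exact.
    user, sep, id_realm = external_id.partition("@")
    if not (user and sep) or id_realm != realm:
        problems.append(f"external identity {external_id!r} is not in realm {realm}")
    return problems


# Constructed sample input using the values from this post.
RESOLV = "search TESTDOMAIN.COM\nnameserver 10.0.0.11\n"

if __name__ == "__main__":
    # Epoch values are constructed; collect real ones with `date +%s` on each host.
    result = preflight(RESOLV, "10.0.0.11", "TESTDOMAIN.COM",
                       1_700_000_000, 1_700_000_012, "angads@TESTDOMAIN.COM")
    print(result or "all checks passed")
```
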

 

TESTING WITH HANA STUDIO

 

Here, I felt really disappointed, as despite so much hard work I was unable to get HANA Studio authenticated using the logged-on user's credentials. Please see the video below:

 

 

I searched for that error and posted on SCN but did not get any reply. I also tried to contact HANA experts via social media but still had no success. So, if you can help me, then please comment.

 

Anyway, my wife always says "everything happens for a good cause". Later, I used this setup for a different presentation in which I learnt and demonstrated connecting SAP Visual Intelligence to a HANA analytical model. I have shared my experience in my next blog here

