Part I of this two-part blog post series explains how to setup Multi-Factor-Authentication (MFA) for SAP GUI with Microsoft Entra ID (formerly known as Microsoft Azure Active Directory, AAD) and SAP Secure Login Service (SLS) for SAP GUI. In this scenario, SLS issues a short-lived X.509 client certificate after successful authentication of the user at the SAP Cloud Services Identity Authentication (IAS) tenant. The IAS tenant acts as a SAML 2.0 proxy and forwards the authentication request to the user’s Microsoft Entra ID tenant where MFA is enforced using Microsoft Entra Conditional Access (CA). With the X.509 client certificate, SAP GUI establishes a Secure Network Communications (SNC) connection to the SAP Application Server (AS) ABAP to single sign-on (SSO) the user.
This blog post describes an alternative MFA-solution for SAP GUI based on the Kerberos protocol. It uses Microsoft Entra Private Access (PA) instead of SLS and IAS to integrate with Entra ID and Entra CA. Entra PA, and its accomanying service Entra Internet Access, are unified under Global Secure Access (GSA) in the Microsoft Entra admin center. Both enforce an identity-centric Zero Trust Network Access (ZTNA) strategy. With ZTNA, access is granted per user to specific services or applications, whereas traditional technologies for secure network access, such as Virtual Private Networks (VPNs), grant access to an entire network. VPNs operate at the OSI network layer with protocols such as IPSec. A ZTNA solution like Entra PA runs on the application layer and requires a software application, the Microsoft Entra Global Secure Access (GSA) client, to be installed on the user’s devices. The GSA client implements an NDIS 6.0 lightweight filter (LWF) network driver to route any traffic to internal and external applications based on centrally defined access rules at the company’s Entra ID tenant level. GSA deeply integrates with Entra CA to secure the access with modern authentication methods to those apps, and can add further controls as needed, such as requiring MFA as presented in this tutorial, allowing access only from a device that fulfills corporate compliance requirements, or detecting sign-in risks like access from atypical locations.
Figure 1 shows the end-to-end authentication and data flow with PA. Although this blog post follows the same scenario as part I for a user accessing the on-premise SAP system with SAP GUI from a workstation connected to the same (corporate) network, this setup can also be applied to a remote access scenario where the workstation is only connected to the Internet and access to the internal SAP system must be secured.
Figure 1: SAP GUI MFA with Global Secure Access
The user Jane Smith logs on to her workstation with her local domain credentials. The workstation is joined to the local AD and to the Entra ID tenant (aka hybrid-joined). By logging in to the local domain, Jane’s workstation obtains a Kerberos ticket-granting ticket (TGT) from the AD Domain Controller (DC). The TGT is a special type of Kerberos ticket that can only be used to obtain other tickets from the DC’s Ticket Granting Service (TGS) for other kerberized resources and services such as the SAP system.Jane launches the SAP Logon pad and double-clicks on the system entry for the SAP system with SID A4H. SNC is enabled for this system with a service principal registered in AD using the recommended User Principal Name (UPN) KerberosA4H and Service Principal Name (SPN) SAP/A4H which uniquely identifies the SAP system in Kerberos service tickets for single sign-on (SSO) requested by users. The SAP system has SNC configured with the service principal’s credentials as described in steps 1 to 27 of this related blog post.SAP GUI processes the SNC-protected logon to the SAP system with SAP Secure Login Client (SLC). This requires a new Kerberos service ticket (ST) from the DC for Jane to single sign-on to the SAP system. Without PA, SLC would bypass Entra ID and request the ST for the SAP system from the DC with a Kerberos ticket-granting service request (TGS_REQ) message. With PA, the locally installed GSA client intercepts the SNC connection on port 3200 based on filter rules, called application segments, defined by GSA applications registered in the Entra ID tenant. These GSA apps represent the resources on the corporate network and control access to those internal apps by specifying the IP address or full-qualified domain name (FQDN), port number and transport layer protocol (TCP or UDP) of the network traffic that you want to intercept with PA. To secure SNC traffic to the SAP system A4H in figure 1, the GSA administrator registers the corresponding enterprise application SAP A4H with an application segment for its IP address 192.168.99.1, SNC port number 3200, and TCP as the transport protocol. The SAP A4H enterprise application is also configured as the target resource in the CA policy that enforces MFA for Jane Smith when she accesses this system. All Kerberos-related traffic (ports 88, 389, 464 and 123) to the DC (IP address 192.168.99.10) using transport protocols TCP and/or UDP gets intercepted based on the application segments defined by the second enterprise application in this scenario, “Domain Conroller”. All segments from “SAP A4H” and “Domain Controller” are published to the GSA client(s) on the corporate workstation(s) as the GSA forwarding profile that gets synchronized regularly by a local policy retrieval service.The GSA client forwards the SNC connection request via Entra PA service to the Entra ID tenant for authentication. With Entra Cloud Sync, Jane’s corporate user account and password hash in AD are securely synchronized to the Cloud, and she can SSO with her hybrid identity to her tenant from her hybrid-joined device.Upon successful authenication, Entra enforces the second authentication factor as defined by a CA policy that has the Global Secure Access application for the SAP A4H system defined as its target resource, and has a grant control set to Passwordless MFA which trigger MFA for every new login request to the SAP system.GSA client opens a new browser window on Jane’s workstation to start the MFA process using passwordless sign-in from Jane’s Authenticator app on her mobile device. Entra shows a message in the browser window that asks Jane to tap a number in her Authenticator app and complete the sign-in process by providing her PIN or biometric. No username or password is asked for at any time in the authentication flow.
Note: Jane authenticated at her hybrid-joined workstation in step 1 with her corporate username and password. If she would have used a stronger authentication method such as Windows Hello for Business that uses biometric data, Entra CA would consider this as strong enough and would not re-enforce authentication with Jane’s Authenticator app.Entra reports the successful completion of the MFA sign-in process back to the GSA client.SLC requests the ST for the SAP system with an TGS_REQ Kerberos message to the DC’s Ticket Granting Service (TGS) on port 88, which gets also intercepted by the GSA Client based on application segments defined by the “Domain Controller” enterprise application. GSA Client forwards the Kerberos TGS request to Entra PA.Since MFA has already been enforced and successfully completed by the previous SNC request, no further intervention from Entra CA is needed. Instead, Entra PA forwards the TGS request to the DC on the corporate network via the Entra private network connector. This agent establishes a secured tunnel from the corporate network over ports 80 and 443 to the Entra PA service and routes the in- and outbound network traffic to all private resources defined by the Global Secure Access enterprise applications. Similar to the SAP Cloud Connector, there is no need to open inbound ports through the corporate firewall because traffic flows both ways once the connection is established. For a test setup, one connector instance on the DC is sufficient. However, in a complex production landscape with more on-premise apps, multiple connector instances can be organized into connector groups for high availability and load balancing, with each group handling traffic to specific applications.Entra private network connector forwards the TGS request for Jane’s SAP Kerberos ticket to the TGS on the DC. It replies with a TGS_REP Kerberos response containing the ticket (for more details on the Kerberos protocol, see also this related blog post)The TGS_REP message gets forwarded to the SLC via Entra PA and the GSA Client.With the Kerberos ticket, SAP GUI and SLC can establish the SNC connection and single sign-on user Jane to the SAP system.Again, all traffic from the GSA client-controlled workstation on port 3200 is routed via Entra PA service and the private network connector on the DC.Entra private network connector routes SNC communication to the SAP system where Jane can be single signed-on. This requires that Jane’s user name in the Kerberos ticket (jsmith@corp.bestrun.com) is correctly mapped to her SAP user account (JSMITH).
Prerequisites
Similar to part I of this blog series, the following prerequisites should be met before starting to implement this scenario:
A Microsoft Entra ID P1 or P2 or Entra Suite tenant with an administrative user assigned to the Entra built-in roles Conditional Access Administrator, Security Administrator, or Global Administrator. The domain name of the Entra tenant used in this tutorial is bestruncorp.onmicrosoft.com. If you can get a free P2 trial tenant with a Microsoft 365 Developer license.A valid license for Microsoft Entra Private Access. You can request a 30-day trial license through the Microsoft 365 admin center.A valid SAP license for enabling SNC-based SSO on the backend system and using SLC on the user’s workstationA non-administrator account used for testing the scenario. In this tutorial, Jane Smith has the account with user name jsmith@corp.bestrun.com in AD, jsmith@bestruncorp.onmicrosoft.com in Entra ID, and JSMITH in the SAP system. Administrative access to an SAP Application Server ABAP for testing the scenario. The system should be configured for SNC following steps 1 to 27 as described in this related tutorial. If you don’t have a development system available you can easily setup one with the ABAP Cloud Developer Trial on Docker.Administrative access to an AD DC and a domain-joined workstation for simulating the corporate network. In my lab environment used for this tutorial, both systems run as Hyper-V VMs and are configure according to the table below:
System
Configuration
Domain Controller (DC)
Windows Server 2019 or laterActive Directory Domain Services (AD DS role). Installing the AD DS role and promoting a Windows Server to a domain controller is documented here. The domain name used in this tutorial is corp.bestrun.com (NetBIOS: CORP), but you can also choose any other name.Microsoft Entra Cloud Sync: Follow these steps to download and install the on-premises agent on the DC.
Workstation
Windows 10 Pro or later, hybrid-joinedSAP GUI 7.60 or laterSAP Secure Login Client 3.0
The GSA on-prem software components, the Microsoft Entra Private Network Connector and the Global Secure Access client, will be installed on the DC and workstation in the following steps.
Ready? Then let’s get started with activating PA for the Entra tenant 🚀
Activate Entra Private Access
StepDescriptionScreenshot1.1
Login as the administrator to the Domain Controller
1.2
Open to the Entra Admin Center at https://entra.microsoft.com and login as the tenant administrator. Select Global Secure Access from the navigation menu.
Click the Activate button.
Wait for the message that your tenant onboarding has completed successfully.
1.3
Select Connect -> Traffic Forwarding from the navigation menu.
Activate the switch for the Private access profile.
1.4Confirm the dialog box with OK.
Install the Microsoft Entra Private Network Connector
Upon successful activation of the PA profile in the tenant, download and install the Microsoft Entra Private Network Connector on the DC. The DC acts as the connector server for the PA service in this scenario. It runs the private network connector which you will download and install in the following steps for tunneling Kerberos and SNC network traffic to the SAP system and the DC.
StepDescriptionScreenshot2.1
Select Connect -> Connectors from the navigation menu.
Click the Download connector service button.
2.2Accept the terms to start the download.2.3
Double-click the download file (MicrosoftEntraPrivateNetworkConnectorInstaller.exe) to start the installation of the Private network connector.
Activate the checkbox to accept the license terms and click Install.
2.4
During the installation process you will be asked to login to your Entra ID tenant.
Login as the tenant administrator.
2.5After completion of the connector installation click Restart.2.6
After the DC has restarted, login to the Entra Admin Center as the tenant administrator.
Select Global Secure Access -> Connect -> Connectors to verify the status of the newly installed connector. It should be assigned to the Default connector group and in state Active.
Install the Global Secure Access client
Continue the GSA setup by installing the Global Secure Access client on the user’s workstation. For an automated deployment of the client in a larger production landscape, see the instructions here.
StepDescriptionScreenshot3.1Login as user Jane Smith (JSMITH) to the corp.bestun.com (CORP) domain from the workstation.3.2
Open to the Entra Admin Center and login as the tenant administrator.
Select Global Secure Access -> Connect -> Client download from the navigation menu.
Click Download Client for Windows 10/11.
3.3
Run the GlobalSecureAccessClient.exe installer.
Activate the license terms and conditions checkbox and click Install. Installing the GSA client requires local administrator rights.
3.4Upon successful installation, click Sign in.3.5Login to GSA with your test user’s Entra ID account (e.g. jsmith@bestruncorp.onmicrosoft.com)
Configure SAP for Private Access
Upon successful installation of the required software components in the corporate network, it is now time to configure the first GSA application representing the SAP system on-premise, and add the required application segment to it for SNC. You also need to grant access to the test user by assigning Jane Smith to the app.
StepDescriptionScreenshot4.1
As the tenant admin in the Entra Admin Center (https://entra.microsoft.com), go to Global Secure Access -> Applications -> Enterprise applications in the navigation menu.
Click New application.
4.2
Enter a name for the new Global Secure Access application, for example “SAP A4H”.
Click Add application segment.
4.3
Enter the following settings for the new application segment:
Destination type: IP addressIP address: The IP address of the SAP system in the corporate network, for example 192.168.99.1Ports: 32<NN>. Replace <NN> with the instance number of your SAP system, for example 3200Protocol: TCP
Click Apply.
4.4Click Save.4.5
Click on Global Secure Access -> Applications -> Enterprise applications in the navigation menu.
Click on the name to select the newly created Global Secure Access application “SAP A4H” from the list.
4.6
Select Users and groups from the navigation menu.
Click Add user/group.
4.7
Click None Selected.
4.8
In the Search field, enter the name of your test user, e.g. Jane Smith, and select the user from the results by activating the checkbox.
Click Select.
4.9
Click Assign.
Configure Kerberos for Private Access
Continue with the application setup for Entra PA by adding the “Domain Controller” GSA enterprise app to intercept Kerberos traffic to the DC.
StepDescriptionScreenshot5.1
Click on Global Secure Access -> Applications -> Enterprise applications in the navigation menu.
Click New application.
5.2
Enter a name, for example “Domain Controller”.
Click Add application segment.
5.3
Enter the following settings for the new application segment:
Destination type: IP addressIP address: The IP address of the DC in the corporate network, for example 192.168.99.10Ports: 88Protocol: Select TCP and UDP
Click Apply.
5.4
Repeat the previous step for the following three application segments, which have all the destination type “IP address” and same IP address (your DC’s address, e.g. 192.168.99.10):
Ports: 389, Protocol: UDPPorts: 464, Protocol: TCP and UDPPorts: 123, Protocol: UDP
Click Save.
5.5
Click on Global Secure Access -> Applications -> Enterprise applications in the navigation menu.
Click on the name to select the newly created Global Secure Access application “Domain Controller” from the list.
5.6
Select Users and groups from the navigation menu.
Click Add user/group.
5.7
Click None Selected.
5.8
In the Search field, enter the name of your test user, e.g. Jane Smith, and select the user from the results by activating the checkbox.
Click Select.
5.9
Click Assign.
Configure MFA for SAP GUI with Entra Conditional Access
Setup MFA for the user in Entra by creating a CA policy and assigning it to the “SAP A4H” GSA application for the SAP system.
StepDescriptionScreenshot6.1
Select Global Secure Access -> Applications -> Enterprise applications from the navigation menu.
Click on the name to select the newly created Global Secure Access application “SAP A4H” from the list.
6.2From the enterprise application navigation menu, select Security -> Conditional Access.6.3Click New policy.6.4Enter a name for the new policy, for example “SAP GUI MFA”, and click on the link in the Users section.6.5Activate the checkbox for Users and groups6.6
In the Search field, enter the name of your test user, e.g. Jane Smith, and select the user from the results by activating the checkbox.
Click Select.
6.7Click on the link in the Access controls -> Grant section.6.8
Keep the default selection for Grant access, and activate the checkbox for Require authentication strength.
From the drop-down box, select Passwordless MFA.
Click Select.
6.9
Switch to On in the Enable policy options.
Click Create.
Setup private DNS for Kerberos SSO
To support SSO with Kerberos, the GSA client must be able to resolve internal (private) DNS names with the corporate domain suffix (corp.bestrun.com in this setup).
StepDescriptionScreenshot7.1
Run the command ipconfig /all on the DC or workstation host to find the DNS suffix for your corporate network.
Copy the value (here corp.bestrun.com) of Primary Dns suffix from the output.
7.1
Select Global Secure Access -> Applications -> Quick Access from the navigation menu.
Switch to the Private DNS tab.
Activate the Enable Private DNS checkbox and click Add DNS suffix.
7.2
Paste the DNS suffix from step 7.1 for your corporate network in the DNS suffix field.
Click Add.
7.3Select Users and Groups from the navigation menu.7.4Click None Selected.
7.5
In the Search field, enter the name of your test user, e.g. Jane Smith, and select the user from the results by activating the checkbox.
Click Select.
7.6Click Assign.
Setting up MFA with Phone Sign-in for the test user
Since you selected the Passwordless MFA option for the Required authentication strength in the previously created Conditional Access policy, you now need to setup the test user’s account accordingly. The following steps assume that there is no MFA authentication methods registered yet for the user. If so, make sure that Phone Sign-In is activated in the user’s Authenticator app. Otherwise just follow the next steps.
StepDescriptionScreenshot8.1
As the test user on the workstation, login to the My account portal at https://myaccount.microsoft.com.
On the Security info tile, click UPDATE INFO.
8.2Click Add sign-in method.8.3
Select Authenticator app from the drop-down list.
Click Add.
8.4Click Next.8.5Click Next.8.6On the user’s phone, launch the Authenticator app. Click + to add a new account.8.7
Select Work or school account.
Click Scan QR code.
8.8Scan the QR code displayed in the My access portal with your device camera.8.9
Go back to the My access portal.
Click Next.
8.10A random number is shown in the My access portal to approve the new account.8.11
A notification will pop-up in the Authenticator app. Enter the number shown in the previous step.
Click Yes.
8.12Upon successful approval, click Next.8.13
Select the newly added account in the Authenticator app.
Select Enable phone sign-in from the menu.
8.14Click Continue.8.15
Enter your test users domain password to authenticate with the Entra ID tenant.
Click Sign in.
8.16
Entra ID login will show a random number.
A few seconds later, the notification from the Authenticator app will pop-up.
Enter the number and click Yes.
8.17You have successfully enabled password-less MFA with phone sign-in for your test user’s account.
Configure SNC mapping for the user in the SAP system
Similar to Certificate-based SSO with SNC in part I of the blog series, Kerberos-based SSO to the SAP system also requires a mapping of the SAP user account to the user’s name in the corporate domain.
StepDescriptionScreenshot9.1
Login to the SAP backend with your SAP administrator user (e.g. DEVELOPER if you are using the Docker image).
Go to User Maintenance (SU01).
Enter your test user’s name (e.g. JSMITH).
Click Create User (F8) if the user account doesn’t exist. Otherwise, click Change (Shift+F6), and continue with step 9.4.
9.2
Enter the Last Name and First Name on the Address tab.
Switch to the Logon Data tab.
9.3
Enter a Password for the new user.
9.4
Switch to the SNC tab.
In the SNC name field, enter your test user’s name in the corporate AD domain following the format “p:CN=<user@domain-dns-suffix>”, e.g. “p:CN=JSMITH@CORP.BESTRUN.COM”.
Click Save.
Test the scenario
You are now ready to verify the scenario 🚀!
StepDescriptionScreenshot10.1Login as the test user jsmith to the local domain (CORP) on the workstation.10.2Hover over the GSA system tray icon to check that the status is “connected”.10.3Right-click on the GSA system tray icon and select Advanced diagnostics from the context menu.10.4Switch to the Health check tab. Ensure that the status bar shows that All checks are successful.10.5
Switch to the Forwarding profile tab and expand the Private access rules section.
Check that all rules defined by the application segments of the “SAP A4H” and “Domain Controller” GSA enterprise applications were synchronized by the local GSA policy retrieval service.
You also see additional rules for tunneling DNS on port 53 based on your Private DNS settings.
10.6
Switch to the Traffic tab.
Click Start collecting to record a trace of the intercepted SNC, Kerberos and DNS network traffic from the local workstation to the Entra PA service.
10.7
Start the SAP Logon Pad.
Right-click on your connection entry for the SAP system.
Select Properties from the context menu.
10.8
Switch to the Network tab.
Activate the checkbox for Activate Secure Network Communication.
Enter the SNC Name of your SAP backend. The name can be looked up on the backend with transaction RZ10 and the profile parameter snc/identity/as.
Choose Maximum security settings available.
Click OK.
10.9Right-click on the connection entry for the SAP system and select SNC Logon with Single Sign-On.10.10
SAP GUI now starts to establish the SNC connection, which gets intercepted by the GSA client (step 3 & 4 in figure 1) that requires the user to complete the multi-factor authentication process.
On the Global Secure Access Client window, click Sign in.
10.11
In the Entra ID login page, enter your test user’s corporate password.
Click Sign in.
10.12Entra Conditional Access now requires the second factor by prompting the user to enter the number shown on the login page in her Authenticator app on the mobile phone.10.13
The Authenticator app opens on the mobile phone. Upon successfully unlocking the app (e.g. with Face ID), the user has to enter the number shown in the previous step.
Click Yes.
10.14
The login process completes and the test user is successfully single signed-on to the SAP system.
10.15
To see the network traces, go back to the GSA Advanced diagnostics window. The Traffic tab shows the recorded network traffic over the tunneled connections to the DC (port 88) and the SAP system (port 3200).
With the user logged on in SAP GUI, the Connection status of the the tunneled SNC connection is still Active.
Congratulations on completing the tutorial for SAP GUI MFA with Entra Private Access 🏆🥇!
Part I of this two-part blog post series explains how to setup Multi-Factor-Authentication (MFA) for SAP GUI with Microsoft Entra ID (formerly known as Microsoft Azure Active Directory, AAD) and SAP Secure Login Service (SLS) for SAP GUI. In this scenario, SLS issues a short-lived X.509 client certificate after successful authentication of the user at the SAP Cloud Services Identity Authentication (IAS) tenant. The IAS tenant acts as a SAML 2.0 proxy and forwards the authentication request to the user’s Microsoft Entra ID tenant where MFA is enforced using Microsoft Entra Conditional Access (CA). With the X.509 client certificate, SAP GUI establishes a Secure Network Communications (SNC) connection to the SAP Application Server (AS) ABAP to single sign-on (SSO) the user.This blog post describes an alternative MFA-solution for SAP GUI based on the Kerberos protocol. It uses Microsoft Entra Private Access (PA) instead of SLS and IAS to integrate with Entra ID and Entra CA. Entra PA, and its accomanying service Entra Internet Access, are unified under Global Secure Access (GSA) in the Microsoft Entra admin center. Both enforce an identity-centric Zero Trust Network Access (ZTNA) strategy. With ZTNA, access is granted per user to specific services or applications, whereas traditional technologies for secure network access, such as Virtual Private Networks (VPNs), grant access to an entire network. VPNs operate at the OSI network layer with protocols such as IPSec. A ZTNA solution like Entra PA runs on the application layer and requires a software application, the Microsoft Entra Global Secure Access (GSA) client, to be installed on the user’s devices. The GSA client implements an NDIS 6.0 lightweight filter (LWF) network driver to route any traffic to internal and external applications based on centrally defined access rules at the company’s Entra ID tenant level. GSA deeply integrates with Entra CA to secure the access with modern authentication methods to those apps, and can add further controls as needed, such as requiring MFA as presented in this tutorial, allowing access only from a device that fulfills corporate compliance requirements, or detecting sign-in risks like access from atypical locations. Figure 1 shows the end-to-end authentication and data flow with PA. Although this blog post follows the same scenario as part I for a user accessing the on-premise SAP system with SAP GUI from a workstation connected to the same (corporate) network, this setup can also be applied to a remote access scenario where the workstation is only connected to the Internet and access to the internal SAP system must be secured.Figure 1: SAP GUI MFA with Global Secure Access The user Jane Smith logs on to her workstation with her local domain credentials. The workstation is joined to the local AD and to the Entra ID tenant (aka hybrid-joined). By logging in to the local domain, Jane’s workstation obtains a Kerberos ticket-granting ticket (TGT) from the AD Domain Controller (DC). The TGT is a special type of Kerberos ticket that can only be used to obtain other tickets from the DC’s Ticket Granting Service (TGS) for other kerberized resources and services such as the SAP system.Jane launches the SAP Logon pad and double-clicks on the system entry for the SAP system with SID A4H. SNC is enabled for this system with a service principal registered in AD using the recommended User Principal Name (UPN) KerberosA4H and Service Principal Name (SPN) SAP/A4H which uniquely identifies the SAP system in Kerberos service tickets for single sign-on (SSO) requested by users. The SAP system has SNC configured with the service principal’s credentials as described in steps 1 to 27 of this related blog post.SAP GUI processes the SNC-protected logon to the SAP system with SAP Secure Login Client (SLC). This requires a new Kerberos service ticket (ST) from the DC for Jane to single sign-on to the SAP system. Without PA, SLC would bypass Entra ID and request the ST for the SAP system from the DC with a Kerberos ticket-granting service request (TGS_REQ) message. With PA, the locally installed GSA client intercepts the SNC connection on port 3200 based on filter rules, called application segments, defined by GSA applications registered in the Entra ID tenant. These GSA apps represent the resources on the corporate network and control access to those internal apps by specifying the IP address or full-qualified domain name (FQDN), port number and transport layer protocol (TCP or UDP) of the network traffic that you want to intercept with PA. To secure SNC traffic to the SAP system A4H in figure 1, the GSA administrator registers the corresponding enterprise application SAP A4H with an application segment for its IP address 192.168.99.1, SNC port number 3200, and TCP as the transport protocol. The SAP A4H enterprise application is also configured as the target resource in the CA policy that enforces MFA for Jane Smith when she accesses this system. All Kerberos-related traffic (ports 88, 389, 464 and 123) to the DC (IP address 192.168.99.10) using transport protocols TCP and/or UDP gets intercepted based on the application segments defined by the second enterprise application in this scenario, “Domain Conroller”. All segments from “SAP A4H” and “Domain Controller” are published to the GSA client(s) on the corporate workstation(s) as the GSA forwarding profile that gets synchronized regularly by a local policy retrieval service.The GSA client forwards the SNC connection request via Entra PA service to the Entra ID tenant for authentication. With Entra Cloud Sync, Jane’s corporate user account and password hash in AD are securely synchronized to the Cloud, and she can SSO with her hybrid identity to her tenant from her hybrid-joined device.Upon successful authenication, Entra enforces the second authentication factor as defined by a CA policy that has the Global Secure Access application for the SAP A4H system defined as its target resource, and has a grant control set to Passwordless MFA which trigger MFA for every new login request to the SAP system.GSA client opens a new browser window on Jane’s workstation to start the MFA process using passwordless sign-in from Jane’s Authenticator app on her mobile device. Entra shows a message in the browser window that asks Jane to tap a number in her Authenticator app and complete the sign-in process by providing her PIN or biometric. No username or password is asked for at any time in the authentication flow. Note: Jane authenticated at her hybrid-joined workstation in step 1 with her corporate username and password. If she would have used a stronger authentication method such as Windows Hello for Business that uses biometric data, Entra CA would consider this as strong enough and would not re-enforce authentication with Jane’s Authenticator app.Entra reports the successful completion of the MFA sign-in process back to the GSA client.SLC requests the ST for the SAP system with an TGS_REQ Kerberos message to the DC’s Ticket Granting Service (TGS) on port 88, which gets also intercepted by the GSA Client based on application segments defined by the “Domain Controller” enterprise application. GSA Client forwards the Kerberos TGS request to Entra PA.Since MFA has already been enforced and successfully completed by the previous SNC request, no further intervention from Entra CA is needed. Instead, Entra PA forwards the TGS request to the DC on the corporate network via the Entra private network connector. This agent establishes a secured tunnel from the corporate network over ports 80 and 443 to the Entra PA service and routes the in- and outbound network traffic to all private resources defined by the Global Secure Access enterprise applications. Similar to the SAP Cloud Connector, there is no need to open inbound ports through the corporate firewall because traffic flows both ways once the connection is established. For a test setup, one connector instance on the DC is sufficient. However, in a complex production landscape with more on-premise apps, multiple connector instances can be organized into connector groups for high availability and load balancing, with each group handling traffic to specific applications.Entra private network connector forwards the TGS request for Jane’s SAP Kerberos ticket to the TGS on the DC. It replies with a TGS_REP Kerberos response containing the ticket (for more details on the Kerberos protocol, see also this related blog post)The TGS_REP message gets forwarded to the SLC via Entra PA and the GSA Client.With the Kerberos ticket, SAP GUI and SLC can establish the SNC connection and single sign-on user Jane to the SAP system.Again, all traffic from the GSA client-controlled workstation on port 3200 is routed via Entra PA service and the private network connector on the DC.Entra private network connector routes SNC communication to the SAP system where Jane can be single signed-on. This requires that Jane’s user name in the Kerberos ticket (jsmith@corp.bestrun.com) is correctly mapped to her SAP user account (JSMITH).PrerequisitesSimilar to part I of this blog series, the following prerequisites should be met before starting to implement this scenario:A Microsoft Entra ID P1 or P2 or Entra Suite tenant with an administrative user assigned to the Entra built-in roles Conditional Access Administrator, Security Administrator, or Global Administrator. The domain name of the Entra tenant used in this tutorial is bestruncorp.onmicrosoft.com. If you can get a free P2 trial tenant with a Microsoft 365 Developer license.A valid license for Microsoft Entra Private Access. You can request a 30-day trial license through the Microsoft 365 admin center.A valid SAP license for enabling SNC-based SSO on the backend system and using SLC on the user’s workstationA non-administrator account used for testing the scenario. In this tutorial, Jane Smith has the account with user name jsmith@corp.bestrun.com in AD, jsmith@bestruncorp.onmicrosoft.com in Entra ID, and JSMITH in the SAP system. Administrative access to an SAP Application Server ABAP for testing the scenario. The system should be configured for SNC following steps 1 to 27 as described in this related tutorial. If you don’t have a development system available you can easily setup one with the ABAP Cloud Developer Trial on Docker.Administrative access to an AD DC and a domain-joined workstation for simulating the corporate network. In my lab environment used for this tutorial, both systems run as Hyper-V VMs and are configure according to the table below:SystemConfigurationDomain Controller (DC)Windows Server 2019 or laterActive Directory Domain Services (AD DS role). Installing the AD DS role and promoting a Windows Server to a domain controller is documented here. The domain name used in this tutorial is corp.bestrun.com (NetBIOS: CORP), but you can also choose any other name.Microsoft Entra Cloud Sync: Follow these steps to download and install the on-premises agent on the DC.WorkstationWindows 10 Pro or later, hybrid-joinedSAP GUI 7.60 or laterSAP Secure Login Client 3.0The GSA on-prem software components, the Microsoft Entra Private Network Connector and the Global Secure Access client, will be installed on the DC and workstation in the following steps. Ready? Then let’s get started with activating PA for the Entra tenant 🚀Activate Entra Private AccessStepDescriptionScreenshot1.1Login as the administrator to the Domain Controller1.2 Open to the Entra Admin Center at https://entra.microsoft.com and login as the tenant administrator. Select Global Secure Access from the navigation menu.Click the Activate button.Wait for the message that your tenant onboarding has completed successfully.1.3Select Connect -> Traffic Forwarding from the navigation menu.Activate the switch for the Private access profile. 1.4Confirm the dialog box with OK.Install the Microsoft Entra Private Network ConnectorUpon successful activation of the PA profile in the tenant, download and install the Microsoft Entra Private Network Connector on the DC. The DC acts as the connector server for the PA service in this scenario. It runs the private network connector which you will download and install in the following steps for tunneling Kerberos and SNC network traffic to the SAP system and the DC.StepDescriptionScreenshot2.1Select Connect -> Connectors from the navigation menu.Click the Download connector service button.2.2Accept the terms to start the download.2.3Double-click the download file (MicrosoftEntraPrivateNetworkConnectorInstaller.exe) to start the installation of the Private network connector.Activate the checkbox to accept the license terms and click Install.2.4During the installation process you will be asked to login to your Entra ID tenant.Login as the tenant administrator.2.5After completion of the connector installation click Restart.2.6After the DC has restarted, login to the Entra Admin Center as the tenant administrator.Select Global Secure Access -> Connect -> Connectors to verify the status of the newly installed connector. It should be assigned to the Default connector group and in state Active.Install the Global Secure Access clientContinue the GSA setup by installing the Global Secure Access client on the user’s workstation. For an automated deployment of the client in a larger production landscape, see the instructions here. StepDescriptionScreenshot3.1Login as user Jane Smith (JSMITH) to the corp.bestun.com (CORP) domain from the workstation.3.2Open to the Entra Admin Center and login as the tenant administrator.Select Global Secure Access -> Connect -> Client download from the navigation menu.Click Download Client for Windows 10/11.3.3Run the GlobalSecureAccessClient.exe installer.Activate the license terms and conditions checkbox and click Install. Installing the GSA client requires local administrator rights. 3.4Upon successful installation, click Sign in.3.5Login to GSA with your test user’s Entra ID account (e.g. jsmith@bestruncorp.onmicrosoft.com)Configure SAP for Private AccessUpon successful installation of the required software components in the corporate network, it is now time to configure the first GSA application representing the SAP system on-premise, and add the required application segment to it for SNC. You also need to grant access to the test user by assigning Jane Smith to the app.StepDescriptionScreenshot4.1As the tenant admin in the Entra Admin Center (https://entra.microsoft.com), go to Global Secure Access -> Applications -> Enterprise applications in the navigation menu.Click New application.4.2Enter a name for the new Global Secure Access application, for example “SAP A4H”.Click Add application segment.4.3Enter the following settings for the new application segment:Destination type: IP addressIP address: The IP address of the SAP system in the corporate network, for example 192.168.99.1Ports: 32<NN>. Replace <NN> with the instance number of your SAP system, for example 3200Protocol: TCPClick Apply.4.4Click Save.4.5Click on Global Secure Access -> Applications -> Enterprise applications in the navigation menu.Click on the name to select the newly created Global Secure Access application “SAP A4H” from the list.4.6Select Users and groups from the navigation menu.Click Add user/group.4.7Click None Selected.4.8In the Search field, enter the name of your test user, e.g. Jane Smith, and select the user from the results by activating the checkbox.Click Select.4.9Click Assign.Configure Kerberos for Private AccessContinue with the application setup for Entra PA by adding the “Domain Controller” GSA enterprise app to intercept Kerberos traffic to the DC.StepDescriptionScreenshot5.1Click on Global Secure Access -> Applications -> Enterprise applications in the navigation menu.Click New application. 5.2Enter a name, for example “Domain Controller”.Click Add application segment. 5.3Enter the following settings for the new application segment:Destination type: IP addressIP address: The IP address of the DC in the corporate network, for example 192.168.99.10Ports: 88Protocol: Select TCP and UDPClick Apply.5.4Repeat the previous step for the following three application segments, which have all the destination type “IP address” and same IP address (your DC’s address, e.g. 192.168.99.10):Ports: 389, Protocol: UDPPorts: 464, Protocol: TCP and UDPPorts: 123, Protocol: UDPClick Save.5.5Click on Global Secure Access -> Applications -> Enterprise applications in the navigation menu.Click on the name to select the newly created Global Secure Access application “Domain Controller” from the list.5.6Select Users and groups from the navigation menu.Click Add user/group.5.7Click None Selected.5.8In the Search field, enter the name of your test user, e.g. Jane Smith, and select the user from the results by activating the checkbox.Click Select.5.9Click Assign.Configure MFA for SAP GUI with Entra Conditional AccessSetup MFA for the user in Entra by creating a CA policy and assigning it to the “SAP A4H” GSA application for the SAP system.StepDescriptionScreenshot6.1Select Global Secure Access -> Applications -> Enterprise applications from the navigation menu.Click on the name to select the newly created Global Secure Access application “SAP A4H” from the list.6.2From the enterprise application navigation menu, select Security -> Conditional Access.6.3Click New policy.6.4Enter a name for the new policy, for example “SAP GUI MFA”, and click on the link in the Users section.6.5Activate the checkbox for Users and groups6.6In the Search field, enter the name of your test user, e.g. Jane Smith, and select the user from the results by activating the checkbox.Click Select.6.7Click on the link in the Access controls -> Grant section.6.8Keep the default selection for Grant access, and activate the checkbox for Require authentication strength.From the drop-down box, select Passwordless MFA.Click Select.6.9Switch to On in the Enable policy options.Click Create.Setup private DNS for Kerberos SSOTo support SSO with Kerberos, the GSA client must be able to resolve internal (private) DNS names with the corporate domain suffix (corp.bestrun.com in this setup). StepDescriptionScreenshot7.1Run the command ipconfig /all on the DC or workstation host to find the DNS suffix for your corporate network.Copy the value (here corp.bestrun.com) of Primary Dns suffix from the output. 7.1Select Global Secure Access -> Applications -> Quick Access from the navigation menu.Switch to the Private DNS tab.Activate the Enable Private DNS checkbox and click Add DNS suffix.7.2Paste the DNS suffix from step 7.1 for your corporate network in the DNS suffix field.Click Add.7.3Select Users and Groups from the navigation menu.7.4Click None Selected.7.5In the Search field, enter the name of your test user, e.g. Jane Smith, and select the user from the results by activating the checkbox.Click Select.7.6Click Assign.Setting up MFA with Phone Sign-in for the test userSince you selected the Passwordless MFA option for the Required authentication strength in the previously created Conditional Access policy, you now need to setup the test user’s account accordingly. The following steps assume that there is no MFA authentication methods registered yet for the user. If so, make sure that Phone Sign-In is activated in the user’s Authenticator app. Otherwise just follow the next steps. StepDescriptionScreenshot8.1As the test user on the workstation, login to the My account portal at https://myaccount.microsoft.com.On the Security info tile, click UPDATE INFO.8.2Click Add sign-in method.8.3Select Authenticator app from the drop-down list.Click Add.8.4Click Next.8.5Click Next.8.6On the user’s phone, launch the Authenticator app. Click + to add a new account.8.7Select Work or school account.Click Scan QR code.8.8Scan the QR code displayed in the My access portal with your device camera.8.9Go back to the My access portal.Click Next.8.10A random number is shown in the My access portal to approve the new account.8.11A notification will pop-up in the Authenticator app. Enter the number shown in the previous step.Click Yes.8.12Upon successful approval, click Next.8.13Select the newly added account in the Authenticator app.Select Enable phone sign-in from the menu.8.14Click Continue.8.15Enter your test users domain password to authenticate with the Entra ID tenant.Click Sign in.8.16Entra ID login will show a random number.A few seconds later, the notification from the Authenticator app will pop-up.Enter the number and click Yes.8.17You have successfully enabled password-less MFA with phone sign-in for your test user’s account.Configure SNC mapping for the user in the SAP systemSimilar to Certificate-based SSO with SNC in part I of the blog series, Kerberos-based SSO to the SAP system also requires a mapping of the SAP user account to the user’s name in the corporate domain.StepDescriptionScreenshot9.1Login to the SAP backend with your SAP administrator user (e.g. DEVELOPER if you are using the Docker image).Go to User Maintenance (SU01).Enter your test user’s name (e.g. JSMITH).Click Create User (F8) if the user account doesn’t exist. Otherwise, click Change (Shift+F6), and continue with step 9.4.9.2Enter the Last Name and First Name on the Address tab.Switch to the Logon Data tab.9.3Enter a Password for the new user.9.4Switch to the SNC tab.In the SNC name field, enter your test user’s name in the corporate AD domain following the format “p:CN=<user@domain-dns-suffix>”, e.g. “p:CN=JSMITH@CORP.BESTRUN.COM”.Click Save.Test the scenarioYou are now ready to verify the scenario 🚀!StepDescriptionScreenshot10.1Login as the test user jsmith to the local domain (CORP) on the workstation.10.2Hover over the GSA system tray icon to check that the status is “connected”.10.3Right-click on the GSA system tray icon and select Advanced diagnostics from the context menu.10.4Switch to the Health check tab. Ensure that the status bar shows that All checks are successful.10.5Switch to the Forwarding profile tab and expand the Private access rules section.Check that all rules defined by the application segments of the “SAP A4H” and “Domain Controller” GSA enterprise applications were synchronized by the local GSA policy retrieval service.You also see additional rules for tunneling DNS on port 53 based on your Private DNS settings. 10.6Switch to the Traffic tab.Click Start collecting to record a trace of the intercepted SNC, Kerberos and DNS network traffic from the local workstation to the Entra PA service.10.7Start the SAP Logon Pad. Right-click on your connection entry for the SAP system.Select Properties from the context menu.10.8Switch to the Network tab.Activate the checkbox for Activate Secure Network Communication.Enter the SNC Name of your SAP backend. The name can be looked up on the backend with transaction RZ10 and the profile parameter snc/identity/as.Choose Maximum security settings available.Click OK.10.9Right-click on the connection entry for the SAP system and select SNC Logon with Single Sign-On.10.10SAP GUI now starts to establish the SNC connection, which gets intercepted by the GSA client (step 3 & 4 in figure 1) that requires the user to complete the multi-factor authentication process.On the Global Secure Access Client window, click Sign in.10.11In the Entra ID login page, enter your test user’s corporate password.Click Sign in.10.12Entra Conditional Access now requires the second factor by prompting the user to enter the number shown on the login page in her Authenticator app on the mobile phone.10.13The Authenticator app opens on the mobile phone. Upon successfully unlocking the app (e.g. with Face ID), the user has to enter the number shown in the previous step.Click Yes.10.14The login process completes and the test user is successfully single signed-on to the SAP system.10.15To see the network traces, go back to the GSA Advanced diagnostics window. The Traffic tab shows the recorded network traffic over the tunneled connections to the DC (port 88) and the SAP system (port 3200).With the user logged on in SAP GUI, the Connection status of the the tunneled SNC connection is still Active.Congratulations on completing the tutorial for SAP GUI MFA with Entra Private Access 🏆🥇! Read More Technology Blogs by Members articles
#SAP
#SAPTechnologyblog
