10 Replies. Latest reply: Aug 2, 2011 11:36 PM by Zulfi Dehqani

SNC Single Sign-On - SSPI u2u problem error

Alex Lo

Dear all,

I have enabled the SNC - SSO function in the SAP R/3 system, but once I log on via the SAP GUI, it shows the error message "SSPI u2u-problem: please add Service principal for target="p:username@domain name"". Please see the details below.

 

Information: SAP server - Windows 2003 64 bit
             Client - Windows 7 32 bit with SAP GUI 710 SP15

 

I have two questions on this issue; please see below.

Q1. Setting "snc/gssapi_lib" in the SAP server: if it is set to use "gssapi32.dll", the SAP service can start up. When it is set to use "gsskrb5.dll" or "gx64krb5.dll", SNC fails and the SAP service cannot start up (message server stopped).

Should I use the file "gssapi32.dll", "gsskrb5.dll" or "gx64krb5.dll" on the server?

Q2. The SNC name in "SAP GUI Logon": once I log on via the GUI, the system shows the error "SSPI u2u-problem: please add Service principal for target="p:username@domain name"".

 

Please see my settings below for details.

SAP Server - Profile Setting

snc/enable = 1
snc/data_protection/use = 1
snc/gssapi_lib = c:\usr\sap\APP\SYS\exe\uc\NTAMD64\gssapi32.dll
snc/accept_insecure_gui = U
snc/identity/as = p:<sid>adm@DomainName

User Maintain - SU01 SNC Name

SNC Name in SAP user account - p:DomainName\UserName ( p:ABC.AD\ALEX.LO )

Windows Server Environment Variables

- SNC_LIB = c:\usr\sap\APP\SYS\exe\uc\NTAMD64\gssapi32.dll

Client Side - SAP Logon

1. Select the item "Activate Secure Network Communication" in the Network page of SAP GUI
2. Enter the SNC Name "p:alex.lo@DomainName" and select "Max Sec Setting Available"

Windows Server Environment Variables

- SNC_LIB = c:\Windows\System32\gsskrb5.dll

 

Please help me to resolve the error "SSPI u2u-problem: please add Service principal" and review whether the SNC name is correct or not; I have no idea how to resolve it. Thank you!

 

Regards,

Alex

 

Edited by: Alex Lo - BCA on Jun 23, 2010 11:09 AM

  • Re: SNC Single Sign-On - SSPI u2u problem error
    Markus Doehr

    > I have two questions on this issue, please see as below;

    > Q1. Set the "snc/gssapi_lib" in SAP server, if set to use "gssapi32.dll", the SAP service can startup. When set to use "gsskrb5.dll" or "gx64krb5.dll", the SNC is failed and then SAP service cannot startup - message server stopped

    >

    > I should use the file "gssapi32.dll" or "gsskrb5.dll" or "gx64krb5.dll" in server?

     

    Since your system seems to be a 64-bit system, you need to use the 64-bit library (gx64krb5.dll). If the system does not come up when you use that one, please check the developer traces (dev_w0).

    You get this error message because SNC is not active, because a 64-bit kernel can't load a 32-bit library.

    Markus

    • Re: SNC Single Sign-On - SSPI u2u problem error
      Alex Lo

      Hi Markus,

      If I use "gssapi32.dll", the system can start up and SNC is successful, but once I use "gx64krb5.dll", the SAP service cannot start up (message server stopped).

      I saw the SNC user guide and note 352295; the SAP note mentioned that the SNC lib is the file "gssapi32.dll", but some online documents mentioned that 64-bit Windows uses "gx64krb5.dll". The file "gx64krb5.dll" was downloaded from this FTP site: ftp://ftp.sap.com/pub/ietf-work/gssapi/gsskrb5/

      Would you tell me whether the SNC name in SAP Logon, "username@domainname", is correct or not? Thanks!

      Regards,

      Alex

      • Re: SNC Single Sign-On - SSPI u2u problem error
        Markus Doehr

        > If I using the "gssapi32.dll", the system can startup and the SNC is successful but once using "gx64krb5.dll", the SAP service is cannot startup (message server stopped).

         

        Yes, because the system will fail to load the library and deactivate SNC and so come up.

         

        >  I saw the SNC user guide and notes 352295, the SAP note mentioned the SNC Lib is the file "gssapi32.dll", but some online document mentioned 64bit Windows is use "gx64krb5.dll", the file "gx64krb5.dll" is download from this FTP site ftp://ftp.sap.com/pub/ietf-work/gssapi/gsskrb5/

        >

        > Would you like to tell me the SNC name of SAP Logon is "username@domainname", it is correct or not? Thanks!

         

        Why not simply check the content of dev_w0 when you start the system with gx64krb5.dll? Then we will see exactly why the system is not coming up and can suggest something concrete instead of guessing what may be wrong.

        Markus

        • Re: SNC Single Sign-On - SSPI u2u problem error
          Alex Lo

          Hi Markus,

           

          I have changed the SAP profile setting to use "gx64krb5.dll" and copied the dev_w0 log file; please kindly review it below. Thanks!

           

           

          N  SncInit():   found snc/data_protection/max=1, using 1 (Authentication Level)
          N  SncInit():   found snc/data_protection/min=1, using 1 (Authentication Level)
          N  SncInit():   found snc/data_protection/use=1, using 1 (Authentication Level)
          N  SncInit(): found  snc/gssapi_lib=c:\gsskrb5\gx64krb5.dll   <-- I downloaded the GSS-API library "gx64krb5.dll" and saved it in this folder
          N    File "c:\gsskrb5\gx64krb5.dll" dynamically loaded as GSS-API v2 library.
          N  *** ERROR => SncPDLInit(): gss_indicate_mechs() failed
          N   [sncxxdl.0457]*** ERROR => SncPDLInit(()==SNCERR_INIT  [sncxxdl.c 452]
          N        GSS-API(maj): Miscellaneous Failure
          N        GSS-API(min): Kerberos SSPI not usable with this User account
          N      STOP! -- initial call to gss_indicate_mechs() failed
          N  *** ERROR => SncPDLInit()==SNCERR_INIT, Adapter (#0) c:\gsskrb5\gx64krb5.dll not loaded
          N   [sncxxdl.0604]<<- SncInit()==SNCERR_INIT
          N           sec_avail = "false"
          M  ***LOG R19=> ThSncInit, SncInitU ( SNC-000001) [thxxsnc.c    230]
          M  *** ERROR => ThSncInit: SncInitU (SNCERR_INIT) [thxxsnc.c    232]
          M  in_ThErrHandle: 1
          M  *** ERROR => SncInitU (step 1, th_errno 44, action 3, level 1) [thxxhead.c   10468]
          M  PfStatDisconnect: disconnect statistics
          M  Entering TH_CALLHOOKS
          M  ThCallHooks: call hook >SAP-Trace buffer write< for event BEFORE_DUMP
          M  TrThHookFunc: called for WP dump
          M  ThCallHooks: call hook >ThrSaveSPAFields< for event BEFORE_DUMP
          M  *** ERROR => ThrSaveSPAFields: no valid thr_wpadm [thxxrun1.c   724]
          M  *** ERROR => ThCallHooks: event handler ThrSaveSPAFields for event BEFORE_DUMP failed [thxxtool3.c  261]
          M  Entering ThSetStatError
          M  ThIErrHandle: do not call ThrCoreInfo (no_core_info=0, in_dynp_env=0)
          M  Entering ThReadDetachMode
          M  call ThrShutDown (1)...
          M  ***LOG Q02=> wp_halt, WPStop (Workproc 0 5704) [dpnttool.c   327]

           

           

          Please see the dev_w0 log file below when using the file "gssapi32.dll":

           

          N  SncInit():   found snc/data_protection/max=1, using 1 (Authentication Level)
          N  SncInit():   found snc/data_protection/min=1, using 1 (Authentication Level)
          N  SncInit():   found snc/data_protection/use=1, using 1 (Authentication Level)
          N  SncInit(): found  snc/gssapi_lib=c:\usr\sap\APP\SYS\exe\uc\NTAMD64\gssapi32.dll
          N Wed Jun 23 12:44:37 2010
          N    File "c:\usr\sap\APP\SYS\exe\uc\NTAMD64\gssapi32.dll" dynamically loaded as GSS-API v2 library.
          N    The internal Adapter for the loaded GSS-API mechanism identifies as:
          N    Internal SNC-Adapter (Rev 1.0) to SAP's GSS-API v2 over NTLM(SSPI) Adapter
          N  SncInit():   found snc/identity/as=p:alex.lo@zodiac.ad
          N  SncInit(): Accepting  Credentials available, lifetime=Indefinite
          N  SncInit(): Initiating Credentials available, lifetime=Indefinite
          M  ***LOG R1Q=> 1& [thxxsnc.c    259]
          M  SNC (Secure Network Communication) enabled

           

          Regards,

          Alex
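As an added example (not part of this thread and not an SAP tool), the following Python script parses dev_w0 SNC initialisation lines like the ones posted above and reports whether SNC came up, which library and identity were used, which adapter was loaded, and the GSS-API failure reason when it did not. The two sample traces are constructed from the excerpts in this thread (with the forum's "<at>" mangling of "@" undone); the report field names and the NTLM/Kerberos classification of the adapter line are my own.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample input: the failing gx64krb5.dll start from this thread.
FAILED_START = r"""
N  SncInit():   found snc/data_protection/use=1, using 1 (Authentication Level)
N  SncInit(): found  snc/gssapi_lib=c:\gsskrb5\gx64krb5.dll
N    File "c:\gsskrb5\gx64krb5.dll" dynamically loaded as GSS-API v2 library.
N  *** ERROR => SncPDLInit(): gss_indicate_mechs() failed
N   [sncxxdl.0457]*** ERROR => SncPDLInit(()==SNCERR_INIT  [sncxxdl.c 452]
N        GSS-API(maj): Miscellaneous Failure
N        GSS-API(min): Kerberos SSPI not usable with this User account
N      STOP! -- initial call to gss_indicate_mechs() failed
N  *** ERROR => SncPDLInit()==SNCERR_INIT, Adapter (#0) c:\gsskrb5\gx64krb5.dll not loaded
N           sec_avail = "false"
M  *** ERROR => ThSncInit: SncInitU (SNCERR_INIT) [thxxsnc.c    232]
"""

# Constructed sample input: the working gssapi32.dll start from this thread.
WORKING_START = r"""
N  SncInit(): found  snc/gssapi_lib=c:\usr\sap\APP\SYS\exe\uc\NTAMD64\gssapi32.dll
N    File "c:\usr\sap\APP\SYS\exe\uc\NTAMD64\gssapi32.dll" dynamically loaded as GSS-API v2 library.
N    The internal Adapter for the loaded GSS-API mechanism identifies as:
N    Internal SNC-Adapter (Rev 1.0) to SAP's GSS-API v2 over NTLM(SSPI) Adapter
N  SncInit():   found snc/identity/as=p:appadm@ZODIAC.AD
N  SncInit(): Accepting  Credentials available, lifetime=Indefinite
N  SncInit(): Initiating Credentials available, lifetime=Indefinite
M  SNC (Secure Network Communication) enabled
"""


@dataclass
class SncInitReport:
    """Fields extracted from the SncInit() section of a dev_w0 trace (my own names)."""
    gssapi_lib: Optional[str] = None
    library_loaded: bool = False
    adapter: Optional[str] = None
    identity_as: Optional[str] = None
    accepting_creds: bool = False
    initiating_creds: bool = False
    enabled: bool = False
    gss_major: Optional[str] = None
    gss_minor: Optional[str] = None
    errors: List[str] = field(default_factory=list)

    def mechanism(self) -> str:
        """Classify the loaded adapter from its self-description line."""
        if self.adapter is None:
            return "unknown"
        if "NTLM" in self.adapter:
            return "ntlm"
        if "kerberos" in self.adapter.lower() or "krb5" in self.adapter.lower():
            return "kerberos"
        return "other"


_LIB_RE = re.compile(r"snc/gssapi_lib=(\S+)")
_LOADED_RE = re.compile(r'File "([^"]+)" dynamically loaded as GSS-API')
_IDENTITY_RE = re.compile(r"snc/identity/as=(\S+)")
_MAJ_RE = re.compile(r"GSS-API\(maj\):\s*(.*)")
_MIN_RE = re.compile(r"GSS-API\(min\):\s*(.*)")


def parse_snc_init(trace: str) -> SncInitReport:
    """Walk the trace once and collect the SNC initialisation outcome."""
    r = SncInitReport()
    for raw in trace.splitlines():
        line = raw.strip()
        if not line:
            continue
        # Drop the one-letter component prefix ("N " for SNC, "M " for taskhandler).
        body = line[1:].strip() if line[0] in "NM" else line
        if m := _LIB_RE.search(body):
            r.gssapi_lib = m.group(1)
        elif _LOADED_RE.search(body):
            r.library_loaded = True
        elif "Internal SNC-Adapter" in body:
            r.adapter = body
        elif m := _IDENTITY_RE.search(body):
            r.identity_as = m.group(1)
        elif "Accepting" in body and "Credentials available" in body:
            r.accepting_creds = True
        elif "Initiating" in body and "Credentials available" in body:
            r.initiating_creds = True
        elif m := _MAJ_RE.search(body):
            r.gss_major = m.group(1).strip()
        elif m := _MIN_RE.search(body):
            r.gss_minor = m.group(1).strip()
        elif "*** ERROR =>" in body:
            r.errors.append(body)
        elif body.startswith("SNC (Secure Network Communication) enabled"):
            r.enabled = True
    return r


def summarize(r: SncInitReport) -> str:
    """One-line verdict; the GSS minor status is the most specific failure reason."""
    if r.enabled:
        note = ""
        if r.mechanism() == "ntlm":
            note = " (note: the adapter negotiates NTLM over SSPI, not Kerberos)"
        return f"SNC enabled with {r.gssapi_lib} as {r.identity_as}{note}"
    reason = r.gss_minor or r.gss_major or (r.errors[0] if r.errors else "unknown")
    return f"SNC init failed with {r.gssapi_lib}: {reason}"


if __name__ == "__main__":
    print(summarize(parse_snc_init(FAILED_START)))
    print(summarize(parse_snc_init(WORKING_START)))
```

The point of the mechanism classification is the one the second trace makes visible: with gssapi32.dll the system comes up, but the adapter line says the SSO is running over NTLM(SSPI), so a "working" start is not the same as a Kerberos-based SNC setup.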

          • Re: SNC Single Sign-On - SSPI u2u problem error
            Juan Reyes

            Kerberos SSPI not usable with this User account

            What's the value of parameter snc/identity/as?

            It should be p:user@DOMAIN, IN UPPERCASE.

            Regards

            Juan

            • Re: SNC Single Sign-On - SSPI u2u problem error
              Alex Lo

              Hi Juan,

               

              I have changed it to "username@DOMAINNAME" <-- UPPERCASE, but the errors still occur, same as before; please see the log below:

               

              N  SncInit(): found  snc/gssapi_lib=c:\gsskrb5\gx64krb5.dll
              N    File "c:\gsskrb5\gx64krb5.dll" dynamically loaded as GSS-API v2 library.
              N  *** ERROR => SncPDLInit(): gss_indicate_mechs() failed                             <---- please see from here
              N   [sncxxdl.0457]*** ERROR => SncPDLInit(()==SNCERR_INIT  [sncxxdl.c 452]
              N        GSS-API(maj): Miscellaneous Failure
              N        GSS-API(min): Kerberos SSPI not usable with this User account
              N      STOP! -- initial call to gss_indicate_mechs() failed
              N  *** ERROR => SncPDLInit()==SNCERR_INIT, Adapter (#0) c:\gsskrb5\gx64krb5.dll not loaded
              N   [sncxxdl.0604]<<- SncInit()==SNCERR_INIT
              N           sec_avail = "false"

               

              When I change to use the file "gssapi32.dll", the system can start up and the log is as below:

               

              N  SncInit(): found  snc/gssapi_lib=c:\usr\sap\APP\SYS\exe\uc\NTAMD64\gssapi32.dll
              N    File "c:\usr\sap\APP\SYS\exe\uc\NTAMD64\gssapi32.dll" dynamically loaded as GSS-API v2 library.  <-- the library is valid
              N    The internal Adapter for the loaded GSS-API mechanism identifies as:
              N    Internal SNC-Adapter (Rev 1.0) to SAP's GSS-API v2 over NTLM(SSPI) Adapter
              N  SncInit():   found snc/identity/as=p:appadm@ZODIAC.AD
              N  SncInit(): Accepting  Credentials available, lifetime=Indefinite
              N  SncInit(): Initiating Credentials available, lifetime=Indefinite
              M  ***LOG R1Q=> 1& [thxxsnc.c    259]
              M  SNC (Secure Network Communication) enabled
              M  CCMS: AlInitGlobals : alert/use_sema_lock = TRUE.

               

              Please advise, thanks for your help!

               

              Regards,

              Alex

              • Re: SNC Single Sign-On - SSPI u2u problem error
                Alex Lo

                Dear all,

                 

                One more question: I have just reviewed SAP note 352295. Do I need to execute the command to define the Service Principal via the tool "SETSPN.EXE"? I haven't done this before; please advise, thanks!

                SETSPN -A SAPServiceC11/dontcare  MYDOMAIN\SAPServiceC11

                Note Content

                If you want to use gsskrb5.dll with Windows 2003 Active Directory, you MUST use gsskrb5.dll v1.0.8 or newer on all your servers and frontends and you will have to add a Service Principal to the Domain Service Account of your SAP AppServer in order to re-enable the rfc-1964 2-token Kerberos authentication which gsskrb5.dll needs to work. The Service Principal itself is not used, only the undocumented side-effect of re-enabling rfc-1964/rfc-4121 compliant authentication. Therefore the "hostname" part of the Service Principal name doesn't matter. (Win2K3sp2 seems to newly require that the Service Principal contains a slash character.) You can use the Microsoft command line tool "SETSPN.EXE" to define the Service principal. If the Domain Service account of your SAP AppServer is "SAPServiceC11" in the NT4-style Domain "MYDOMAIN", you would type:

                    SETSPN -A SAPServiceC11/dontcare  MYDOMAIN\SAPServiceC11

                "SETSPN.EXE" is included on the Microsoft Windows installation CD in the Archive "\support\tools\support.cab"

                 

                Regards,

                Alex

                • Re: SNC Single Sign-On - SSPI u2u problem error
                  Alex Lo

                  Dear all,

                  I want to execute the SETSPN command for SSO. Would you know whether the following SETSPN command should be executed on the SAP R/3 server or on the AD domain server?

                  SETSPN -A SAPServiceC11/dontcare MYDOMAIN\SAPServiceC11

                  What are the parameters of the SETSPN command?

                  "SAPServiceC11" is the SAP services account
                  "dontcare" should be the hostname?
                  "MYDOMAIN" should be the domain name.

                  Please correct me if I'm wrong, thanks!

                  Finally, I entered the following SETSPN command on the SAP server:

                  -- setspn -A appadm/QISAPP.zodiac.ad zodiac\appadm

                  Regards,

                  Alex

                  • Re: SNC Single Sign-On - SSPI u2u problem error
                    Aniket Shah

                    Hi Alex,

                     

                    Please follow the steps below and it should hopefully resolve your SNC SSO problem.

                    1) Set parameter snc/gssapi_lib = c:/windows/system32/gx64krb5.dll
                    (copy the file to that folder as well; download it from note 352295)
                    This is required as your server is 64-bit; gssapi32.dll will not work, in my opinion, regardless of whether the service starts with this mapping.
                    If your server is running on Intel Itanium, you will have to use gi64krb5.dll. Update the Windows Server Environment Variable.

                     

                    At the bare minimum, you need to set the following parameters:

                     

                    snc/enable = 1

                     

                    snc/gssapi_lib = C:\windows\system32\gx64krb5.dll

                     

                    snc/identity/as = p:SAPService<SAPSID>@<UPPERCASE_DNS_DOMAIN_NAME> - in your entry, you have listed this as <sid>adm. Are you using <sid>adm to start this service as well?
                    If yes, then you need to enter that id above, if it makes sense. Also note, the domain name section is case sensitive and has to be entered in upper case.

                     

                    snc/accept_insecure_cpic = 1

                    snc/accept_insecure_gui = 1

                    snc/accept_insecure_rfc = 1

                    snc/accept_insecure_start = 1

                     

                    These settings will ensure that your accounts will still work if the SNC information has not been entered in the user accounts. You can change it once you have tested SSO successfully. Be careful when playing with these settings as there is more room for error out here.

                     

                    3) Run this command in the command prompt on a domain controller or a member server with domain admin access.

                    SETSPN -A SAPService<SID>/dontcare MYDOMAIN\SAPService<SID>

                    Exactly as shown above, except that SAPService<SID> is case sensitive and is exactly the same id as entered in the profile parameter above. Replace MYDOMAIN with the UPPERCASE_DNS_DOMAIN_NAME entry you have used in the previous step. The 'dontcare' text doesn't really matter here, so you can leave it the way it is.

                     

                    -


                    Once the above 3 steps have been done correctly, you can restart the system. Now for the user side, in SU01 --> SNC tab, ensure that you are entering the userid in the following format:

                    p:%userid%@UPPERCASE_DNS_DOMAIN_NAME

                    I have found that the userid is also case sensitive. Check the Active Directory entry for the user ids.

                     

                    -


                     

                    Client Side - SAP Logon

                     

                    Change the SNC name from your userid to the sapservice userid which you have entered in the parameter. i.e.

                    p:SAPService<SID>@UPPERCASE_DNS_DOMAIN_NAME

                     

                    This should help resolve your SNC issues.

                     

                     

                    Regards

                     

                    Aniket
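As an added example that is not part of this thread or of SAP's own tooling, the following Python script turns the profile rules from the steps above into a checker: it parses "key = value" profile lines, flags a GSS-API library whose name does not match the kernel's architecture, a snc/identity/as that is not in the p:<account>@<UPPERCASE DNS domain> form, and accept_insecure_* parameters not set to 1 during testing, and derives the SETSPN command line of step 3 from the configured identity. The architecture labels (x64, ia64, x86), the service account SAPServiceC11 and the domain ZODIAC.AD in the corrected sample profile are assumptions made for this example; the first sample profile is the one from the opening post.

```python
import re
from typing import Dict, List, Optional

# Library expected per kernel architecture, as stated in the thread.
# The architecture labels are my own assumption for this example.
EXPECTED_LIB = {"x64": "gx64krb5.dll", "ia64": "gi64krb5.dll", "x86": "gsskrb5.dll"}

# p:<account>@<DNS domain>; the domain part has to be upper case per the thread.
_IDENTITY_RE = re.compile(r"^p:(?P<user>[^@\\/]+)@(?P<domain>[^@]+)$")

# Parameters the thread recommends setting to 1 until SNC names are maintained in SU01.
INSECURE_PARAMS = ("snc/accept_insecure_cpic", "snc/accept_insecure_gui",
                   "snc/accept_insecure_rfc", "snc/accept_insecure_start")

# Constructed sample: the profile from the opening post of this thread.
ORIGINAL_PROFILE = r"""
snc/enable = 1
snc/data_protection/use = 1
snc/gssapi_lib = c:\usr\sap\APP\SYS\exe\uc\NTAMD64\gssapi32.dll
snc/accept_insecure_gui = U
snc/identity/as = p:<sid>adm@DomainName
"""

# Constructed sample: the same profile after applying the steps above
# (SAPServiceC11 and ZODIAC.AD are assumed values for the example).
CORRECTED_PROFILE = r"""
snc/enable = 1
snc/gssapi_lib = C:\windows\system32\gx64krb5.dll
snc/identity/as = p:SAPServiceC11@ZODIAC.AD
snc/accept_insecure_cpic = 1
snc/accept_insecure_gui = 1
snc/accept_insecure_rfc = 1
snc/accept_insecure_start = 1
"""


def parse_profile(text: str) -> Dict[str, str]:
    """Parse 'key = value' lines of an SAP instance profile; '#' starts a comment."""
    params: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        key, value = line.split("=", 1)
        params[key.strip()] = value.strip()
    return params


def check_snc_profile(params: Dict[str, str], arch: str = "x64") -> List[str]:
    """Return a list of findings; an empty list means the profile passes the thread's rules."""
    findings: List[str] = []
    if params.get("snc/enable") != "1":
        findings.append("snc/enable must be 1")

    lib = params.get("snc/gssapi_lib", "")
    basename = lib.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    want = EXPECTED_LIB[arch]
    if basename != want:
        findings.append(f"snc/gssapi_lib points at {basename or '<unset>'}; "
                        f"a {arch} kernel needs {want}")

    m = _IDENTITY_RE.match(params.get("snc/identity/as", ""))
    if not m:
        findings.append("snc/identity/as must have the form p:<service account>@<DNS domain>")
    elif m.group("domain") != m.group("domain").upper():
        findings.append(f"snc/identity/as domain '{m.group('domain')}' must be upper case")

    for p in INSECURE_PARAMS:
        if params.get(p) != "1":
            findings.append(f"{p} should be 1 while testing so non-SNC logons still work")
    return findings


def expected_setspn_command(params: Dict[str, str]) -> Optional[str]:
    """Derive the SETSPN line from step 3 for the configured service identity."""
    m = _IDENTITY_RE.match(params.get("snc/identity/as", ""))
    if not m:
        return None
    acct, domain = m.group("user"), m.group("domain")
    # The host part after the slash is not evaluated, hence 'dontcare'.
    return f"SETSPN -A {acct}/dontcare {domain}\\{acct}"


def expected_su01_snc_name(windows_user: str, dns_domain: str) -> str:
    """SU01 SNC name: the user id keeps its AD case, the domain is forced upper case."""
    return f"p:{windows_user}@{dns_domain.upper()}"


if __name__ == "__main__":
    for label, text in (("original", ORIGINAL_PROFILE), ("corrected", CORRECTED_PROFILE)):
        params = parse_profile(text)
        print(f"[{label}] findings: {check_snc_profile(params)}")
        print(f"[{label}] setspn:   {expected_setspn_command(params)}")
    print(expected_su01_snc_name("alex.lo", "zodiac.ad"))
```

The checker deliberately reports the accept_insecure_* parameters as a testing aid only: once the SU01 SNC names are maintained, the thread's own advice is to change them back, and a checker used in production should then expect the opposite.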

  • Re: SNC Single Sign-On - SSPI u2u problem error
    Zulfi Dehqani

    Hi ..

     

     

    This is a clear case of SPNs not registered or incorrectly registered on the service account under which the SAP services are running.

    You can go to any domain controller in the domain and then, at the command prompt, type adsiedit.msc.
    Connect to the domain partition in adsiedit.msc.
    Under the domain partition, look for the service account for the SAP service.
    Right-click on the service account and click on Properties.
    Check the SERVICEPRINCIPALNAME attribute.
    Check if the SPNs are registered or not.
    If registered, make sure the SPNs are correctly registered.
    If not registered, register correctly by typing SERVICEACCOUNTNAME/dontcare in the SPN box and then clicking Add.

     

     

    This should resolve the issue

     

     

    Thanks

     

    Zulfi _D

     

    Edited by: Zulfi_D on Aug 2, 2011 11:36 PM
