SNC Single Sign-On - SSPI u2u problem error

Former Member

Dear all,

I have enabled the SNC SSO function in the SAP R/3 system, but once I log on via the SAP GUI it shows the error message "SSPI u2u-problem: please add Service principal for target="p:username@domain name"". Please see the details below.

Information: SAP server - Windows 2003 64 bit

Client - Windows 7 32 bit with SAP GUI 710 SP15

I have two questions on this issue; please see below.

Q1. Setting "snc/gssapi_lib" on the SAP server: if it is set to "gssapi32.dll", the SAP service can start up. When it is set to "gsskrb5.dll" or "gx64krb5.dll", SNC fails and the SAP service cannot start up (message server stopped).

Should I use the file "gssapi32.dll", "gsskrb5.dll" or "gx64krb5.dll" on the server?

Q2. The SNC name in "SAP GUI Logon": once I log on via the GUI, the system shows the error "SSPI u2u-problem: please add Service principal for target="p:username@domain name"".

Please see my settings below for details.

SAP Server - Profile Setting

snc/enable = 1

snc/data_protection/use = 1

snc/gssapi_lib = c:\usr\sap\APP\SYS\exe\uc\NTAMD64\gssapi32.dll

snc/accept_insecure_gui = U

snc/identity/as = p:<sid>adm@DomainName

User Maintenance - SU01 SNC Name

SNC Name in SAP user account - p:DomainName\UserName ( p:ABC.AD\ALEX.LO )

Windows Server Environment Variables

- SNC_LIB = c:\usr\sap\APP\SYS\exe\uc\NTAMD64\gssapi32.dll

Client Side - SAP Logon

1. Select "Activate Secure Network Communication" on the Network page of SAP GUI

2. Enter the SNC Name "p:alex.lo@DomainName" and select "Max Sec Setting Available"

Windows Server Environment Variables

- SNC_LIB = c:\Windows\System32\gsskrb5.dll

Please help me resolve the error "SSPI u2u-problem: please add Service principal" and review whether the SNC name is correct or not. I have no idea how to resolve it. Thank you!

Regards,

Alex

Edited by: Alex Lo - BCA on Jun 23, 2010 11:09 AM

Answers (2)

Former Member

Hi,

This is a clear case of SPNs not registered, or incorrectly registered, on the service account under which the SAP services are running.

You can go to any domain controller in the domain and then, at the command prompt, type adsiedit.msc.

Connect to the domain partition in adsiedit.msc.

Under the domain partition, look for the service account for the SAP service.

Right-click the service account and click Properties.

Check the servicePrincipalName attribute.

Check whether the SPNs are registered or not.

If registered, make sure the SPNs are correctly registered.

If not registered, register them correctly by typing SERVICEACCOUNTNAME/dontcare in the SPN box and then clicking Add.

This should resolve the issue.

Thanks

Zulfi _D

Edited by: Zulfi_D on Aug 2, 2011 11:36 PM

markus_doehr2
Active Contributor

> I have two questions on this issue; please see below.

> Q1. Setting "snc/gssapi_lib" on the SAP server: if it is set to "gssapi32.dll", the SAP service can start up. When it is set to "gsskrb5.dll" or "gx64krb5.dll", SNC fails and the SAP service cannot start up (message server stopped).

>

> Should I use the file "gssapi32.dll", "gsskrb5.dll" or "gx64krb5.dll" on the server?

Since your system seems to be a 64-bit system, you need to use the 64-bit library (gx64krb5.dll). If the system does not come up when you use that one, please check the developer traces (dev_w0).

You get this error message because SNC is not active, because a 64-bit kernel can't load a 32-bit library.

Markus

Former Member

Hi Markus,

If I use "gssapi32.dll", the system can start up and SNC is successful, but once I use "gx64krb5.dll", the SAP service cannot start up (message server stopped).

I looked at the SNC user guide and note 352295. The SAP note mentions that the SNC library is the file "gssapi32.dll", but some online documents mention that 64-bit Windows uses "gx64krb5.dll". The file "gx64krb5.dll" was downloaded from this FTP site: ftp://ftp.sap.com/pub/ietf-work/gssapi/gsskrb5/

Could you tell me whether the SNC name in SAP Logon, "username@domainname", is correct or not? Thanks!

Regards,

Alex

markus_doehr2
Active Contributor

> If I use "gssapi32.dll", the system can start up and SNC is successful, but once I use "gx64krb5.dll", the SAP service cannot start up (message server stopped).

Yes, because the system will fail to load the library, deactivate SNC, and so come up.

> I looked at the SNC user guide and note 352295. The SAP note mentions that the SNC library is the file "gssapi32.dll", but some online documents mention that 64-bit Windows uses "gx64krb5.dll". The file "gx64krb5.dll" was downloaded from this FTP site: ftp://ftp.sap.com/pub/ietf-work/gssapi/gsskrb5/

>

> Could you tell me whether the SNC name in SAP Logon, "username@domainname", is correct or not? Thanks!

Why not simply check the content of dev_w0 when you start the system with gx64krb5.dll? Then we will see exactly why the system is not coming up and can suggest something concrete instead of guessing what may be wrong.

Markus

Former Member

Hi Markus,

I have changed the SAP profile setting to use "gx64krb5.dll" and copied the dev_w0 log file; please kindly review it below. Thanks!

N SncInit(): found snc/data_protection/max=1, using 1 (Authentication Level)

N SncInit(): found snc/data_protection/min=1, using 1 (Authentication Level)

N SncInit(): found snc/data_protection/use=1, using 1 (Authentication Level)

N SncInit(): found snc/gssapi_lib=c:\gsskrb5\gx64krb5.dll <-- I downloaded the GSS-API library "gx64krb5.dll" and saved it in this folder

N File "c:\gsskrb5\gx64krb5.dll" dynamically loaded as GSS-API v2 library.

N *** ERROR => SncPDLInit(): gss_indicate_mechs() failed

N [sncxxdl.0457]*** ERROR => SncPDLInit(()==SNCERR_INIT [sncxxdl.c 452]

N GSS-API(maj): Miscellaneous Failure

N GSS-API(min): Kerberos SSPI not usable with this User account

N STOP! -- initial call to gss_indicate_mechs() failed

N *** ERROR => SncPDLInit()==SNCERR_INIT, Adapter (#0) c:\gsskrb5\gx64krb5.dll not loaded

N [sncxxdl.0604]<<- SncInit()==SNCERR_INIT

N sec_avail = "false"

M ***LOG R19=> ThSncInit, SncInitU ( SNC-000001) [thxxsnc.c 230]

M *** ERROR => ThSncInit: SncInitU (SNCERR_INIT) [thxxsnc.c 232]

M in_ThErrHandle: 1

M *** ERROR => SncInitU (step 1, th_errno 44, action 3, level 1) [thxxhead.c 10468]

M PfStatDisconnect: disconnect statistics

M Entering TH_CALLHOOKS

M ThCallHooks: call hook >SAP-Trace buffer write< for event BEFORE_DUMP

M TrThHookFunc: called for WP dump

M ThCallHooks: call hook >ThrSaveSPAFields< for event BEFORE_DUMP

M *** ERROR => ThrSaveSPAFields: no valid thr_wpadm [thxxrun1.c 724]

M *** ERROR => ThCallHooks: event handler ThrSaveSPAFields for event BEFORE_DUMP failed [thxxtool3.c 261]

M Entering ThSetStatError

M ThIErrHandle: do not call ThrCoreInfo (no_core_info=0, in_dynp_env=0)

M Entering ThReadDetachMode

M call ThrShutDown (1)...

M ***LOG Q02=> wp_halt, WPStop (Workproc 0 5704) [dpnttool.c 327]

Please see the dev_w0 log file below for the case of using the file "gssapi32.dll":

N SncInit(): found snc/data_protection/max=1, using 1 (Authentication Level)

N SncInit(): found snc/data_protection/min=1, using 1 (Authentication Level)

N SncInit(): found snc/data_protection/use=1, using 1 (Authentication Level)

N SncInit(): found snc/gssapi_lib=c:\usr\sap\APP\SYS\exe\uc\NTAMD64\gssapi32.dll

N

N Wed Jun 23 12:44:37 2010

N File "c:\usr\sap\APP\SYS\exe\uc\NTAMD64\gssapi32.dll" dynamically loaded as GSS-API v2 library.

N The internal Adapter for the loaded GSS-API mechanism identifies as:

N Internal SNC-Adapter (Rev 1.0) to SAP's GSS-API v2 over NTLM(SSPI) Adapter

N SncInit(): found snc/identity/as=p:alex.lo@zodiac.ad

N SncInit(): Accepting Credentials available, lifetime=Indefinite

N SncInit(): Initiating Credentials available, lifetime=Indefinite

M ***LOG R1Q=> 1& [thxxsnc.c 259]

M SNC (Secure Network Communication) enabled

Regards,

Alex

JPReyes
Active Contributor

Kerberos SSPI not usable with this User account

What's the value of parameter snc/identity/as?

It should be p:user@DOMAIN, with the domain in UPPERCASE.

Regards

Juan

Former Member

Hi Juan,

I have changed it to "username@DOMAINNAME" (UPPERCASE), but the errors still occur, same as before; please see the log below:

N SncInit(): found snc/gssapi_lib=c:\gsskrb5\gx64krb5.dll

N File "c:\gsskrb5\gx64krb5.dll" dynamically loaded as GSS-API v2 library.

N *** ERROR => SncPDLInit(): gss_indicate_mechs() failed <---- please see from here

N [sncxxdl.0457]*** ERROR => SncPDLInit(()==SNCERR_INIT [sncxxdl.c 452]

N GSS-API(maj): Miscellaneous Failure

N GSS-API(min): Kerberos SSPI not usable with this User account

N STOP! -- initial call to gss_indicate_mechs() failed

N *** ERROR => SncPDLInit()==SNCERR_INIT, Adapter (#0) c:\gsskrb5\gx64krb5.dll not loaded

N [sncxxdl.0604]<<- SncInit()==SNCERR_INIT

N sec_avail = "false"

When I change to use the file "gssapi32.dll", the system can start up and the log is as below:

N SncInit(): found snc/gssapi_lib=c:\usr\sap\APP\SYS\exe\uc\NTAMD64\gssapi32.dll

N File "c:\usr\sap\APP\SYS\exe\uc\NTAMD64\gssapi32.dll" dynamically loaded as GSS-API v2 library. <-- the library is valid

N The internal Adapter for the loaded GSS-API mechanism identifies as:

N Internal SNC-Adapter (Rev 1.0) to SAP's GSS-API v2 over NTLM(SSPI) Adapter

N SncInit(): found snc/identity/as=p:appadm@ZODIAC.AD

N SncInit(): Accepting Credentials available, lifetime=Indefinite

N SncInit(): Initiating Credentials available, lifetime=Indefinite

M ***LOG R1Q=> 1& [thxxsnc.c 259]

M SNC (Secure Network Communication) enabled

M CCMS: AlInitGlobals : alert/use_sema_lock = TRUE.

Please advise; thanks for your help!

Regards,

Alex
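The two pairs of dev_w0 excerpts posted above (the failing gx64krb5.dll start and the working gssapi32.dll start) can be read mechanically. The following is an added example, not part of the original thread and not an SAP tool: it parses the SNC lines of a dev_w0 trace, using as constructed input the exact lines quoted in this thread, and reports which library SncInit() loaded, whether SNC came up, and which adapter identified itself. The security point it surfaces is already visible in the trace: with gssapi32.dll the adapter reports "GSS-API v2 over NTLM(SSPI) Adapter", so the configuration that "starts fine" is authenticating over NTLM, not Kerberos. The assess() findings (function name and wording are mine) only restate what the trace lines say.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample input: the SNC ("N") and task-handler ("M") lines quoted
# in this thread, one excerpt per snc/gssapi_lib setting. Not a live trace.
TRACE_GX64 = """
N SncInit(): found snc/gssapi_lib=c:\\gsskrb5\\gx64krb5.dll
N File "c:\\gsskrb5\\gx64krb5.dll" dynamically loaded as GSS-API v2 library.
N *** ERROR => SncPDLInit(): gss_indicate_mechs() failed
N [sncxxdl.0457]*** ERROR => SncPDLInit(()==SNCERR_INIT [sncxxdl.c 452]
N GSS-API(maj): Miscellaneous Failure
N GSS-API(min): Kerberos SSPI not usable with this User account
N STOP! -- initial call to gss_indicate_mechs() failed
N *** ERROR => SncPDLInit()==SNCERR_INIT, Adapter (#0) c:\\gsskrb5\\gx64krb5.dll not loaded
N [sncxxdl.0604]<<- SncInit()==SNCERR_INIT
N sec_avail = "false"
"""

TRACE_GSSAPI32 = """
N SncInit(): found snc/gssapi_lib=c:\\usr\\sap\\APP\\SYS\\exe\\uc\\NTAMD64\\gssapi32.dll
N File "c:\\usr\\sap\\APP\\SYS\\exe\\uc\\NTAMD64\\gssapi32.dll" dynamically loaded as GSS-API v2 library.
N The internal Adapter for the loaded GSS-API mechanism identifies as:
N Internal SNC-Adapter (Rev 1.0) to SAP's GSS-API v2 over NTLM(SSPI) Adapter
N SncInit(): found snc/identity/as=p:appadm@ZODIAC.AD
N SncInit(): Accepting Credentials available, lifetime=Indefinite
N SncInit(): Initiating Credentials available, lifetime=Indefinite
M SNC (Secure Network Communication) enabled
"""


@dataclass
class SncInitReport:
    library: Optional[str] = None    # value of snc/gssapi_lib as SncInit() read it
    loaded: bool = False             # "dynamically loaded as GSS-API v2 library" seen
    adapter: Optional[str] = None    # adapter self-description line, if any
    identity: Optional[str] = None   # snc/identity/as as SncInit() read it
    enabled: bool = False            # "SNC (Secure Network Communication) enabled" seen
    gss_major: Optional[str] = None  # GSS-API(maj) status on failure
    gss_minor: Optional[str] = None  # GSS-API(min) status on failure
    errors: List[str] = field(default_factory=list)

    @property
    def mechanism(self) -> Optional[str]:
        """Mechanism named by the adapter line: 'ntlm', 'kerberos', 'unknown' or None."""
        if self.adapter is None:
            return None
        a = self.adapter.lower()
        if "ntlm" in a:
            return "ntlm"
        if "krb" in a or "kerberos" in a:
            return "kerberos"
        return "unknown"


_FIELD_PATTERNS = [
    ("library", re.compile(r"found snc/gssapi_lib=(\S+)")),
    ("identity", re.compile(r"found snc/identity/as=(\S+)")),
    ("gss_major", re.compile(r"GSS-API\(maj\):\s*(.+)$")),
    ("gss_minor", re.compile(r"GSS-API\(min\):\s*(.+)$")),
]


def parse_snc_trace(text: str) -> SncInitReport:
    """Extract the SNC initialisation outcome from dev_w0-style trace lines."""
    r = SncInitReport()
    for raw in text.splitlines():
        # Each dev_w0 line starts with a one-letter component tag, then the message.
        m = re.match(r"^[A-Z]\s+(.*)$", raw)
        if not m:
            continue
        line = m.group(1)
        for attr, pat in _FIELD_PATTERNS:
            hit = pat.search(line)
            if hit:
                setattr(r, attr, hit.group(1).strip())
        if "dynamically loaded as GSS-API v2 library" in line:
            r.loaded = True
        if line.startswith("Internal SNC-Adapter"):
            r.adapter = line
        if "*** ERROR =>" in line:
            r.errors.append(line.split("*** ERROR =>", 1)[1].strip())
        if "SNC (Secure Network Communication) enabled" in line:
            r.enabled = True
    return r


def assess(r: SncInitReport) -> List[str]:
    """Turn a parsed trace into findings; each one restates what the trace says."""
    findings = []
    if r.library and not r.loaded:
        findings.append(f"{r.library} was never loaded as a GSS-API library")
    if r.loaded and not r.enabled:
        findings.append("library loaded but SncInit() failed: "
                        f"{r.gss_major or '?'} / {r.gss_minor or '?'}")
    if r.enabled and r.mechanism == "ntlm":
        findings.append("SNC is enabled on the NTLM(SSPI) adapter, not on Kerberos")
    if r.enabled and r.mechanism == "kerberos":
        findings.append("SNC is enabled on a Kerberos adapter")
    if r.identity and "@" in r.identity:
        realm = r.identity.split("@", 1)[1]
        if realm != realm.upper():
            findings.append(f"realm part of snc/identity/as ({realm}) is not uppercase")
    return findings


if __name__ == "__main__":
    for label, trace in (("gx64krb5.dll", TRACE_GX64), ("gssapi32.dll", TRACE_GSSAPI32)):
        print(label)
        for finding in assess(parse_snc_trace(trace)):
            print("  -", finding)
```

Run it on a real dev_w0 by reading the file and passing its contents to parse_snc_trace(); the parser only looks at the tag and message, so the timestamp lines and the "M" task-handler lines in between do not disturb it.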

Former Member

Dear all,

One more question: I have just reviewed SAP note 352295. Do I need to execute the command to define the Service Principal via the tool "SETSPN.EXE"? I haven't done this before; please advise. Thanks!

SETSPN -A SAPServiceC11/dontcare MYDOMAIN\SAPServiceC11

Note Content

If you want to use gsskrb5.dll with Windows 2003 Active Directory, you MUST use gsskrb5.dll v1.0.8 or newer on all your servers and frontends and you will have to add a Service Principal to the Domain Service Account of your SAP AppServer in order to re-enable the rfc-1964 2-token Kerberos authentication which gsskrb5.dll needs to work. The Service Principal itself is not used, only the undocumented side-effect of re-enabling rfc-1964/rfc-4121 compliant authentication. Therefore the "hostname" part of the Service Principal name doesn't matter. (Win2K3sp2 seems to newly require that the Service Principal contains a slash character). You can use the Microsoft command line tool "SETSPN.EXE" to define the Service principal. If the Domain Service account of your SAP AppServer is "SAPServiceC11" in the NT4-style Domain "MYDOMAIN", you would type:

SETSPN -A SAPServiceC11/dontcare MYDOMAIN\SAPServiceC11

"SETSPN.EXE" is included on the Microsoft Windows installation CD in the Archive "\support\tools\support.cab"

Regards,

Alex

Former Member

Dear all,

I want to execute the SETSPN command for SSO. Do you know whether the following SETSPN command should be executed on the SAP R/3 server or on the AD domain server?

SETSPN -A SAPServiceC11/dontcare MYDOMAIN\SAPServiceC11

What are the parameters of the SETSPN command?

The "SAPServiceC11" is the SAP service account.

The "dontcare" should be the hostname?

The "MYDOMAIN" should be the domain name.

Please correct me if I'm wrong. Thanks!

Finally, I entered the following SETSPN command on the SAP server:

-- setspn -A appadm/QISAPP.zodiac.ad zodiac\appadm

Regards,

Alex

Former Member

Hi Alex,

Please follow the steps below and it should hopefully resolve your SNC SSO problem.

1) Set parameter snc/gssapi_lib = c:/windows/system32/gx64krb5.dll

(copy the file to that folder as well; download it from note 352295)

This is required as your server is 64-bit; gssapi32.dll will not work, in my opinion, regardless of whether the service starts with this mapping.

If your server is running on Intel Itanium, you will have to use gi64krb5.dll. Update the Windows Server Environment Variable.

2) At the bare minimum, you need to set the following parameters:

snc/enable = 1

snc/gssapi_lib = C:\windows\system32\gx64krb5.dll

snc/identity/as = p:SAPService<SAPSID>@<UPPERCASE_DNS_DOMAIN_NAME> - in your entry, you have listed this as <sid>adm. Are you using <sid>adm to start this service as well?

If yes, then you need to enter that ID above, if it makes sense. Also note that the domain name section is case-sensitive and has to be entered in upper case.

snc/accept_insecure_cpic = 1

snc/accept_insecure_gui = 1

snc/accept_insecure_rfc = 1

snc/accept_insecure_start = 1

These settings will ensure that your accounts will still work if the SNC information has not been entered in the user accounts. You can change them once you have tested SSO successfully. Be careful when playing with these settings, as there is more room for error here.

3) Run this command at the command prompt on a domain controller or a member server with domain admin access.

SETSPN -A SAPService<SID>/dontcare MYDOMAIN\SAPService<SID>

Exactly as shown above, except that SAPService<SID> is case-sensitive and is exactly the same ID as entered in the profile parameter above. Replace MYDOMAIN with the UPPERCASE_DNS_DOMAIN_NAME entry you used in the previous step. The 'dontcare' text doesn't really matter here, so you can leave it the way it is.

-


Once the above 3 steps have been done correctly, you can restart the system. Now for the user side, in SU01 --> SNC tab,

ensure that you enter the user ID in the following format:

p:%userid%@UPPERCASE_DNS_DOMAIN_NAME

I have found that the user ID is also case-sensitive. Check the Active Directory entry for the user IDs.

-


Client Side - SAP Logon

Change the SNC name from your user ID to the SAPService user ID which you entered in the parameter, i.e.

p:SAPService<SID>@UPPERCASE_DNS_DOMAIN_NAME

This should help resolve your SNC issues.

Regards

Aniket
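The steps in the answer above (and the profile fragment in the original post) can be turned into a checklist that runs against the profile text. What follows is an added example, not part of this thread and not an SAP or Microsoft tool: it reads "key = value" profile lines, checks the points raised in the thread (a Kerberos library matching the kernel architecture, snc/identity/as in p:<account>@<DOMAIN> form with the domain in upper case, the snc/accept_insecure_* switches), and builds the setspn line from SAP note 352295 for the account named in snc/identity/as. The sample profiles are constructed from the values posted above; "SAPServiceAPP" is my guess at SAPService<SID> for this system and is only an assumption, and the domain passed to setspn_command() is a separate parameter because the note writes it NT4-style (MYDOMAIN\SAPServiceC11). The flag on gssapi32.dll comes from the dev_w0 trace posted earlier, where that library identifies itself as the NTLM(SSPI) adapter.

```python
import ntpath
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample: the profile fragment from the original post (identity as the
# first dev_w0 excerpt showed it) and the shape the last answer recommends.
# SAPServiceAPP is an assumed SAPService<SID> name, not one taken from the thread.
PROFILE_ORIGINAL = """
snc/enable = 1
snc/data_protection/use = 1
snc/gssapi_lib = c:\\usr\\sap\\APP\\SYS\\exe\\uc\\NTAMD64\\gssapi32.dll
snc/accept_insecure_gui = U
snc/identity/as = p:alex.lo@zodiac.ad
"""

PROFILE_FIXED = """
snc/enable = 1
snc/gssapi_lib = C:\\windows\\system32\\gx64krb5.dll
snc/identity/as = p:SAPServiceAPP@ZODIAC.AD
snc/accept_insecure_cpic = 1
snc/accept_insecure_gui = 1
snc/accept_insecure_rfc = 1
snc/accept_insecure_start = 1
"""

# Kerberos GSS-API library per Windows kernel architecture, as named in the thread.
KRB_LIB_FOR_ARCH = {"x86": "gsskrb5.dll", "x64": "gx64krb5.dll", "ia64": "gi64krb5.dll"}


def parse_profile(text: str) -> Dict[str, str]:
    """Read 'key = value' lines of an SAP instance profile fragment."""
    params: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            params[key.strip()] = value.strip()
    return params


def parse_snc_name(name: str) -> Optional[Tuple[str, str]]:
    """Split an SNC name of the form p:<principal>@<REALM>; None if malformed
    (e.g. the DOMAIN\\user spelling, which is not the p:user@REALM form)."""
    m = re.fullmatch(r"p:([^@\\/\s]+)@([^@\\/\s]+)", name)
    return (m.group(1), m.group(2)) if m else None


def check_profile(params: Dict[str, str], arch: str = "x64") -> List[str]:
    """Return findings for the SNC parameters discussed in the thread."""
    findings: List[str] = []
    if params.get("snc/enable") != "1":
        findings.append("snc/enable is not 1: SNC is off")
    lib = ntpath.basename(params.get("snc/gssapi_lib", "")).lower()
    want = KRB_LIB_FOR_ARCH[arch]
    if lib == "gssapi32.dll":
        findings.append("snc/gssapi_lib is gssapi32.dll: the NTLM(SSPI) adapter, not Kerberos")
    elif lib != want:
        findings.append(f"snc/gssapi_lib is {lib or '<unset>'}; {arch} kernel needs {want}")
    ident = params.get("snc/identity/as", "")
    parsed = parse_snc_name(ident)
    if parsed is None:
        findings.append(f"snc/identity/as {ident!r} is not of the form p:<account>@<DOMAIN>")
    elif parsed[1] != parsed[1].upper():
        findings.append(f"snc/identity/as domain {parsed[1]!r} must be UPPERCASE")
    for key, value in params.items():
        if key.startswith("snc/accept_insecure_") and value == "1":
            findings.append(f"{key}=1 lets non-SNC logons through; keep only while testing")
    return findings


def setspn_command(identity: str, nt_domain: str) -> Optional[str]:
    """Build the setspn call from SAP note 352295 for the account in snc/identity/as.
    nt_domain is the NT4-style domain the note uses (e.g. MYDOMAIN); the host part
    after the slash is irrelevant per the note, so 'dontcare' is kept."""
    parsed = parse_snc_name(identity)
    if parsed is None:
        return None
    account = parsed[0]
    return f"setspn -A {account}/dontcare {nt_domain}\\{account}"


if __name__ == "__main__":
    for label, text in (("original", PROFILE_ORIGINAL), ("fixed", PROFILE_FIXED)):
        params = parse_profile(text)
        print(label, "->", check_profile(params) or ["no findings"])
        print("   ", setspn_command(params.get("snc/identity/as", ""), "ZODIAC"))
```

The SU01 and SAP Logon names use the same p:<name>@<DOMAIN> shape, so parse_snc_name() applies to them as well; the "p:ABC.AD\ALEX.LO" spelling from the original SU01 entry is rejected by it. The four accept_insecure findings on the "fixed" profile are intentional: they mark the switches the answer says to turn back off once SSO works.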