on 06-23-2010 10:03 AM
Dear all,
I have enabled the SNC SSO function in the SAP R/3 system, but when I log on via the SAP GUI it shows the error message "SSPI u2u-problem: please add Service principal for targe target="p:username@domain name"". Please see the details below:
Information: SAP server - Windows 2003 64 bit
Client - Windows 7 32 bit with SAP GUI 710 SP15
I have two questions on this issue, please see as below;
Q1. When "snc/gssapi_lib" on the SAP server is set to "gssapi32.dll", the SAP service can start up. When it is set to "gsskrb5.dll" or "gx64krb5.dll", SNC fails and the SAP service cannot start up (message server stopped).
Should I use the file "gssapi32.dll", "gsskrb5.dll" or "gx64krb5.dll" on the server?
Q2. Regarding the SNC name in "SAP GUI Logon": when I log on via the GUI, the system shows the error "SSPI u2u-problem: please add Service principal for targe target="p:username@domain name"".
Please see my settings below for details.
SAP Server - Profile Setting
snc/enable = 1
snc/data_protection/use = 1
snc/gssapi_lib = c:\usr\sap\APP\SYS\exe\uc\NTAMD64\gssapi32.dll
snc/accept_insecure_gui = U
snc/identity/as = p:<sid>adm@DomainName
User Maintenance - SU01 SNC Name
SNC Name in SAP user account - p:DomainName\UserName ( p:ABC.AD\ALEX.LO )
Windows Server Environment Variables
- SNC_LIB = c:\usr\sap\APP\SYS\exe\uc\NTAMD64\gssapi32.dll
Client Side - SAP Logon
1. Select the item "Activate Secure Network Communication" in Network page of SAP GUI
2. Enter the SNC name "p:alex.lo@DomainName" and select "Max Sec Setting Available"
Windows Server Environment Variables
- SNC_LIB = c:\Windows\System32\gsskrb5.dll
Please help me resolve the error "SSPI u2u-problem: please add Service principal" and review whether the SNC name is correct or not. I have no idea how to resolve it, thank you!
Regards,
Alex
Edited by: Alex Lo - BCA on Jun 23, 2010 11:09 AM
Hi ..
This is a clear case of SPNs not registered, or incorrectly registered, on the service account under which the SAP services are running.
You can go to any domain controller in the domain and then, at the command prompt, type adsiedit.msc.
Connect to the domain partition in adsiedit.msc.
Under the domain partition, look for the service account of the SAP service.
Right-click on the service account and click Properties.
Check the servicePrincipalName attribute.
Check whether the SPNs are registered or not.
If registered, make sure the SPNs are correctly registered.
If not registered, register them correctly by typing SERVICEACCOUNTNAME/dontcare in the SPN box and then clicking Add.
This should resolve the issue.
Thanks
Zulfi _D
Edited by: Zulfi_D on Aug 2, 2011 11:36 PM
> I have two questions on this issue, please see as below;
> Q1. Set the "snc/gssapi_lib" in SAP server, if set to use "gssapi32.dll", the SAP service can startup. When set to use "gsskrb5.dll" or "gx64krb5.dll", the SNC is failed and then SAP service cannot startup - message server stopped
>
> I should use the file "gssapi32.dll" or "gsskrb5.dll" or "gx64krb5.dll" in server?
Since your system seems to be a 64-bit system, you need to use the 64-bit library (gx64krb5.dll). If the system does not come up when you use that one, please check the developer traces (dev_w0).
You get this error message because SNC is not active, because a 64-bit kernel can't load a 32-bit library.
Markus
Hi Markus,
If I use "gssapi32.dll", the system can start up and SNC is successful, but when I use "gx64krb5.dll", the SAP service cannot start up (message server stopped).
I have read the SNC user guide and note 352295. The SAP note says the SNC library is the file "gssapi32.dll", but some online documents say that 64-bit Windows uses "gx64krb5.dll". The file "gx64krb5.dll" was downloaded from this FTP site: ftp://ftp.sap.com/pub/ietf-work/gssapi/gsskrb5/
Could you tell me whether the SNC name in SAP Logon, "username@domainname", is correct or not? Thanks!
Regards,
Alex
> If I using the "gssapi32.dll", the system can startup and the SNC is successful but once using "gx64krb5.dll", the SAP service is cannot startup (message server stopped).
Yes, because the system will fail to load the library, deactivate SNC and so come up.
> I saw the SNC user guide and notes 352295, the SAP note mentioned the SNC Lib is the file "gssapi32.dll", but some online document mentioned 64bit Windows is use "gx64krb5.dll", the file "gx64krb5.dll" is download from this FTP site ftp://ftp.sap.com/pub/ietf-work/gssapi/gsskrb5/
>
> Would you like to tell me the SNC name of SAP Logon is "username@domainname", it is correct or not? Thanks!
Why not simply check the content of dev_w0 when you start the system with gx64krb5.dll? Then we will see exactly why the system is not coming up and can suggest something concrete instead of guessing what may be wrong.
Markus
Hi Markus,
I have changed the SAP profile setting to use "gx64krb5.dll" and copied the dev_w0 log file; please kindly review it below. Thanks!
N SncInit(): found snc/data_protection/max=1, using 1 (Authentication Level)
N SncInit(): found snc/data_protection/min=1, using 1 (Authentication Level)
N SncInit(): found snc/data_protection/use=1, using 1 (Authentication Level)
N SncInit(): found snc/gssapi_lib=c:\gsskrb5\gx64krb5.dll <-- I downloaded the gssapi "gx64krb5.dll" and saved it in this folder
N File "c:\gsskrb5\gx64krb5.dll" dynamically loaded as GSS-API v2 library.
N *** ERROR => SncPDLInit(): gss_indicate_mechs() failed
N [sncxxdl.0457]*** ERROR => SncPDLInit(()==SNCERR_INIT [sncxxdl.c 452]
N GSS-API(maj): Miscellaneous Failure
N GSS-API(min): Kerberos SSPI not usable with this User account
N STOP! -- initial call to gss_indicate_mechs() failed
N *** ERROR => SncPDLInit()==SNCERR_INIT, Adapter (#0) c:\gsskrb5\gx64krb5.dll not loaded
N [sncxxdl.0604]<<- SncInit()==SNCERR_INIT
N sec_avail = "false"
M ***LOG R19=> ThSncInit, SncInitU ( SNC-000001) [thxxsnc.c 230]
M *** ERROR => ThSncInit: SncInitU (SNCERR_INIT) [thxxsnc.c 232]
M in_ThErrHandle: 1
M *** ERROR => SncInitU (step 1, th_errno 44, action 3, level 1) [thxxhead.c 10468]
M PfStatDisconnect: disconnect statistics
M Entering TH_CALLHOOKS
M ThCallHooks: call hook >SAP-Trace buffer write< for event BEFORE_DUMP
M TrThHookFunc: called for WP dump
M ThCallHooks: call hook >ThrSaveSPAFields< for event BEFORE_DUMP
M *** ERROR => ThrSaveSPAFields: no valid thr_wpadm [thxxrun1.c 724]
M *** ERROR => ThCallHooks: event handler ThrSaveSPAFields for event BEFORE_DUMP failed [thxxtool3.c 261]
M Entering ThSetStatError
M ThIErrHandle: do not call ThrCoreInfo (no_core_info=0, in_dynp_env=0)
M Entering ThReadDetachMode
M call ThrShutDown (1)...
M ***LOG Q02=> wp_halt, WPStop (Workproc 0 5704) [dpnttool.c 327]
Please see the dev_w0 log file below when using the file "gssapi32.dll":
N SncInit(): found snc/data_protection/max=1, using 1 (Authentication Level)
N SncInit(): found snc/data_protection/min=1, using 1 (Authentication Level)
N SncInit(): found snc/data_protection/use=1, using 1 (Authentication Level)
N SncInit(): found snc/gssapi_lib=c:\usr\sap\APP\SYS\exe\uc\NTAMD64\gssapi32.dll
N
N Wed Jun 23 12:44:37 2010
N File "c:\usr\sap\APP\SYS\exe\uc\NTAMD64\gssapi32.dll" dynamically loaded as GSS-API v2 library.
N The internal Adapter for the loaded GSS-API mechanism identifies as:
N Internal SNC-Adapter (Rev 1.0) to SAP's GSS-API v2 over NTLM(SSPI) Adapter
N SncInit(): found snc/identity/as=p:alex.lo@zodiac.ad
N SncInit(): Accepting Credentials available, lifetime=Indefinite
N SncInit(): Initiating Credentials available, lifetime=Indefinite
M ***LOG R1Q=> 1& [thxxsnc.c 259]
M SNC (Secure Network Communication) enabled
Regards,
Alex
Hi Juan,
I have changed it to "username@DOMAINNAME" <-- UPPERCASE, but the errors still occur, the same as before; please see the log below.
N SncInit(): found snc/gssapi_lib=c:\gsskrb5\gx64krb5.dll
N File "c:\gsskrb5\gx64krb5.dll" dynamically loaded as GSS-API v2 library.
N *** ERROR => SncPDLInit(): gss_indicate_mechs() failed <----please see from here
N [sncxxdl.0457]*** ERROR => SncPDLInit(()==SNCERR_INIT [sncxxdl.c 452]
N GSS-API(maj): Miscellaneous Failure
N GSS-API(min): Kerberos SSPI not usable with this User account
N STOP! -- initial call to gss_indicate_mechs() failed
N *** ERROR => SncPDLInit()==SNCERR_INIT, Adapter (#0) c:\gsskrb5\gx64krb5.dll not loaded
N [sncxxdl.0604]<<- SncInit()==SNCERR_INIT
N sec_avail = "false"
When I change to use the file "gssapi32.dll", the system can start up, and the log is as below:
N SncInit(): found snc/gssapi_lib=c:\usr\sap\APP\SYS\exe\uc\NTAMD64\gssapi32.dll
N File "c:\usr\sap\APP\SYS\exe\uc\NTAMD64\gssapi32.dll" dynamically loaded as GSS-API v2 library. <--the library is valid
N The internal Adapter for the loaded GSS-API mechanism identifies as:
N Internal SNC-Adapter (Rev 1.0) to SAP's GSS-API v2 over NTLM(SSPI) Adapter
N SncInit(): found snc/identity/as=p:appadm@ZODIAC.AD
N SncInit(): Accepting Credentials available, lifetime=Indefinite
N SncInit(): Initiating Credentials available, lifetime=Indefinite
M ***LOG R1Q=> 1& [thxxsnc.c 259]
M SNC (Secure Network Communication) enabled
M CCMS: AlInitGlobals : alert/use_sema_lock = TRUE.
Please advise, thanks for your help!
Regards,
Alex
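The two dev_w0 excerpts above (the failing gx64krb5.dll start and the successful gssapi32.dll start) carry everything needed to tell the two outcomes apart: the library path, whether it loaded, the adapter it identifies as, the snc/identity/as value and the GSS-API major/minor failure text. The following triage script is an added example, not code from the thread or from SAP; the two sample traces are constructed to mirror the lines posted above, and the `explain()` hints only restate what the thread's replies and note 352295 say about each outcome.

```python
"""Triage the SNC section of an SAP dev_w0 developer trace.

Added example, not part of the forum thread or of SAP's tooling. It reads
the 'N' (SNC) and 'M' (taskhandler) trace lines and reports whether SNC
initialized, which GSS-API library and adapter were loaded, the SNC
identity, and the GSS-API failure reason if initialization failed.
"""
import re

# Constructed sample traces modelled on the lines posted in the thread.
FAILED_TRACE = """\
N SncInit(): found snc/gssapi_lib=c:\\gsskrb5\\gx64krb5.dll
N File "c:\\gsskrb5\\gx64krb5.dll" dynamically loaded as GSS-API v2 library.
N *** ERROR => SncPDLInit(): gss_indicate_mechs() failed
N GSS-API(maj): Miscellaneous Failure
N GSS-API(min): Kerberos SSPI not usable with this User account
N [sncxxdl.0604]<<- SncInit()==SNCERR_INIT
N sec_avail = "false"
"""

ENABLED_TRACE = """\
N SncInit(): found snc/gssapi_lib=c:\\usr\\sap\\APP\\SYS\\exe\\uc\\NTAMD64\\gssapi32.dll
N File "c:\\usr\\sap\\APP\\SYS\\exe\\uc\\NTAMD64\\gssapi32.dll" dynamically loaded as GSS-API v2 library.
N The internal Adapter for the loaded GSS-API mechanism identifies as:
N Internal SNC-Adapter (Rev 1.0) to SAP's GSS-API v2 over NTLM(SSPI) Adapter
N SncInit(): found snc/identity/as=p:appadm@ZODIAC.AD
N SncInit(): Accepting Credentials available, lifetime=Indefinite
M SNC (Secure Network Communication) enabled
"""

PATTERNS = {
    "library": re.compile(r"snc/gssapi_lib=(\S+)"),
    "identity": re.compile(r"snc/identity/as=(\S+)"),
    "adapter": re.compile(r"SNC-Adapter .* over (.+?) Adapter"),
    "gss_major": re.compile(r"GSS-API\(maj\): (.+)"),
    "gss_minor": re.compile(r"GSS-API\(min\): (.+)"),
}


def triage_snc_trace(trace: str) -> dict:
    """Extract the SNC initialization outcome and its supporting details."""
    result = {"status": "unknown", "loaded": False, "library": None,
              "identity": None, "adapter": None,
              "gss_major": None, "gss_minor": None}
    for raw in trace.splitlines():
        # dev_w0 lines start with a one-letter layer tag followed by a space.
        line = raw[2:] if len(raw) > 2 and raw[1] == " " else raw
        if "dynamically loaded as GSS-API" in line:
            result["loaded"] = True
        if "SncInit()==SNCERR_INIT" in line:
            result["status"] = "failed"
        elif "SNC (Secure Network Communication) enabled" in line:
            result["status"] = "enabled"
        for key, pat in PATTERNS.items():
            m = pat.search(line)
            if m and result[key] is None:
                result[key] = m.group(1).strip()
    return result


def explain(result: dict) -> str:
    """Map the outcome to the follow-up the thread's replies point at."""
    if result["status"] == "failed":
        minor = result["gss_minor"] or ""
        if "not usable with this User account" in minor:
            return ("library loaded but Kerberos SSPI rejected the service "
                    "account: check the SPN registered on the account the "
                    "work process runs as, and that snc/identity/as names "
                    "that same account")
        return "SNC init failed: " + (minor or "see the GSS-API lines")
    if result["status"] == "enabled":
        if result["adapter"] and "NTLM" in result["adapter"]:
            return ("SNC enabled on the NTLM(SSPI) adapter, not Kerberos; "
                    "the loaded library is " + str(result["library"]))
        return "SNC enabled on adapter " + str(result["adapter"])
    return "no SncInit() outcome found in trace"


if __name__ == "__main__":
    for name, trace in (("gx64krb5", FAILED_TRACE), ("gssapi32", ENABLED_TRACE)):
        r = triage_snc_trace(trace)
        print(name, r["status"], "->", explain(r))
```

Run it against a real dev_w0 by reading the file into `triage_snc_trace()`; the point to notice is that the "successful" gssapi32.dll start is reported as the NTLM(SSPI) adapter, which is exactly what the trace says and why the replies keep steering towards gx64krb5.dll.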
Dear all,
One more question: I have just reviewed SAP note 352295. Do I need to execute the command to define the service principal via the tool "SETSPN.EXE"? I haven't done this before; please advise, thanks!
SETSPN -A SAPServiceC11/dontcare MYDOMAIN\SAPServiceC11
Note Content
If you want to use gsskrb5.dll with Windows 2003 Active Directory, you MUST use gsskrb5.dll v1.0.8 or newer on all your servers and frontends and you will have to add a Service Principal to the Domain Service Account of your SAP AppServer in order to re-enable the rfc-1964 2-token Kerberos authentication which gsskrb5.dll needs to work. The Service Principal itself is not used, only the undocumented side-effect of re-enabling rfc-1964/rfc-4121 compliant authentication. Therefore the "hostname" part of the Service Principal name doesn't matter. (Win2K3sp2 seems to newly require that the Service Principal contains a slash character). You can use the Microsoft command line tool "SETSPN.EXE" to define the Service principal. If the Domain Service account of your SAP AppServer is "SAPServiceC11" in the NT4-style Domain "MYDOMAIN", you would type:
SETSPN -A SAPServiceC11/dontcare MYDOMAIN\SAPServiceC11
"SETSPN.EXE" is included on the Microsoft Windows installation CD in the Archive "\support\tools\support.cab"
Regards,
Alex
Dear all,
I want to execute the SETSPN command for SSO. Do you know whether the following SETSPN command should be executed on the SAP R/3 server or on the AD domain server?
SETSPN -A SAPServiceC11/dontcare MYDOMAIN\SAPServiceC11
What are the parameters of the SETSPN command?
"SAPServiceC11" is the SAP service account
Should "dontcare" be the hostname?
"MYDOMAIN" should be the domain name.
Please correct me if I'm wrong, thanks!
Finally, I entered the following SETSPN command on the SAP server:
-- setspn -A appadm/QISAPP.zodiac.ad zodiac\appadm
Regards,
Alex
Hi Alex,
Please follow the steps below and it should hopefully resolve your SNC SSO problem.
1) set parameter snc/gssapi_lib = c:/windows/system32/gx64krb5.dll
(copy the file to that folder as well, download from note 352295 )
This is required as your server is 64-bit; gssapi32.dll will not work in my opinion, regardless of whether the service starts with this mapping.
If your server is running on Intel Itanium, you will have to use gi64krb5.dll. Update the Windows Server Environment Variable.
At the bare minimum, you need to set the following parameters:
snc/enable = 1
snc/gssapi_lib = C:\windows\system32\gx64krb5.dll
snc/identity/as=p:SAPService<SAPSID>@<UPPERCASE_DNS_DOMAIN_NAME> - in your entry, you have listed this as <sid>adm. Are you using <sid>adm to start this service as well?
If yes, then you need to enter that id above if it makes sense. Also note, the domain name section is case sensitive and has to be entered in upper case.
snc/accept_insecure_cpic = 1
snc/accept_insecure_gui = 1
snc/accept_insecure_rfc = 1
snc/accept_insecure_start = 1
These settings will ensure that your accounts will still work if the SNC information has not been entered in the user accounts. You can change it once you have tested SSO successfully. Be careful when playing with these settings as there is more room for error out here.
3) Run this command in the command prompt on a domain controller or a member server with domain admin access.
SETSPN -A SAPService<SID>/dontcare MYDOMAIN\SAPService<SID>
Exactly as shown above, except that SAPService<SID> is case sensitive and is exactly the same id as entered in the profile parameter above. Replace MYDOMAIN with the UPPERCASE_DNS_DOMAIN_NAME entry you have used in the previous step. The 'dontcare' text doesn't really matter here, so you can leave it the way it is.
-
Once the above 3 steps have been done correctly, you can restart the system. Now for the user side, in SU01 --> SNC tab
ensure that you are entering the userid in the following format:
p:%userid%@UPPERCASE_DNS_DOMAIN_NAME
I have found that the userid is also case sensitive. Check the Active Directory entry for the user ids.
-
Client Side - SAP Logon
Change the SNC name from your userid to the sapservice userid which you have entered in the parameter. i.e.
p:SAPService<SID>@UPPERCASE_DNS_DOMAIN_NAME
This should help resolve your SNC issues.
Regards
Aniket
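Aniket's reply pins the whole setup to a handful of naming rules that also explain the earlier errors: a `p:` prefix, the `user@REALM` form rather than `DOMAIN\user`, an upper-case realm, the SAP Logon SNC name equal to `snc/identity/as`, and an SPN with a slash registered on the same account that `snc/identity/as` names. The checker below is an added example, not code from the thread, SAP or Microsoft; it encodes those rules and runs them over two constructed configurations, one mirroring the original settings posted at the top of the thread (with "SAPServiceAPP" and the lower-case realm being constructed values) and one mirroring the corrected settings in this reply. The gssapi32.dll check only repeats what the dev_w0 trace earlier in the thread shows about that library.

```python
"""Consistency check for the SNC/Kerberos SSO naming rules from the thread.

Added example; not code from the forum thread, SAP or Microsoft. It does not
talk to Active Directory: it only checks that the profile parameters, the
SU01 SNC names, the SAP Logon SNC name and the SETSPN arguments agree with
each other in the way the reply above describes.
"""
import re

# p:<account>@<REALM>; no backslash or slash allowed in either part
SNC_NAME = re.compile(r"^p:([^@\\/]+)@([^@\\/]+)$")


def parse_profile(text: str) -> dict:
    """Parse 'key = value' lines of an SAP instance profile fragment."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        params[key.strip()] = value.strip()
    return params


def check_snc_name(name: str, what: str) -> list:
    """Apply the p:user@UPPERCASE.REALM rules to one SNC name."""
    if not name.startswith("p:"):
        return [f"{what}: missing 'p:' prefix"]
    if "\\" in name:
        return [f"{what}: uses DOMAIN\\user form, expected user@REALM"]
    m = SNC_NAME.match(name)
    if not m:
        return [f"{what}: not of the form p:user@REALM"]
    realm = m.group(2)
    if realm != realm.upper():
        return [f"{what}: realm '{realm}' should be upper case"]
    return []


def check_setup(profile_text, su01_names, logon_name, spn, spn_account) -> list:
    """Return a list of findings; an empty list means the names are consistent."""
    params = parse_profile(profile_text)
    findings = []
    lib = params.get("snc/gssapi_lib", "")
    if lib.lower().endswith("gssapi32.dll"):
        # The thread's dev_w0 trace shows this library loading the NTLM(SSPI) adapter.
        findings.append("snc/gssapi_lib: gssapi32.dll loads the NTLM(SSPI) adapter, "
                        "not Kerberos; use gx64krb5.dll on x64")
    identity = params.get("snc/identity/as", "")
    findings += check_snc_name(identity, "snc/identity/as")
    for name in su01_names:
        findings += check_snc_name(name, f"SU01 SNC name {name}")
    findings += check_snc_name(logon_name, "SAP Logon SNC name")
    if logon_name != identity:
        findings.append("SAP Logon SNC name must equal snc/identity/as")
    m = SNC_NAME.match(identity)
    account = m.group(1) if m else None
    if "/" not in spn:
        findings.append("SPN: must contain a slash (account/anything)")
    elif account and spn.split("/", 1)[0] != account:
        findings.append(f"SPN: prefix '{spn.split('/', 1)[0]}' should be the "
                        f"snc/identity/as account '{account}'")
    if account and spn_account.split("\\")[-1] != account:
        findings.append("SPN: registered on a different account than snc/identity/as")
    return findings


# Constructed configurations: the first mirrors the thread's original settings,
# the second the corrected ones. "SAPServiceAPP" and "zodiac.ad" are constructed.
ORIGINAL_PROFILE = """
snc/enable = 1
snc/gssapi_lib = c:\\usr\\sap\\APP\\SYS\\exe\\uc\\NTAMD64\\gssapi32.dll
snc/identity/as = p:appadm@zodiac.ad
"""
ORIGINAL_SU01 = ["p:ABC.AD\\ALEX.LO"]
ORIGINAL_LOGON = "p:alex.lo@ZODIAC.AD"
ORIGINAL_SPN, ORIGINAL_SPN_ACCOUNT = "appadm/QISAPP.zodiac.ad", "zodiac\\appadm"

CORRECTED_PROFILE = """
snc/enable = 1
snc/gssapi_lib = C:\\windows\\system32\\gx64krb5.dll
snc/identity/as = p:SAPServiceAPP@ZODIAC.AD
"""
CORRECTED_SU01 = ["p:alex.lo@ZODIAC.AD"]
CORRECTED_LOGON = "p:SAPServiceAPP@ZODIAC.AD"
CORRECTED_SPN, CORRECTED_SPN_ACCOUNT = "SAPServiceAPP/dontcare", "ZODIAC.AD\\SAPServiceAPP"


def original_findings() -> list:
    return check_setup(ORIGINAL_PROFILE, ORIGINAL_SU01, ORIGINAL_LOGON,
                       ORIGINAL_SPN, ORIGINAL_SPN_ACCOUNT)


def corrected_findings() -> list:
    return check_setup(CORRECTED_PROFILE, CORRECTED_SU01, CORRECTED_LOGON,
                       CORRECTED_SPN, CORRECTED_SPN_ACCOUNT)


if __name__ == "__main__":
    for label, findings in (("original", original_findings()), ("corrected", corrected_findings())):
        print(label, "->", findings or "consistent")
```

The check is deliberately offline: it tells you whether the names you are about to type into the profile, SU01, SAP Logon and SETSPN agree with each other before you touch the domain controller, which is where the "please add Service principal" error and the "Kerberos SSPI not usable with this User account" trace both originate.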