cancel
Showing results for 
Search instead for 
Did you mean: 

SAP GUI Error "SAP System Message: S"

Former Member
0 Kudos

Hi all,

I'm trying to implement SSO between SAP GUI and an ABAP system.  Eventually, the SSO will include AS Java and ABAP WebGUI as well.

So far I have deploy the SSO Server on an AS Java 7.3 system.  The SSO Server has the root certificate and the user CA certificate configured.  The Login Module is SecureLoginModuleLDAP.  The Login Module in the NetWeaver Administrator is configured for my MS AD.

On the ABAP system, I have configured the ABAP instance profile as described in http://scn.sap.com/docs/DOC-29687.  I have created the PSE for SNC manually and modified the SNC name for my test user in SU01.

On the client side, I have the SSO Client and SAP GUI installed.  When I login with my MS AD user, I can see the Kerberos Token activated.  I can also authenticate myself on the MS AD using the SSO Client and obtain a certificate.  SNC_LIB points to <Library path>\secgss.dll.  SSF_LIBRARY_PATH points to <Library path>\secssf.dll.

The problem is that when I try to logon to the ABAP system using SNC with the SAP GUI, I have an error message saying "SAP System Message: S".  There is also a few entries in SM21; "Delete session 001 after error 044".

This does not seem like a popular error on SCN as I did not find much past cases.

Any help will be much appreciated.

Cheers

Accepted Solutions (1)

Accepted Solutions (1)

tim_alsop
Active Contributor
0 Kudos

I suggest you check in the work process log (e.g. dev_w0) for the error reason. Look for error message at the time of the attempted logon.

Thanks,

Tim

Former Member
0 Kudos

Hi Tim,

I went through the trace in the dev_w* log.  SNC was initialized successfully.

N  SncInit(): Initializing Secure Network Communication (SNC)

N        PC with Windows NT (mt,ascii,SAP_UC/size_t/void* = 16/64/64)

G  GetWritePermissionForShm( pLocation = 281, pEnforce = 0 )

G  RelWritePermissionForShm( pLocation = 277, pEnforce = 0 )

N  SncInit():   found snc/data_protection/max=3, using 3 (Privacy Level)

N  SncInit():   found snc/data_protection/min=2, using 2 (Integrity Level)

N  SncInit():   found snc/data_protection/use=3, using 3 (Privacy Level)

N  SncInit(): found  snc/gssapi_lib=E:\usr\sap\EBG\DVEBMGS00\SLL\secgss.dll

N

N Fri Jul 20 11:27:39 2012

N    File "E:\usr\sap\EBG\DVEBMGS00\SLL\secgss.dll" dynamically loaded as GSS-AP

N

N Fri Jul 20 11:27:40 2012

N    The internal Adapter for the loaded GSS-API mechanism identifies as:

N    Internal SNC-Adapter (Rev 1.0) to SECUDE 5/GSS-API v2

N  SncInit():   found snc/identity/as=p:CN=EBG, OU=LAB, O=CLOCKWORK, C=CA

N

N Fri Jul 20 11:27:41 2012

N  SncInit(): Accepting  Credentials available, lifetime=Indefinite

N  SncInit(): Initiating Credentials available, lifetime=Indefinite

M  ***LOG R1Q=> p:CN=EBG, OU=LAB, O=CLOCKWORK, C=CA [thxxsnc.c    266]

M  SNC (Secure Network Communication) enabled

Anyway, I think I have resovled the "SAP System Message: S" issue.

When I installed the SSO Client on my computer, it creates the system variable SNC_LIB automatically and point it to "C:\Program Files (x86)\SAP\FrontEnd\SecureLogin\lib\secgss.dll".

When I went through the documentation in http://help.sap.com/saphelp_nw73ehp1/helpdata/en/b4/a040e5f0fe4ceeb7a4d6144f4d0f28/content.htm, it suggests another secgss.dll in a different location.

I compared the version of these two *.dll files and their versions are different.  The one that comes with the SSO Client is a newer release.

After I have changed the path for the SNC_LIB, the "SAP System Message: S" error disappears.  Now I get a different error but that's a different issue.

Cheers

frane_milicevic
Active Participant
0 Kudos

Hi Verono,

please send me a screenshot of the Secure Login Client UI (like the screenshot from Matthias)?

--> I want to see the entries available.

What is exactly the use case you want to archieve?

If you have configured Secure Login Server to provide X.509 user certificates, are you able to get a certificate on the client side (Secure Login Client)?

Thanx,

Frane

Former Member
0 Kudos

Hi Frane,

Please refer to the screenshots below. 

The use case that I want to achieve is to use a Microsoft Active Directory for authentication.  After users are authenticated, they can be single sign-on to AS ABAP system and AS Java.

I think the certificate that I see in the SSO Client is obtained from the SSO Server, so I believe the SSO Server was configured properly to provide X.509 user certificate to the SSO Client.

Thanks,

Verono

Former Member
0 Kudos

Hi all,

I have resolved my problem.

First of all, when the SSO Client was installed, the Kerberos option was chosen as default.  I noticed that the example provided by Matthias in http://scn.sap.com/docs/DOC-29687.  There was only a X.509 certificate present in the SSO Client, whereas in my screenshots above there were both the Kerberos and the X.509 certificate.  I uninstalled the SSO Client and re-installed it using the custom install option and uncheck the Kerberos option.

Now, when I log in using the SSO Client I could only see my X.509 certificate verified against my Microsoft Active Directory.  When I log on to my ABAP system with SNC enable, I encountered another error.  "GSS-API(min): A2210223:Server does not trust my certificate path target".

I have misunderstood the PKI requirement of this exercise.  I generate the SNC PSE using the ABAP system instead of using the SSO Server.  I then generated an SAP server certificate in the SSO Server under Server Configuration > Certificate Management with my SNC name defined in the profile parameter snc/identity/as.  This certificate was then imported to my ABAP system using STRUST.

After the system was restarted, I was able to single sign-on to the ABAP system using SNC.

Cheers

frane_milicevic
Active Participant
0 Kudos

Hi Verono,

o.k. thank you for the positive feedback 🙂

Have fun with testing 🙂

Best regards,

Frane

manna_das
Contributor
0 Kudos

Hello Verono,

We are also facing the same issue, the only difference is our SAP Message is F, can you tell what have u changed in SNC_LIB.

OS Win 7, 64 BIT,

WIN GUI 7.20

Thanks in advance.

Kind Regards

Manna Das

Former Member
0 Kudos

Hi Manna,

Have you reviewed the dev_w0 as suggested by Tim above?

What I had done was changing the path of SNC_LIB in the system variable to point to the correct version of the secgss.dll.  This was the root cause of my issue but you should probably review the dev_w* trace to see exactly what is causing the error.

manna_das
Contributor
0 Kudos

Hello Verono,

Thanks for the reply. We have also resolved the problem by deleting SNC_LIB entry from System Variable.

Kind Regards

Manna Das

Answers (1)

Answers (1)

Kaempfer
Advisor
Advisor
0 Kudos

Hi,

I am a litte bit confused. You are describing that you are using the certificate version of SAP NW SSO but you talk only about a "Kerberos token".

Do you see a certificate at secure login client (the picture shows a available certificate) or only a Kerberos token?

Regards

Matthias

Former Member
0 Kudos

Hi Mattias,

I do see both the certificate in the Secure Login client with my MS Active Directory user as well as the Kerberos token.

Regards,

Verono