SNC - GSS/API Kerberos related errors

Former Member

Hello Experts,

I had initially raised another message for SSO, but that was with SAP Cryptolib; after confirmation from SAP, we cannot go for an NW SSO 2.0 license, thus we are looking at alternative methods like Kerberos.

I am trying to get SNC (SSO) on the SAPGUI working after migrating from Windows 2008 / Oracle to Linux RHEL 6.4 / Sybase.

Currently we are testing on the target Linux [RHEL 6.4] server, against a Windows AD domain.


I was following the realtech document and it was a very good starting point.

http://www.realtech.com/wInternational/sap-consulting/sap-technologie/sap-identity-managementW3Dnavi...


The OS part of SSO still works, I get a TGT, klist shows me the correct credentials, etc., but the ABAP stack does no longer authenticate via SSO.

kinit works fine, with the Linux server getting authenticated at the Windows AD [via root]:


[root@orsapbisbx01 ~]# kinit -V -k SAPServiceSBQ/<hostname.mydomain.com>@<MYDOMAIN.COM>

Using default cache: /tmp/krb5cc_0

Using principal: SAPServiceSBQ/<hostname.mydomain.com>@<MYDOMAIN.COM>

Authenticated to Kerberos v5

[root@orsapbisbx01 ~]#

kinit via sbqadm

--------------------------

orsapbisbx01:sbqadm 51> kinit -V -k SAPServiceSBQ/<hostname.mydomain.com>@<MYDOMAIN.COM>

Using default cache: /tmp/krb5cc_500

Using principal: SAPServiceSBQ/<hostname.mydomain.com>@<MYDOMAIN.COM>

Authenticated to Kerberos v5

klist shows us the ticket [both via root / sbqadm]:

--------------------------------------------------------------------------------

orsapbisbx01:sbqadm 54> klist

Ticket cache: FILE:/tmp/krb5cc_500

Default principal: SAPServiceSBQ/<hostname.mydomain.com>@<MYDOMAIN.COM>

Valid starting     Expires            Service principal

07/23/14 18:01:01  07/24/14 04:01:06  krbtgt/<MYDOMAIN.COM>@<MYDOMAIN.COM>

        renew until 07/30/14 18:01:01

orsapbisbx01:sbqadm 55

SNC is correctly initialized, as seen in the dev_w* traces:

N  SncInit(): Initializing Secure Network Communication (SNC)

N        AMD/Intel x86_64 with Linux (st,ascii,SAP_UC/size_t/void* = 16/64/64)

N        UserId="sbqadm" (500), envvar USER="sbqadm"

N  SncInit():   found snc/data_protection/max=3, using 3 (Privacy Level)

N  SncInit():   found snc/data_protection/min=2, using 2 (Integrity Level)

N  SncInit():   found snc/data_protection/use=3, using 3 (Privacy Level)

N  SncInit(): found  snc/gssapi_lib=/usr/lib64/snckrb5.so

N    File "/usr/lib64/snckrb5.so" dynamically loaded as external SNC-Adapter.

N    The SNC-Adapter identifies as:

N    External SNC-Adapter (Rev 1.0) to Kerberos 5/GSS-API v2

N  SncInit():   found snc/identity/as=p/krb5:SAPServiceSBQ/<hostname.mydomain.com>@<MYDOMAIN.COM>

N  SncInit(): Accepting  Credentials available, lifetime=Indefinite

N  SncInit(): Initiating Credentials available, lifetime=09h 30m 53s

M  SNC (Secure Network Communication) enabled



On the front end, I have done the below settings.

In the SAPGUI

-----------------------

Under the SNC tab, the SNC name is as below:

SNC Name: p/krb5:SAPServiceSBQ/<hostname.mydomain.com>@<MYDOMAIN.COM>

On the SAP server, the SNC name is typed as below under the SNC tab of the user account properties:

p:pvijayda@MYDOMAIN.COM

On the front end system

-------------------------------------

I'm using the "gsskrb5.dll" library, which I moved into the directory %windir%\system32.

After that I had to add the system variable SNC_LIB with the value "gsskrb5.dll". I tried this both manually and via the installer from SAP Note 595341.

In spite of all these settings, the ABAP stack doesn't authenticate the users; all I get is a funny error popup "SAP System Message: S".

The corresponding errors are noticed in the ABAP stack dev_w* work process traces:


N  *** ERROR => SncPEstablishContext()==SNCERR_GSSAPI  [sncxxall.c 3364]

N        GSS-API(maj): Unspecified GSS failure.  Minor code may provide more information

N        GSS-API(min): No key table entry found for SAPServiceSBQ/<hostname.mydomain.com>@<MYDOMAIN.COM>

N      Unable to establish the security context

N  <<- SncProcessInput()==SNCERR_GSSAPI

M  *** ERROR => ThSncIn: SncProcessInput (SNCERR_GSSAPI) [thxxsnc.c    1035]

M  {root-id=00221982BAFF1EE484E27E91C40A025A}_{conn-id=00000000000000000000000000000000}_0

M  *** ERROR => ThSncIn: SncProcessInput [thxxsnc.c    1040]

M  {root-id=00221982BAFF1EE484E27E91C40A025A}_{conn-id=00000000000000000000000000000000}_0

Additionally, I have verified using Kerbtray.exe on the front end that the Kerberos ticket for the Linux server is also received at the front end.

Ticket

-->krbtgt/<MYDOMAIN.COM>

     |

     -->Service Principal  [krbtgt/<MYDOMAIN.COM>@MYDOMAIN.COM   

Service Name          krbtgt/<MYDOMAIN.COM>@<MYDOMAIN.COM>

Target Name            krbtgt/<MYDOMAIN.COM>@<MYDOMAIN.COM>

Is there something wrong with my configuration? I feel the issue is at the front end. Do I need to change my snc/gssapi_lib library [as we are on RHEL 6.4], since we are using /usr/lib64/snckrb5.so, which was compiled for Linux from the SNC adapter downloaded from SCN?

Any help will be greatly appreciated, as we have started going in circles after nearly 2 weeks of configuration.

Regards

Prashant Vijaydas

Accepted Solutions (1)

Former Member

Dear All,

Update

=========

We are able to get the Kerberos authentication perfectly at the OS level and also get the Kerberos TGT ticket successfully. But SSO in itself fails.

We tried to replace the SNC adapter we downloaded and compiled from SDN for Linux with the Linux-specific libraries,

i.e. replaced /usr/lib64/snckrb5.so with libgssapi_krb5.so and also the RHEL 6 specific /lib64/libgssglue.so.1, but this has not helped in spite of changes to the Kerberos library files.


Also, I retried the same configuration with SIDADM as well, to rule out issues as SAPServiceSID doesn't exist in Unix systems, but we have run into the same error: we get the error popup "SAP System Message: S".


We continue to get the below error messages in our dev_w* work process traces:


Tue Jul 29 23:44:59 2014

N  *** ERROR => SncPEstablishContext()==SNCERR_GSSAPI  [sncxxall.c 3364]

N        GSS-API(maj): Unspecified GSS failure.  Minor code may provide more information

N        GSS-API(min): No key table entry found for SBQADM/<hostname.mydomain.com>@<MYDOMAIN.COM>

N      Unable to establish the security context

N  <<- SncProcessInput()==SNCERR_GSSAPI

M  *** ERROR => ThSncIn: SncProcessInput (SNCERR_GSSAPI) [thxxsnc.c    1035]

M  {root-id=00221982BAFF1ED485F6A0D2AB080DA5}_{conn-id=00000000000000000000000000000000}_0


Any help will be greatly appreciated.


Regards

Prashant

Former Member

Hi All,

We were able to fix the problem.

Our error was due to a conflict between the Windows AD and the Linux server's encryption types:

N        GSS-API(maj): Unspecified GSS failure.  Minor code may provide more information

N        GSS-API(min): No key table entry found for SBQADM/<hostname.mydomain.com>@<MYDOMAIN.COM>


As per the link below:

http://osdude.wordpress.com/2011/08/12/authenticating-unixlinux-to-windows-2008r2-part-5-kerberos-en...

As per the Windows 2008 R2 help documentation, Windows only supports the below encryption types:

http://technet.microsoft.com/en-us/library/cc753771.aspx

[/crypto {DES-CBC-CRC|DES-CBC-MD5|RC4-HMAC-NT|AES256-SHA1|AES128-SHA1|All}]

We had tried generating the keytab file with both AES256-SHA1 and RC4-HMAC-NT,

and also mentioned the same details in our krb5.conf file as well:


[libdefaults]

default_realm = RADISYS.COM

dns_lookup_realm = true

dns_lookup_kdc = true

ticket_lifetime = 24h

renew_lifetime = 7d

forwardable = true

allow_weak_crypto = true

default_tgs_enctypes = RC4-HMAC

default_tkt_enctypes = RC4-HMAC

However, our ktpass command on the Windows AD had specified that the DES encryption type not be selected for the AD user:

ktpass -princ SBQADM/<Fully Qualified Hostname>.mydomain.com@MYDOMAIN.COM -mapuser MYDOMAIN\SBQADM -crypto DES-CBC-MD5 -ptype KRB5_NT_PRINCIPAL -mapop set -DESONLY -pass na8Exe12 -out sbq.keytab

However, after the keytab was generated, the SBQADM user's settings revealed that the DES encryption was still selected. But we didn't realize this, as the keytab file did not show us this at all.

The keytab shows us the encryption type as ARCFOUR-HMAC and nowhere does it mention that DES encryption is selected:

orsapbisbx01:sbqadm 52> klist -e

Ticket cache: FILE:/tmp/krb5cc_500

Default principal: SBQADM/<Fully Qualified Hostname>.mydomain.com>@MYDOMAIN.COM

Valid starting     Expires            Service principal

08/01/14 00:39:30  08/01/14 10:39:30  krbtgt/MYDOMAIN.COM@MYDOMAIN.COM

        renew until 08/08/14 00:39:30, Etype (skey, tkt): arcfour-hmac, arcfour-hmac

orsapbisbx01:sbqadm 53>

But after we got the error via the kvno check, we realized the problem:


orsapbisbx01:sbqadm 56>  /usr/bin/kvno -k /etc/krb5.keytab  SBQADM/<Fully Qualified Hostname>.mydomain.com>@MYDOMAIN.COM


kvno: KDC has no support for encryption type while getting credentials for SBQADM/<Fully Qualified Hostname>.mydomain.com>@MYDOMAIN.COM

When we cross-checked the user SBQADM on the AD, there was a checkbox with the option DES encryption checked. This was causing the problem. The moment we unchecked this option on the AD for the user and regenerated the Kerberos ticket via kinit, kvno was able to validate the Kerberos ticket validity and the encryption type.

The SSO started working as well for us.

Posting this so that it may be helpful for somebody, as I had worked for nearly 2 weeks on this over and over again, in circles, and can understand how frustrating this can be.


Cheers

Prashant Vijaydas

alexander_rolla
Explorer

Hello!

Thank you for your detailed description.

We have a similar issue with our SSO environment.

Can you please provide us the ktpass command you used? Above you stated you used -crypto DES-CBC-MD5 for the keyfile, but your klist -e then shows ARCFOUR-HMAC.

regards

Alexander Rolla

Former Member

Hello Alexander,

I cross-checked my screenshots and this looks to be a typo; the correct option should be

-crypto RC4-HMAC-NT. Please also ensure to change +DESONLY to -DESONLY, as this releases the restriction on an account for DES-only encryption.

The resulting klist output is as below:

orsapbisbx01:sbqadm 52> klist -e

Ticket cache: FILE:/tmp/krb5cc_500

Default principal: SBQADM/<Fully Qualified Hostname>.mydomain.com>@MYDOMAIN.COM

Valid starting     Expires            Service principal

08/01/14 00:39:30  08/01/14 10:39:30  krbtgt/MYDOMAIN.COM@MYDOMAIN.COM

        renew until 08/08/14 00:39:30, Etype (skey, tkt): arcfour-hmac, arcfour-hmac

orsapbisbx01:sbqadm 53>


Hope this helps.


Regards

Prashant
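As an added defender-side check (not code from the thread, from SAP, or from Realtech), the following Python parses a `klist -kte` keytab listing and compares the enctypes it finds against the AD account's userAccountControl flags, reporting the mismatch described above (an ARCFOUR-HMAC keytab while the account still has "Use DES encryption types" set). The keytab listing and the userAccountControl values are constructed sample input; USE_DES_KEY_ONLY is the real AD bit value.

```python
import re

# Real Active Directory userAccountControl bit for "Use Kerberos DES encryption
# types for this account" (USE_DES_KEY_ONLY). The other two are common bits on a
# service account and are used here only to build sample input.
USE_DES_KEY_ONLY = 0x200000
NORMAL_ACCOUNT = 0x0200
DONT_EXPIRE_PASSWORD = 0x10000

DES_ENCTYPES = {"des-cbc-crc", "des-cbc-md5", "des-cbc-md4"}

# Constructed sample of `klist -kte /etc/krb5.keytab` output, modelled on the
# thread's ARCFOUR-HMAC-only keytab; not copied from the original posts.
SAMPLE_KEYTAB_LISTING = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   3 08/01/14 00:30:12 SBQADM/host.mydomain.com@MYDOMAIN.COM (arcfour-hmac)
"""


def parse_keytab_enctypes(listing):
    """Map each principal in `klist -kte` output to the set of enctypes it has keys for."""
    enctypes = {}
    for line in listing.splitlines():
        # Data rows are: KVNO, date, time, principal, "(enctype)"; headers do not match
        m = re.match(r"\s*\d+\s+\S+\s+\S+\s+(\S+)\s+\((\S+)\)", line)
        if m:
            enctypes.setdefault(m.group(1), set()).add(m.group(2).lower())
    return enctypes


def diagnose(principal, keytab_enctypes, user_account_control):
    """Return the problems found for one principal; an empty list means consistent."""
    problems = []
    keys = keytab_enctypes.get(principal, set())
    if not keys:
        return ["no keytab entry found for " + principal]
    des_only = bool(user_account_control & USE_DES_KEY_ONLY)
    non_des = sorted(k for k in keys if k not in DES_ENCTYPES)
    if des_only and non_des:
        # The thread's failure: the KDC only issues DES keys, but the keytab has none
        problems.append("AD account is DES-only but keytab holds " + ", ".join(non_des))
    if keys & DES_ENCTYPES:
        problems.append("keytab holds weak DES keys; regenerate with -crypto AES256-SHA1 or RC4-HMAC-NT")
    return problems
```

Run `klist -kte /etc/krb5.keytab` on the SAP host and read the account's userAccountControl from AD (for example with `ldapsearch`) to feed the two functions with live data.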

Answers (1)

rbarberan
Discoverer

Dear all, I have exactly the same error on AIX 7.1 64-bit. Could you please share with me the solution or libraries that you use at the server and client side?

We have many implementations of this kind of auth on RHEL and SUSE; this is the first on AIX. I'm unable to compile the snckrb5.so library used on Linux because of a missing license for the XLC compiler. All other steps are OK: AD user, setspn, ktpass, get ticket, SAP profile, gsskrb5.dll on clients, etc.

Many thx in advance

Ruben