
Problem with .Net web app (IIS) using SNC and delegation for SSO

Former Member
0 Kudos

I have a very similar problem to the one posted below from a few years ago, which has gone unanswered.

We have a .Net4.0 web app running on IIS7.5. It runs in a corporate environment (with Kerberos/Windows Auth) and needs to connect into an SAP backend using RFC via the .Net Connector. I'm trying to use SNC and delegate/impersonate the users through the web app.

The web app (IIS) is configured very similarly to the instructions here:

http://blogs.msdn.com/b/chiranth/archive/2014/04/17/setting-up-kerberos-authentication-for-a-website...

I'm using a service account for my app pool and have it set up with unconstrained delegation. It has an SPN to my webserver. I think my delegation is configured correctly because I have tested it connecting to other IIS servers and I'm able to pass my user's Kerberos information.

In my web app, I have the SNC configuration set as so:

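// "parms" is an illustrative variable name; the keys and values are as posted.
RfcConfigParameters parms = new RfcConfigParameters();
parms.Add(RfcConfigParameters.SncMode, "1");                             // SNC enabled
parms.Add(RfcConfigParameters.SncLibraryPath, @"C:\qgsskrb5.dll");       // GSS-API wrapper library
parms.Add(RfcConfigParameters.SncPartnerName, "p:sap@sub.contoso.com");  // SNC name of the SAP system
parms.Add(RfcConfigParameters.SncMyName, "p:myId@sub.contoso.com");      // SNC name the client asserts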

The SNC library we are using was taken from a SAP GUI client. When I run my web app locally, it is able to connect into SAP. However, when I deploy the app to my webserver and try to connect through it, I get the following error:

GSS-API(maj): No valid credentials provided (or available)

GSS-API(min): No Kerberos SSPI credentials available for requested name="p:myId@sub.contoso.com"

I'm guessing there is a delegation problem in the SNC connection, but I'm having trouble determining why.

Any help would be much appreciated!

Accepted Solutions (0)

Answers (4)

Former Member
0 Kudos

We are having a similar problem.

We have a customer Web Application solution running on an IIS server for which we require an SNC-based SSO connection for RFC via .Net Connector 3.0.

In our experience the gx64krb5.dll works effectively.

However, the customer has recently upgraded and only the sapcrypto.dll library works for SSO integration.

This works for us with a direct RFC connection, but does not appear to support Kerberos delegation.

Can anyone confirm whether they have successfully employed sapcrypto.dll with Kerberos delegation for SSO for RFC integration?


The specific error message we are getting is:

LOCATION    CPIC (TCP/IP) with Unicode
ERROR       GSS-API(maj): No credentials were supplied
            Unable to establish the security context
            target="p:S=SL-ABAP-TRD@SITE.XXX.COM.AU"
TIME        Mon Jun 27 09:55:59 2016
RELEASE     721
COMPONENT   SNC (Secure Network Communication)
VERSION     6
RC          -4
MODULE      sncxxall.c
LINE        3604
DETAIL      SncPEstablishContext
SYSTEM CALL gss_init_sec_context
COUNTER     8

Regards

Richard

Former Member
0 Kudos

While working to find a sapcrypto.dll, I've done some more traces on the original qgsskrb5.dll solution and am finding something interesting.

When I remote desktop onto the web server and run the .Net app (web app), it is able to successfully connect using SNC. I ran a Wireshark trace and I can see the server doing TGS-REQ for my ntid as well as the sapid used by SNC (SncPartnerName).

However, when I try accessing the web site outside of the RDP (remote desktop), I get the error in my first post. When doing the Wireshark trace, I don't see the same TGS-REQ for the SncPartnerName. Instead, it seems to be looking up LDAP, and it's not even the same request.

On the RDP, the TGS-REQ body contains:

  sname - name-type: KRB5-NT-PRINCIPAL

  sname - name-string: sapid (SncPartnerName)

On the non-RDP, the TGS-REQ body contains:

sname - name-type: KRB5-NT-SRV-INST

sname - name-string: LDAP ...

This is making me think the problem is indeed with the delegation. The fact that I was able to successfully connect when in RDP shows that the qgsskrb5 is working correctly, no? If so, would there be any other parameter needed in SNC to allow a delegated connection?

MarkusTolksdorf
Product and Topic Expert
0 Kudos

Hi John,

from the NCo layer there is no such parameter. There might be some configuration needed in the SNC product, but for this I can't help.

Best regards,

Markus

Former Member
0 Kudos

Thank you for your response Markus. We have been able to use the qgsskrb5.dll library successfully by impersonating via Kerberos authentication and getting the user's MYSAPSSO tokens. With this we use RFC to make the call into SAP.

Our problem is that the Kerberos based service providing the MYSAPSSO token is being decommissioned. But we would like to continue using the existing RFCs. Would you know if sapcrypto could be used with RFC?

Many thanks for your time and help.

MarkusTolksdorf
Product and Topic Expert
0 Kudos

Hello John,

certainly, sapcrypto.dll can be used with RFC as well.

Best regards,

Markus

MarkusTolksdorf
Product and Topic Expert
0 Kudos

Hello John,

this is not an issue of NCo, it's within SNC. However, the qgsskrb5.dll is no longer the library to use (has been deprecated) and is only there for compatibility reasons. It wraps some libraries of Windows, which changed in the various Windows versions. Therefore, it could be that the webserver is running on a newer Windows version with a library version that does not fit. Alternatively, it could be that the WebServer process is not running with the identity associated with p:myId@sub.contoso.com.

However, the approach to choose nowadays is to use sapcrypto.dll, which is also shipped with the latest SAPGui clients, for which you will also get support from SAP.

Best regards,

Markus
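
An added example, not from the thread and not SAP or NCo code: a small C# diagnostic for the two conditions raised above, namely whether the code runs under the account named in SncMyName, and whether the token it holds can be used for a further Kerberos hop. The class and method names are hypothetical, and matching only the account part of the SNC name against the Windows account name is an assumption about how the names map in a given domain.

```csharp
using System;
using System.Security.Principal;

// Added diagnostic (hypothetical helper, not part of NCo or the posted code).
public static class SncIdentityCheck
{
    // Returns the user part of an SNC Kerberos name such as "p:myId@sub.contoso.com".
    public static string UserPart(string sncName)
    {
        string s = sncName.StartsWith("p:", StringComparison.OrdinalIgnoreCase)
            ? sncName.Substring(2) : sncName;
        int at = s.IndexOf('@');
        return at < 0 ? s : s.Substring(0, at);
    }

    // Describes the identity the calling thread runs under at the moment the
    // RFC connection would be opened, and flags a name mismatch or a token
    // that cannot be delegated.
    public static string Describe(string sncMyName)
    {
        // GetCurrent() returns the impersonated identity if the thread is
        // impersonating, otherwise the process (app pool) identity.
        using (WindowsIdentity id = WindowsIdentity.GetCurrent())
        {
            // id.Name is DOMAIN\account; compare only the account part (assumption).
            string account = id.Name.Substring(id.Name.LastIndexOf('\\') + 1);
            bool nameMatches = string.Equals(account, UserPart(sncMyName),
                                             StringComparison.OrdinalIgnoreCase);

            // None is reported for a primary (process) token. For an impersonated
            // thread, only the Delegation level lets the server request service
            // tickets on the user's behalf for a second hop.
            bool usableForNextHop =
                id.ImpersonationLevel == TokenImpersonationLevel.None ||
                id.ImpersonationLevel == TokenImpersonationLevel.Delegation;

            return string.Format(
                "identity={0} authType={1} level={2} matchesSncMyName={3} usableForNextHop={4}",
                id.Name, id.AuthenticationType, id.ImpersonationLevel,
                nameMatches, usableForNextHop);
        }
    }
}
```

Logging `SncIdentityCheck.Describe("p:myId@sub.contoso.com")` immediately before the RFC destination is used, once in the RDP session and once for a browser request, shows whether the two cases differ in identity or in impersonation level.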

Former Member
0 Kudos

Sorry, duplicate post. My response below.