on 04-14-2016 1:13 AM
I have a very similar problem to the one posted below from a few years ago, but it has been unanswered.
We have a .Net 4.0 web app running on IIS 7.5. It runs in a corporate environment (with Kerberos/Windows Auth) and needs to connect into an SAP backend using RFC via the .Net Connector. I'm trying to use SNC and delegate/impersonate the users through the web app.
The web app (IIS) is configured very similarly to the instructions here:
I'm using a service account for my app pool and have it set up with unconstrained delegation. It has an SPN for my webserver. I think my delegation is configured correctly because I have tested it connecting to other IIS servers and I'm able to pass my user's Kerberos information.
In my web app, I have the SNC configuration set as so:
RfcConfigParameters parameters = new RfcConfigParameters();
parameters[RfcConfigParameters.SncMode] = "1";                            // enable SNC
parameters[RfcConfigParameters.SncLibraryPath] = @"C:\qgsskrb5.dll";      // GSS-API library
parameters[RfcConfigParameters.SncPartnerName] = "p:sap@sub.contoso.com"; // SNC name of the SAP server
parameters[RfcConfigParameters.SncMyName] = "p:myId@sub.contoso.com";     // our own SNC name
The SNC library we are using was taken from a SAP GUI client. When I run my web app locally, it is able to connect into SAP. However, when I deploy the app to my webserver and try to connect through it, I get the following error:
GSS-API(maj): No valid credentials provided (or available)
GSS-API(min): No Kerberos SSPI credentials available for requested name="p:myId@sub.contoso.com"
I'm guessing there is a delegation problem in the SNC connection, but I'm having trouble determining why.
Any help would be much appreciated!
We are having a similar problem.
We have a customer Web Application solution running on an IIS server for which we require an SNC-based SSO connection for RFC via .Net Connector 3.0.
In our experience the gx64krb5.dll works effectively.
However, the customer has recently upgraded and only the sapcrypto.dll library works for SSO integration.
This works for us with a direct RFC connection, but does not appear to support Kerberos delegation.
Can anyone confirm whether they have successfully employed sapcrypto.dll with Kerberos delegation for SSO for RFC integration?
The specific error message we are getting is:
LOCATION CPIC (TCP/IP) with Unicode ERROR GSS-API(maj): No credentials were supplied Unable to establish the security context target="p:S=SL-ABAP-TRD@SITE.XXX.COM.AU" TIME Mon Jun 27 09:55:59 2016 RELEASE 721 COMPONENT SNC (Secure Network Communication) VERSION 6 RC -4 MODULE sncxxall.c LINE 3604 DETAIL SncPEstablishContext SYSTEM CALL gss_init_sec_context COUNTER 8
Regards
Richard
While working to find a sapcrypto.dll, I've done some more traces on the original qgsskrb5.dll solution and found something interesting.
When I remote desktop onto the web server and run the .Net app (web app), it is able to successfully connect using SNC. I ran a Wireshark trace and I can see the server doing a TGS-REQ for my ntid as well as for the sapid used by SNC (SncPartnerName).
However, when I try accessing the web site outside of the RDP (remote desktop), I get the error in my first post. When doing the Wireshark trace, I don't see the same TGS-REQ for the SncPartnerName. Instead, it seems to be looking up LDAP, and it's not even the same request.
On the RDP, the TGS-REQ body contains:
sname - name-type: KRB5-NT-PRINCIPAL
sname - name-string: sapid (SncPartnerName)
On the non-RDP, the TGS-REQ body contains:
sname - name-type: KRB5-NT-SRV-INST
sname - name-string: LDAP ...
This is making me think the problem is indeed with the delegation. The fact that I was able to successfully connect when in RDP shows that qgsskrb5 is working correctly, no? If so, would there be any other parameter needed in SNC to allow a delegated connection?
Thank you for your response Markus. We have been able to use the qgsskrb5.dll library successfully by impersonating via Kerberos authentication and getting the user's MYSAPSSO tokens. With this we use RFC to make the call into SAP.
Our problem is that the Kerberos-based service providing the MYSAPSSO token is being decommissioned. But we would like to continue using the existing RFCs. Would you know if sapcrypto could be used with RFC?
Many thanks for your time and help.
Hello John,
This is not an issue of NCo; it's within SNC. However, qgsskrb5.dll is no longer the library to use (it has been deprecated) and is only there for compatibility reasons. It wraps some Windows libraries, which changed across the various Windows versions. Therefore, it could be that the webserver is running on a newer Windows version with a library version that does not fit. Alternatively, it could be that the WebServer process is not running with the identity associated with p:myId@sub.contoso.com.
However, the approach to choose nowadays is to use sapcrypto.dll, which is also shipped with the latest SAPGui clients, and for which you will also get support from SAP.
Best regards,
Markus
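Added example, not code from this thread or from SAP's NCo samples, showing one way to act on the two points raised above (the OP's SNC parameters and Markus's remark about the process identity): verify that the request's Windows token is actually a delegation-level token before touching SNC, and open the RFC destination while impersonating the caller so the SNC library's SSPI lookup sees the delegated credentials rather than the app-pool account. It assumes ASP.NET on IIS with Windows authentication, NCo 3.0 (SAP.Middleware.Connector), .NET 4.0 (hence WindowsIdentity.Impersonate rather than RunImpersonated), that sapcrypto.dll is the SNC library as Markus recommends, and that the user's SNC name has the form "p:<account>@REALM"; the host, system number, client and SncQOP values are placeholders.

```csharp
using System;
using System.Security.Principal;
using System.Web;
using SAP.Middleware.Connector;

public static class DelegatedSncRfc
{
    // Caller identity taken from the current ASP.NET request (assumes Windows auth).
    public static WindowsIdentity CallerIdentity()
    {
        return HttpContext.Current.User.Identity as WindowsIdentity;
    }

    // A Kerberos hop to SAP only works if IIS gave us a token at Delegation level.
    // An Impersonation-level token is the usual cause of "No Kerberos SSPI credentials
    // available" on the SNC hop: the thread can act locally but cannot obtain a
    // service ticket on the user's behalf.
    public static bool CanDelegate(WindowsIdentity id)
    {
        return id != null && id.ImpersonationLevel == TokenImpersonationLevel.Delegation;
    }

    // Builds per-user destination parameters. The destination Name includes the user
    // because NCo caches destinations and pools their connections by name; sharing one
    // name across users could hand user B a connection that was authenticated as user A.
    public static RfcConfigParameters BuildParameters(string userAccount)
    {
        var p = new RfcConfigParameters();
        p[RfcConfigParameters.Name] = "SAP_SNC_" + userAccount;          // per-user cache key
        p[RfcConfigParameters.AppServerHost] = "sapapp.sub.contoso.com"; // placeholder
        p[RfcConfigParameters.SystemNumber] = "00";                      // placeholder
        p[RfcConfigParameters.Client] = "100";                           // placeholder
        p[RfcConfigParameters.SncMode] = "1";                            // SNC on
        p[RfcConfigParameters.SncQOP] = "3";                             // assumption: privacy
        p[RfcConfigParameters.SncLibraryPath] = @"C:\sapcrypto.dll";     // per Markus's advice
        p[RfcConfigParameters.SncPartnerName] = "p:sap@sub.contoso.com"; // SAP server's SNC name
        // Assumption about naming: the user's own SNC name is p:<account>@REALM.
        p[RfcConfigParameters.SncMyName] = "p:" + userAccount + "@SUB.CONTOSO.COM";
        return p;
    }

    // Opens the destination as the caller and pings SAP. Throws with a diagnostic
    // message instead of silently falling back to the app-pool identity.
    public static void PingAsCaller()
    {
        WindowsIdentity caller = CallerIdentity();
        if (!CanDelegate(caller))
        {
            string level = caller == null ? "none" : caller.ImpersonationLevel.ToString();
            throw new InvalidOperationException(
                "Token level is " + level + ", expected Delegation; check the app-pool " +
                "account's delegation settings and the HTTP SPN on the web server.");
        }

        // DOMAIN\account -> account
        string account = caller.Name.Contains("\\") ? caller.Name.Split('\\')[1] : caller.Name;

        // Impersonate only around the SNC handshake: the SNC library picks up the
        // SSPI credentials of the thread's current token, so this is where the
        // delegated TGS-REQ for the SncPartnerName must be issued.
        using (WindowsImpersonationContext ctx = caller.Impersonate())
        {
            RfcDestination dest = RfcDestinationManager.GetDestination(BuildParameters(account));
            dest.Ping();
        }
    }
}
```

If the check in PingAsCaller fails on the web server but passes from an RDP session on the same box, that reproduces the symptom described earlier in the thread (a delegation-level token exists for the interactive logon but not for the browser request), which points at the app-pool delegation setting or the SPN rather than at the SNC library itself.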