SSO kerberos with two domain (one trusted) how to generate the keytab for 2 domain

Former Member

Hi community, I have a problem adding and using a secondary (trusted) domain for SSO with Kerberos. (The configuration for the first domain is working fine.)

See my attachment for all the steps that I tried.

I also followed the

Option 1 & Option 2: Irrespective of the trust existence between the domains, when we have more than one Microsoft Domain to integrate into our Kerberos/SPNego implementation, it is necessary to create a Keytab for every one of these domains. Such configuration is required because the SAP AS ABAP server has to be configured to trust every one of these domains.

But how can I generate this keytab?

Some info: principal domain (working fine: SEAT.IT)

Secondary domain (ITALIAONLINE.LOCAL)

In RZ10, in the instance profile, there is this configuration:

snc/enable = 1

snc/data_protection/min = 1

snc/data_protection/max = 3

snc/data_protection/use = 3

snc/accept_insecure_gui = 1

snc/accept_insecure_cpic = 1

snc/accept_insecure_rfc = 1

snc/accept_insecure_r3int_rfc = 1

snc/r3int_rfc_insecure = 0

snc/r3int_rfc_qop = 3

snc/permit_insecure_start = 1

snc/identity/as = p:sr3qa1p1-SAP@SEAT.IT // my first domain that is working fine

snc/gssapi_lib = /opt/quest/lib/libvas-gssapi64.so

In SAP I have set the user (D9992) to log on with SNC via SU01.

When I try to log on (to SAP system S09) with a user from the second, trusted domain, I receive:

To check the Kerberos ticket I launched the executable Kerbtray.exe on the machine, and the info is:

I have read the same forum thread (https://scn.sap.com/thread/955731); it is similar to my problem.

There I tried to run via SE38 some check reports, which I report below (I think all is OK).

The question is:

Considering that the row snc/identity/as = p:sr3qa1p1-SAP@SEAT.IT is unique and I cannot have two rows… (one per domain), but the secondary domain is trusted, are there some additional commands that I must run?

Best Regards,

Andrea Preziuso
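The instance profile posted above accepts non-SNC logons on every channel (all snc/accept_insecure_* parameters and snc/permit_insecure_start are 1) and allows clients to negotiate authentication-only protection (snc/data_protection/min = 1). That is a common transitional state while SSO is being rolled out, but it is worth flagging during a review. The following checker is an added example (not from this thread, SAP, or any SAP tool): it parses RZ10-style "parameter = value" lines, extracts the single Kerberos realm from snc/identity/as, and lists weak settings. The posted profile is reproduced as sample input; the "hardened" variant is an assumed target state in which SNC is mandatory and privacy protection is the minimum.

```python
"""Audit SNC profile parameters for settings that admit non-SNC connections.

Added example; not part of the original thread and not an SAP tool.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Matches "snc/<name> = <value>" as written in an instance profile.
PROFILE_LINE = re.compile(r"^\s*(snc/[\w/]+)\s*=\s*(\S+)")

# When set to 1, these let logons/connections through without SNC protection.
INSECURE_ACCEPT_PARAMS = (
    "snc/accept_insecure_gui",
    "snc/accept_insecure_cpic",
    "snc/accept_insecure_rfc",
    "snc/accept_insecure_r3int_rfc",
    "snc/permit_insecure_start",
)

# Sample input constructed from the values posted in the question.
POSTED_PROFILE = """
snc/enable = 1
snc/data_protection/min = 1
snc/data_protection/max = 3
snc/data_protection/use = 3
snc/accept_insecure_gui = 1
snc/accept_insecure_cpic = 1
snc/accept_insecure_rfc = 1
snc/accept_insecure_r3int_rfc = 1
snc/r3int_rfc_insecure = 0
snc/r3int_rfc_qop = 3
snc/permit_insecure_start = 1
snc/identity/as = p:sr3qa1p1-SAP@SEAT.IT // my first domain that is working fine
snc/gssapi_lib = /opt/quest/lib/libvas-gssapi64.so
"""

# Assumed target state once every client can do SNC: no insecure fallbacks,
# privacy (level 3) required. Constructed for illustration.
HARDENED_PROFILE = """
snc/enable = 1
snc/data_protection/min = 3
snc/data_protection/max = 3
snc/data_protection/use = 3
snc/accept_insecure_gui = 0
snc/accept_insecure_cpic = 0
snc/accept_insecure_rfc = 0
snc/accept_insecure_r3int_rfc = 0
snc/permit_insecure_start = 0
snc/identity/as = p:sr3qa1p1-SAP@SEAT.IT
snc/gssapi_lib = /opt/quest/lib/libvas-gssapi64.so
"""


@dataclass
class SncAudit:
    params: Dict[str, str] = field(default_factory=dict)
    findings: List[str] = field(default_factory=list)
    identity_realm: Optional[str] = None  # realm part of snc/identity/as


def parse_profile(text: str) -> Dict[str, str]:
    """Return {parameter: value}; blank lines and trailing '//' comments are ignored."""
    params: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.split("//", 1)[0]  # strip the kind of inline note seen in the post
        m = PROFILE_LINE.match(line)
        if m:
            params[m.group(1)] = m.group(2)
    return params


def audit_snc_profile(text: str) -> SncAudit:
    """Flag parameters that weaken SNC enforcement; report the server's Kerberos realm."""
    audit = SncAudit(params=parse_profile(text))
    p = audit.params
    if p.get("snc/enable") != "1":
        audit.findings.append("snc/enable is not 1: SNC is switched off")
    for name in INSECURE_ACCEPT_PARAMS:
        if p.get(name) == "1":
            audit.findings.append(f"{name} = 1: connections without SNC are accepted")
    # Quality of protection: 1 = authentication, 2 = integrity, 3 = privacy.
    if p.get("snc/data_protection/min", "1") != "3":
        audit.findings.append("snc/data_protection/min < 3: clients may negotiate less than privacy")
    ident = p.get("snc/identity/as", "")
    if "@" in ident:
        # A single identity means a single realm; users from another realm
        # rely on the trust and keytab setup discussed in the thread.
        audit.identity_realm = ident.rsplit("@", 1)[1]
    return audit


if __name__ == "__main__":
    for label, text in (("posted", POSTED_PROFILE), ("hardened", HARDENED_PROFILE)):
        result = audit_snc_profile(text)
        print(f"[{label}] realm={result.identity_realm} findings={len(result.findings)}")
        for f in result.findings:
            print("  -", f)
```

Run as-is it reports six findings for the posted profile and none for the hardened one. Note that setting the accept_insecure parameters to 0 locks out every client that has not been migrated to SNC, so a rollout normally keeps them at 1 until SSO works for all domains, and flips them afterwards.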

Accepted Solutions (0)

Answers (1)

Former Member

Hi Andrea,

We are also facing the same issue as you. Did you find any solution?

We have two domains that do not trust each other, and we have configured SNC as mentioned in the link ().

It is working fine in DOMAIN1 with SNC name "p:CN=SAP/KerberosSC2@DOMAIN1", but when we connect as a DOMAIN2 user it fails with the error below:

GSS-API(min) : A2210223:Server does not trust certificate path target = "p:CN=SAP/kerberosSC2@DOMAIN2

Please let me know if you have the solution.

Thanks,

Krishna