
SAP SNC Error in SSO

Former Member
0 Kudos

Hi

We implemented SAP Single Sign on last year using Kerberos and it was working beautifully until last Friday.

Since last Friday, we are getting a weird error on our development system (we are lucky that it has not started happening on our Production systems)...

Sapgui 710 [Build 9003] Tue Aug 24 16:27:16 2010

: 'SAP System Message:

Security Network Layer (SNC) error

Our configuration is:

snc/enable 1

snc/gssapi_lib /lib/libgssapi_krb5.a(libgssapi_krb5.a.so)

snc/identity/as p:SAPservice/sapdev.<domain_name>@<i5_REALM>

snc/accept_insecure_gui 1

snc/accept_insecure_rfc 1

snc/accept_insecure_r3int_rfc 1

snc/permit_insecure_start 1

Now the funny part is that we know what the fix is. We have to advance our PC clocks on the PC to maybe a couple of minutes ahead and then it lets us log into the system.

The Work process trace file shows us the following :

N Sun Aug 22 10:45:10 2010

N *** ERROR => SncPEstablishContext()==SNCERR_GSSAPI [sncxxall.c 3357]

N GSS-API(maj): Miscellaneous failure

N GSS-API(min): Clock skew too great <<<<<<========================

N Unable to establish the security context

N <<- SncProcessInput()==SNCERR_GSSAPI

M *** ERROR => ThSncIn: SncProcessInput (SNCERR_GSSAPI) [thxxsnc.c 976]

M *** ERROR => ThSncIn: SncProcessInput [thxxsnc.c 981]

M in_ThErrHandle: 1

M *** ERROR => ThSncIn: SncProcessInput (step 4, th_errno 44, action 1, level 1) [thxxhead.c 10631]

Looking at it, someone will wonder that it's the clock skew and that it's off.

But we have looked at the iSeries clock, the domain controller clock and the PC clock, which are all within minutes of each other. The iSeries is synced to the domain using CHGNTPA every 60 minutes using (*MAXADJ).

Also, our domain controller setting for Kerberos Policy for Maximum tolerance for computer clock synchronization is set to 5 minutes.

Now it gets even more interesting. We have three SAP systems on the same LPAR configured for SAP SNC SSO.

One of them works and two of them give us this error. When we advance our PC times by only a couple of minutes, then these two also start working.

So that makes us believe it must be something within the SAP application, as all three share the same OS configuration (time, REALMS, krb5 settings etc.). The one that works is a BI system and is at SPS 15, but the two that give us trouble are at SPS11.

Any advice on where I should look further inside SAP? System i?

I am all stumped...

Thanks in advance for all your help.

Abhi

Edited by: ABHI GUPT on Aug 27, 2010 11:23 AM

Accepted Solutions (0)

Answers (2)


Former Member
0 Kudos

Hi Team,

I'm currently doing SSO setup. My Active Directory is Windows Server 2008 R2 and my SAP server is Linux. Do you know any document I can use for this setup? Currently I'm following http://www.realtech.com/wInternational/pdf/consulting/Whitepaper/SAP_Single_Sign-On_und_Secure_Conne...

However, it still does not work.

Please help.

martin_eberle
Explorer
0 Kudos

Hi Joshua

Do you still need any input?

Which Linux version do you have?

Martin

Former Member
0 Kudos

Hi All

Any solution to the original problem? I am also facing the same issue with SNC.

Regards

Khurram Qureshi

former_member192334
Participant
0 Kudos

Hello Abhi

I now have a customer with the SAME error and the same situation that you explained. SSO was always working well... but since last weekend... we get the same error...

Did you find any explanation or solution?

Thanks and regards

Javier

Former Member
0 Kudos

Hi Javier,

you should sync the times of the i5 & Windows server and the clients ... I think 5 minutes are allowed ...

then it should work - otherwise, Kerberos cannot work ...

Regards

Volker Gueldenpfennig, consolut international ag

http://www.consolut.com http://www.4soi.de http://www.easymarketplace.de
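Added example, not part of any post in this thread: a small Python check that pulls the "Clock skew too great" events out of a work process trace in the layout quoted in the original question, and compares clock readings pairwise in UTC against the 5-minute tolerance. The sample trace, host names and readings are constructed for illustration; they show that every host can be within 5 minutes of the domain controller while the client and the SAP host are still more than 5 minutes apart.

```python
import re
from datetime import datetime
from itertools import combinations

TOLERANCE_S = 300  # the 5-minute Kerberos tolerance quoted in the thread

# Constructed sample in the layout of the work process trace quoted above.
SAMPLE_TRACE = """\
N Sun Aug 22 10:45:10 2010
N *** ERROR => SncPEstablishContext()==SNCERR_GSSAPI [sncxxall.c 3357]
N GSS-API(maj): Miscellaneous failure
N GSS-API(min): Clock skew too great
N Unable to establish the security context
N Sun Aug 22 10:52:41 2010
N GSS-API(maj): Miscellaneous failure
N GSS-API(min): Clock skew too great
"""

# Trace timestamp header, e.g. "N Sun Aug 22 10:45:10 2010" (server-local time).
STAMP = re.compile(r"^[A-Z]\s+(\w{3} \w{3} [ \d]\d \d\d:\d\d:\d\d \d{4})\s*$")

def skew_failures(trace):
    """Return the server-local timestamp of each 'Clock skew too great' event."""
    hits, current = [], None
    for line in trace.splitlines():
        m = STAMP.match(line)
        if m:
            current = datetime.strptime(m.group(1), "%a %b %d %H:%M:%S %Y")
        elif "GSS-API(min): Clock skew too great" in line:
            hits.append(current)
    return hits

def pairwise_skew(readings, tolerance=TOLERANCE_S):
    """readings: host -> ISO 8601 time WITH UTC offset, sampled at one moment.
    Returns (host_a, host_b, abs_skew_seconds, within_tolerance) per pair."""
    utc = {h: datetime.fromisoformat(t).timestamp() for h, t in readings.items()}
    return [(a, b, abs(utc[a] - utc[b]), abs(utc[a] - utc[b]) <= tolerance)
            for a, b in combinations(sorted(utc), 2)]

# Constructed readings: each host is "within minutes" of the others.
READINGS = {
    "client-pc": "2010-08-24T16:23:05-04:00",
    "domain-controller": "2010-08-24T16:27:10-04:00",
    "sap-host": "2010-08-24T16:28:40-04:00",
}

if __name__ == "__main__":
    print(skew_failures(SAMPLE_TRACE))
    for row in pairwise_skew(READINGS):
        print(row)
```

Readings must carry their UTC offset, because Kerberos compares timestamps in UTC and not local wall-clock time.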

former_member192334
Participant
0 Kudos

Hello Volker

The thing is, the difference between the clocks is lower than 5 minutes... So, I don't understand why we get this error.

Curiously, this configuration was working well for a long, long time, and... the problems have appeared since the change to winter time (month September)?

After this we matched the clocks again (iSeries, Windows server, and PCs), but the threshold of 5 minutes is not working well.

Any suggestion?

Thanks a lot

Javier