on 04-28-2014 4:59 PM
Hi all,
I am trying to configure SAP NetWeaver Single Sign-On for SAP GUI for Windows with Kerberos integration.
As <SID>adm
I have downloaded the files and uncar'd them into my D:\usr\sap\SM1\SLL directory.
I set my environment variables: SUCDIR = D:\usr\sap\SM1\DVEBMGS02\sec, SNCLIB = D:\usr\sap\SM1\SLL\secgss.dll
I have maintained my Instance Profile with:
snc/enable = 1
snc/gssapi_lib = D:\usr\sap\SM1\SLL\secgss.dll
snc/identity/as = p:CN=SLLServiceSM1
snc/data_protection/max = 3
snc/data_protection/min = 2
snc/data_protection/use = 3
snc/r3int_rfc_secure = 0
snc/r3int_rfc_qop = 8
snc/accept_insecure_cpic = 1
snc/accept_insecure_gui = 1
snc/accept_insecure_rfc = 1
snc/permit_insecure_start = 1
snc/force_login_screen = 0
snc/accept_insecure_r3int_rfc = 1
snc/extid_login_diag = 1
snc/extid_login_rfc = 1
I have a user on the Active Directory: SLLServiceSM1
I ran through the steps:
D:\>set SECUDIR=D:\usr\sap\SM1\DVEBMGS02\sec
D:\>cd D:\usr\sap\SM1\SLL
D:\usr\sap\SM1\SLL>sapgenpse keytab -p SAPSNCSKERB.pse -a SLLServiceSM1@office.xxxxx.com (no errors)
D:\usr\sap\SM1\SLL>sapgenpse seclogin -p SAPSNCSKERB.pse -O SLLServiceSM1 (no errors)
D:\usr\sap\SM1\SLL>sapgenpse seclogin -l
(gives: running seclogin with USER="sm1adm" 0: CN=SLLServiceSM1@office.xxxxxx.com D:\usr\sap\SM1\DVEBMGS02\sec\SAPSNCSKERB.pse NOT readable for sm1adm NO readable SSO-Credentials available (total 1))
When I try to start SAP, it stops and my trace reads:
SncInit(): Initializing Secure Network Communication (SNC)
N PC with Windows NT (mt,ascii,SAP_UC/size_t/void* = 16/64/64)
N GetUserName()="SAPServiceSM1" NetWkstaUser="SAPServiceSM1"
N SncInit(): found snc/data_protection/max=3, using 3 (Privacy Level)
N SncInit(): found snc/data_protection/min=2, using 2 (Integrity Level)
N SncInit(): found snc/data_protection/use=3, using 3 (Privacy Level)
N SncInit(): found snc/gssapi_lib=D:\usr\sap\SM1\SLL\secgss.dll
N File "D:\usr\sap\SM1\SLL\secgss.dll" dynamically loaded as GSS-API v2 library.
N The internal Adapter for the loaded GSS-API mechanism identifies as:
N Internal SNC-Adapter (Rev 1.0) to SECUDE 5/GSS-API v2
N FileVersionInfo: D:\usr\sap\SM1\SLL\secgss.dll, FileVersion= 8.4.1.32
N SncInit(): found snc/identity/as=p:CN=SLLServiceSM1
N *** ERROR => SncPAcquireCred()==SNCERR_GSSAPI [sncxxall.c 1445]
N GSS-API(maj): No credentials were supplied
N Could't acquire ACCEPTING credentials for
N
N name="p:CN=SLLServiceSM1"
N FATAL SNCERROR -- Accepting Credentials not available!
N (debug hint: default acceptor = "p:CN=DummyCredential")
N <<- SncInit()==SNCERR_GSSAPI
N sec_avail = "false"
Any input would be greatly appreciated.
Thanks,
Diana
Turns out there was a conflict between my SAProuter SNC configuration on this server and the SNC for SSO. Once I set the SNC SSO environment variables as 'user' variables (left the SAProuter variables as 'system') everything was fine.
Thanks,
Diana
Hello Diana,
You did not say whether your SAP server is also running Windows.
If yes, the credentials should be set for the SAPService<SID> user.
In my company, I could successfully configure SNC Kerberos but it was not really easy for the first system... I have one difficulty because the SAP end users have Windows users in a different Windows domain than the SAP Servers.
Here is briefly what I have done to generate a working keytab pse.
I used the SAP Common Cryptolib instead of the NWSSO dll.
Create empty PSE:
sapgenpse keytab -p SAPSNCSKERB.pse
Create entries in the keytab
sapgenpse keytab -x <kerberos user password> -nopsegen -a <kerberos user>@<SAP SERVER WINDOWS DOMAIN>
Create credentials for the SAP Windows Service user: SAPService<SID>
sapgenpse seclogin -p D:\usr\sap\<SID>\DVEBMGSxx\sec\SAPSNCSKERB.pse -O SAPService<SID>
Verify credentials:
sapgenpse seclogin -l -O SAPService<SID>
When re-starting the system I get:
SncInit(): Initializing Secure Network Communication (SNC)
PC with Windows NT (mt,ascii,SAP_UC/size_t/void* = 16/64/64)
GetUserName()="SAPService<SID>" NetWkstaUser="SAPService<SID>"
SncInit(): found snc/data_protection/max=1, using 1 (Authentication Level)
SncInit(): found snc/data_protection/min=1, using 1 (Authentication Level)
SncInit(): found snc/data_protection/use=1, using 1 (Authentication Level)
SncInit(): found snc/gssapi_lib=D:\usr\sap\<SID>\DVEBMGS57\exe\sapcrypto.dll
File "D:\usr\sap\<SID>\DVEBMGS57\exe\sapcrypto.dll" dynamically loaded as GSS-API v2 library.
SECUDIR="D:\usr\sap\<SID>\DVEBMGS57\sec" (from $SECUDIR)
The internal Adapter for the loaded GSS-API mechanism identifies as:
Internal SNC-Adapter (Rev 1.0) to Secure Login Library
Product Version = CommonCryptoLib (SAPCRYPTOLIB) Version 8.4.9 pl40 (2.0 SP1 Patch 4) (Sep 27 2013) MT-safe
SncInit(): found snc/identity/as=p:CN=SAP/<kerberos user>@<SAP SERVER WINDOWS DOMAIN>
SncInit(): Accepting Credentials available, lifetime=Indefinite
SncInit(): Initiating Credentials available, lifetime=Indefinite
***LOG R1Q=> p:CN=SAP/<kerberos user>@<SAP SERVER WINDOWS DOMAIN> [thxxsnc.c 267]
SNC (Secure Network Communication) enabled
There may be a simpler way, but it worked for me!
Hope this helps...
Best Regards,
Olivier
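Added example (not part of either poster's message and not SAP code): a small Python triage of an SncInit trace excerpt that checks the two points raised in this thread, namely the Windows account the work process runs as versus the account passed to `sapgenpse seclogin -O`, and whether the trace reports a SECUDIR at all. The function names and the abridged sample trace are constructed for illustration, and treating a missing SECUDIR line as a hint is an assumption.

```python
import re

# Constructed sample: abridged from the failing trace quoted in the question.
FAILING_TRACE = r'''
N GetUserName()="SAPServiceSM1" NetWkstaUser="SAPServiceSM1"
N SncInit(): found snc/gssapi_lib=D:\usr\sap\SM1\SLL\secgss.dll
N SncInit(): found snc/identity/as=p:CN=SLLServiceSM1
N *** ERROR => SncPAcquireCred()==SNCERR_GSSAPI [sncxxall.c 1445]
N GSS-API(maj): No credentials were supplied
N <<- SncInit()==SNCERR_GSSAPI
'''

# Fields worth pulling out of the SncInit() section of a work process trace.
PATTERNS = {
    "os_user": re.compile(r'GetUserName\(\)="([^"]+)"'),
    "gssapi_lib": re.compile(r'found snc/gssapi_lib=(\S+)'),
    "secudir": re.compile(r'SECUDIR="([^"]+)"'),
    "snc_name": re.compile(r'found snc/identity/as=(\S+)'),
    "gss_major": re.compile(r'GSS-API\(maj\):\s*(.+)'),
}

def parse_snc_init(trace):
    """Extract the first occurrence of each field plus the credential status."""
    info = {key: None for key in PATTERNS}
    info["accepting_creds"] = False
    for line in trace.splitlines():
        for key, rx in PATTERNS.items():
            m = rx.search(line)
            if m and info[key] is None:
                info[key] = m.group(1).strip()
        if "Accepting Credentials available" in line:
            info["accepting_creds"] = True
    return info

def triage(info, seclogin_owner):
    """seclogin_owner: the account that was given to `sapgenpse seclogin -O`."""
    if info["accepting_creds"]:
        return []
    findings = [f"no accepting credentials for {info['snc_name']}: {info['gss_major']}"]
    # Credentials must belong to the account the work process runs as.
    if info["os_user"] and seclogin_owner.lower() != info["os_user"].lower():
        findings.append(f"seclogin owner {seclogin_owner} != process user {info['os_user']}")
    # Assumption: no SECUDIR line means the effective directory is unconfirmed.
    if info["secudir"] is None:
        findings.append("SECUDIR not reported; check it in the service account's environment")
    return findings

if __name__ == "__main__":
    for finding in triage(parse_snc_init(FAILING_TRACE), "SLLServiceSM1"):
        print(finding)
```
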