cancel
Showing results for 
Search instead for 
Did you mean: 

Could't acquire ACCEPTING credentials for name="p:CN=SLLServiceSM1"

Former Member
0 Kudos

Hi all,

I am trying to configure SAP NetWeaver Single Sign-On for SAP GUI for Windows with Kerberos integration.

As <SID>adm

I have downloaded the files and uncar'd them into my D:\usr\sap\SM1\SLL directory.

I set my environment variables: SUCDIR = D:\usr\sap\SM1\DVEBMGS02\sec, SNCLIB = D:\usr\sap\SM1\SLL\secgss.dll

I have maintained my Instance Profile with:

snc/enable = 1

snc/gssapi_lib = D:\usr\sap\SM1\SLL\secgss.dll

snc/identity/as = p:CN=SLLServiceSM1

snc/data_protection/max = 3

snc/data_protection/min = 2

snc/data_protection/use = 3

snc/r3int_rfc_secure = 0

snc/r3int_rfc_qop = 8

snc/accept_insecure_cpic = 1

snc/accept_insecure_gui = 1

snc/accept_insecure_rfc = 1

snc/permit_insecure_start = 1

snc/force_login_screen = 0

snc/accept_insecure_r3int_rfc = 1

snc/extid_login_diag = 1

snc/extid_login_rfc = 1

I have a user on the Active Directory: SLLServiceSM1

I ran through the steps:

D:\>set SECUDIR=D:\usr\sap\SM1\DVEBMGS02\sec

D:\>cd D:\usr\sap\SM1\SLL

D:\usr\sap\SM1\SLL>sapgenpse keytab -p SAPSNCSKERB.pse -a SLLServiceSM1@office.xxxxx.com (no errors)

D:\usr\sap\SM1\SLL>sapgenpse seclogin -p SAPSNCSKERB.pse -O SLLServiceSM1 (no errors)

D:\usr\sap\SM1\SLL>sapgenpse seclogin -l  

(gives:  running seclogin with USER="sm1adm" 0: CN=SLLServiceSM1@office.xxxxxx.com D:\usr\sap\SM1\DVEBMGS02\sec\SAPSNCSKERB.pse NOT readable for sm1adm NO readable SSO-Credentials available (total 1))

When I try to start SAP, it Stops and my trace reads:

SncInit(): Initializing Secure Network Communication (SNC)

N        PC with Windows NT (mt,ascii,SAP_UC/size_t/void* = 16/64/64)

N        GetUserName()="SAPServiceSM1"  NetWkstaUser="SAPServiceSM1"

N  SncInit():   found snc/data_protection/max=3, using 3 (Privacy Level)

N  SncInit():   found snc/data_protection/min=2, using 2 (Integrity Level)

N  SncInit():   found snc/data_protection/use=3, using 3 (Privacy Level)

N  SncInit(): found  snc/gssapi_lib=D:\usr\sap\SM1\SLL\secgss.dll

N    File "D:\usr\sap\SM1\SLL\secgss.dll" dynamically loaded as GSS-API v2 library.

N    The internal Adapter for the loaded GSS-API mechanism identifies as:

N    Internal SNC-Adapter (Rev 1.0) to SECUDE 5/GSS-API v2

N    FileVersionInfo: D:\usr\sap\SM1\SLL\secgss.dll, FileVersion= 8.4.1.32

N  SncInit():   found snc/identity/as=p:CN=SLLServiceSM1

N  *** ERROR => SncPAcquireCred()==SNCERR_GSSAPI  [sncxxall.c 1445]

N        GSS-API(maj): No credentials were supplied

N      Could't acquire ACCEPTING credentials for

N      name="p:CN=SLLServiceSM1"

N      FATAL SNCERROR -- Accepting Credentials not available!

N      (debug hint: default acceptor = "p:CN=DummyCredential")

N  <<- SncInit()==SNCERR_GSSAPI

N           sec_avail = "false"

Any input would be greatly appreciated.

Thanks,

Diana

Accepted Solutions (1)

Accepted Solutions (1)

Former Member
0 Kudos

Turns out there was a conflict between me SAProuter SNC configuration on this server and the SNC for SSO. Once I set the SNC SSO environment variables as 'user' variables (left the SAProuter variables as 'system') everything was fine.

Thanks,

Diana

Former Member
0 Kudos

Hi Diana,

I'm seeing the exact same error while trying to configure SSO using Kerberos. Can you please explain to me how you set the SNC SSO environment variables as 'user' variables (left the SAProuter variables as 'system') ??

Thanks,

Brian

Former Member
0 Kudos

Hi Brian. This what I am referring to.

Former Member
0 Kudos

Thank you Diana!

Answers (1)

Answers (1)

Former Member
0 Kudos

Hello Diana,

You did not tell if your SAP server is also running Windows.

If yes, the credentials should be set for the SAPService<SID> user.

In my company, I could successfully configure SNC Kerberos but it was not really easy for the first system... I have one difficulty because the SAP end users have windows users in a different windows domain than the SAP Servers.

Here is briefly what I have done to generate a working keytab pse.

I used the SAP Common Cryptolib instead of the NWSSO dll.

Create empty PS:

sapgenpse keytab –p SAPSNCSKERB.pse


Create entries in the keytab

sapgenpse keytab -x <kerberos user password> -nopsegen -a <kerberos user>@<SAP SERVER WINDOWS DOMAIN>

Create credentials for the SAP Widows  Service user : SAPService<SID>

sapgenpse seclogin -p D:\usr\sap\<SID>DVEBMGSxx\sec\SAPSNCSKERB.pse -O SAPService<SID>

Verify credentials :

sapgenpse seclogin -l -O SAPService<SID>

When re-starting  the system I get :

SncInit(): Initializing Secure Network Communication (SNC)

       PC with Windows NT (mt,ascii,SAP_UC/size_t/void* = 16/64/64)

       GetUserName()="SAPService<SID>"  NetWkstaUser="SAPService<SID>"

SncInit():   found snc/data_protection/max=1, using 1 (Authentication Level)

SncInit():   found snc/data_protection/min=1, using 1 (Authentication Level)

SncInit():   found snc/data_protection/use=1, using 1 (Authentication Level)

SncInit(): found  snc/gssapi_lib=D:\usr\sap\<SID>\DVEBMGS57\exe\sapcrypto.dll

   File "D:\usr\sap\<SID>\DVEBMGS57\exe\sapcrypto.dll" dynamically loaded as GSS-API v2 library.

   SECUDIR="D:\usr\sap\<SID>\DVEBMGS57\sec" (from $SECUDIR)

   The internal Adapter for the loaded GSS-API mechanism identifies as:

   Internal SNC-Adapter (Rev 1.0) to Secure Login Library

   Product Version = CommonCryptoLib (SAPCRYPTOLIB) Version 8.4.9 pl40 (2.0 SP1 Patch 4) (Sep 27 2013) MT-safe

SncInit():   found snc/identity/as=p:CN=SAP/<kerberos user>@<SAP SERVER WINDOWS DOMAIN>

SncInit(): Accepting  Credentials available, lifetime=Indefinite

SncInit(): Initiating Credentials available, lifetime=Indefinite

***LOG R1Q=> p:CN=SAP/<kerberos user>@<SAP SERVER WINDOWS DOMAIN> [thxxsnc.c    267]

SNC (Secure Network Communication) enabled

There may be a simpler way, but it worked for me !

Hope this helps...

Best Regards,

Olivier

Former Member
0 Kudos

Hi,

Yes, this is all Windows servers...same domain.

Thanks,

Diana