
Setting up SSO with SNC/Kerberos

I'm trying to set up SSO for SAPGui with backend ECC5 on Windows 2003. I have followed the section of the install guide called SAP WebAS 6.40 SR1 because I can't find an ECC5 version, so possibly what I am trying to do is not possible?

Steps that I did...

1. I've downloaded the gsskrb5.dll and put it in c:\windows\system32

2. Added the profile parameters:

snc/enable = 1

snc/identity/as = p:SAPServiceIDS{at symbol}sscit.com.au

snc/gssapi_lib = C:\WINDOWS\system32\gsskrb5.dll

3. I'm still using the local account at this stage because I'm not sure how to create a domain account that can start the SAP instance on this machine. I have also played with the Service Principal, but again I'm not really sure what I am doing.

So anyhow, after I made the parameter changes and restarted the SAP instance, the dispatcher soon failed with the following errors in all the wp logs...

rdisp/reinitialize_code_page -> 0

M icm/accept_remote_trace_level -> 0

M rdisp/no_hooks_for_sqlbreak -> 0

N SncInit(): Initializing Secure Network Communication (SNC)

N PC with Windows NT (mt,ascii,SAP_UC/size_t/void* = 8/32/32)

N SncInit(): found snc/data_protection/max=3, using 3 (Privacy Level)

N SncInit(): found snc/data_protection/min=2, using 2 (Integrity Level)

N SncInit(): found snc/data_protection/use=9, using 3 (Privacy Level)

N SncInit(): found snc/gssapi_lib=C:\WINDOWS\system32\gsskrb5.dll

N File "C:\WINDOWS\system32\gsskrb5.dll" dynamically loaded as GSS-API v2 library.

N *** ERROR => SncPDLInit(): gss_indicate_mechs() failed

N [sncxxdl.0457]*** ERROR => SncPDLInit(()==SNCERR_INIT [sncxxdl.c 452]

N GSS-API(maj): Miscellaneous Failure

N GSS-API(min): Kerberos SSPI not usable with this User account

N STOP! -- initial call to gss_indicate_mechs() failed

M *** ERROR => ErrISetSys: error info too large [err.c 931]

M Wed Oct 08 10:06:29 2008

M LOCATION SAP-Server redback_IDS_11 on host redback (wp 15)

M ERROR GSS-API(maj): Miscellaneous Failure

M GSS-API(min): Kerberos SSPI not usable with this User account

M STOP! -- initial call to gss_indicate_mechs() failed

M TIME Wed Oct 08 10:06:29 2008

M RELEASE 640

M COMPONENT SNC (Secure Network Communication)

M VERSION 5

M RC -1

M MODULE sncxxdl.c

M LINE 452

M DETAIL SncPDLInit(

M SYSTEM CALL gss_indicate_mechs

M ERRNO

M ERRNO TEXT

M DESCR MSG NO

M DESCR VARGS GSS-API(maj): Miscellaneous Failure;;;;

M ;;;;GSS-API(min): Kerberos SSPI not usable with this User account;;;;

M ;;;;STOP! -- initial call to gss_indicate_mechs() failed

M DETAIL MSG N

M DETAIL VARGS

M COUNTER 1

N *** ERROR => SncPDLInit()==SNCERR_INIT, Adapter (#0) C:\WINDOWS\system32\gsskrb5.dll not loaded

N [sncxxdl.0604]<<- ERROR: SncInit()==SNCERR_INIT

N sec_avail = "false"

M ***LOG R19=> ThSncInit, SncInitU ( SNC-000001) [thxxsnc.c 223]

M *** ERROR => ThSncInit: SncInitU (SNCERR_INIT) [thxxsnc.c 225]

M in_ThErrHandle: 1

M *** ERROR => SncInitU (step 1, th_errno 44, action 3, level 1) [thxxhead.c 9461]

I also tried the gsstest and got the following log file...

TEST: acquiring default initiating credentials (simple)

RESULT OK

TEST: acquiring default initiating credentials (query)

RESULT OK

TEST: acquiring initiating credentials (gss_name_t)

RESULT OK

TEST: acquiring initiating credentials (printable name)

RESULT OK

TEST: acquiring initiating credentials (can. printable name)

RESULT OK

TEST: acquiring accepting credentials for target (printable name)

for identity "SAPServiceIDS{at symbol}sscit.com.au"

Status: gss_acquire_cred Acc() == (GSS_S_NO_CRED)

gss_display_status(0x00070000,GSS_S_GSS_CODE) =

"No valid credentials provided (or available)"

gss_display_status(0x1360000d,GSS_S_MECH_CODE) =

"SSPI::AccSctx#1()==Logon attempt failed"

RESULT NOT ok (rc=1)

-


TEST: acquiring accepting credentials for target (can. printable name)

Status: gss_acquire_cred Acc() == (GSS_S_NO_CRED)

gss_display_status(0x00070000,GSS_S_GSS_CODE) =

"No valid credentials provided (or available)"

gss_display_status(0x1360000d,GSS_S_MECH_CODE) =

"SSPI::AccSctx#1()==Logon attempt failed"

RESULT NOT ok (rc=1)

-


Note: I've changed the @'s to {at symbol} to get message posted.

I hope somebody is able to help me progress past this.

Thank you.
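
A triage helper for the two logs quoted in the question, as an added example that is not part of the original post or of SAP's tooling: it pulls out the failing gsstest case and the SNC startup error, and splits the major status into its RFC 2744 fields. The sample text is copied from the logs above (with the blank lines removed); the function names are hypothetical.

```python
import re

# Routine-error names from RFC 2744, in value order 1..18 (bits 16-23 of the major status).
ROUTINE = ("BAD_MECH BAD_NAME BAD_NAMETYPE BAD_BINDINGS BAD_STATUS BAD_SIG NO_CRED "
           "NO_CONTEXT DEFECTIVE_TOKEN DEFECTIVE_CREDENTIAL CREDENTIALS_EXPIRED "
           "CONTEXT_EXPIRED FAILURE BAD_QOP UNAUTHORIZED UNAVAILABLE "
           "DUPLICATE_ELEMENT NAME_NOT_MN").split()

# Sample input: lines copied from the gsstest log and the work-process trace in the post.
SAMPLE = '''\
TEST: acquiring default initiating credentials (simple)
RESULT OK
TEST: acquiring accepting credentials for target (printable name)
gss_display_status(0x00070000,GSS_S_GSS_CODE) =
"No valid credentials provided (or available)"
gss_display_status(0x1360000d,GSS_S_MECH_CODE) =
"SSPI::AccSctx#1()==Logon attempt failed"
RESULT NOT ok (rc=1)
N GSS-API(maj): Miscellaneous Failure
N GSS-API(min): Kerberos SSPI not usable with this User account
N STOP! -- initial call to gss_indicate_mechs() failed
'''

def decode_major(status):
    """Split a GSS-API major status word into its three RFC 2744 fields."""
    routine = (status >> 16) & 0xFF
    name = "GSS_S_" + ROUTINE[routine - 1] if 1 <= routine <= len(ROUTINE) else None
    return {"calling_error": (status >> 24) & 0xFF, "routine_error": name,
            "supplementary": status & 0xFFFF}

def triage(text):
    """Return (failed gsstest cases, SNC startup failure details) found in text."""
    failed, startup, test, codes = [], {}, None, {}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("TEST:"):
            test, codes = line[5:].strip(), {}   # new test case, reset its status codes
        elif m := re.match(r"gss_display_status\((0x[0-9a-fA-F]+),GSS_S_(GSS|MECH)_CODE\)", line):
            codes[m.group(2)] = int(m.group(1), 16)
        elif line.startswith("RESULT NOT ok") and test:
            # The minor (mechanism) code is library-specific, so it is kept raw.
            failed.append({"test": test, "major": decode_major(codes.get("GSS", 0)),
                           "minor": codes.get("MECH")})
        elif m := re.search(r"GSS-API\((maj|min)\): (.+)", line):
            startup[m.group(1)] = m.group(2)
        elif m := re.search(r"initial call to (\w+)\(\) failed", line):
            startup["call"] = m.group(1)
    return failed, startup
```
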
