
SSO - Windows 2008 Domain to RHEL 5.2 Authentication

Former Member
0 Kudos

Hi All

I have been searching for the proper documentation for mapping the SAP users with Windows Domain users, but couldn't get the correct documentation so far. I got one but it was for Windows 2000 from Realtech.

All our SAP Systems run on Red Hat Linux Enterprise 5.2 and all our users are to be mapped from Windows 2008 Domain controller to SAP.

Can anyone please throw some light on how to map the SAP users to Windows users and what the steps are that we need to follow to set up the application server at the Linux level?

We followed the steps to set up the Service Principal Name for the SAP system and the tickets are getting generated. After I enabled the SNC-related profile parameters, the system is not coming up. Below are the profile parameters I have set and the output of the dev_w0 file:

Profile Parameters:

snc/gssapi_lib /usr/lib64/snckrb5.so

snc/identity/as p/krb5:SAPService/linuxlabsrv.domainname@DOMAINNAME SNC identity

snc/enable 1 Use SNC

snc/accept_insecure_cpic 1 Permit CPIC without SNC

snc/accept_insecure_rfc 1 Permit RFC without SNC

snc/accept_insecure_gui 1 Permit SAPGUI connections without SNC

snc/accept_insecure_r3int_rfc 1 Permit internal RFC connections without SNC

snc/data_protection/min 1 Min. protection level 1 (authentication)

snc/data_protection/max 3 Max. protection level 3 (encryption)

snc/data_protection/use 3 Use level of snc/data_protection/max

snc/permit_insecure_start 1 Allow execution of external programs without SNC

dev_w0 Error:

SncInit(): Initializing Secure Network Communication (SNC)

N AMD/Intel x86_64 with Linux (st,ascii,SAP_UC/size_t/void* = 16/64/64)

N SncInit(): found snc/data_protection/max=3, using 3 (Privacy Level)

N SncInit(): found snc/data_protection/min=1, using 1 (Authentication Level)

N SncInit(): found snc/data_protection/use=3, using 3 (Privacy Level)

N SncInit(): found snc/gssapi_lib=/usr/lib64/snckrb5.so

N File "/usr/lib64/snckrb5.so" dynamically loaded as SNC-Adapter.

N The Adapter identifies as:

N External SNC-Adapter (Rev 1.0) to Kerberos 5/GSS-API v2

N SncInit(): found snc/identity/as=p:sapservicedpi

N *** ERROR => SncPAcquireCred()==SNCERR_GSSAPI [sncxxall.c 1432]

N GSS-API(maj): Unspecified GSS failure. Minor code may provide more information

N GSS-API(min): No principal in keytab matches desired name

N Could't acquire ACCEPTING credentials for

N

N name="p:sapservicedpi@domainname"

M *** ERROR => ErrISetSys: error info too large [err.c 944]

M Mon Apr 20 18:03:05 2009

M LOCATION SAP-Server omtr-sap-pi_DPI_00 on host omtr-sap-pi (wp 0)

M ERROR GSS-API(maj): Unspecified GSS failure. Minor code may provi

M GSS-API(min): No principal in keytab matches desired name

M name="p:sapservicedpi@domainname"

M TIME Mon Apr 20 18:03:05 2009

M RELEASE 700

M COMPONENT SNC (Secure Network Communication)

M VERSION 5

==========================================================================

Can someone please throw some light....

Thanks

Sri

Accepted Solutions (0)

Answers (3)

thomas_tancheephong
Participant
0 Kudos

Hi all,

I am getting this error message, can anyone help me on this?

SsfSapSecin: automatic application server initialization for SAPSECULIB

SsfSapSecin: Looking for PSE in database

SsfPseLoad: started...(path=/usr/sap/A01/DVEBMGS01/sec, AS=sapA01, instanceid=01)

SsfPseLoad: Downloading file /usr/sap/A01/DVEBMGS01/sec/SAPSYS.pse (client: , key: SYSPSE, len: 1619)

SsfPseLoad: ended (1 of 1 sucessfully loaded, 1 checked...

MskiCreateLogonTicketCache: Logon Ticket cache created in shared memory.

MskiCreateLogonTicketCache: Logon Ticket cache pointer registered in shared memory.

SncInit(): Initializing Secure Network Communication (SNC)

AMD/Intel x86_64 with Linux (st,ascii,SAP_UC/size_t/void* = 16/64/64)

SncInit(): found snc/data_protection/max=3, using 3 (Privacy Level)

SncInit(): found snc/data_protection/min=1, using 1 (Authentication Level)

SncInit(): found snc/data_protection/use=3, using 3 (Privacy Level)

SncInit(): found snc/gssapi_lib=/usr/lib64/snckrb5.so

File "/usr/lib64/snckrb5.so" dynamically loaded as external SNC-Adapter.

The SNC-Adapter identifies as:

External SNC-Adapter (Rev 1.0) to Kerberos 5/GSS-API v2

SncInit(): found snc/identity/as=p:SAPServiceA01'@'DOMAIN

GSS-API(maj): Miscellaneous failure

GSS-API(min): No principal in keytab matches desired name

Could't acquire ACCEPTING credentials for

name="p:SAPServiceA01'@'DOMAIN"

SncInit(): Fatal -- Accepting Credentials not available!

<<- SncInit()==SNCERR_GSSAPI

sec_avail = "false"

LOG R19=> ThSncInit, SncInitU ( SNC-000004) http://thxxsnc.c 230

ERROR => ThSncInit: SncInitU (SNCERR_GSSAPI) http://thxxsnc.c 232

in_ThErrHandle: 1

ERROR => SncInitU (step 1, th_errno 44, action 3, level 1) http://thxxhead.c 10589

markus_doehr2
Active Contributor
0 Kudos

> Could't acquire ACCEPTING credentials for

> name="p:SAPServiceA01'@'DOMAIN"

> SncInit(): Fatal -- Accepting Credentials not available!

Does your keytab contain the credentials exactly for that User and DOMAIN?

Markus

thomas_tancheephong
Participant
0 Kudos

Hi,

I just regenerated a keytab file from the AD server, but now I am getting an error when I execute kinit -k -t <full-path-to-keytab> <sid>adm/DOMAIN@DOMAIN.

Key table entry not found...

I wonder whether it is an encryption problem or not. If my Windows is 2008 and SAP is on Linux, is there any specification I have to do first?

I have checked Does use Kerberos Authentication, use DES Encryption only

I have no idea on this, hope you can help me on this.

Thanks,

Thomas

markus_doehr2
Active Contributor
0 Kudos

> I just regenerate a keytab file from AD server, but i now i getting an error when i executed kinit -k -t <full-path-to-keytab> <sid>adm/DOMAIN@DOMAIN.

> Key table entry not found...

And you use EXACTLY the same user with the same chars in capitals and non-capitals? Kerberos is very picky about names. "SIDADM" is not the same as "sidadm" is not the same as "SIDadm".

Markus

thomas_tancheephong
Participant
0 Kudos

Hi Markus,

I have made it work, thanks for your explanation.

But I would like to know: is this method supported by SAP?

Thanks,

Regards,

Thomas

Former Member
0 Kudos

Hello

I'm configuring SSO on HP-UX, and I encountered the same errors during SAP instance startup:

" *** ERROR => SncPAcquireCred()==SNCERR_GSSAPI [sncxxall.c 1432]

N GSS-API(maj): Miscellaneous failure

N GSS-API(min): No such file or directory

N Could't acquire ACCEPTING credentials for

N

N name="p:sidadm/domain.com(at)DOMAIN.COM"

N SncInit(): Fatal -- Accepting Credentials not available!

N <<- SncInit()==SNCERR_GSSAPI

N sec_avail = "false"

How did you manage to resolve this problem?

markus_doehr2
Active Contributor
0 Kudos

> I'm configuring SSO on HP-UX, and i encountered the same errors during SAP instance startup:

>

> " *** ERROR => SncPAcquireCred()==SNCERR_GSSAPI [sncxxall.c 1432]

> N GSS-API(maj): Miscellaneous failure

> N GSS-API(min): No such file or directory

> N Could't acquire ACCEPTING credentials for

> N

Did you create a keytab with "ktpass.exe" on your Windows DC and copy that to the system?

Markus

Former Member
0 Kudos

Resolving the thread, as we bought the third-party tool for the same.

markus_doehr2
Active Contributor
0 Kudos

> N SncInit(): found snc/identity/as=p:sapservicedpi

> N *** ERROR => SncPAcquireCred()==SNCERR_GSSAPI [sncxxall.c 1432]

> N GSS-API(maj): Unspecified GSS failure. Minor code may provide more information

> N GSS-API(min): No principal in keytab matches desired name

> N Could't acquire ACCEPTING credentials for

> N

> N name="p:sapservicedpi@domainname"

You have to generate a Kerberos ticket on your Windows DC and copy that to the Linux box, e. g.

ktpass -princ <sid>adm/<DOMAIN>@<DOMAIN> -mapuser <sid>adm -pass <password> -out <filename>.keytab -kvno 1

Copy then the "<filename>.keytab" to the Linux box.

Then execute once

kinit -k -t <full-path-to-keytab> <sid>adm/DOMAIN@DOMAIN

Check with

klist

if the ticket is accepted.

Create a cron job for user <sid>adm which runs every hour once to update the ticket.

Then restart your instance.

Markus

Former Member
0 Kudos

Hi Markus

Thank you so much for the inputs, we have created the keytab file from DC with the following options.

-


setspn -A sapservicedpi/FQDN ORM\sapservicedpi

ktpass.exe -princ sapservicedpi/domain@DOMAIN -mapuser ORM\dpiadm -crypto DES-CBC-MD5 -ptype KRB5_NT_PRINCIPAL -mapop set +desonly -pass master00 -out dpi.keytab

-


after we copied the file to linux and did the kinit, now the output of the command klist as below:

-


login as: root

root@10.12.7.65's password:

Last login: Mon Apr 20 19:02:05 2009 from 10.12.30.11

[root@omtr-sap-pi ~]# klist

Ticket cache: FILE:/tmp/krb5cc_0

Default principal: sapservicedpi@DOMAIN

Valid starting Expires Service principal

04/20/09 16:08:32 04/21/09 02:08:38 krbtgt/DOMAIN@DOMAIN

renew until 04/22/09 16:08:32

Kerberos 4 ticket cache: /tmp/tkt0

klist: You have no tickets cached

-


Is this the correct process of generating the ticket? I also wanted to try the command you suggested in the reply.

Thanks again for the reply

Regards

Sri

markus_doehr2
Active Contributor
0 Kudos

> after we copied the file to linux and did the kinit, now the output of the command klist as below:

You need to do the kinit with the user the ticket is assigned to - so not as root but as <sid>adm.

> Is this the correct process of generating the ticket? and I also wanted to try the command you suggested in the reply.

Yes - looks good!

That ticket is only valid for the lifetime of the ticket, that's why it's necessary to create a cron job for <sid>adm who does that before the ticket expires.

Looks all good to me.

Now you should be able to start the system with SNC enabled.

Markus

Former Member
0 Kudos

Markus, right now the ticket is getting generated and the output of klist is already posted. Now when I am trying to enable the SNC profile parameter the system is not coming up, and the dev_w0 output is as below (same error):

-


profile parameters in the system

snc/enable = 1

snc/identity/as = p/krb5:sapservicedpi/fqdn@DOMAIN

snc/gssapi_lib = /usr/lib64/snckrb5.so

-


dev_w0

B rule_fae->0, concat_fae->0, concat_fae_or->0

N SncInit(): Initializing Secure Network Communication (SNC)

N AMD/Intel x86_64 with Linux (st,ascii,SAP_UC/size_t/void* = 16/64/64)

N SncInit(): found snc/data_protection/max=3, using 3 (Privacy Level)

N SncInit(): found snc/data_protection/min=1, using 1 (Authentication Level)

N SncInit(): found snc/data_protection/use=3, using 3 (Privacy Level)

N SncInit(): found snc/gssapi_lib=/usr/lib64/snckrb5.so

N File "/usr/lib64/snckrb5.so" dynamically loaded as SNC-Adapter.

N The Adapter identifies as:

N External SNC-Adapter (Rev 1.0) to Kerberos 5/GSS-API v2

N SncInit(): found snc/identity/as=p:sapservicedpi

N *** ERROR => SncPAcquireCred()==SNCERR_GSSAPI [sncxxall.c 1432]

N GSS-API(maj): Unspecified GSS failure. Minor code may provide more information

N GSS-API(min): No principal in keytab matches desired name

N Could't acquire ACCEPTING credentials for

N

N name="p/krb5:sapservicedpi/fqdn@DOMAIN"

M *** ERROR => ErrISetSys: error info too large [err.c 944]

-


Can you please take a look

Thanks

Sri

markus_doehr2
Active Contributor
0 Kudos

> snc/identity/as = p/krb5:sapservicedpi/fqdn@DOMAIN

We use:

snc/identity/as p:<sid>adm/DOMAIN@DOMAIN

I don't know why the Realtech documentation uses p/krb5 (AFAIK Kerberos IV was never supported and working).

Markus

brian_walker
Active Participant
0 Kudos

This topic was already covered in this SDN Forums thread:

Brian

Edited by: Brian Walker on Apr 21, 2009 5:33 PM

Former Member
0 Kudos

Markus

Just changed the profile parameter and did an instance restart, it's hanging again with the same error:

-


SncInit(): found snc/gssapi_lib=/usr/lib64/snckrb5.so

N File "/usr/lib64/snckrb5.so" dynamically loaded as SNC-Adapter.

N The Adapter identifies as:

N External SNC-Adapter (Rev 1.0) to Kerberos 5/GSS-API v2

N SncInit(): found snc/identity/as=p:dpiadm/DOMAIN@DOMAIN

N *** ERROR => SncPAcquireCred()==SNCERR_GSSAPI [sncxxall.c 1432]

N GSS-API(maj): Unspecified GSS failure. Minor code may provide more information

N GSS-API(min): No principal in keytab matches desired name

N Could't acquire ACCEPTING credentials for

N

N name="p:dpiadm/DOMAIN@DOMAIN"

M *** ERROR => ErrISetSys: error info too large [err.c 944]

-


What would be other things I need to check?

Thanks

Sri

brian_walker
Active Participant
0 Kudos

Unless Windows 2008 does something different than Windows 2003, we never used a /DOMAIN. Our principals in the SAP profile parameters look like:

p:sidadm@DOMAIN and not p:sidadm/DOMAIN@DOMAIN

If you look at the docs in the thread I referenced, you'll also want to schedule a cron job to run kinit again every 4 hours.

Brian

markus_doehr2
Active Contributor
0 Kudos

We use

N  SncInit():   found snc/identity/as=p:<sid>adm/<DOMAIN>@<DOMAIN>
N  SncInit(): Accepting  Credentials available, lifetime=Indefinite
N  SncInit(): Initiating Credentials available, lifetime=Expired

The error message suggests the identity is not the same as in the generated keytab.

So if you generated

> ktpass.exe -princ sapservicedpi/domain@DOMAIN...

then I would suggest using here the same "sapservicedpi/domain@DOMAIN".

Markus

Former Member
0 Kudos

Srikar,

Are you using sidadm or sapservicesid as the service user?

Did you run setspn for sidadm as well? I can see that you have been using sapservicesid previously.

Thanks

David

Former Member
0 Kudos

Thanks Brian & David for the inputs.

Markus, even when I am using the format "sapservicedpi/domain@DOMAIN" in the profile parameters I am getting the same error.

Next step can I try creating the new keytab file with the format below:

ktpass -princ <sid>adm/<DOMAIN>@<DOMAIN> -mapuser <sid>adm -pass <password> -out <filename>.keytab -kvno 1

David I think we just created the keytab file only for serviceuser.

Thanks

Sri

Former Member
0 Kudos

In continuation of my previous reply, please see below the result of ktutil. I think we are making progress; now the error is different:

-


[root@omtr-sap-pi work]# klist

Ticket cache: FILE:/tmp/krb5cc_0

Default principal: sapservicedpi @ XXX.XXXXXXXXX .COM

Valid starting Expires Service principal

04/20/09 16:08:32 04/21/09 02:08:38 krbtgt/XXX.XXXXXXXX.COM @ XXX.XXXXXXXX .COM

renew until 04/22/09 16:08:32

Kerberos 4 ticket cache: /tmp/tkt0

klist: You have no tickets cached

[root@omtr-sap-pi work]# ktinit

-bash: ktinit: command not found

[root@omtr-sap-pi work]# kinit

Password for sapservicedpi @ XXX.XXXXXXXX .COM:

[root@omtr-sap-pi work]# ktutil

ktutil: rkt /etc/krb5.keytab

ktutil: list

slot KVNO Principal

---- ---- ---------------------------------------------------------------------

1 2 sapservicedpi/host.xxx.xxxxxxxx .com @ XXX.XXXXXXXX .COM

ktutil:

-


After I got the correct keytab identity I have changed the profile parameter snc/identity/as to "sapservicedpi/host.xxx.xxxxxxxx .com @ XXX.XXXXXXXX .COM" and restarted the instance. Now the error in the dev_w0 changed, please see below:

-


SncInit(): found snc/data_protection/max=3, using 3 (Privacy Level)

N SncInit(): found snc/data_protection/min=1, using 1 (Authentication Level)

N SncInit(): found snc/data_protection/use=3, using 3 (Privacy Level)

N SncInit(): found snc/gssapi_lib=/usr/lib64/snckrb5.so

N File "/usr/lib64/snckrb5.so" dynamically loaded as SNC-Adapter.

N The Adapter identifies as:

N External SNC-Adapter (Rev 1.0) to Kerberos 5/GSS-API v2

N SncInit(): found snc/identity/as=p:sapservicedpi/host.xxx.xxxxxxxx .com @ XXX.XXXXXXXX .COM

N SncInit(): Accepting Credentials available, lifetime=Indefinite

N *** ERROR => SncPAcquireCred()==SNCERR_GSSAPI [sncxxall.c 1432]

N GSS-API(maj): Unspecified GSS failure. Minor code may provide more in formation

N GSS-API(min): Unknown code krb5 195

N Could't acquire INITIATING credentials for

N

N name="p:sapservicedpi/host.xxx.xxxxxxxx .com @ XXX.XXXXXXXX .COM"

M *** ERROR => ErrISetSys: error info too large [err.c 944]

-


Now I am getting the error "GSS-API(min): Unknown code krb5 195".

What would be wrong now?

Thanks

Sri

Former Member
0 Kudos

As Markus mentioned,

"You need to do the kinit with the user the ticket is assigned to - so not as root but as <sid>adm."

markus_doehr2
Active Contributor
0 Kudos

Just a thought:

did you configure the system to be a Kerberos client before you started all the other stuff? (/etc/krb5.conf)

Markus

Former Member
0 Kudos

Yes Markus here is the file:

-


[logging]

default = FILE:/var/log/krb5libs.log

kdc = FILE:/var/log/krb5kdc.log

admin_server = FILE:/var/log/kadmind.log

[libdefaults]

default_realm = XXX.XXXXXXXXXX.COM

dns_lookup_realm = true

dns_lookup_kdc = true

ticket_lifetime = 48h

forwardable = yes

[realms]

XXX.XXXXXXXX.COM = {

kdc = <ldapservername>:88

admin_server = <ldapservername>:749

kpasswd_server = <ldapservername>

}

[domain_realm]

.xxx.xxxxxxxxx.com = XXX.XXXXXXXXXX.COM

xxx.xxxxxxxxx.com = XXX.XXXXXXXXXX.COM

[appdefaults]

pam = {

debug = false

ticket_lifetime = 90000

renew_lifetime = 90000

forwardable = true

krb4_convert = false

-


Thanks

Sri

markus_doehr2
Active Contributor
0 Kudos

> Yes Markus here is the file:

Ok!

Kerberos is VERY VERY picky about authorization specifications with/without capitalization. Make sure you enter the same domain in the exactly same manner in the keytab, krb5.conf and in the profile. So using one time IP and the other time a domain will not work.

Markus
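Added example, not part of the original thread and not SAP or MIT Kerberos code: a small shell check for the mismatch behind "No principal in keytab matches desired name". It compares the principal in snc/identity/as, byte for byte, with the principals in `klist -k` output. The function names, the sample listing and the `example.com` names are constructed for illustration; the `p:` and `p/krb5:` prefixes are the two forms that appear in this thread.

```shell
#!/bin/sh
# Added example: does the snc/identity/as principal exist, exactly as written,
# in the keytab? Kerberos principal names are compared case-sensitively.

# Constructed sample of plain `klist -k <keytab>` output (MIT Kerberos layout).
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 sapservicedpi/host.example.com@EXAMPLE.COM'

# Strip the SNC name prefix ("p:" or "p/krb5:") from a snc/identity/as value.
snc_principal() (
    v=$1
    v=${v#p/krb5:}
    v=${v#p:}
    printf '%s\n' "$v"
)

# Read `klist -k` (or `klist -ke`) output on stdin and print the principals.
# Data lines start with a numeric KVNO; header and ruler lines are skipped.
# Not valid for `klist -kt`, where a timestamp precedes the principal.
keytab_principals() {
    awk '$1 ~ /^[0-9]+$/ && NF >= 2 { print $2 }' | sort -u
}

lower() { printf '%s' "$1" | tr '[:upper:]' '[:lower:]'; }

# check_snc_identity <snc/identity/as value> <klist -k output>
# Prints one verdict:
#   MATCH          exact, case-sensitive match found in the keytab
#   CASE_MISMATCH  a keytab entry differs only in upper/lower case
#   NO_MATCH       no comparable entry; regenerate the keytab or fix the profile
check_snc_identity() (
    set -f                                  # principals are data, never globs
    want=$(snc_principal "$1")
    want_lc=$(lower "$want")
    verdict=NO_MATCH
    for p in $(printf '%s\n' "$2" | keytab_principals); do
        if [ "$p" = "$want" ]; then
            verdict=MATCH
            break
        fi
        if [ "$(lower "$p")" = "$want_lc" ]; then
            verdict=CASE_MISMATCH
        fi
    done
    printf '%s\n' "$verdict"
)

# Demo on the constructed listing: three identities of the kinds tried above.
for id in \
    'p:dpiadm/EXAMPLE.COM@EXAMPLE.COM' \
    'p:SAPServiceDPI/host.example.com@EXAMPLE.COM' \
    'p/krb5:sapservicedpi/host.example.com@EXAMPLE.COM'
do
    printf '%-55s %s\n' "$id" "$(check_snc_identity "$id" "$SAMPLE_KLIST")"
done
```

On a real system, pass the value from the instance profile and the output of `klist -k` for the keytab the instance user reads, run as that user.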

markus_doehr2
Active Contributor
0 Kudos

Just to add:

At the time I was trying that the first time, I was not able to use the Kerberos libraries from the OS vendors, none of them worked (SuSE SLES 10 without SP, Solaris 10, HP-UX), I had to compile Kerberos myself (MIT and Heimdal implementation worked, we currently use the MIT one) and link against those.

Markus

Former Member
0 Kudos

Hi Markus,

I am working with Srikar on this problem.

I am also wondering about the "setspn" step.

Do we need to execute the setspn command on the domain controller?

example: setspn -A sidadm/host.domain SHORT\sidadm

Thanks,

Steve

Former Member
0 Kudos

Markus/Brian

Good news, we got the SNC enabled finally, see the dev_w0 output:

-


N SncInit(): Initializing Secure Network Communication (SNC)

N AMD/Intel x86_64 with Linux (st,ascii,SAP_UC/size_t/void* = 16/64/64)

N SncInit(): found snc/data_protection/max=3, using 3 (Privacy Level)

N SncInit(): found snc/data_protection/min=1, using 1 (Authentication Level)

N SncInit(): found snc/data_protection/use=3, using 3 (Privacy Level)

N SncInit(): found snc/gssapi_lib=/usr/lib64/snckrb5.so

N File "/usr/lib64/snckrb5.so" dynamically loaded as SNC-Adapter.

N The Adapter identifies as:

N External SNC-Adapter (Rev 1.0) to Kerberos 5/GSS-API v2

N SncInit(): found snc/identity/as=p:sncsap @ XXX.XXXXXXXX.COM

N SncInit(): Accepting Credentials available, lifetime=Indefinite

N SncInit(): Initiating Credentials available, lifetime=09h 09m 10s

M ***LOG R1Q=> 1& [thxxsnc.c 259]

M SNC (Secure Network Communication) enabled

M CCMS: AlInitGlobals : alert/use_sema_lock = TRUE.

-


Now the next step, enabling the SNC tab in SAP GUI. I have entered the below in the tab "Network -> Checked the option "Activate Secure Network Connection" -> in SNC Name -> "p:sncsap @XXX.XXXXXXXX.COM""

When I am trying to login through GUI I am getting the following error:

SAP System Message

Secured Network Layer (SNC) error

I have already copied the "gssntlm.dll" file from the SNC Adapter ZIP file from SAP into the client machine's system32 folder and renamed it as "sncgss32.dll"

Are there any steps I am missing? Please let us know.

Regards

Sri

brian_walker
Active Participant
0 Kudos

Please click on the details when you get the error message and post the information contained there.

Brian

Former Member
0 Kudos

Brian

I am just getting the popup when I try to login to the system from GUI with the below error in popup:

SAP System Message

Secured Network Layer (SNC) error

Is there anywhere we can find the error in detail?

Thanks

Sri

brian_walker
Active Participant
0 Kudos

Is there not a button or something to look at a more detailed error message? The most common errors are that you have the principal wrong in the SAPGUI SNC tab (this should match the snc/identity/as), you don't have a Kerberos ticket issued from the domain controller (we usually lock and unlock our PC), or there is a >5 minute difference between the SAP server and the computer running SAPGUI (Kerberos is finicky about time differences when comparing ticket validity).

Brian

markus_doehr2
Active Contributor
0 Kudos

> Now the next step, enabling the SNC tab in SAP GUI. I have entered the below in the tab "Network -> Checked the option "Activate Secure Network Connection" -> in SNC Name -> "p:sncsap @XXX.XXXXXXXX.COM""

>

> When I am trying to login through GUI I am getting the following error:

>

> SAP System Message

> Secured Network Layer (SNC) error

>

> I have already copied the "gssntlm.dll" file from SNC Adapater ZIP file from SAP into client machine system32 folder and renamed it as "sncgss32.dll"

Try to set the environment variable

SNC_LIB <path-to-sncgss.dll>

for that user or a system variable.

Log off the machine and log on, open a cmd.exe and check with "set s" if the variable is set. Then try to start SAPGUI again.

Markus

Former Member
0 Kudos

Hi Brian/Markus

Thanks for all the help so far, I think I am very close to this SSO. As you guys mentioned I have done the following checks:

1. Network tab entry in SAP GUI is same as the entry in profile parameter "snc/identity/as"

2. SNC_LIB environment variable is set "SNC_LIB=C:\WINDOWS\system32\sncgss32.dll" (output from set -s)

3. Time is same in both the SAP App Server and Windows Client as both of them are synchronized to the Server

4. I can see in the SNC tab in SU01 " SNC is active on this application server" and " Canonical name determined" and tried entering "p:sncsap @XXX.XXXXXXXX.COM" and "p:fname.lname @XXX.XXXXXXXX.COM" and some other different options

5. I have checked in the klist -k, the server is having the Valid Ticket

But finally when I am trying to login through SAP GUI, I am getting the same error as mentioned in the last post

Can you please let me know is there anything I am missing out here ?

Thanks

Sri

brian_walker
Active Participant
0 Kudos

You'll want to download the kerbtray tool from Microsoft to look at your Kerberos ticket on your Windows workstation. This will show you what your principal is. For us, on the SNC tab of SU01 we enter p:<USERNAME>@MILLIKEN.COM

Both the username and the domain need to be capitalized for us. The information from kerbtray will help.

I don't believe the SNC error you're seeing when you start SAPGUI is related to the SU01 data though. Normally you'd get an error that says that your kerberos identity is not known in any of the clients in the SAP system.

As regards system time, we had some problems where some users had manually set their time instead of letting the Windows regional settings handle it. The time comparison is done with UTC, so both the SAP server and the local workstation's time are converted to UTC and then compared. Even though the times look the same, they can be different when converted to UTC.

There should be some more detailed information available in SAPGUI besides the generic SNC error.

Brian

Former Member
0 Kudos

Brian

I have installed kerbtray and I can see the Kerberos tickets. In the first line, under "Client Principal", it shows "fname.lname @XXX.XXXXXXXX.COM", and I can even see some more under that, e.g. "krbtgt/XXX.XXXXXXXX.COM". I have entered the same "fname.lname @XXX.XXXXXXXX.COM" in the SU01 SNC tab, but still get the same error.

Any inputs please ?

Thanks

Sri

In continuation, I was just looking at the dev_w0 file after the start of the server and found this ERROR. Does this error make any sense?

-


X Thu Apr 23 17:04:05 2009

X *** ERROR => EmActiveData: Invalid Context Handle -1 [emxx.c 2214]

X *** ERROR => EmActiveData: Invalid Context Handle -1 [emxx.c 2214]

X *** ERROR => EmActiveData: Invalid Context Handle -1 [emxx.c 2214]

X

X Thu Apr 23 17:05:05 2009

X *** ERROR => EmActiveData: Invalid Context Handle -1 [emxx.c 2214]

X *** ERROR => EmActiveData: Invalid Context Handle -1 [emxx.c 2214]

N

N Thu Apr 23 17:05:24 2009

N *** ERROR => SncPEstablishContext()==SNCERR_GSSAPI [sncxxall.c 3352]

N GSS-API(maj): An unsupported mechanism was requested

N Unable to establish the security context

N <<- SncProcessInput()==SNCERR_GSSAPI

M *** ERROR => ThSncIn: SncProcessInput (SNCERR_GSSAPI) [thxxsnc.c 976]

M *** ERROR => ThSncIn: SncProcessInput [thxxsnc.c 981]

M in_ThErrHandle: 1

M *** ERROR => ThSncIn: SncProcessInput (step 4, th_errno 44, action 1, level 1) [thxxhead.c 10534]

-


Edited by: Srikar Vankadaru on Apr 24, 2009 1:09 AM

markus_doehr2
Active Contributor
0 Kudos

I'm not sure, this may be because of the explicit DES encryption you gave.

I used

http://osdir.com/ml/encryption.kerberos.general/2004-11/msg00007.html

and followed those steps (slightly adapted to Windows 2003).

And: did you enter the principal also in the SAPGUI itself (in the logon entry)?

Markus

Former Member
0 Kudos

I have entered the principal name in the network tab in the SAP GUI

Still facing the same error. Is there anything that we need to do with sncgss32.dll in the windows32 folder of the client system?