SNC startup error - Kerberos SSPI not usable with...

Former Member · ‎05-19-2009

Hi ,

We have the sap BW system (win2003 X64-bit ) u2013 VB0.

We just added this server to a new Active directory & I created a new user vb0adm on the Active directory server.

I am trying to start the SNC on this SAP server , but unable to start .

I am keep getting error - "Kerberos SSPI not usable with this User account"

Here is the info

The added instance profile parameters

snc/enable = 1

snc/gssapi_lib = c:\WINDOWS\system32\gx64krb5.dll

snc/identity/as = p:vb0adm@BOBJ

part of DEV_W0 contents :

-

M SecAudit(RsauShmInit): number of slots requested = 2

M SecAudit(RsauShmInit): number of slots used..... = 2

M SecAudit(RsauShmInit): user selection........... = 0

M SecAudit(RsauShmInit): max size of one file..... = 0 KB

M SecAudit(RsauShmInit): max size of all files.... = 102400 KB

M SecAudit(RsauGetCurrentProfile): Init of shared memory completed

M SecAudit(RsauGetCurrentProfile): Security Audit Log not active

M SsfSapSecin: automatic application server initialization for SAPSECULIB

N SsfSapSecin: Looking for PSE in database

N SsfPseLoad: started...(path=C:\usr\sap\VB0\DVEBMGS00\sec, AS=sapv-biw700, instanceid=00)

N SsfPseLoad: Downloading file C:\usr\sap\VB0\DVEBMGS00\sec (client: , key: 151435, len: 9588)

N SsfPseLoadFile: Couldn't open file C:\usr\sap\VB0\DVEBMGS00\sec: Permission denied

N SsfPseLoad: Downloading file C:\usr\sap\VB0\DVEBMGS00\sec\SAPSYS.pse (client: , key: SYSPSE, len: 9463)

N SsfPseLoad: ended (1 of 2 sucessfully loaded, 2 checked...

N MskiCreateLogonTicketCache: Logon Ticket cache created in shared memory.

N MskiCreateLogonTicketCache: Logon Ticket cache pointer registered in shared memory.

N

N Tue May 19 15:28:46 2009

N SncInit(): Initializing Secure Network Communication (SNC)

N PC with Windows NT (mt,ascii,SAP_UC/size_t/void* = 16/64/64)

N SncInit(): found snc/data_protection/max=3, using 3 (Privacy Level)

N SncInit(): found snc/data_protection/min=2, using 2 (Integrity Level)

N SncInit(): found snc/data_protection/use=9, using 3 (Privacy Level)

N SncInit(): found snc/gssapi_lib=c:\WINDOWS\system32\gx64krb5.dll

N File "c:\WINDOWS\system32\gx64krb5.dll" dynamically loaded as GSS-API v2 library.

N *** ERROR => SncPDLInit(): gss_indicate_mechs() failed

N [sncxxdl.0457]*** ERROR => SncPDLInit(()==SNCERR_INIT [sncxxdl.c 452]

N GSS-API(maj): Miscellaneous Failure

N GSS-API(min): Kerberos SSPI not usable with this User account

N STOP! -- initial call to gss_indicate_mechs() failed

M *** ERROR => ErrISetSys: error info too large [err.c 969]

M Tue May 19 15:28:46 2009

M LOCATION SAP-Server sapv-biw700_VB0_00 on host sapv-biw700 (wp 0)

M ERROR GSS-API(maj): Miscellaneous Failure

M GSS-API(min): Kerberos SSPI not usable with this User account

M STOP! -- initial call to gss_indicate_mechs() failed

M TIME Tue May 19 15:28:46 2009

M RELEASE 700

M COMPONENT SNC (Secure Network Communication)

M VERSION 5

M RC -1

M MODULE sncxxdl.c

M LINE 452

M DETAIL SncPDLInit(

M SYSTEM CALL gss_indicate_mechs

M ERRNO

M ERRNO TEXT

M DESCR MSG NO

M DESCR VARGS GSS-API(maj): Miscellaneous Failure;;;;

M ;;;;GSS-API(min): Kerberos SSPI not usable with this User account;;;;

M ;;;;STOP! -- initial call to gss_indicate_mechs() failed

M DETAIL MSG N

M DETAIL VARGS

M COUNTER 1

N *** ERROR => SncPDLInit()==SNCERR_INIT, Adapter (#0) c:\WINDOWS\system32\gx64krb5.dll not loaded

N [sncxxdl.0604]<<- ERROR: SncInit()==SNCERR_INIT

N sec_avail = "false"

M ***LOG R19=> ThSncInit, SncInitU ( SNC-000001) [thxxsnc.c 230]

M *** ERROR => ThSncInit: SncInitU (SNCERR_INIT) [thxxsnc.c 232]

M in_ThErrHandle: 1

M *** ERROR => SncInitU (step 1, th_errno 44, action 3, level 1) [thxxhead.c 10524]

M

M Info for wp 0

M

M pid = 3284

M severity = 0

M status = 0

M stat = WP_RUN

M waiting_for = NO_WAITING

M reqtype = DP_RQ_DIAWP

M act_reqtype = NO_REQTYPE

M rq_info = 0

M tid = -1

M mode = 255

M len = -1

M rq_id = 65535

M rq_source =

M last_tid = 0

M last_mode = 0

M semaphore = 0

M act_cs_count = 0

M csTrack = 0

M csTrackRwExcl = 0

M csTrackRwShrd = 0

M mode_cleaned_counter = 0

M control_flag = 0

M int_checked_resource(RFC) = 0

M ext_checked_resource(RFC) = 0

M int_checked_resource(HTTP) = 0

M ext_checked_resource(HTTP) = 0

M report = > <

M action = 0

M tab_name = > <

M attachedVm = no VM

M PfStatDisconnect: disconnect statistics

M Entering TH_CALLHOOKS

M ThCallHooks: call hook >SAP-Trace buffer write< for event BEFORE_DUMP

M TrThHookFunc: called for WP dump

M ThCallHooks: call hook >ThrSaveSPAFields< for event BEFORE_DUMP

M *** ERROR => ThrSaveSPAFields: no valid thr_wpadm [thxxrun1.c 723]

M *** ERROR => ThCallHooks: event handler ThrSaveSPAFields for event BEFORE_DUMP failed [thxxtool3.c 261]

M ThCallHooks: call hook >BtcCallLgCl< for event BEFORE_DUMP

M Entering ThSetStatError

M ThIErrHandle: do not call ThrCoreInfo (no_core_info=0, in_dynp_env=0)

M Entering ThReadDetachMode

M call ThrShutDown (1)...

M ***LOG Q02=> wp_halt, WPStop (Workproc 0 3284) [dpnttool.c 333]

Thanks in advance.

VB

Former Member · ‎05-20-2009

Additional info -

Our SAP system was installed with local installation. Now we hooked up to domain .

Lot of groups & users are not exist on the new domain.

1. We created the user - <SID>ADM in Active Directory now.

2. we kept the Kerberos files on the SAP system.

3. Created the SNC on the AD server

When we started the SAP system with SNC parameters , we are getting this error now .

"Kerberos SSPI not usable with this User account"

Former Member · ‎05-26-2009

I am able to fix the error now . Hope this might help, if someone get the similar issue.

the issue is that , due SNC parameters setup, SAP is expecting services under domain account.

However we initially did the local install & (added to the domain later) & all the SAP services are starting with local user .

When we changed local (Services runnong with local accounts) to domain insatll (services running under domain accounts) , I am able to start the SAP in SNC mode.

Please note SAP does not support changing the local to domain install , with out a system copy .

we did this in testing environment . So Please perform domain install to begin with , if you want to do this in Windows .

Former Member · ‎05-21-2009

Please try to avoid posting long log files - the system will remove the formatting if it is too long (2500 characters).

Only post the relevant part of the log after having read it.

Cheers,

Julius

Former Member · ‎12-11-2012

I tried pointing the gssapi to sapcrypto.dll and mine was active, but I had issues while logging from SApGui and it gave me the SSPi error

ncInit(): Initializing Secure Network Communication (SNC)

N PC with Windows NT (mt,ascii,SAP_UC/size_t/void* = 8/32/32)

N SncInit(): found snc/data_protection/max=3, using 3 (Privacy Level)

N SncInit(): found snc/data_protection/min=2, using 2 (Integrity Level)

N SncInit(): found snc/data_protection/use=9, using 3 (Privacy Level)

N SncInit(): found snc/gssapi_lib=F:\usr\sap\QA1\SYS\exe\nuc\NTI386\sapcrypto.dll

N File "F:\usr\sap\QA1\SYS\exe\nuc\NTI386\sapcrypto.dll" dynamically loaded as GSS-API v2 library.

N The internal Adapter for the loaded GSS-API mechanism identifies as:

N Internal SNC-Adapter (Rev 1.0) to SECUDE 5/GSS-API v2

N SncInit(): found snc/identity/as=p:CN=SAPServicePRD, OU=test, O=mySAP.com Workplace, C=DE

N SncInit(): Accepting Credentials available, lifetime=219625h 26m 35s

N SncInit(): Initiating Credentials available, lifetime=219625h 26m 35s

p190355 · ‎01-21-2021

have the same issue. Can you share what was done to resolve this issue?

SNC startup error - Kerberos SSPI not usable with this User account