Application Development Discussions
Does gsskrb5 cache the kerberos ticket?

Former Member
0 Kudos

Hi All,

We have a service that connects to an SAP system with SNC (Kerberos authentication).

It runs fine when we use a single user. If multiple users are used:

e.g. Step 1: Request to SAP by User A -> Succeeds

Step 2: Request to SAP by User B -> Fails

Step 3: Request to SAP by User A -> Succeeds

Step 4: Restart the process

Step 5: Request to SAP by User B -> Succeeds

Step 6: Request to SAP by User A -> Fails

Library used:

SAP RFC Unicode Libraries 7.11/7.0

Kerberos Dll from SAP version 1.09 (gx64krb5.dll for X64 and gsskrb5.dll for X86)

Error Details:

ErrorCode=RFC_OK.

ErrorGroup=RFC_ERROR_COMMUNICATION.

SapErrorMessage=SAP_CMINIT3 : rc=20 > Connect to SAP gateway failed Connect_PM GWHOST=SapServer.Domain.com, GWSERV=sapgw00, SYSNR=00 LOCATION CPIC (TCP/IP) on local host with Unicode ERROR SNCERR_GSSAPI TIME Sun Jun 28 15:49:36 200 RELEASE 711 COMPONENT SNC (Secure Network Communication) VERSION 5 RC -4 DETAIL An operation failed at the GSS-API level COUNTER 6.

I am wondering if gsskrb5 caches the Kerberos ticket, which could be the reason for this behavior.

My question is:

1. Does gsskrb5 cache the user principal name/Kerberos ticket?

2. If yes, is there a way to specify not to cache the data?

Any help would be greatly appreciated.

Thanks,

Jeevitha

1 ACCEPTED SOLUTION

WolfgangJanzen
Product and Topic Expert
0 Kudos

>

> Hi All,

>

> We have a service that connects to Sap system with SNC(Kerberos authentication).

>

> Thanks,

> Jeevitha

What kind of "service" is this?

To me this sounds like a server component rather than a client component.

In that case, please have a look at [another thread|; where this has been discussed.

Regarding the SNC libraries provided by SAP: take a look at [SAP Note 352295|https://service.sap.com/sap/support/notes/352295].

19 REPLIES

tim_alsop
Active Contributor
0 Kudos

Hi,

All implementations of Kerberos use a credentials cache to store tickets. This is not done by the SAP supplied GSS library, but by the Windows Kerberos code in operating systems.

You need to look at how you are switching users, since it should be possible for user A to log on and get credentials which will be cached, and when user B logs on, the credentials for user B should be stored in the cache instead of user A's. If you can provide more details of how you switch between users I might be able to help; otherwise you need to talk to Microsoft.

Thanks,

Tim

Former Member
0 Kudos

Thanks a lot for your quick response.

My SAP connectivity part runs as a service in IIS.

When a client makes a call to the service:

1. It impersonates the client

2. Opens an RFC connection

3. Makes the RFC call

4. Closes the connection

I have tried a simple C++ program that does the same thing:

1. Impersonate User1

2. Open a connection and make an RFC call - Succeeds

3. Close the connection and revert to self

4. Repeat steps 1-3 for User2 - Fails

5. Repeat steps 1-3 for User1 - Succeeds

5. Repeat steps 1-3, for User1 - Succeeds

I was using SNC with gssntlm. And I am getting "Connection closed without message (CM_NO_DATA_RECEIVED)" error message.

Any help/suggestions would be greatly appreciated.

Thanks,

Jeevitha

Former Member
0 Kudos

Hi,

Can you please check the following OSS note?

Note 753797 - ITS: SAPCRYPTO Admin, Connection Maintenance, SNC test fails

Thanks,

Sridhar

tim_alsop
Active Contributor
0 Kudos

Jeevitha,

When your service impersonates the client, the user/client needs to be a domain user account, so that the Kerberos credentials cache on IIS for the session contains the user's TGT. This will also require that the Windows Server running IIS is joined to your AD domain.

You mention that you are using gssntlm - this concerns me because NTLM is not the same as Kerberos. You need to use an SNC library which supports the Kerberos protocol.

I have set up a very similar environment to yours and was able to get end-to-end authentication of users. E.g. a user logs on at a workstation, they open a web browser to access an application on the IIS server (e.g. a .NET application) and the .NET application uses the SAP .NET connector (not called this anymore) to communicate with the back-end SAP system via SAP RFC. This works as required and the RFC connection is authenticated and secured using SNC and using the credentials of the user at the workstation where the browser is running.

Thanks,

Tim

Former Member
0 Kudos

Thanks for your support.

As you specified, the client and the server running IIS are Windows users. As I have already mentioned, my solution works fine with a single user. The problem only appears when I switch between different users (in the same process).

To simplify the scenario, I excluded IIS from the picture and wrote a C++ program to do the impersonation and switch between different users. Again, it works for the first user, whereas it throws an exception for subsequent users.

And for this scenario, I made use of the gssntlm DLL, since I don't have an SAP system configured for Kerberos authentication to test.

One more related question:

When one of our partners hit the same issue, it seems they got the following response from SAP:

"gsskrb5.dll and more importantly SNC within SAP communication libraries such as librfc32.dll does NOT support the Microsoft impersonation model, it assumes and relies on a process-global identity. It is impossible to use more than one thread-local impersonation at a time (within the same process) for SNC-based SSO authentication into SAP AppServers"

If the above is true, it is impossible for me to impersonate users in the service, since I would have to reset IIS every time I switch to a different user, which is practically impossible.

Is there some way to work around this issue?

Thanks,

Jeevitha

Edited by: Jeevitha Kirubanandam on Jun 30, 2009 9:10 PM

tim_alsop
Active Contributor
0 Kudos

>

> Thanks for your support.

No problem. I am glad I can help in some way.

>

> As you specified, the client and the server running IIS are Windows users. As I have already mentioned, my solution works fine with a single user. The problem only appears when I switch between different users (in the same process).

I wondered if this was because the impersonation was not causing new credentials to be acquired from the MS AD domain controller. Instead, the first user to log on using your service causes credentials to be issued, and these credentials stay in the cache until the service is restarted. During the service restart the cache is destroyed by Windows.

>

> To simplify the scenario, I excluded IIS from the picture and wrote a C++ program to do the impersonation and switch between different users. Again, it works for the first user, whereas it throws an exception for subsequent users.

> And for this scenario, I made use of the gssntlm DLL, since I don't have an SAP system configured for Kerberos authentication to test.

I don't recommend using the NTLM protocol for testing.

>

> One more related question:

>

> When one of our partners hit the same issue, it seems they got the following response from SAP:

> "gsskrb5.dll and more importantly SNC within SAP communication libraries such as librfc32.dll does NOT support the Microsoft impersonation model, it assumes and relies on a process-global identity. It is impossible to use more than one thread-local impersonation at a time (within the same process) for SNC-based SSO authentication into SAP AppServers"

Ah. That would explain why it worked for me. We are using our own gssapi32.dll library, which is SAP certified. This works perfectly with IIS and SAP RFC. As I mentioned in my earlier post, we have customers using our library in the way you want, but using the SAP .NET connector to initiate the RFC connection from the .NET application running on the IIS server.

>

> If the above is true, it is impossible for me to impersonate users in the service, since I would have to reset IIS every time I switch to a different user, which is practically impossible.

> Is there some way to work around this issue?

It sounds as though it might be impossible when using the SAP SNC library, but I know that our own SNC library works the way you want.

>

> Thanks,

> Jeevitha

>

> Edited by: Jeevitha Kirubanandam on Jun 30, 2009 9:10 PM

tim_alsop
Active Contributor
0 Kudos

Jeevitha,

We developed a small .NET application using C# which calls our GSS library on the IIS server to display the principal name of the authenticated user from the credentials cache. We were able to access this from multiple workstations and each user saw their own credentials being displayed.

Which version of IIS are you using ?

Are you able to share your C++ program so I can see what you have done wrong, since this should work when IIS is not used?

Thanks,

Tim

Former Member
0 Kudos

Tim,

Thanks for your continued support.

Were you able to open an RFC connection from the service with the impersonated credential? Were you using the SAP .NET connector?

We are using IIS 6.

I sent you the C++ program by mail.

One quick question: isn't gssntlm certified by SAP? I saw in the SAP help that gssapi32 is the older version of gssntlm. (http://help.sap.com/saphelp_nwmobile71/helpdata/en/44/0e2ab4c7330d19e10000000a114a6b/frameset.htm)

Thanks,

Jeevitha

Edited by: Jeevitha Kirubanandam on Jul 1, 2009 10:37 AM

tim_alsop
Active Contributor
0 Kudos

Jeevitha,

Yes, we were/are able to open an RFC connection using the impersonated credentials of the user at the workstation. This gives the end-to-end authentication which is required in this kind of scenario.

It is good that you are using IIS 6. I think older releases of IIS worked differently regarding impersonation.

Yes, in fact GSSNTLM is developed by SAP, so it is of course certified. This is not the issue that I was referring to - it is that GSSNTLM uses a different protocol (NTLM) and does not use cached credentials in the same way as Kerberos does, so to test this issue you need to use a GSS library that implements the Kerberos security mechanism, and one that is compatible with the MS AD implementation of Kerberos.

GSSNTLM = NTLM protocol

GSSAPI32 = Default name for the SNC GSS library. Since its name does not include NTLM I assume the one you refer to is using Kerberos, but this might not be the case - it depends on the developer of this library. Of course, you cannot confirm the protocol by the name of the library alone.

I have just received your email and will look at the code to find out why it might not work.

Thanks,

Tim


0 Kudos

Wolfgang,

The service is (or will be) a service running on an IIS web server. For testing the issue, Jeevitha has developed a C++ program which uses Windows impersonation, and then the impersonated user is used to initiate an RFC connection secured with SNC. She had problems (see the explanation earlier in this thread) with this, so we have helped her. Now her code is working as expected. Also, we had to use the SNC_MYNAME parameter so that the RFC library knows the SNC name of the initiating user (i.e. the Kerberos principal name of the impersonated Windows user).

Thanks,

Tim

0 Kudos

>

> Wolfgang,

>

> The service is (or will be) a service running on an IIS web server. For testing the issue, Jeevitha has developed a C++ program which uses Windows impersonation, and then the impersonated user is used to initiate an RFC connection secured with SNC. She had problems (see the explanation earlier in this thread) with this, so we have helped her. Now her code is working as expected. Also, we had to use the SNC_MYNAME parameter so that the RFC library knows the SNC name of the initiating user (i.e. the Kerberos principal name of the impersonated Windows user).

>

> Thanks,

> Tim

So, someone has re-implemented the SAP Internet Transaction Server (ITS) ...

See: [SAP Note 493107|https://service.sap.com/sap/support/notes/493107]

Cheers, Wolfgang

0 Kudos

Wolfgang,

I don't consider this to be the same as (or a new implementation of) the external ITS, other than the fact that ITS is often run on the IIS web server, and ITS also uses an SNC session between AGATE and the SAP ABAP AS. This is the only similarity.

For this customer's requirement, there is no SSO2 ticket required/used. Just authenticate the user at the web server using IWA and then use the user's impersonated credentials to authenticate an RFC connection to the back-end.

Thanks,

Tim

0 Kudos

Well, yes and no.

Thinking of the requirement to orchestrate the session management (HTTP sessions and RFC sessions), thinking of a proper way to visualize the results of the RFC / BAPI calls (ITS: WebRFC, WebReporting) - all that makes me believe that there's a huge overlap. Well, I would spare my efforts and invest in developing new stuff ...

Just my 5 cents.

Former Member
0 Kudos

Hi Tim/ Jeevitha

Can you please explain how exactly you fixed this problem? We are running into the same issue with a multi-threaded C++ app that needs to impersonate users (for SSO). The first user succeeds and subsequent users fail.

We are specifying parameters for SNC.

SNC_MODE=1

SNC_PARTNERNAME=

SNC_LIB=c:\windows\system32\gsskrb5.dll

Also do you know if this solution works with SAP NetWeaver RFC SDK and Classic RFC SDK?

Thanks

Rakesh

0 Kudos

Rakesh,

The problem is resolved by setting the SNC_MYNAME parameter with the correct value.

For example, if a user logs onto the workstation using account rakesh and the domain is company.local, the Kerberos principal name of this user might be rakesh@COMPANY, so the SNC_MYNAME parameter needs to describe this principal name, as this is the impersonated name of the user at the workstation. In this case it would need to be p:rakesh@COMPANY

We used our GSS-API library to query the LSA cache to get the principal name of the impersonated user, and this name is then passed as the SNC_MYNAME parameter. Then any user logged into the IIS website can be impersonated and the correct SNC_MYNAME parameter is used.

Thanks,

Tim
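The answer above boils down to a per-request rule: every impersonated user must open the RFC connection with their own SNC_MYNAME (in p:user@REALM form), and a parameter set that omits it falls back to whatever identity the process holds. The block below is an added example, not code from this thread, from SAP or from Tim's library. It assumes the caller already has the Windows account name of the impersonated user (as IIS would supply it) and a domain-to-realm mapping; the DOMAIN_TO_REALM table and the account names are constructed sample data, and the `check_snc_params` rules are my own reading of the thread, not an SAP specification.

```python
"""Build and sanity-check SNC connection parameters for an impersonated user.

Added example (not from the thread or from SAP). Assumes the caller knows the
impersonated user's Windows account name and the Kerberos realm of each
Windows domain; the realm table below is constructed sample data.
"""
import re

# Constructed mapping of Windows domain names to Kerberos realms. In a real
# deployment this comes from the AD/Kerberos configuration, not from code.
DOMAIN_TO_REALM = {
    "COMPANY": "COMPANY",        # NetBIOS domain name
    "company.local": "COMPANY",  # DNS domain name, same realm
}

# Accepts 'DOMAIN\user' or 'user@domain'; backslash and '@' are not allowed
# inside either part, so each form parses unambiguously.
_ACCOUNT_RE = re.compile(
    r"^(?:(?P<dom>[^\\@]+)\\(?P<user>[^\\@]+)"
    r"|(?P<upn_user>[^\\@]+)@(?P<upn_dom>[^\\@]+))$"
)


def snc_name_for_account(account, realms=DOMAIN_TO_REALM):
    """Turn a Windows account name into the SNC name 'p:user@REALM'."""
    m = _ACCOUNT_RE.match(account)
    if not m:
        raise ValueError(f"unrecognised account format: {account!r}")
    user = m.group("user") or m.group("upn_user")
    dom = m.group("dom") or m.group("upn_dom")
    realm = realms.get(dom) or realms.get(dom.upper()) or realms.get(dom.lower())
    if realm is None:
        raise ValueError(f"no Kerberos realm known for domain {dom!r}")
    return f"p:{user}@{realm}"


def build_snc_params(account, partner_name, snc_lib, realms=DOMAIN_TO_REALM):
    """Parameters for one connection, built fresh for each impersonated user.

    Building them per request (rather than once per process) is the point:
    SNC_MYNAME must follow the identity of the caller, not the first user
    who happened to open a connection after the service started.
    """
    return {
        "SNC_MODE": "1",
        "SNC_PARTNERNAME": partner_name,
        "SNC_LIB": snc_lib,
        "SNC_MYNAME": snc_name_for_account(account, realms),
    }


def check_snc_params(params):
    """Return a list of problems found in an SNC parameter set (empty = OK)."""
    problems = []
    if params.get("SNC_MODE") != "1":
        problems.append("SNC_MODE must be 1 to enable SNC")
    for key in ("SNC_PARTNERNAME", "SNC_LIB", "SNC_MYNAME"):
        if not params.get(key):
            problems.append(f"{key} is missing or empty")
    myname = params.get("SNC_MYNAME") or ""
    if myname and not myname.startswith("p:"):
        problems.append("SNC_MYNAME should be given in p:<principal> form")
    return problems


def to_connect_string(params):
    """Render as space-separated KEY=VALUE pairs, sorted for stable output."""
    return " ".join(f"{k}={v}" for k, v in sorted(params.items()))


if __name__ == "__main__":
    # Constructed: the parameter set posted by Rakesh above lacks SNC_MYNAME
    # and has an empty SNC_PARTNERNAME.
    posted = {"SNC_MODE": "1", "SNC_PARTNERNAME": "",
              "SNC_LIB": r"c:\windows\system32\gsskrb5.dll"}
    print("problems:", check_snc_params(posted))
    fixed = build_snc_params(r"COMPANY\rakesh", "p:SAPServiceXYZ@COMPANY",
                             r"c:\windows\system32\gsskrb5.dll")
    print(to_connect_string(fixed))
```

Run it once per impersonated request, and treat a non-empty result from `check_snc_params` as a configuration error to log and refuse, rather than letting the connection fall back to the process identity. The `p:SAPServiceXYZ@COMPANY` partner name in the usage block is a placeholder; the real SNC_PARTNERNAME is the SNC name of the target application server.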

0 Kudos

Tim

Thanks for the quick response and explanation.

We tried setting SNC_MYNAME (of the impersonated user) but it still fails on the second user logon. Do we need to use gssapi32.dll on the client? We are using gsskrb5.dll. The second user always fails with the following error:

LOCATION CPIC (TCP/IP) on local host with Unicode

ERROR SNCERR_GSSAPI

RELEASE 710

COMPONENT SNC (Secure Network Communication)

VERSION 5

RC -4

DETAIL An operation failed at the GSS-API level

COUNTER 4

Regards

Rakesh

0 Kudos

Rakesh,

I would love to help you, but I cannot without looking at your source and understanding your setup in more detail. It is not best to do that within the SDN forum, and also you have hijacked somebody else's thread with your issue - the person who opened this thread was satisfied with the answers given and marked the thread as answered.

Maybe I will hear from you soon, outside of SDN...

Thanks,

Tim

0 Kudos

Tim

Thanks for the reply. Apologies if I did not follow forum etiquette. I will get back to you via email or start a new thread.

Regards

Rakesh