06-30-2009 7:10 AM
Hi All,
We have a service that connects to an SAP system with SNC (Kerberos authentication).
It runs fine when we use a single user. If multiple users are used:
e.g. Step 1: Request to SAP by User A -> Succeeds
Step 2: Request to SAP by User B -> Fails
Step 3: Request to SAP by User A -> Succeeds
Step 4: Restart the process
Step 5: Request to SAP by User B -> Succeeds
Step 6: Request to SAP by User A -> Fails
Library used:
SAP RFC Unicode Libraries 7.11/7.0
Kerberos Dll from SAP version 1.09 (gx64krb5.dll for X64 and gsskrb5.dll for X86)
Error Details:
ErrorCode=RFC_OK.
ErrorGroup=RFC_ERROR_COMMUNICATION.
SapErrorMessage=SAP_CMINIT3 : rc=20 > Connect to SAP gateway failed Connect_PM GWHOST=SapServer.Domain.com, GWSERV=sapgw00, SYSNR=00 LOCATION CPIC (TCP/IP) on local host with Unicode ERROR SNCERR_GSSAPI TIME Sun Jun 28 15:49:36 200 RELEASE 711 COMPONENT SNC (Secure Network Communication) VERSION 5 RC -4 DETAIL An operation failed at the GSS-API level COUNTER 6.
I am wondering if gsskrb5 caches the kerberos ticket, which could be the reason for this behavior.
My question is:
1. Does gsskrb5 cache the user principal name/Kerberos ticket?
2. If yes, is there a way to specify that the data should not be cached?
Any help would be greatly appreciated.
Thanks,
Jeevitha
06-30-2009 7:58 AM
Hi,
All implementations of Kerberos use a credentials cache to store tickets. This is not done by the SAP supplied GSS library, but by the Windows Kerberos code in operating systems.
You need to look at how you are switching users, since it should be possible for userA to log on and get credentials which will be cached, and when userB logs on, the credentials for userB should be stored in the cache instead of userA's. If you can provide more details of how you switch between users I might be able to help, otherwise you need to talk to Microsoft.
Thanks,
Tim
06-30-2009 6:05 PM
Thanks a lot for your quick response.
My SAP connectivity part runs as a service in IIS.
When a client makes a call to the service:
1. It impersonates the client
2. Opens an RFC connection
3. Makes the RFC call
4. Closes the connection
I have tried a simple C++ program that does the same thing:
1. Impersonate User1
2. Open a connection and make an RFC call - Succeeds
3. Close the connection and revert to self
4. Repeat steps 1-3 for User2 - Fails
5. Repeat steps 1-3 for User1 - Succeeds
I was using SNC with gssntlm. And I am getting "Connection closed without message (CM_NO_DATA_RECEIVED)" error message.
Any help/suggestions would be greatly appreciated.
Thanks,
Jeevitha
06-30-2009 6:31 PM
Hi,
Can you please check the following OSS note?
Note 753797 - ITS: SAPCRYPTO Admin, Connection Maintenance, SNC test fails
Thanks,
Sridhar
06-30-2009 7:17 PM
Jeevitha,
When your service impersonates the client, the user/client needs to be a domain user account, so that the Kerberos credentials cache on IIS for the session contains the user's TGT. This will also require that the Windows Server running IIS is joined to your AD domain.
You mention that you are using gssntlm - this concerns me because NTLM is not the same as Kerberos. You need to use an SNC library which supports the Kerberos protocol.
I have set up a very similar environment to yours and was able to get end-to-end authentication of users. e.g. a user logs on at a workstation, they open a web browser to access an application on the IIS server (e.g. a .NET application) and the .NET application uses the SAP .NET connector (not called this anymore) to communicate with the back-end SAP system via SAP RFC. This works as required and the RFC connection is authenticated and secured using SNC, using the credentials of the user at the workstation where the browser is running.
Thanks,
Tim
06-30-2009 8:09 PM
Thanks for your support.
As you have specified, the client and the server running IIS are Windows users. As I have already mentioned, my solution works fine with a single user. But the problem is only when I switch between different users (in the same process).
To simplify the scenario, I excluded IIS from the picture and wrote a C++ program to do the impersonation and switch between different users. Again, it works for the first user, whereas it throws an exception for subsequent users.
And for this scenario, I made use of the gssntlm dll, since I don't have an SAP system configured for Kerberos authentication to test.
One more related question:
When one of our partners hit the same issue, it seems they got the following response from SAP:
"gsskrb5.dll and more importantly SNC within SAP communication
libraries such as librfc32.dll does NOT support the Microsoft
impersonation model, it assumes and relies on a process-global
identity.
It is impossible to use more than one thread-local
impersonation at a time (within the same process) for
SNC-based SSO authentication into SAP AppServers"
If the above is true, it is impossible for me to impersonate users in the service, since I would have to reset IIS every time I have to switch to a different user, which is practically impossible.
Does there exist some way to work around this issue?
Thanks,
Jeevitha
Edited by: Jeevitha Kirubanandam on Jun 30, 2009 9:10 PM
06-30-2009 8:26 PM
>
> Thanks for your support.
No problem. I am glad I can help in some way.
>
> As you have specified the client and the server running IIS are windows users. As I have already mentioned, my solution works fine with a single user. But the problem is only when I switch between different users(in the same process).
I wondered if this was because the impersonation was not causing new credentials to be acquired from MS AD domain controller. Instead, the first user to logon using your service causes credentials to be issued and these credentials are staying in cache until service is restarted. During the service restart the cache is destroyed by Windows.
>
> To simplify the scenario, I excluded IIS from the picture and wrote a C++ program to do the impersonation and switch between different users. Again, it works for the first user, where as it throws an exception for subsequent users.
> And for this scenario, I made use of gssntlm dll, since I dont have a Sap system configured for kerberos authentication to test.
I don't recommend using the NTLM protocol for testing.
>
> One more related question:
>
> When one of our partner hit the same issue, it seems they got the following response from Sap:
>
> "gsskrb5.dll and more importantly SNC within SAP communication
> libraries such as librfc32.dll does NOT support the Microsoft
> impersonation model, it assumes and relies on a process-global
> identity.
>
> It is impossible to use more than one thread-local
> impersonation at a time (within the same process) for
> SNC-based SSO authentication into SAP AppServers"
Ah. That would explain why it worked for me. We are using our own gssapi32.dll library which is SAP certified. This works perfectly with IIS and SAP RFC. As I mentioned in my earlier post, we have customers using our library in the way you want, but using SAP .net connector to initiate the RFC connection from the .net application running on IIS server.
>
> If the above is true, it is impossible for me to impersonate users in the service. Since I have to reset IIS, everytime I have to switch to a different user, which is practically impossible.
> Is there exist some way to work around this issue?
It sounds as though it might be impossible when using the SAP SNC library, but I know that our own SNC library works the way you want.
>
> Thanks,
> Jeevitha
>
> Edited by: Jeevitha Kirubanandam on Jun 30, 2009 9:10 PM
07-01-2009 8:21 AM
Jeevitha,
We developed a small .net application using c# which calls our gss library on IIS server to display the principal name of authenticated user from credentials cache. We were able to access this from multiple workstations and each user saw their own credentials being displayed.
Which version of IIS are you using ?
Are you able to share your c++ program so I can see what you have done wrong, since this should work when IIS is not used.
Thanks,
Tim
07-01-2009 9:36 AM
Tim,
Thanks for your continued support.
Were you able to open an RFC connection from the service with the impersonated credential? Were you using the SAP .NET connector?
We are using IIS 6.
I sent you the c++ program by mail.
One quick question: Isn't gssntlm certified by SAP? I saw in the SAP help that gssapi32 is the older version of gssntlm. (http://help.sap.com/saphelp_nwmobile71/helpdata/en/44/0e2ab4c7330d19e10000000a114a6b/frameset.htm)
Thanks,
Jeevitha
Edited by: Jeevitha Kirubanandam on Jul 1, 2009 10:37 AM
07-01-2009 10:00 AM
Jeevitha,
Yes, we were/are able to open an RFC connection using the impersonated credentials of user at workstation. This gives the end-to-end authentication which is required in this kind of scenario.
It is good that you are using IIS 6. I think older releases of IIS worked differently regarding impersonation.
Yes, in fact GSSNTLM is developed by SAP so it is of course certified. This is not the issue that I was referring to - it is that GSSNTLM is using a different protocol (NTLM) and does not use cached credentials in same way as Kerberos does, so to test this issue you need to use a GSS library that implements the Kerberos security mechanism, and one that is compatible with MS AD implementation of Kerberos.
GSSNTLM = NTLM protocol
GSSAPI32 = Default name for SNC GSS library. Since its name does not include NTLM I assume the one you refer to is using Kerberos, but this might not be the case - depends on the developer of this library. Of course, you cannot confirm protocol by name of library alone.
I have just received your email and will look at the code to find out why it might not work.
Thanks,
Tim
07-03-2009 9:32 AM
>
> Hi All,
>
> We have a service that connects to Sap system with SNC(Kerberos authentication).
>
> Thanks,
> Jeevitha
What kind of "service" is this?
To me this sounds like a server component rather than a client component.
In that case, please have a look at [another thread|; where this has been discussed.
Regarding the SNC libraries provided by SAP: Take a kind look at [SAP Note 352295|https://service.sap.com/sap/support/notes/352295].
07-03-2009 9:42 AM
Wolfgang,
The service is (or will be) a service running on IIS web server. For testing the issue, Jeevitha has developed a C++ program which uses Windows impersonation and then the impersonated user is used to initiate an RFC connection, secured with SNC. She had problems (see explanation earlier in this thread) with this, so we have helped her. Now her code is working as expected. Also, we had to use SNC_MYNAME parameter so that the RFC library knows the SNC name of the initiating user (e.g. the Kerberos principal name of impersonated Windows user).
Thanks,
Tim
07-03-2009 9:46 AM
>
> Wolfgang,
>
> The service is (or will be) a service running on IIS web server. For testing the issue, Jeevitha has developed a C++ program which uses Windows impersonation and then the impersonated user is used to initiate an RFC connection, secured with SNC. She had problems (see explanation earlier in this thread) with this, so we have helped her. Now her code is working as expected. Also, we had to use SNC_MYNAME parameter so that the RFC library knows the SNC name of the initiating user (e.g. the Kerberos principal name of impersonated Windows user).
>
> Thanks,
> Tim
So, someone has re-implemented the SAP Internet Transaction Server (ITS) ...
See: [SAP Note 493107|https://service.sap.com/sap/support/notes/493107]
Cheers, Wolfgang
07-03-2009 10:04 AM
Wolfgang,
I don't consider this to be the same as (or a new implementation of) the external ITS, other than the fact that ITS is often run on the IIS web server, and ITS also uses an SNC session between AGATE and the SAP ABAP AS. This is the only similarity.
For this customer's requirement, there is no SSO2 ticket required/used. Just authenticate the user at the web server using IWA and then use the user's impersonated credentials to authenticate an RFC connection to the back-end.
Thanks,
Tim
07-03-2009 10:20 AM
Well, yes and no.
Thinking of the requirement to orchestrate the session management (http sessions and RFC sessions), thinking of a proper way to visualize the results of the RFC / BAPI calls (ITS: WebRFC, WebReporting) - all that makes me believe that there's a huge overlap. Well, I would spare my efforts and invest in developing new stuff ...
Just my 5 cents.
02-16-2010 8:31 PM
Hi Tim/ Jeevitha
Can you please explain how exactly you fixed this problem. We are running into the same issue with a multi-threaded C++ app that needs to impersonate users (for SSO). The first user succeeds and subsequent users fail.
We are specifying parameters for SNC.
SNC_MODE=1
SNC_PARTNERNAME=
SNC_LIB=c:\windows\system32\gsskrb5.dll
Also do you know if this solution works with SAP NetWeaver RFC SDK and Classic RFC SDK?
Thanks
Rakesh
02-16-2010 8:40 PM
Rakesh,
The problem is resolved by setting the SNC_MYNAME parameter with the correct value.
For example, if a user logs onto a workstation using account rakesh and the domain is company.local, the Kerberos principal name of this user might be rakesh@COMPANY, so the SNC_MYNAME parameter needs to describe this principal name, as this is the impersonated name of the user at the workstation. In this case it would need to be p:rakesh@COMPANY
We used our GSS-API library to query the LSA cache to get the principal name of the impersonated user, and this name is then passed as the SNC_MYNAME parameter. Then any user logged into the IIS website can be impersonated and the correct SNC_MYNAME parameter is used.
Thanks,
Tim
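The fix Tim describes is that SNC_MYNAME must be derived per request from the impersonated user's principal rather than left process-global. The following is an added illustration, not code from the thread, from SAP, or from any SNC library vendor. It assumes the caller has already impersonated the request's user and obtained that user's Kerberos principal (on Windows, for example via GetUserNameEx with NameUserPrincipal while impersonating); here the principal is simply passed in as a string, and the partner name and library path are constructed placeholders. It shows two concurrent request contexts producing two distinct SNC_MYNAME values, and rejects a principal that has no realm.

```cpp
#include <cctype>
#include <iostream>
#include <stdexcept>
#include <string>
#include <utility>
#include <vector>

// Hypothetical example, not SAP's or any vendor's code. The impersonated
// user's Kerberos principal is assumed to be obtained by the caller while
// impersonating (e.g. GetUserNameEx(NameUserPrincipal, ...) on Windows).

using RfcParam = std::pair<std::string, std::string>;

// Turn a Kerberos principal "user@REALM" into the SNC printable-name form
// "p:user@REALM" shown in the thread for SNC_MYNAME. A name without a realm
// is rejected, and an already-prefixed name is not double-prefixed.
std::string sncNameFromPrincipal(const std::string& principal) {
    std::string name = principal;
    if (name.rfind("p:", 0) == 0) name = name.substr(2);
    const auto at = name.find('@');
    if (name.empty() || at == std::string::npos || at == 0 || at + 1 == name.size())
        throw std::invalid_argument("principal must be of the form user@REALM: " + principal);
    for (unsigned char c : name)
        if (std::isspace(c)) throw std::invalid_argument("principal contains whitespace");
    return "p:" + name;
}

// Build the SNC connection parameters for ONE request from that request's
// impersonated principal. SNC_MYNAME is computed per call, so two threads
// impersonating different users never share a process-global identity.
std::vector<RfcParam> buildSncParams(const std::string& impersonatedPrincipal,
                                     const std::string& partnerName,
                                     const std::string& sncLibPath) {
    if (partnerName.empty()) throw std::invalid_argument("SNC_PARTNERNAME must not be empty");
    return {
        {"SNC_MODE", "1"},
        {"SNC_LIB", sncLibPath},
        {"SNC_PARTNERNAME", partnerName},
        {"SNC_MYNAME", sncNameFromPrincipal(impersonatedPrincipal)},
    };
}

// Look up one parameter value; empty string if absent.
std::string paramValue(const std::vector<RfcParam>& params, const std::string& key) {
    for (const auto& p : params)
        if (p.first == key) return p.second;
    return "";
}

int main() {
    // Constructed placeholders: the SNC name of the SAP server and the library path.
    const std::string partner = "p:EXAMPLE_SAP_SERVER_SNC_NAME";
    const std::string lib = "c:\\windows\\system32\\gsskrb5.dll";
    // Two request contexts, each with its own impersonated principal (constructed).
    for (const std::string principal : {"usera@COMPANY", "userb@COMPANY"}) {
        auto params = buildSncParams(principal, partner, lib);
        std::cout << principal << " -> SNC_MYNAME=" << paramValue(params, "SNC_MYNAME") << '\n';
    }
    return 0;
}
```

Whatever obtains the principal must run under the impersonation token of the current request; reading it once at process start is exactly the process-global identity the SAP response in this thread warns about.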
02-16-2010 10:22 PM
Tim
Thanks for quick response and explanation.
We tried setting SNC_MYNAME (of the impersonated user) but it still fails on the second user logon. Do we need to use gssapi32.dll on the client? We are using gsskrb5.dll. The second user always fails with the following error:
LOCATION CPIC (TCP/IP) on local host with Unicode
ERROR SNCERR_GSSAPI
RELEASE 710
COMPONENT SNC (Secure Network Communication)
VERSION 5
RC -4
DETAIL An operation failed at the GSS-API level
COUNTER 4
Regards
Rakesh
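Both the first post and Rakesh's post carry the same RFC/SNC error block, once as a single long line and once with one field per line. When triaging such failures from service logs it helps to pull the fields apart mechanically and flag SNCERR_GSSAPI, which means the failure happened inside the GSS library (credentials or principal of the calling identity) rather than in the RFC transport. The parser below is an added example, not part of the SAP RFC SDK or any SNC library; the two sample strings are copied from the posts above and the keyword list is taken from those samples.

```cpp
#include <cstdlib>
#include <iostream>
#include <map>
#include <set>
#include <sstream>
#include <string>

// Hypothetical helper written for this thread, not part of the SAP RFC SDK.
// It parses the "LOCATION ... ERROR ... RC ... DETAIL ... COUNTER ..." block
// the RFC library puts into its error message, whether it arrives as one
// long line or as one field per line.

using SncFields = std::map<std::string, std::string>;

// Field keywords of the error block, as seen in the samples in this thread.
static const std::set<std::string> kSncKeys = {
    "LOCATION", "ERROR", "TIME", "RELEASE", "COMPONENT",
    "VERSION", "RC", "DETAIL", "COUNTER"};

// Samples copied from the posts above (constructed test input for this example).
const std::string kOneLineSample =
    "SAP_CMINIT3 : rc=20 > Connect to SAP gateway failed Connect_PM "
    "GWHOST=SapServer.Domain.com, GWSERV=sapgw00, SYSNR=00 LOCATION CPIC (TCP/IP) "
    "on local host with Unicode ERROR SNCERR_GSSAPI TIME Sun Jun 28 15:49:36 200 "
    "RELEASE 711 COMPONENT SNC (Secure Network Communication) VERSION 5 RC -4 "
    "DETAIL An operation failed at the GSS-API level COUNTER 6.";
const std::string kMultiLineSample =
    "LOCATION CPIC (TCP/IP) on local host with Unicode\nERROR SNCERR_GSSAPI\n"
    "RELEASE 710\nCOMPONENT SNC (Secure Network Communication)\nVERSION 5\n"
    "RC -4\nDETAIL An operation failed at the GSS-API level\nCOUNTER 4";

SncFields parseSncError(const std::string& text) {
    SncFields fields;
    std::istringstream in(text);
    std::string token, key;
    while (in >> token) {              // whitespace-separated, newlines included
        if (kSncKeys.count(token)) {   // a keyword starts a new field
            key = token;
            fields[key];               // present even if the value turns out empty
            continue;
        }
        if (key.empty()) continue;     // gateway text before LOCATION is ignored
        std::string& v = fields[key];
        if (!v.empty()) v += ' ';
        v += token;
    }
    // The single-line variant ends the last field with a full stop; trim it.
    for (auto& kv : fields)
        if (!kv.second.empty() && kv.second.back() == '.') kv.second.pop_back();
    return fields;
}

enum class SncVerdict { NotSnc, GssApiFailure, OtherSncError };

// SNCERR_GSSAPI means the GSS library itself failed (credentials/principal),
// which is the layer to investigate before the RFC transport.
SncVerdict classify(const SncFields& f) {
    auto comp = f.find("COMPONENT");
    if (comp == f.end() || comp->second.rfind("SNC", 0) != 0) return SncVerdict::NotSnc;
    auto err = f.find("ERROR");
    if (err != f.end() && err->second == "SNCERR_GSSAPI") return SncVerdict::GssApiFailure;
    return SncVerdict::OtherSncError;
}

// Numeric RC of the block, 0 if absent.
int rcOf(const SncFields& f) {
    auto it = f.find("RC");
    return it == f.end() ? 0 : std::atoi(it->second.c_str());
}

int main() {
    for (const std::string* sample : {&kOneLineSample, &kMultiLineSample}) {
        SncFields f = parseSncError(*sample);
        std::cout << "ERROR=" << f["ERROR"] << " RC=" << rcOf(f)
                  << " COUNTER=" << f["COUNTER"]
                  << " gssapi=" << (classify(f) == SncVerdict::GssApiFailure) << '\n';
    }
    return 0;
}
```

The tokenizer relies on the keywords appearing only as field names; the DETAIL text in these samples contains none of them, which is why splitting on the keyword set is sufficient here.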
02-16-2010 11:23 PM
Rakesh,
I would love to help you, but I cannot without looking at your source and understanding your setup in more detail. It is not best to do that within the SDN forum, and also you have hijacked somebody else's thread with your issue - the person who opened this thread was satisfied with the answers given and marked the thread as answered.
Maybe I will hear from you soon, outside of SDN...
Thanks,
Tim
02-17-2010 2:19 PM
Tim
Thanks for the reply. Apologies if I did not follow forum ethics. Will get back to you via email or start a new thread.
Regards
Rakesh