Business Objects Enterprise - domain user

tim_alsop
Active Contributor

As mentioned in blog at /people/ingo.hilgefort/blog/2009/07/03/businessobjects-enterprise-and-client-side-snc-part-1-of-2 the SNC interface can be used to provide SSO with Business Objects Enterprise.

The SSO works if the Windows services are started using a domain account, because the SNC session between BO server and SAP server is initiated using these domain credentials. We have found though, after 1 week the user's credentials expire (due to ticket lifetime configuration in Active Directory) so BO server needs to be restarted every week. To solve this we are aware that SAP RFC library requires an SNC_MYNAME parameter, and we have put domain credentials on BO server in a key table file. I am wondering if you know how we can configure the SNC_MYNAME parameter in the RFC connection string used by BO software?

1 ACCEPTED SOLUTION

IngoH
Active Contributor

Hi Tim,

couple of items to be clarified:

- are we talking client side SNC

or

- are we talking server side trust ?

- why do the credentials expire after 1 week - that sounds pretty strange.

Ingo

4 REPLIES
tim_alsop
Active Contributor

Ingo,

I am referring to client side SNC, as described in part 1 of your blog. As you know, a domain account is needed and the Windows services need to be changed to start as this domain account, instead of as system. When this change is made, and the Windows services are started, they will request a Kerberos TGT from the domain, which has a lifetime associated with it - all domain users' tickets have a lifetime, determined by a domain policy. The lifetime of a TGT is normally about 8 hours.

When an RFC request is made by one of the Windows services, and the SNC library is invoked, it will get a service ticket from domain and store in same credentials cache that holds the TGT (inside LSA on Windows). This service ticket will expire at same time as the TGT used to request it.

If the SNC library gets a Kerberos service ticket, and the TGT has expired, but is still within the Renew Until period (normally 1 week after TGT was issued because of policy configuration) then a new TGT is issued, and the service ticket will be issued with the new TGT.

So, from above you can see that using SNC with Kerberos means that the tickets only last for 1 week because of domain policy configuration of Kerberos ticket lifetime and because of renew period for tickets issued by AD. The only way that the Kerberos tickets could be used for longer is if:

a) The service is restarted, thereby causing it to get a new TGT and the renew until date/time for this new TGT will be 1 week after the TGT was issued.

b) The TGT could be issued when an RFC call is made, and this TGT cached in a separate memory cache, instead of in MS LSA cache normally used by Windows.

Our product supports option b) but to make it work we need to understand how the BO software constructs the RFC connection string, and we need to add SNC_MYNAME parameter to this string. I can explain how this works in more detail if you like, but all I need is to know where the RFC parameters are stored. For example, is there an saprfc.ini file which we can edit and add the SNC_MYNAME parameter to this file?

IngoH
Active Contributor

Hi Tim,

so on the client side SNC which workflow are you trying to achieve and where does it fail?

When you configure the client side SNC you start the service under a given account and this given account is configured on the SAP side as well (SNC0, SU01).

Ingo

tim_alsop
Active Contributor

Ingo,

What do you mean by workflow? I have already explained that we have SNC SSO working as described in your blog, and we are using our own SNC library which uses the Kerberos protocol. Since the TGT is requested and issued by AD when the Windows services start, this TGT has a limited lifetime, so we are working on a slightly different approach which doesn't require a domain user to be used for Windows service startup, and instead it involves getting a TGT each time SNC is used, either from a memory cache or from AD. To make this work we need to know how to make BOBJ specify the SNC_MYNAME parameter when calling the SAP RFC library. We therefore need to know the place where the connection string is stored/constructed and then we can change this string to include SNC_MYNAME.

Thanks,

Tim