
SSO configuration for AIX platform using Kerberos

Former Member
0 Kudos

Hello BASIS Experts,

I am facing a problem while configuring SSO.

Requirement: I want to enable Single Sign-On with SNC using Kerberos on SAP Application Servers (ABAP) running on Power (p5 and p6) AIX, with a central Active Directory serving as the Kerberos server.

Steps I have performed till now: -

1> Kerberos Client Configuration (krb5.rte, config.krb5)

2> Adding the AIX server as a host to Active Directory and creating a keytab. I am using the following command to create the keytab file.

ktpass -princ <SPN> -mapuser dewa\ajeeb -pass <some_password> -ptype KRB5_NT_PRINCIPAL -out ajeeb.keytab

After this step I am facing a problem:

I am not able to initialize the keytab on the AIX machine.

I am using the following command to initialize the keytab:

kinit -k <Service_principal_name>

While doing this I am getting following error.

sscadm 2> kinit -k <SPN>

Unable to obtain initial credentials.

Status 0x96c73a18 - Preauthentication failed.

As per Google, this error indicates incorrect credentials in the keytab file.

Questions:

1> Any idea whether I am following a wrong step?

2> Are there any good documents which fulfill my requirement?

Thanks in advance for kind help.

Kind Regards,

Abhijeet Rathi


tim_alsop
Active Contributor
0 Kudos

Hi,

Did you manage to solve your Kerberos pre-authentication issue?

I don't think you mentioned it, but I assume you are using an open source implementation of Kerberos on AIX, in which case the support you get from IBM or the SAP community will be limited. You might need to consider the support aspects, if you haven't already. For example, if your users cannot log on to your SAP applications once you get it working and have put it into production, who will you contact to get the issue fixed?

Thanks,

Tim

Former Member
0 Kudos

Dear Tim,

I am not clear on your answer. I suppose I might be following some wrong procedure, and I would like someone who has experience in this to correct me or guide me on how I can accomplish this.

Thanks.

Kind Regards

Abhijeet Rathi

0 Kudos

Hi,

I am sorry you were not clear on my answer. I will try and explain again.

To implement SNC/Kerberos with SAP ABAP you need a Kerberos library which includes a GSS-API library. For this you usually have three options:

1) Use the library included with operating system (e.g. included with AIX operating system) - this is often an old release of the protocol, and includes bugs, and sometimes does not support the correct mechanism OID required for it to work with SAP.

2) Download an open source implementation of Kerberos (e.g. from MIT website) and compile on your server, then make it work with SAP.

3) Use a Kerberos library included with a product from a SAP partner.

I am not sure which of above you are using, but I would strongly recommend you consider option 3 if you haven't already. The other 2 options can waste a lot of time, and limited/no support is provided, either during testing and implementation, or after you have put the solution into production. If you want support and help and a solution which is guaranteed to work then option 3 is best. The commercial solutions also include extra features which you might want to consider.

Thanks,

Tim