SNC SSO and STMS configuration

Former Member

Hi All

Last week we implemented SSO with SNC using the Windows AD and I5 REALMS on our development system(s).

All is good until we realize that these systems are the domain controllers for our transport landscape. So far we have not done the SNC SSO configuration on our QA and PRD system(s)

We have made an entry for the Dev system in the vsncsysacl table and also made the changes in the STMS -> System overview -> Display Transport Domain -> Management tab -> SNC protection changed from Inactive to active and hitting "Copy SNC information"... we get some funky error messages about SNC for PRD and QA.

So when we tried refreshing the Transport queue, we get an error message stating "Transport connection of type E required or something" for QA and PRD.

Long story short, we cannot convert all the systems in a landscape to use SNC SSO in a single day, as we have to test out things, interfaces, RFC's and all other stuff. How do we go about it system by system if transports will not work? What I mean is that DEV is configured for SNC SSO, but QA and PRD are not.

Is there a way to make TMS work ?

Things tried so far:

1) Entries in vsncsysacl table

2) SNC tab for user TMSADM in DEV populated with service principal name (since no domain account for this user)

Can't imagine doing the changes across the landscape in one day...

Is there a way around it friends?

Thank you

Abhi

Accepted Solutions (1)

Former Member

Hello Abhi,

I would say, that it should be pretty easy, to setup the systems to use SSO AND password logon ... Then you can transport with your users ... After some time, you then could remove the password logon option ...

If you do not care for authorization issues who transports, it would be an easy - but ugly - option, to provide TMSADM SAP_ALL and you won't be asked for a user ...

Regards

Volker Gueldenpfennig, consolut international ag

http://www.consolut.net - http://www.4soi.de - http://www.easymarketplace.de

Former Member

Hi Volker

Thank you for your response.

But that is not the issue. Setting up the systems to use SSO AND password logon is indeed easy, but that is not our issue.

Maybe I did not explain it nice enough.

We had a preexisting system landscape. Then one day we implemented SNC on our development system (which happens to be our domain controller). We have not yet done any configuration on our QA and PRD environments.

Now when we try to refresh the QA or PRD system in STMS import queue, we get "RFC system error in system/destination"

As I understand it and read the details, it mentions SNC or RFC connection type "E" required for connection.

So most likely when the RFC call is made to the QA/PRD system from TMS, it's expecting some SNC communication from the other systems. I can't update the TMS RFC's in SM59 manually to say SNC active. It has to change from the configuration of the TMS.

So I am struggling.

One option which I am already thinking of is to change the domain controller to PRD and see if it works, coz PRD is still without any SNC configuration.

Hope that explains better.

Thanks

Abhi

Former Member

Hello Abhi,

ok, then I would hope, you didn't set the following profile parameters:

snc/accept_insecure_gui = 1

snc/accept_insecure_rfc = 1 <<<<

snc/accept_insecure_cpic = 1

snc/accept_insecure_r3int_rfc = 1 <<<<<

snc/permit_insecure_comm = 1

snc/permit_insecure_start = 1

snc/extid_login_diag = 1

snc/extid_login_rfc = 1

Did you set at least these two ?

Regards

Volker Gueldenpfennig, consolut international ag

http://www.consolut.net - http://www.4soi.de - http://www.easymarketplace.de

Former Member

Hi Volker

Thank you so much for the quick response...

That may do it...Currently I have these in the profile:

snc/gssapi_lib /lib/libgssapi_krb5.a(libgssapi_krb5.a.so)

snc/identity/as p:SAPservice/sapdev.<domain_name>@<i5_REALM>

snc/accept_insecure_gui 1

snc/permit_insecure_start 1

No, I do not have those two parameters in my profile.. I will try to add it and bounce and update if it works...

Thank you for your advice..it may work...looks promising...

Abhi

Former Member

Hello Abhi,

perfect ))

that's it ))

I would add all of them ...

Regards

Volker Gueldenpfennig, consolut international ag

http://www.consolut.net - http://www.4soi.de - http://www.easymarketplace.de

Former Member

Hi Volker,

Thank you for your help.

It just worked like a charm... Added the snc/accept_insecure_rfc and snc/accept_insecure_r3int_rfc and bounced and magic!!!

So this was it...thanks again for all your help.

At least now we can do one system at a time...

Thanks

Abhi
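
Added example, not part of the original thread and not SAP tooling: a small Python check that reads an instance profile and lists which of the insecure-acceptance parameters named in the posts above are set to anything other than 0, so the exceptions opened for a system-by-system SNC rollout can be tracked and closed once every system uses SNC. The sample profile, host name and realm are constructed, and the parser assumes one parameter per line in either `name = value` or `name value` form, as both appear in the posts.

```python
import re

# Parameters named in this thread that let a system accept or start
# communication that is not protected by SNC.
INSECURE_PARAMS = (
    "snc/accept_insecure_gui",
    "snc/accept_insecure_rfc",
    "snc/accept_insecure_cpic",
    "snc/accept_insecure_r3int_rfc",
    "snc/permit_insecure_comm",
    "snc/permit_insecure_start",
)

# Accepts "name = value", "name=value" and "name value".
LINE_RE = re.compile(r"^\s*([^\s=#]+)\s*(?:=|\s)\s*(\S.*?)\s*$")

def parse_profile(text):
    """Return {parameter: value}; a later line overrides an earlier one."""
    params = {}
    for line in text.splitlines():
        if line.lstrip().startswith("#"):  # comment line
            continue
        m = LINE_RE.match(line)
        if m:
            params[m.group(1)] = m.group(2)
    return params

def insecure_settings(text):
    """List (parameter, value) for INSECURE_PARAMS that are set and not "0"."""
    params = parse_profile(text)
    return [(p, params[p]) for p in INSECURE_PARAMS
            if p in params and params[p] != "0"]

# Constructed sample: a DEV profile during a system-by-system SNC rollout.
SAMPLE_PROFILE = """\
# constructed sample, not a real system
snc/gssapi_lib /lib/libgssapi_krb5.a(libgssapi_krb5.a.so)
snc/identity/as p:SAPservice/sapdev.example.invalid@EXAMPLE.INVALID
snc/accept_insecure_gui 1
snc/permit_insecure_start 1
snc/accept_insecure_rfc = 1
snc/accept_insecure_r3int_rfc = 1
snc/accept_insecure_cpic = 0
"""

if __name__ == "__main__":
    for name, value in insecure_settings(SAMPLE_PROFILE):
        print(f"{name} = {value}  (review once all systems in the domain use SNC)")
```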

Answers (1)

linus_hellsing1

Hi,

I had the same problem just now. I'll write my solution for all of you out there that might fall in the same trap, to enable SNC and distribute the changes. When you do you must make sure the SNC is actually working. If not, you will probably end up with systems that have the setting SNC in their RFC connection and since the domain controller can't access them anymore (or at least get some response from the child system), it won't be able to turn it off.

I solved it like this:

Reset the user TMSADM in all system and give it a manual password (do it in STMS - Systems - Extras).

Delete all TMS RFC connections that have the SNC set to active in the child systems (the domain controller is probably already correct) in SM59, they are named something like this TMSADM@SID.DOMAIN_SID.

Manually recreate new RFC connections to the domain controller in the child systems to let the child system report back that it got the changes.

Distribute and activate the settings from the transport domain controller.

DONE! 🙂

You might have to recreate the RFC connections in all child systems, it is done in STMS - Systems - Extras.

Br Linus Hellsing