SSO - SAP GUI - KERBEROS using SNC

Former Member
0 Kudos

Hi,

We are running on AIX 5.3 and NW 7.0

We have installed the latest file set 1.4.0.8 for Kerberos on AIX.

krb5.client.rte 1.4.0.8 C F Network Authentication Service

krb5.client.samples 1.4.0.8 C F Network Authentication Service

krb5.doc.Ja_JP.html 1.4.0.8 C F Network Auth Service HTML

krb5.doc.Ja_JP.pdf 1.4.0.8 C F Network Auth Service PDF

krb5.doc.en_US.html 1.4.0.8 C F Network Auth Service HTML

krb5.doc.en_US.pdf 1.4.0.8 C F Network Auth Service PDF

krb5.doc.ko_KR.html 1.4.0.8 C F Network Auth Service HTML

krb5.doc.ko_KR.pdf 1.4.0.8 C F Network Auth Service PDF

krb5.doc.zh_CN.html 1.4.0.8 C F Network Auth Service HTML

krb5.doc.zh_CN.pdf 1.4.0.8 C F Network Auth Service PDF

krb5.lic 1.4.0.8 C F Network Authentication Service

krb5.server.rte 1.4.0.8 C F Network Authentication Service

krb5.toolkit.adt 1.4.0.8 C F Network Authentication Service

We have configured the SSO as per the document from IBM.

SSO works fine. But the issue is, even when the TGT (Ticket Granting Ticket) is expired on the server, SSO still works.

Accepted Solutions (0)

Answers (2)

Former Member
0 Kudos

Hi,

We are planning to implement SAP GUI SSO with SNC with an IBM AIX box. Can you kindly pass me the IBM document regarding how to configure that?

Thank you so much.

nelis
Active Contributor
0 Kudos

even when the TGT (Ticket Granting Ticket) is expired on the server, SSO still works

How can you tell the TGT has expired on the server?

From what I understand of Kerberos, it caches the TGT; if the client has authenticated, it doesn't matter whether the ticket has expired, because the service tickets are used only to authenticate NEW connections. The tickets are also renewable and "refreshed" without requiring a new ticket (it has a secondary expiration time). Added to this, you can change both the policy for expiration and renewal, so you should check this on your domain server too. The default renewal policy is generally 5 minutes on MS based systems and can be set up to 7 days or one week.

Nelis

Former Member
0 Kudos

Hi,

I am able to see the ticket is expired when I run the klist command on the server.

The document from IBM states that a cron job has to be set up to renew the tickets.

I have not set up the cron job intentionally to see if the SSO fails.

The TGT expired. Now if I log in to the domain and click on my GUI, it takes me right into the SAP.

When the TGT is expired, how does SSO work?

Thanks,

Tanuj

Former Member
0 Kudos

Hi Tanuj,

The server doesn't require a TGT to validate a service ticket being sent to it by the client if the server has access to a keytab. I believe the SAP SNC is also smart enough to get a TGT for the server and an appropriate service ticket if it needs to connect via SNC to another server (server to server).

Thanks!

Kyle
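
The point made in the reply above, as an added example that is not part of the original thread: a simplified Python model of the acceptor side, in which the server validates a client's service ticket using only its keytab key and never reads its own TGT. It assumes an HMAC tag as a stand-in for real Kerberos ticket encryption; the principal names, keys and function names are constructed for illustration.

```python
import hashlib
import hmac
import json

# Constructed sample values; the principal name and key are hypothetical.
SERVICE = "SAPServiceABC@EXAMPLE.COM"
KDC_DB = {SERVICE: b"long-term-service-key"}   # the KDC's copy of the service key
KEYTAB = {SERVICE: b"long-term-service-key"}   # the same key in the server's keytab


def kdc_issue_service_ticket(client, service, now, lifetime):
    """KDC side: seal a ticket for `service` under that service's long-term key."""
    body = json.dumps({"client": client, "service": service,
                       "endtime": now + lifetime}, sort_keys=True).encode()
    tag = hmac.new(KDC_DB[service], body, hashlib.sha256).hexdigest()
    return {"body": body.decode(), "tag": tag}


def server_accept(ticket, keytab, server_ccache, now):
    """Acceptor side: returns (ok, detail).

    `server_ccache` holds the server's own TGT. It is passed in only to show
    that acceptance never reads it.
    """
    body = ticket["body"].encode()
    claims = json.loads(body)
    key = keytab.get(claims["service"])
    if key is None:
        return False, "no keytab entry for service"
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, ticket["tag"]):
        return False, "ticket not sealed with our key"
    if now >= claims["endtime"]:          # lifetime of the client's ticket, not the server's TGT
        return False, "service ticket expired"
    return True, claims["client"]


if __name__ == "__main__":
    expired_tgt = {"tgt_endtime": 0}      # the server's own TGT expired long ago
    t = kdc_issue_service_ticket("user@EXAMPLE.COM", SERVICE, now=1000, lifetime=600)
    print(server_accept(t, KEYTAB, expired_tgt, now=1100))   # accepted
    print(server_accept(t, KEYTAB, expired_tgt, now=2000))   # client's ticket expired
    print(server_accept(t, {}, expired_tgt, now=1100))       # no keytab entry
```

In this model the only expiry that blocks a login is the end time of the client's service ticket; removing the keytab entry is what makes the server unable to accept.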

nelis
Active Contributor
0 Kudos

Take a look in your work process developer trace files (/usr/sap/<SID><instance>/work); you should see something along the lines of:


N GSS-API(min): No credentials cache found

...if the TGT renewal has expired. Also check your domain controllers' Event Viewer security logs for any errors.

Nelis