on 03-29-2010 11:03 PM
Hi,
We are running on AIX 5.3 and NW 7.0.
We have installed the latest fileset 1.4.0.8 for Kerberos on AIX.
krb5.client.rte 1.4.0.8 C F Network Authentication Service
krb5.client.samples 1.4.0.8 C F Network Authentication Service
krb5.doc.Ja_JP.html 1.4.0.8 C F Network Auth Service HTML
krb5.doc.Ja_JP.pdf 1.4.0.8 C F Network Auth Service PDF
krb5.doc.en_US.html 1.4.0.8 C F Network Auth Service HTML
krb5.doc.en_US.pdf 1.4.0.8 C F Network Auth Service PDF
krb5.doc.ko_KR.html 1.4.0.8 C F Network Auth Service HTML
krb5.doc.ko_KR.pdf 1.4.0.8 C F Network Auth Service PDF
krb5.doc.zh_CN.html 1.4.0.8 C F Network Auth Service HTML
krb5.doc.zh_CN.pdf 1.4.0.8 C F Network Auth Service PDF
krb5.lic 1.4.0.8 C F Network Authentication Service
krb5.server.rte 1.4.0.8 C F Network Authentication Service
krb5.toolkit.adt 1.4.0.8 C F Network Authentication Service
We have configured the SSO as per the document from IBM.
SSO works fine. But the issue is, even when the TGT (Ticket Granting Ticket) is expired on the server, SSO still works.
Hi,
We are planning to implement SAP GUI SSO with SNC on an IBM AIX box. Can you kindly pass me the IBM document regarding how to configure that?
Thank you so much.
even when the TGT (Ticket Granting Ticket) is expired on the server, SSO still works
How can you tell the TGT has expired on the server?
From what I understand of Kerberos, it caches the TGT; if the client has authenticated, it doesn't matter whether the ticket has expired, because the service tickets are used only to authenticate NEW connections. The tickets are also renewable and "refreshed" without requiring a new ticket (it has a secondary expiration time). Added to this, you can change both the policy for expiration and renewal, so you should check this on your domain server too. The default renewal policy is generally 5 minutes on MS based systems and can be set up to 7 days or one week.
Nelis
Hi,
I am able to see the ticket is expired when I run the klist command on the server.
The document from IBM states that a cron job has to be set up to renew the tickets.
I have intentionally not set up the cron job, to see if the SSO fails.
The TGT expired. Now if I log in to the domain and click on my GUI, it takes me right into SAP.
When the TGT is expired, how does SSO work?
Thanks,
Tanuj
Hi Tanuj,
The server doesn't require a TGT to validate a service ticket being sent to it by the client if the server has access to a keytab. I believe the SAP SNC is also smart enough to get a TGT for the server and an appropriate service ticket if it needs to connect via SNC to another server (server to server).
Thanks!
Kyle
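A simplified model of the accept path described in the reply above, as an added example that is not part of the original thread and is not SAP or IBM code. HMAC-SHA256 stands in for Kerberos ticket encryption, and the principal names, key and timestamps are constructed; it shows that acceptance depends on the keytab key and the lifetime of the client's service ticket, not on the server's own TGT cache.

```python
# Simplified model (added example): HMAC-SHA256 stands in for Kerberos ticket
# encryption. All principals, keys and timestamps are constructed samples.
import hashlib
import hmac
import json

SERVICE = "sap/appserver.example.com@EXAMPLE.COM"           # hypothetical SPN
KEYTAB = {SERVICE: b"constructed-long-term-service-key"}    # server's keytab
EXPIRED_SERVER_CCACHE = {"krbtgt/EXAMPLE.COM": {"endtime": 1000}}


def kdc_issue_service_ticket(service_key, client, service, endtime):
    """KDC side: seal a service ticket under the service's long-term key."""
    body = json.dumps({"client": client, "service": service,
                       "endtime": endtime}, sort_keys=True).encode()
    tag = hmac.new(service_key, body, hashlib.sha256).hexdigest().encode()
    return tag + b"." + body


def acceptor_validate(ticket, keytab, service, now, server_ccache=None):
    """Server side: accept an inbound service ticket.

    server_ccache (the server's own TGT cache) is a parameter only to make
    the point visible: nothing on the accept path ever reads it.
    """
    key = keytab.get(service)
    if key is None:
        raise PermissionError("no keytab entry for " + service)
    tag, _, body = ticket.partition(b".")
    expected = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(tag, expected):
        raise PermissionError("ticket not sealed with this service's key")
    fields = json.loads(body)
    if fields["service"] != service:
        raise PermissionError("ticket issued for a different service")
    if fields["endtime"] <= now:
        raise PermissionError("client's service ticket has expired")
    return fields["client"]


if __name__ == "__main__":
    t = kdc_issue_service_ticket(KEYTAB[SERVICE], "user@EXAMPLE.COM",
                                 SERVICE, endtime=5000)
    # The server's TGT expired at t=1000; the client's ticket is good to 5000.
    print(acceptor_validate(t, KEYTAB, SERVICE, now=2000,
                            server_ccache=EXPIRED_SERVER_CCACHE))
```
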
Take a look in your work process developer trace files (/usr/sap/<SID><instance>/work); you should see something along the lines of:
N GSS-API(min): No credentials cache found
...if the TGT renewal has expired. Also check your domain controllers' Event Viewer security logs for any errors.
Nelis