
SNC - An Invalid Name was supplied

Former Member

I am trying to get SNC (SSO) on the SAPGUI working. Currently we are testing on a LINUX server, against Windows AD domain, and then we will do similar configuration for Solaris servers. I have tried a variety of different names for snc/identity/as parameter and we continue to have problems. We believe the problem lies with the identity from what we're seeing.

No matter what I change this parameter to, the response is always the same, An invalid name was supplied. I do not understand this because I have checked my keytab and it has a name that matches the identity in it. I created a ticket before I ran startsap R3, I set the library path for the kerberos libraries in the <sid>adm environment. I authenticated my snc user from the linux server to the domain controller successfully. I verified my /etc/hosts file contained the domain controller, and I checked the krb5.conf file to see it had the right domain information. The domain admin validated the .conf file and resolve files were correct as well. As well, on the Windows client that's running the SAPGUI, we have a successful login message in the Event Log. BUT we get SNC Network Layer error that points to the invalid name error described below.

Is my syntax wrong? Below is the error found in the dev_w0 logs. Please note the syntax of the name AND the fact that the initiating credentials are available and have received a lifetime value from the system.

Edited by: David Harris on Apr 8, 2010 4:08 PM

Accepted Solutions (1)

Former Member

Turns out our last major problem was that even though the domain controller was on an updated service pack level, the ktpass utility was still from SP1. The SP1 version is the buggy one. As soon as it was updated, SNC started working! Thanks to all for your help!

Answers (3)

Former Member

When we try to generate our initial ticket this is what we receive.

#kinit -V -k SAPService<sid>.svc/dontcare@DOMAIN.COM

kinit(v5): Password incorrect while getting initial credentials

I've asked the domain admin to generate another keytab and validate the password is correct. Looks like we are very close now, we just need to get the initial credentials to load properly.

Edited by: David Harris on Apr 15, 2010 3:26 PM


Former Member

Federico,

What is the output of your krb5.conf? Ours is this:

pam = {
    debug = false
    ticket_lifetime = 36000
    renew_lifetime = 36000
    forwardable = true
    krb4_convert = false
    ccache_type = 4
    kdc_timesync = yes
}

At times we get hints of krb4 so the . in the principal name could become an issue. I'm wondering if the krb4_convert should be true?

Thanks as always,

Bill

Edited by: Bill Conklin on Apr 15, 2010 4:29 PM

Former Member

Hello Bill,

> What is the output of your krb5.conf?

Here it is:

pam = {
    ticket_lifetime = 1d
    renew_lifetime = 1d
    forwardable = true
    proxiable = false
    retain_after_close = false
    minimum_uid = 1
    try_first_pass = true
}

> I'm wondering if the krb4_convert should be true?

As you can see I'm not using any "krb4" parameter.

Federico Biavati

Former Member

Hi David,

> #kinit -V -k SAPService<sid>.svc/dontcare@DOMAIN.COM

is it correct that the service name ends with ".svc"? It sounds strange to me.

Here is the syntax in order to get your first TGT:

kinit -V -k <ServiceName>/<hostname_linux_server>.<domain_name>@<DOMAIN_NAME>

Federico Biavati

Former Member

We were able to generate a ticket. I validated that the ticket within the /tmp directory of <sid>adm matches the entry in our keytab. However when we start SAP we continue to receive the invalid name error. When we try to log into the system using SNC we see this error in the dev_w0 logs.

N *** ERROR => SncPEstablishContext()==SNCERR_GSSAPI [sncxxall.c 3352]

N GSS-API(maj): Unspecified GSS failure. Minor code may provide more information

N GSS-API(min): Decrypt integrity check failed

N Unable to establish the security context

M *** ERROR => ErrISetSys: error info too large [err.c 944]

M Thu Apr 15 13:53:04 2010

M LOCATION SAP-Server <sid>_<sid>_00 on host ss2 (wp 0)

M ERROR GSS-API(maj): Unspecified GSS failure. Minor code may provi

M GSS-API(min): Decrypt integrity check failed

M Unable to establish the security context

M TIME Thu Apr 15 13:53:04 2010

M RELEASE 700

M COMPONENT SNC (Secure Network Communication)

M VERSION 5

M RC -4

M MODULE sncxxall.c

M LINE 3352

M DETAIL SncPEstablishContext

M SYSTEM CALL gss_accept_sec_context

M ERRNO

M ERRNO TEXT

M DESCR MSG NO

M DESCR VARGS GSS-API(maj): Unspecified GSS failure. Minor code may provi;;;;

M ;;;;GSS-API(min): Decrypt integrity check failed;;;;

M ;;;;Unable to establish the security context

M DETAIL MSG N

M DETAIL VARGS

M COUNTER 5

N <<- ERROR: SncProcessInput()==SNCERR_GSSAPI

M *** ERROR => ThSncIn: SncProcessInput (SNCERR_GSSAPI) [thxxsnc.c 976]

M *** ERROR => ThSncIn: SncProcessInput [thxxsnc.c 981]

M in_ThErrHandle: 1

M *** ERROR => ThSncIn: SncProcessInput (step 4, th_errno 44, action 1, level 1) [thxxhead.c 10534]

Former Member

> M GSS-API(min): Decrypt integrity check failed

After attempting a logon, what service tickets are listed with the MS ktutil.exe or kerbtray on the SAP GUI side? Does the entry match the server SNC name? Does the case match? Does the version number match the version number in the keytab?

Former Member

The .svc is a requirement our domain admin has for the type of userid we have. We are checking through the different logs to see if there is a key problem or some sort of mismatch going on now.

Thanks for the help!

Former Member

@Kyle --

When I run Kerbtray on the client, the only ticket I see that would have anything to do with this is krbtgt@<UPPERCASE REALM>, it's listed twice.

Here's the thing: In the Security Event Log on the client (W2K3 Citrix server with SAPGUI installed), we get a successful login, using my network id, under Event ID 552:

Logon attempt using explicit credentials:

Logged on user:

User Name: <My network id>

Domain: DOMAIN

Logon ID: (0x0,0x2BDCE5E)

Logon GUID: {7978d3d6-561e-1680-1aca-df051c612917}

User whose credentials were used:

Target User Name: <My network id>

Target Domain: FQDN of our AD domain

Target Logon GUID: {51cdc69c-4de2-deb0-8ea2-5f474bb8620a}

Target Server Name: dontcare

Target Server Info: SAPServiceSID.svc/dontcare

Caller Process ID: 652

Source Network Address: -

Source Port: -

In the dev_w0 log we get what David posted earlier, about the invalid name BUT the message still ends with "SNC enabled". So since we do not know exactly what name was invalid, this morning we changed the snc/identity/as and saw the message change to something like:

SNC name doesn't match what's in the keytab.

So that tells us that when we get the Invalid Name error, the SAP system is comparing the snc/identity/as name to what's in the keytab. Since previously the snc/identity/as and the name in the keytab matched, the Invalid Name message must have had to do with THAT name. SO by getting the message to change with a different snc/identity/as name, it must be that either the formatting of the snc/identity/as name is incorrect OR that the .svc is causing problems. I think the latter.

Kerberos IV used periods to separate things in the names it dealt with. And a lot of standards are created off of previous ones so now I could easily see where Kerb V would have a problem with a period in a name.

Does this theory make sense to anyone else?

Bill

Former Member

When I run Kerbtray on the client, the only ticket I see that would have anything to do with this is krbtgt@<UPPERCASE REALM>, it's listed twice.

The TGTs are irrelevant (other than letting us know that two domains are involved). Immediately after getting the "Decrypt integrity check failed" there will be a service ticket on the client that you can view with Kerbtray. If it is difficult to find because there are too many tickets, purge the tickets (right click kerbtray), lock and unlock the screen, then try SAP GUI again before looking for the ticket.

Former Member

Once we matched up the encryption types that error seemed to clear up. The more we test the more think the .svc is causing problems. We are working with the domain admin to remove the .svc.

Former Member

Ok Gentlemen, we're back...

We've actually progressed quite a bit since our last posting. We have SNC enabled on the R3 server with initiating and accepting credentials, all looks good there.

On the client we have the SAPGUI set up for SNC but now get Security Network Layer (SNC) error when trying to log on to SAP. We set the client for Authentication Only.

From the client we can run a successful GSSTEST using either sncgss32.dll or gsskrb5.dll as either SAPServiceSID/dom.ain@DOM.AIN or as a user sidadm@DOM.AIN.

We ONLY get tickets to the client when we run GSSTEST. When we log into Windows, we don't get a ticket automatically.

From the Linux server, when we run kinit, we have no problem authenticating and thereby getting a ticket for the credential cache.

When we try to log into R3, in the dev_w0 log we get:

GSS-API(maj): Unspecified GSS failure. Minor code may provide more information

N GSS-API(min): Unknown code krb5 181

N Unable to establish the security context

A Kerberos error 181 is KRB5_KT_NOTFOUND: Key table entry not found

Occasionally we get Kerberos error 31, which is KRB5KRB_AP_ERR_BAD_INTEGRITY: Decrypt integrity check failed. I'm not as concerned about this one. I'd like to push through the 181 though.

As we are learning more about this:

The SAPService<SID> user id/SPN is more for Windows services running a SAP system and is the id of the account that starts the SAP service on the Windows server. What is the equivalent in Linux??? We run Linux in Dev and Solaris in Prod.

In SAP under SU01 we had to create an alias for that user as it would only accept characters up to SAPService. Not sure if the alias is a problem or not.

So in a nutshell:

We have Kerberos working, we have a keytab, we have a credential cache, we have tickets on the client. GSSTEST runs successfully, we can't log into SAP.

Any ideas? Would be greatly appreciated.

Bill

Former Member

Hello Bill,

We have Kerberos working, we have a keytab, we have a credential cache, we have tickets on the client. GSSTEST runs successfully, we can't log into SAP.

Any ideas? Would be greatly appreciated.

Here are my 2 cents:

Did you check the time synchronization between your SAP System, your AD server(s) and your Windows client?

The Kerberos protocol marks every ticket as invalid which has more than 2 minutes (by default) time difference based on the server time.

Did you schedule the automatic renewal of the Kerberos ticket on your SAP System?

The easier way is to set up a cron job as SIDadm.

How did you setup your Instance profile?

Here are the parameters that I'm using:

snc/gssapi_lib value: /usr/lib64/libgssapi_krb5.so

snc/identity/as value: p/krb5:SAPServicePRD/dontcare@MYDOMAIN.COM

snc/enable value: 1

snc/permit_insecure_start value: 1

snc/data_protection/use value: 3

snc/data_protection/max value: 3

snc/data_protection/min value: 1

snc/accept_insecure_r3int_rfc value: 1

snc/accept_insecure_gui value: 1

snc/accept_insecure_rfc value: 1

snc/accept_insecure_cpic value: 1

Are you using Windows XP or Vista/7?

On 7 there is a little trick to perform, if you want to use the kerberos authentication.

By the way, my clients are using the "Maximum Security Settings Available" setting.

Regards,

Federico Biavati

Former Member

Did you check the time synchronization between your SAP System, your AD server(s) and your Windows client?

The Kerberos protocol marks every ticket as invalid which has more than 2 minutes (by default) time difference based on the server time.

Yes, they are all within seconds of each other.

Did you schedule the automatic renewal of the Kerberos ticket on your SAP System?

The easier way is to set up a cron job as SIDadm.

We have not yet, we are renewing the tickets manually and making sure we're not working with expired ones.

How did you setup your Instance profile?

Here are the parameters that I'm using:

snc/gssapi_lib value: /usr/lib64/libgssapi_krb5.so

snc/identity/as value: p/krb5:SAPServicePRD/dontcare@MYDOMAIN.COM

snc/enable value: 1

snc/permit_insecure_start value: 1

snc/data_protection/use value: 3

snc/data_protection/max value: 3

snc/data_protection/min value: 1

snc/accept_insecure_r3int_rfc value: 1

snc/accept_insecure_gui value: 1

snc/accept_insecure_rfc value: 1

snc/accept_insecure_cpic value: 1

Ours match yours.

Are you using Windows XP or Vista/7?

XP

BTW, we have gotten rid of the 181 error. Not sure exactly how, I had our admins do a new keytab under a different user and I also had them delete the old user. I think there was too much going on there with users over the course of this. So we now have a single, stable user that has the SPN mapped to it.

The error now is the code 31 I mentioned before, which is KRB_AP_ERR_BAD_INTEGRITY (Integrity check on decrypted field failed)

Any other ideas?

Former Member

Upon further review today, this is what I'm theorizing:

At no time do we get a ticket from Kerberos. We use Kerbtray to verify that. Once I run gsstest, we get a ticket but I believe the error 31 is because that ticket's creation wasn't initiated by the SNC library on the client.

Make sense?

Former Member

I'd like to ask a couple of questions of my own:

Does anyone have this working (Linux SAP App server, Windows 2003 AD domain, and SAPGUI)?

If so, how is your snc/identity/as name formatted? Pls give an example

What is the output of your kinit command? How is THAT name formatted and does it match the snc/identity/as?

What was the formatting of the setspn and ktpass commands? Pls give exactly what you typed, with substitutes for your own values. Pls don't give us the formatted response that's in all the documentation out there, that is the stuff that's not working....

Thanks in advance.

Bill

Former Member

Hello Bill,

> Does anyone have this working (Linux SAP App server, Windows 2003 AD domain, and SAPGUI)?

That is my exact configuration.

I have SAP R/3 4.7 Ext2 and SAP ECC 6.0 EhP4 systems; both of them are running on SuSE Linux Enterprise 10 64-bit SP2

I have a Windows 2003 32-bit AD Domain and my clients are Windows XP SP2 with SAPGui version 7.10 (Patch Level 15).

> If so, how is your snc/identity/as name formatted? Pls give an example

Here it is:

snc/identity/as p/krb5:SAPServicePRD/dontcare@MYDOMAIN.COM

!!!!! without spaces before and after the "@" symbol !!!!!

where:

"MYDOMAIN.COM" is my AD Domain

and "PRD" is my SAP SID

> What is the output of your kinit command? How is THAT name formatted and does it match the snc/identity/as?

here is the kinit command: kinit -V -k SAPServicePRD/dontcare@MYDOMAIN.COM

here is the output: Authenticated to Kerberos v5

> What was the formatting of the setspn and ktpass commands? Pls give exactly what you typed, with substitutes for

> your own values.

C:\>setspn -A SAPServicePRD/dontcare MYDOMAIN\SAPServicePRD

C:\>ktpass -princ SAPServicePRD/dontcare@MYDOMAIN.COM -mapuser MYDOMAIN\SAPServicePRD -crypto DES-CBC-MD5 -ptype KRB5_NT_PRINCIPAL -mapop set +desonly -pass ******** -out SAPServicePRD.keytab

> Pls don't give us the formatted response that's in all the documentation out there, that is the stuff that's not working....

That worked for me... but if you have questions feel free to ask.

Just for your info, I just adapted this whitepaper to my needs:

http://www.realtech.com/wInternational/sap-consulting/sap-technologie/sap-identity-managementW3Dnavi...

Thanks,

Federico Biavati

Former Member

Federico, thank you for that invaluable information. We've turned the information over to our domain admins. In the meantime, I would like a couple of more things:

1) In the SAPGUI, under the SNC tab, how is your SNC name typed?

2) On the SAP server, how is the name typed under the SNC user account properties?

3) What libraries are you using on the Linux server and on the front end client?

We've referenced the Realtech document you linked to and decided that it is a good reference. Our problem has been that when we've tried something and it didn't work, there are 15 different answers out there to resolve it. We've been working on this long enough that now it's all become a blur and confusing so we decided we needed to get point blank answers, which you are providing and we appreciate it much!

Thanks again,

Bill

Former Member

Hello Bill,

> 1) In the SAPGUI, under the SNC tab, how is your SNC name typed?

SNC Name: p/krb5:SAPServicePRD/dontcare@MYDOMAIN.COM

(Again, without spaces around the "@" symbol)

And I selected "Maximum Security Settings Available"

> 2) On the SAP server, how is the name typed under the SNC user account properties?

SNC Name: p:fbiavati@MYDOMAIN.COM

Where "fbiavati" is my domain account

> 3) What libraries are you using on the Linux server

I'm using the "MIT Kerberos5 Implementation - client programs" (start "yast" and choose "Software" - "Software Management")

Further packages that I needed to install are:

pam_krb5

pam_krb5_32bit

If you enable Kerberos from Yast ("Yast" - "Network Services" - "Kerberos Client": choose "Use Kerberos" and "Finish") the 2 "pam_krb5*" packages will be automatically installed.

> and on the front end client?

I'm using the "gsskrb5.dll" library, which I moved into the directory %windir%\system32

After that I had to add the system variable SNC_LIB with the value "gsskrb5.dll".

You can use the installer file "SAPSSO.MSI" that you find attached to the note:

"Note 595341 - Installation issues with Single Sign-On and SNC"

> We've referenced the Realtech document you linked to and decided that it is a good reference. Our problem has

> been that when we've tried something and it didn't work, there are 15 different answers out there to resolve it.

Yes, I know that. As I said, I had to adapt that document to my needs..... but it's a very good starting point.

> We've been working on this long enough that now it's all become a blur and confusing so we decided we needed to

> get point blank answers, which you are providing and we appreciate it much!

Good to know; let me know if you need further help.

Thanks,

Federico Biavati

Former Member

N SncInit(): Initializing Secure Network Communication (SNC)

N AMD/Intel x86_64 with Linux (st,ascii,SAP_UC/size_t/void* = 16/64/64)

N SncInit(): found snc/data_protection/max=1, using 1 (Authentication Level)

N SncInit(): found snc/data_protection/min=1, using 1 (Authentication Level)

N SncInit(): found snc/data_protection/use=1, using 1 (Authentication Level)

N SncInit(): found snc/gssapi_lib=/usr/local/lib/libgssapi_krb5.so

N File "/usr/local/lib/libgssapi_krb5.so" dynamically loaded as GSS-API v2 library.

N The internal Adapter for the loaded GSS-API mechanism identifies as:

N Internal SNC-Adapter (Rev 1.0) to Kerberos 5/GSS-API v2

N *** ERROR => SncPSetNewName()==SNCERR_PLAUSI [sncxx*.c 2489]

N GSS-API(maj): An invalid name was supplied

N Cleanup: trying to release GSSAPI internal name

N gss_name_t="ptr: 0x1b53d780"

N SncInit(): found snc/identity/as=p:SAPService<SID>.svc(@DOMAIN.TEST.TEST.COM)

N *** ERROR => SncPNameFromCred()==SNCERR_PLAUSI [sncxx*.c 2553]

N GSS-API(maj): An invalid name was supplied

N Cleanup: trying to release GSSAPI internal name

N gss_name_t="ptr: 0x1b53fb80"

N SncInit(): Accepting Credentials available, lifetime=Indefinite

N *** ERROR => SncPNameFromCred()==SNCERR_PLAUSI [sncxx*.c 2553]

N GSS-API(maj): An invalid name was supplied

N Cleanup: trying to release GSSAPI internal name

N gss_name_t="ptr: 0x1b53f3a0"

N SncInit(): Initiating Credentials available, lifetime=09h 02m 16s

M ***LOG R1Q=> 1& [thxxsnc.c 259]

M SNC (Secure Network Communication) enabled

Former Member

One area I am stilling looking at is the SPN scripts that were run on the domain. I think that may be part of the problem as well.

C:\temp>setspn -A SAPService<SID>.svc/domain.test.test.com SAPService<SID>.svc

Registering ServicePrincipalNames for CN=SAP SA <SID>,OU=Service Accounts,DC=domain,DC=test,DC=test,DC=com

SAPService<SID>.svc/domain.test.test.com

Updated object

C:\temp>ktpass /princ SAPService<SID>.svc(@DOMAIN.TEST.TEST.COM) -mapuser SAPService<SID>.svc@DOMAIN.TEST.TEST.COM /pass (password) /out krb5.keytab -ptype KRB5_NT_PRINCIPAL +DesOnly

Targeting domain controller: testserver.domain.test.test.com

Failed to set property "servicePrincipalName" to "SAPService<SID>.svc" on Dn "CN=SAP SA <SID>,OU=Service Accounts,DC=domain,DC=test,DC=test,DC=com": 0x13.

WARNING: Unable to set SPN mapping data.

If SAPService<SID>.svc already has an SPN mapping installed for SAPService<SID>.svc, this is no cause for concern.

Key created.

Output keytab to krb5.keytab:

Keytab version: 0x502

keysize 67 SAPService<SID>.svc(@DOMAIN.TEST.TEST.COM) ptype 1 (KRB5_NT_PRINCIPAL) vno 2 etype 0x17 (RC4-HMAC) keylength 16 (0xae974876d974abd805a989ebead86846)

Account SAPService<SID>.svc has been set for DES-only encryption.

So the major question is: What do you see wrong with what we're doing here and how should we correct it?

I had to put the (DOMAIN) around the domain name examples because the posting thought I had an email address in the message. The () were actually not included in the error and script messages.

Former Member

Hi David,

I've never seen a "SNCERR_PLAUSI" error before. Since you're using an unsupported GSS-API library, my first guess would be to run gsstest against it.

ftp://ftp.sap.com/pub/ietf-work/gssapi/gsstest/

If your environment needs to be supported, there are several certified 3rd party SNC solutions on the EchoHub that specialize in AD Kerberos integration for Unix/Linux.

Thanks,

Kyle

Former Member

Thank you for the advice, I'll run the test against our configuration. I am aware that the SNC configuration from Linux or Solaris to Windows is not a supported solution and that SAP recommends third party software to handle this. I have told my client this as well, but at this time additional software spending is not in the cards.

Edited by: David Harris on Apr 9, 2010 2:46 PM

nelis
Active Contributor

Hi David,

type 0x17 (RC4-HMAC) keylength 16 (0xae974876d974abd805a989ebead86846)

Account SAPService<SID>.svc has been set for DES-only encryption.

Your encryption/cipher doesn't look correct. You didn't specify it on the command line so it appears to be using RC4-HMAC (probably as default) when it should be using DES-CBC-MD5 since you have the SPN set to use DES-only. Try re-exporting the keytab with the option -crypto DES-CBC-MD5.

Nelis
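Kyle's checklist earlier in the thread (does the ticket name match the server SNC name, does the case match, does the version number match the keytab) and Nelis's point about an RC4-HMAC key on an account set to DES-only can both be checked against the keytab file itself rather than by eye. The Python below is an added example, not code from this thread or from SAP or MIT: it parses an MIT-format keytab (the "Keytab version: 0x502" that ktpass printed), splits an snc/identity/as value of the two forms seen above (p/krb5:... and p:...), and reports a missing or case-mismatched principal, or an enctype that a +DesOnly account cannot use. The keytab bytes and key material are constructed here with dummy values; the enctype numbers are from the IANA Kerberos registry, and the principal, realm and kvno values are the thread's own placeholders.

```python
import struct

# Kerberos enctype numbers (IANA registry). 23 (0x17) is the RC4-HMAC key
# the ktpass run above wrote; 3 is the DES-CBC-MD5 Nelis recommends instead.
ENCTYPES = {1: "des-cbc-crc", 3: "des-cbc-md5", 16: "des3-cbc-sha1",
            17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96",
            23: "rc4-hmac"}
DES_ONLY = {1, 3}
KRB5_NT_PRINCIPAL = 1          # the "ptype 1" in the ktpass output

def _counted(data, off):
    """Read one 16-bit-length-prefixed octet string; return (bytes, new off)."""
    (n,) = struct.unpack_from(">H", data, off)
    return data[off + 2:off + 2 + n], off + 2 + n

def parse_keytab(data):
    """Parse a version 0x0502 (big-endian) keytab into a list of entry dicts."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a 0x0502 keytab: %r" % data[:2])
    entries, off = [], 2
    while off < len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size < 0:               # deleted slot: skip abs(size) bytes
            off -= size
            continue
        end = off + size
        (ncomp,) = struct.unpack_from(">H", data, off)
        realm, off = _counted(data, off + 2)
        comps = []
        for _ in range(ncomp):
            comp, off = _counted(data, off)
            comps.append(comp.decode())
        name_type, _stamp, vno8 = struct.unpack_from(">IIB", data, off)
        enctype, keylen = struct.unpack_from(">HH", data, off + 9)
        off += 13
        key, off = data[off:off + keylen], off + keylen
        kvno = vno8
        if end - off >= 4:         # optional 32-bit kvno, used when nonzero
            kvno = struct.unpack_from(">I", data, off)[0] or vno8
        entries.append({"principal": "/".join(comps), "realm": realm.decode(),
                        "name_type": name_type, "kvno": kvno,
                        "enctype": enctype, "key": key})
        off = end
    return entries

def build_keytab(entries):
    """Serialise entry dicts (same shape parse_keytab returns) as 0x0502 bytes."""
    out = bytearray(b"\x05\x02")
    for e in entries:
        comps = e["principal"].split("/")
        body = struct.pack(">H", len(comps))
        body += struct.pack(">H", len(e["realm"])) + e["realm"].encode()
        for comp in comps:
            body += struct.pack(">H", len(comp)) + comp.encode()
        body += struct.pack(">IIB", KRB5_NT_PRINCIPAL, 0, e["kvno"] & 0xFF)
        body += struct.pack(">HH", e["enctype"], len(e["key"])) + e["key"]
        body += struct.pack(">I", e["kvno"])      # 32-bit kvno trailer
        out += struct.pack(">i", len(body)) + body
    return bytes(out)

def parse_snc_name(snc_name):
    """Split 'p/krb5:SAPServicePRD/dontcare@MYDOMAIN.COM' (or the shorter
    'p:' form from the dev_w0 log) into (principal, realm)."""
    for prefix in ("p/krb5:", "p:"):
        if snc_name.startswith(prefix):
            principal, sep, realm = snc_name[len(prefix):].rpartition("@")
            if sep and principal and realm:
                return principal, realm
    raise ValueError("not a Kerberos SNC name: %r" % snc_name)

def check_keytab(data, snc_name, des_only=False):
    """List what is wrong between keytab and SNC name: principal missing,
    principal differing only in case, or an enctype a +DesOnly account has
    no key for. Returns [] when everything matches."""
    principal, realm = parse_snc_name(snc_name)
    entries = parse_keytab(data)
    hits = [e for e in entries if (e["principal"], e["realm"]) == (principal, realm)]
    if not hits:
        near = [e for e in entries if e["principal"].lower() == principal.lower()
                and e["realm"].lower() == realm.lower()]
        if near:
            return ["principal differs only in case: keytab has %s@%s"
                    % (near[0]["principal"], near[0]["realm"])]
        return ["no keytab entry for %s@%s" % (principal, realm)]
    return ["kvno %d uses %s but the account is DES-only"
            % (e["kvno"], ENCTYPES.get(e["enctype"], e["enctype"]))
            for e in hits if des_only and e["enctype"] not in DES_ONLY]

# Constructed sample keytabs with dummy key bytes (no real key material).
SNC_NAME = "p/krb5:SAPServicePRD/dontcare@MYDOMAIN.COM"
KEYTAB_RC4 = build_keytab([{"principal": "SAPServicePRD/dontcare", "realm": "MYDOMAIN.COM",
                            "kvno": 2, "enctype": 23, "key": b"\xae\x97" * 8}])
KEYTAB_DES = build_keytab([{"principal": "SAPServicePRD/dontcare", "realm": "MYDOMAIN.COM",
                            "kvno": 3, "enctype": 3, "key": b"\x01\x02" * 4}])

if __name__ == "__main__":
    for label, keytab in (("rc4 keytab", KEYTAB_RC4), ("des keytab", KEYTAB_DES)):
        print(label, check_keytab(keytab, SNC_NAME, des_only=True) or "OK")
```

Against a real file, call check_keytab(open("/path/to/krb5.keytab", "rb").read(), snc_identity_as, des_only=True) as <sid>adm before starting the instance; a non-empty list is the kind of mismatch that in this thread surfaced only later as "Decrypt integrity check failed" or "Key table entry not found" in dev_w0. The comparison is deliberately case-sensitive, which is the first thing Kyle asked about, and the kvno is read the way MIT does it (the 8-bit field, overridden by the 32-bit trailer when present and nonzero) so it can be compared with the "vno" that ktpass prints.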

Former Member

Thanks Nelis, I've asked the domain admin to add this to our script when generating the keytab.