Application Development Discussions

LDAP under SNC environment with Microsoft AD on NW 7.0

Former Member

Hi,

I have configured LDAP on the NW 7.0 WebAS ABAP stack to work with Microsoft 2008 Active Directory. After configuring LDAP I am able to sync users from AD to the SAP database, and of course all the users from AD have been created in the SAP database after executing the report. But the problem is that all the users are created without a password in the SAP database.

When I researched, I found that we cannot map passwords to users in WebAS ABAP from AD. For that to work I have to configure SNC in the same system for secure communication without a password. Using config docs and help.sap.com I have configured SNC on the same NetWeaver system where I have configured LDAP.

Now my questions are:

1. How do I confirm that the configured SNC is working fine and that the configuration is correct?

2. How do I integrate LDAP to work in an SNC environment with Microsoft AD?

According to SAP Note 505296, when I give SNC data in the LDAP RFC the connection fails with the error "Error Details SNC disabled for conversation 66505689, tp = LDAP_Host name / CPIC-CALL: 'ThSAPC"

and as per the note I can't find ldap_rfc.cfg in the kernel directory or in any other location to add the L= .. option.

Also, please suggest which SNC name I should mention in the SM59 SNC data for the LDAP RFC connection.

We are using NetWeaver 7.0 with ABAP+JAVA stacks on Windows 2003 Server with an MS-SQL Server database. Please suggest the next step to make LDAP work and how to solve the RFC error when SNC data is activated in SM59. Does this require any additional configuration?

Thanks,

Ajay.

1 ACCEPTED SOLUTION

tim_alsop
Active Contributor

Answers below:

1. Check the dev_w0 log file in the work directory to see whether SNC initialized during work process startup. You should see a message for initiating credentials and one for accepting credentials.

2. Make sure you use an SNC library that uses the Kerberos protocol.

Note: LDAP is not a cryptographic protocol, but Kerberos is. You will not find an LDAP-capable SNC library, but you will find a Kerberos SNC library. Active Directory accepts LDAP authentication and also Kerberos authentication.

Before you work on RFC connections using SNC, I suggest you get SNC to work with SAP GUI logon. Once this is working you will be able to configure the SNC name in the RFC destination for server-to-server configuration.

Thanks,

Tim
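As an added example (not part of Tim's answer and not an SAP tool), here is a small Python checker that applies step 1 to a dev_w0 excerpt: it looks for the two SncInit() credential lines and the "SNC (Secure Network Communication) enabled" line and reports which of them are missing. The sample log text is constructed from the excerpt that appears later in this thread; the second, negative excerpt and the wording of the findings are my own assumptions. Accepting credentials are what the server needs to accept inbound SNC connections (e.g. SAP GUI), initiating credentials are what it needs to open outbound SNC connections (e.g. RFC destinations).

```python
import re

# Constructed sample: the lines the poster quoted from dev_w0, including the
# CCMS noise that follows them.
SNC_OK_LOG = """\
N SncInit(): Accepting Credentials available, lifetime=242753h 53m 41s
N SncInit(): Initiating Credentials available, lifetime=242753h 53m 41s
M ***LOG R1Q=> 1& [thxxsnc.c 259]
M SNC (Secure Network Communication) enabled
M CCMS: AlInitGlobals : alert/use_sema_lock = TRUE.
"""

# Constructed negative sample (assumption): a work process where SNC never
# initialised, so none of the three marker lines appear.
SNC_MISSING_LOG = """\
M CCMS: AlInitGlobals : alert/use_sema_lock = TRUE.
G rscpSetKernelHooks: RSCP and CCC cache was already used.
"""

_CRED_RE = re.compile(
    r"SncInit\(\): (Accepting|Initiating) Credentials available, "
    r"lifetime=(\d+)h (\d+)m (\d+)s"
)
_ENABLED_RE = re.compile(r"SNC \(Secure Network Communication\) enabled")


def parse_snc_init(log_text):
    """Return which SNC startup markers a dev_w0 excerpt contains.

    'accepting' / 'initiating' hold the credential lifetime in seconds when
    the corresponding SncInit() line was seen, otherwise None.
    """
    result = {"accepting": None, "initiating": None, "enabled": False}
    for line in log_text.splitlines():
        m = _CRED_RE.search(line)
        if m:
            kind, hours, minutes, seconds = m.groups()
            result[kind.lower()] = int(hours) * 3600 + int(minutes) * 60 + int(seconds)
        elif _ENABLED_RE.search(line):
            result["enabled"] = True
    return result


def snc_startup_problems(log_text):
    """List findings for the excerpt; an empty list means startup looked healthy."""
    r = parse_snc_init(log_text)
    problems = []
    if r["accepting"] is None:
        problems.append("no 'Accepting Credentials available' line: "
                        "the server cannot accept inbound SNC connections")
    if r["initiating"] is None:
        problems.append("no 'Initiating Credentials available' line: "
                        "the server cannot open outbound SNC connections (RFC)")
    if not r["enabled"]:
        problems.append("no 'SNC (Secure Network Communication) enabled' line: "
                        "SNC was not activated for this work process")
    return problems


def snc_startup_ok(log_text):
    """True only if both credential types were acquired and SNC was enabled."""
    return snc_startup_problems(log_text) == []


if __name__ == "__main__":
    for label, text in (("posted excerpt", SNC_OK_LOG),
                        ("constructed negative", SNC_MISSING_LOG)):
        print(label, "->", "OK" if snc_startup_ok(text) else snc_startup_problems(text))
```

In practice you would read the real file (e.g. the dev_w0 in the instance work directory) and pass its contents to snc_startup_problems(); a clean result confirms the library loaded and acquired credentials, but it does not tell you which mechanism (Kerberos or X.509) the library implements, which is the point Tim raises next.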

13 REPLIES

Former Member

Hi Tim,

The following is part of the dev_w0 log:

N SncInit(): Accepting Credentials available, lifetime=242753h 53m 41s
N SncInit(): Initiating Credentials available, lifetime=242753h 53m 41s
M ***LOG R1Q=> 1& [thxxsnc.c 259]
M SNC (Secure Network Communication) enabled
M CCMS: AlInitGlobals : alert/use_sema_lock = TRUE.
G rscpSetKernelHooks: RSCP and CCC cache was already used.
G CCC cache of type 'malloc ' with 6000000 bytes.
G Provisional CCC cache will be removed now.

Does this mean the configured SNC is working fine? Or is there any other way to test/confirm?

I have used exactly the same procedure as in the link below, using the cryptographic library from the Service Marketplace.

http://developers.sun.com/docs/javacaps/configuring/jcapscfgsnetsap.ggrqn.html

If SNC uses the Kerberos protocol, then is LDAP not required with AD for users to log on or to sync into the DB?

This is my first time configuring SNC. Please also tell me, if possible, what to do in SU01 once SNC is configured. When we give SNC data (canonical name) in SU01, how does it work?

Thanks,

Ajay.

tim_alsop
Active Contributor

Hi

Your SNC has initialised correctly, but you are using the cryptographic library for SNC, which uses X.509 certificates, not Kerberos. You need to configure the Kerberos SNC library instead if you want to use AD authentication to log on to SAP.

Thanks,

Tim

Former Member

Hi Tim,

Please provide answers to the following questions:

1. Where can I get the Kerberos library?

2. How can I download the Kerberos library, and is the procedure to configure SNC the same with this one as well?

3. Don't we require LDAP when I use the Kerberos library?

4. Then what is the need for the cryptographic library? Where is it applicable?

Thanks,

Ajay.

tim_alsop
Active Contributor

> Hi Tim,
>
> Please provide answers to the following questions:
>
> 1. Where can I get the Kerberos library?

You can download the SAP library from the SAP website or FTP server. The SAP note which explains how to do this setup (not sure of the number) will give details of where to get the library from. This library is only available from SAP if you are using SAP on Windows. If you are using SAP on UNIX or Linux, then you need to get a product from an SAP partner instead.

> 2. How can I download the Kerberos library, and is the procedure to configure SNC the same with this one as well?

The procedure is not the same, since a different protocol is used.

> 3. Don't we require LDAP when I use the Kerberos library?

You can use LDAP for synchronising the user data with MS AD, but LDAP sync will not sync the password, so SNC is needed to authenticate users when they log on to SAP, and when this is done the SAP password is not used.

> 4. Then what is the need for the cryptographic library? Where is it applicable?

The SAP crypto library can be used for SNC between SAP servers when no integration with MS AD is required. When you want to use MS AD authentication, the X.509 SNC library from SAP is not that useful.

> Thanks,
>
> Ajay.

Former Member

Hi Tim,

When I searched SDN and help.sap.com I found that the cryptographic library is for the following: "This approach is suitable for both initial authentication as well as subsequent SSO to any systems that support client certificate authentication", whereas Kerberos SNC is only for initial authentication. So it should work with the cryptography library also, according to that document.

I have set the SNC_LIB and SECUDIR environment variables on the front end where SAP GUI is installed, and when I try to log in I get an error like:

"GSS-API(maj): No credentials were supplied
GSS-API(min): No credentials found for this name (not logged on) (User Couldn't acquire DEFAULT INITIATING Credentials"

I have copied all the files from the application server to the front end for those environment variables; it is still not working.

Which SNC name should I mention in SU01? (Is that the user DN, the SNC name in STRUST, or something else?)

And which SNC name should I mention in the SAP GUI? (Is that the user DN, the SNC name in STRUST, or something else?)

Please answer these questions and suggest anything else needed to make it work. Is there any document for Kerberos?

Thanks,

Ajay.

tim_alsop
Active Contributor

Ajay,

The crypto library included in SAP NetWeaver is not usable for SAP GUI SSO. This is due to the fact that you would need to install this library on each workstation where SAP GUI is running, and you would need to have a client certificate for each user, which normally requires a PKI; it is also because the library is not owned by SAP, as it is OEMed from a company called SECUDE. The agreement does not allow it to be used for SSO, so if you want to use client certificates for SSO with SAP GUI, and hence use the crypto library, you need to buy the SECUDE product. If you want to use Active Directory authentication (e.g. Kerberos) then you need to use an SNC library on the workstations and also on the server which supports/uses the Kerberos protocol, and then SNC names will be of the format p:user@UPPER_CASE_DOMAIN_NAME for users, but services like SAP NetWeaver will have an SNC name like p:sap<SID>/<hostname>@UPPER_CASE_DOMAIN_NAME

Thanks,

Tim

Former Member

Hi Tim,

Thank you for the clarification. I will try with the Kerberos library and update you with the result. With Kerberos, do we still need the Kerberos library installed on the clients/SAP GUI workstations? One more thing: our system users SIDadm and SAPServiceSID are both local users, not domain users. So how can I use these users' DNs as SNC names? The server is in the domain, though, so how could I represent the SNC name? Does p:SAPServiceSID/Host-at-domain.com work?

Is there any help available on the configuration steps with the Kerberos library?

Thanks,

Ajay

tim_alsop
Active Contributor

> Hi Tim,
>
> Thank you for the clarification. I will try with the Kerberos library and update you with the result. With Kerberos, do we still need the Kerberos library installed on the clients/SAP GUI workstations?

Yes, an SNC library supporting the same protocol is required on both client and server.

> One more thing: our system users SIDadm and SAPServiceSID are both local users, not domain users. So how can I use these users' DNs as SNC names?

When using Kerberos, there is no DN; instead the Kerberos principal name is used. But if the user is not a domain user, it is not possible to use the SNC library from SAP. You either need to change SAP to use a domain user, or use a different SNC library that does not have this restriction.

> The server is in the domain, though, so how could I represent the SNC name? Does p:SAPServiceSID/Host-at-domain.com work?

No - see the previous comment above.

> Is there any help available on the configuration steps with the Kerberos library?

Probably - I am more familiar with our own SNC library, not the one from SAP.

> Thanks,
>
> Ajay

Former Member

As per your reply, the possible way is:

1. We have to create the same user SAPServiceSID in Microsoft AD and then start the configuration, correct? Does this work if we create it now, rather than during system installation?

You mentioned p:sap<SID>/<hostname>@UPPER_CASE_DOMAIN_NAME in a previous post. When the user is a domain user, why mention the host name like sapSID/hostname? Does AD recognise this representation? Can we directly use sapSID@UPPER_CASE_DOMAIN_NAME?

2. We have one domain test user ID, or let's say my own domain ID. So can I use this ID for the SNC Kerberos config as the SNC name? If yes, how could I represent the SNC name? Do I need to change something like, in Services, the SAP service to run under my own ID instead of SAPServiceSID? Anything else?

Is there any other way for me to start the SNC configuration with the Kerberos library if the above doesn't work? Please clarify.

Thanks,

Ajay.

tim_alsop
Active Contributor

> As per your reply, the possible way is:
>
> 1. We have to create the same user SAPServiceSID in Microsoft AD and then start the configuration, correct? Does this work if we create it now, rather than during system installation?

I don't know the answer. I only know how to make our own product work, and this does not require the server to be joined to the domain, or for SAP to be started using a domain user account.

> You mentioned p:sap<SID>/<hostname>@UPPER_CASE_DOMAIN_NAME in a previous post. When the user is a domain user, why mention the host name like sapSID/hostname? Does AD recognise this representation? Can we directly use sapSID@UPPER_CASE_DOMAIN_NAME?

I mentioned the instance part of the principal name (e.g. hostname) since I am more used to our product, which uses a Kerberos service principal name, and not a user account principal name. If you are using the SAP SNC library on Windows, then it uses user-to-user authentication, so the SAP application has a user account, so it would be user@REALM as you suggest.

> 2. We have one domain test user ID, or let's say my own domain ID. So can I use this ID for the SNC Kerberos config as the SNC name? If yes, how could I represent the SNC name? Do I need to change something like, in Services, the SAP service to run under my own ID instead of SAPServiceSID? Anything else?

I doubt it. I suggest you find the documentation for the SNC library you are using and follow the steps.

> Is there any other way for me to start the SNC configuration with the Kerberos library if the above doesn't work? Please clarify.

You have two options. Firstly, you can use the SNC library from SAP if (a) SAP is on Windows, and (b) the SAP server is joined to the domain and SAP is started using a domain user account. Secondly, you can use a third-party SNC library which supports the operating system you are running SAP on, e.g. Windows, UNIX or Linux.

> Thanks,
>
> Ajay.
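As an added example (mine, not Tim's code and not part of any SNC library), the following Python snippet makes the SNC name formats from the two replies above concrete: the Kerberos forms p:user@UPPER_CASE_DOMAIN_NAME (users, and the user-to-user form for the SAP Windows library's service account) and p:sap<SID>/<hostname>@UPPER_CASE_DOMAIN_NAME (a Kerberos service principal, the form a third-party library uses), contrasted with the X.509 distinguished-name form p:CN=..., O=..., C=.. that the poster kept confusing them with. The regular expressions, the checks and all sample names (domain corp.example.com, SID DEV, host sapdev01) are constructed assumptions for illustration.

```python
import re

# Shapes of the two SNC name families discussed in this thread (constructed
# patterns, not taken from SAP documentation):
#   Kerberos: p:<primary>[/<instance>]@<REALM>
#   X.509   : p:<attr>=<value>, ...   (a certificate distinguished name)
_KRB_RE = re.compile(
    r"^p:(?P<primary>[^/@\s]+)(?:/(?P<instance>[^/@\s]+))?@(?P<realm>[^@\s]+)$"
)
_DN_RE = re.compile(r"^p:\s*[A-Za-z]+=")


def classify_snc_name(name):
    """Return 'kerberos', 'x509' or 'invalid' for an SNC name string."""
    if not name.startswith("p:"):
        return "invalid"          # both families carry the p: prefix
    if _DN_RE.match(name):
        return "x509"             # p:CN=..., as produced by the X.509 library
    if _KRB_RE.match(name):
        return "kerberos"         # p:principal@REALM, as used with AD
    return "invalid"


def kerberos_snc_name_problems(name):
    """List what is wrong with a Kerberos-style SNC name; empty list means OK."""
    m = _KRB_RE.match(name)
    if m is None:
        if classify_snc_name(name) == "x509":
            return ["this is an X.509 distinguished name, not a Kerberos principal"]
        return ["expected the form p:principal@REALM"]
    problems = []
    realm = m.group("realm")
    if realm != realm.upper():
        problems.append("realm %r is not upper case; use the AD domain name in capitals" % realm)
    if "." not in realm:
        problems.append("realm %r does not look like a DNS-style AD domain name" % realm)
    return problems


def user_snc_name(account, ad_domain):
    """SNC name for a domain user (what goes into SU01 / SAP GUI for Kerberos)."""
    return "p:%s@%s" % (account, ad_domain.upper())


def service_snc_name(sid, ad_domain, service_account=None, hostname=None):
    """SNC name for the SAP server side, in one of the two forms from the thread.

    service_account: the domain account that starts SAP; gives the user-to-user
                     form p:<account>@REALM used by SAP's Windows library.
    hostname:        gives the service-principal form p:sap<SID>/<host>@REALM.
    Exactly one of the two must be supplied.
    """
    if (service_account is None) == (hostname is None):
        raise ValueError("give either service_account or hostname, not both")
    realm = ad_domain.upper()
    if service_account is not None:
        return "p:%s@%s" % (service_account, realm)
    return "p:sap%s/%s@%s" % (sid, hostname, realm)


if __name__ == "__main__":
    for n in ("p:ajay@CORP.EXAMPLE.COM",
              "p:CN=sapdev01, O=Example, C=US",
              "p:ajay@corp.example.com",
              user_snc_name("ajay", "corp.example.com"),
              service_snc_name("DEV", "corp.example.com", service_account="SAPServiceDEV"),
              service_snc_name("DEV", "corp.example.com", hostname="sapdev01")):
        print(n, classify_snc_name(n), kerberos_snc_name_problems(n))
```

The classifier is the quick way to answer the poster's "is that the user DN or something else?" question: a name starting with p:CN= belongs to the X.509 library and will never match an AD Kerberos principal, while the p:...@REALM names only work once the SAP instance runs under a domain account (SAP library) or a service principal exists for it (third-party library), as Tim's last reply explains.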

Former Member

Thank you, Tim, for your answers and your patience with my long questions. I was searching all the help sites but not finding exact config steps for the Kerberos library on Windows. Now I will get SAPServiceSID created in the domain and then try Kerberos SNC. I will update you and ask for your help with the results.

Thanks,

Ajay.

Former Member

Closed - Configured SNC Kerberos.