SSO with AD

Former Member
0 Kudos

Hi,

I am trying to implement Single Sign-On with Microsoft Kerberos SSP as per the installation guide and changed the parameters as per the guide:

snc/enable = 1

snc/gssapi_lib =<DRIVE>:\%windir%\system32\<kerberos_file>.dll

snc/identity/as =p:SAPService<SAPSID>@<UPPERCASE_DNS_DOMAIN_NAME>

The domain name of my system as mentioned in the Properties of My Computer is WSE.wsmain.local and when I am mentioning

snc/identity/as =p:SAPService<SAPSID>@WSE.wsmain.local the dispatcher is not coming up and I think the root cause is this snc parameter only. I even tried snc/identity/as =p:SAPService<SAPSID>@WSE.WSMAIN.LOCAL, p:SAPService<SAPSID>@WSE as well as the same three cases with <sid>adm, like snc/identity/as =p:<sid>adm@WSE.WSMAIN.LOCAL and so on, but the dispatcher is not coming up.

I am also pasting the log for dev_w0 for your reference:

trc file: "dev_w0", trc level: 1, release: "700"

N SncInit(): Initializing Secure Network Communication (SNC)

N PC with Windows NT (mt,ascii,SAP_UC/size_t/void* = 16/64/64)

N SncInit(): found snc/data_protection/max=3, using 3 (Privacy Level)

N SncInit(): found snc/data_protection/min=2, using 2 (Integrity Level)

N SncInit(): found snc/data_protection/use=9, using 3 (Privacy Level)

N SncInit(): found snc/gssapi_lib=C:\WINDOWS\system32\gx64krb5.dll

N File "C:\WINDOWS\system32\gx64krb5.dll" dynamically loaded as GSS-API v2 library.

N The internal Adapter for the loaded GSS-API mechanism identifies as:

N Internal SNC-Adapter (Rev 1.0) to Kerberos 5/GSS-API v2

N SncInit(): found snc/identity/as=p:SAPServiceW6R@WSE.WSMAIN.LOCAL

N *** ERROR => SncPAcquireCred()==SNCERR_GSSAPI [sncxxall.c 1432]

N GSS-API(maj): No valid credentials provided (or available)

N GSS-API(min): SSPI u2u-problem: please add Service principal for own account

N Could't acquire ACCEPTING credentials for

N

N name="p:SAPServiceW6R@WSE.WSMAIN.LOCAL"

M *** ERROR => ErrISetSys: error info too large [err.c 944]

M Tue Jun 29 19:11:31 2010

M LOCATION SAP-Server wss-cha-w6r_W6R_14 on host wss-cha-w6r (wp 0)

M ERROR GSS-API(maj): No valid credentials provided (or available)

M GSS-API(min): SSPI u2u-problem: please add Service principal for own a

M name="p:SAPServiceW6R@WSE.WSMAIN.LOCAL"

M TIME Tue Jun 29 19:11:31 2010

M RELEASE 700

M COMPONENT SNC (Secure Network Communication)

M VERSION 5

M RC -4

M MODULE sncxxall.c

M LINE 1432

M DETAIL SncPAcquireCred

M SYSTEM CALL gss_acquire_cred

M ERRNO

M ERRNO TEXT

M DESCR MSG NO

M DESCR VARGS GSS-API(maj): No valid credentials provided (or available);;;;

M ;;;;GSS-API(min): SSPI u2u-problem: please add Service principal for own a;;;;

M ;;;;name="p:SAPServiceW6R@WSE.WSMAIN.LOCAL"

M DETAIL MSG N

M DETAIL VARGS

M COUNTER 1

N SncInit(): Fatal -- Accepting Credentials not available!

N <<- ERROR: SncInit()==SNCERR_GSSAPI

N sec_avail = "false"

M ***LOG R19=> ThSncInit, SncInitU ( SNC-000004) [thxxsnc.c 230]

M *** ERROR => ThSncInit: SncInitU (SNCERR_GSSAPI) [thxxsnc.c 232]

M in_ThErrHandle: 1

M *** ERROR => SncInitU (step 1, th_errno 44, action 3, level 1) [thxxhead.c 10468]

M ThCallHooks: call hook >ThrSaveSPAFields< for event BEFORE_DUMP

M *** ERROR => ThrSaveSPAFields: no valid thr_wpadm [thxxrun1.c 724]

M *** ERROR => ThCallHooks: event handler ThrSaveSPAFields for event BEFORE_DUMP failed [thxxtool3.c 261]

M Entering ThSetStatError

M ThIErrHandle: do not call ThrCoreInfo (no_core_info=0, in_dynp_env=0)

M Entering ThReadDetachMode

M call ThrShutDown (1)...

M ***LOG Q02=> wp_halt, WPStop (Workproc 0 4088) [dpnttool.c 327]

Please suggest.

Regards,

Mridul

Accepted Solutions (0)

Answers (1)

former_member189546
Active Contributor
0 Kudos

Hello,

Please refer note 352295 Microsoft Windows Single Sign-On options, point

Windows 2003 continued:

If you want to use gsskrb5.dll with Windows 2003 Active Directory, you MUST use gsskrb5.dll v1.0.8 or newer on all your servers and frontends and you will have to add a Service Principal to the Domain Service Account of your SAP AppServer in order to re-enable the rfc-1964 2-token Kerberos authentication which gsskrb5.dll needs to work. The Service Principal itself is not used, only the undocumented side-effect of re-enabling rfc-1964/rfc-4121 compliant authentication. Therefore the "hostname" part of the Service Principal name doesn't matter. (Win2K3sp2 seems to newly require that the Service Principal contains a slash character). You can use the Microsoft command line tool "SETSPN.EXE" to define the Service principal. If the Domain Service account of your SAP AppServer is "SAPServiceC11" in the NT4-style Domain "MYDOMAIN", you would type:

SETSPN -A SAPServiceC11/dontcare MYDOMAIN\SAPServiceC11

"SETSPN.EXE" is included on the Microsoft Windows installation CD in the Archive "\support\tools\support.cab"

The Service Principal Name is required only when the Windows 2003 Domain is running at "Windows 2003" functional level, it is not necessary with a Windows 2000 Domain or a Windows 2003 Domain at "Windows 2000 mixed" functional level.

regards,

John Feely
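
A small triage script for the dev_w0 trace in the question, added here as an example (it is not part of the original posts and not SAP tooling): it pulls the SNC parameters and GSS-API status lines out of the trace and ties the "u2u-problem" minor status to the SETSPN step quoted from note 352295. The function names and the identity pattern are assumptions; the sample lines are taken from the trace in the question, with the SNC name written with "@".

```python
import re

# Excerpt of the dev_w0 trace posted in the question (SNC name written with "@").
SAMPLE_TRACE = """\
N SncInit(): found snc/gssapi_lib=C:\\WINDOWS\\system32\\gx64krb5.dll
N SncInit(): found snc/identity/as=p:SAPServiceW6R@WSE.WSMAIN.LOCAL
N *** ERROR => SncPAcquireCred()==SNCERR_GSSAPI [sncxxall.c 1432]
N GSS-API(maj): No valid credentials provided (or available)
N GSS-API(min): SSPI u2u-problem: please add Service principal for own account
N SncInit(): Fatal -- Accepting Credentials not available!
"""

FOUND = re.compile(r"SncInit\(\): found (snc/\S+?)=(.*)$")
GSS = re.compile(r"GSS-API\((maj|min)\):\s*(.*)$")
# Assumed shape, from the guide's template p:SAPService<SAPSID>@<UPPERCASE_DNS_DOMAIN_NAME>
IDENTITY = re.compile(r"^p:([^@\s]+)@([^@\s]+)$")

def parse_trace(text):
    """Collect SNC parameters and the first GSS-API major/minor status."""
    info = {"params": {}, "maj": None, "min": None, "fatal": False}
    for line in text.splitlines():
        if m := FOUND.search(line):
            info["params"][m.group(1)] = m.group(2).strip()
        elif m := GSS.search(line):
            info[m.group(1)] = info[m.group(1)] or m.group(2).strip()
        elif "SncInit(): Fatal" in line:
            info["fatal"] = True
    return info

def triage(text):
    """Return findings an administrator can act on, in order of appearance."""
    info, findings = parse_trace(text), []
    ident = info["params"].get("snc/identity/as", "")
    m = IDENTITY.match(ident)
    if not m:
        findings.append(f"identity {ident!r} is not of the form p:<account>@<REALM>")
    elif m.group(2) != m.group(2).upper():
        findings.append(f"realm {m.group(2)!r} is not upper case")
    if info["min"] and "u2u-problem" in info["min"]:
        account = m.group(1) if m else "<service account>"
        findings.append(f"trace asks for a Service Principal on {account}: "
                        "see the SETSPN -A step in note 352295")
    if info["fatal"]:
        findings.append("SncInit is fatal: no accepting credentials, work process stops")
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_TRACE):
        print("-", finding)
```
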

Former Member
0 Kudos

Hi John,

I am a little confused and have some doubts. The note says "If you want to use gsskrb5.dll with Windows 2003 Active Directory, you MUST use gsskrb5.dll v1.0.8 or newer on all your servers and frontends and you will have to add a Service Principal to the Domain Service Account of your SAP AppServer in order to re-enable the rfc-1964 2-token Kerberos authentication which gsskrb5.dll needs to work."

Does this mean I should use gsskrb5.dll instead of GX64KRB5.DLL (64-bit x64/AMD64) at the SAP server and use this in the parameter as snc/gssapi_lib =<DRIVE>:\%windir%\system32\gsskrb5.dll, or does it mean I should copy gsskrb5.dll to the server where my domain is installed?

I have executed successfully on my SAP server and got this:

D:\dump\SUPPORT>setspn.exe -A SAPServiceW6R/dontcare WSE\SAPServiceW6R

Registering ServicePrincipalNames for CN=SAPServiceW6R,CN=Users,DC=WSE,DC=wsmain,DC=local

SAPServiceW6R/dontcare

Updated object

I have one more confusion: the domain I am logged in to and where the server is installed is WSE, while when I see the Domain name in System properties it is WSE.wsmain.local, so should I mention snc/identity/as =p:SAPServiceW6R@WSE or snc/identity/as =p:SAPServiceW6R@WSE.WSMAIN.LOCAL?

Please suggest.

Regards,

Mridul Gupta

Former Member
0 Kudos

Hi,

I am able to SSO login through my machine and some other machines where Windows XP SP2 is installed, but it's giving an error in SP3 stating: Unable to load the GSS-API DLL named gssapi32.dll.

Please help.

Regards,

Mridul Gupta