SAP On Linux /MSAD 2003 windows /Kerberos authentication /SSO

Please understand the scenario

1. I have created a domain user as SETSPN -A sapsnc/dontcare BURTON_USA\sncsap and the settings are

Set "Password never expires",

"Use DES encryption types for this account"

And "Do not require Kerberos preauthentication".

2. Created the keytab file file.keytab

    ktpass -princ sncsap@USA.BURTON.COM -mapuser BURTON_USA\sncsap -crypto DES-CBC-MD5 -ptype KRB5_NT_PRINCIPAL -mapop set +desonly -pass s4ps4p77 -out file.keytab

3. Copied the file file.keytab to a temp location at OS level

Ran the command ktutil

    rkt /tmp/file.keytab
    slot KVNO Principal
    ---- ---- ---------------------------------------------------------------------
       1    3 sncsap@USA.BURTON.COM
    wkt /etc/krb5.keytab
    q

4. I see the file krb5.conf in the /etc directory

5. I configured the krb5.conf, also found in the /etc directory, and set the entries as shown below

    [libdefaults]
    default_realm = USA.BURTON.COM
    dns_lookup_realm = false
    dns_lookup_kdc = false
    ticket_lifetime = 24h
    forwardable = yes

    [domain_realm]
    burton.com = USA.BURTON.COM

    [appdefaults]
    pam = {
        debug = false
        ticket_lifetime = 36000
        renew_lifetime = 36000
        forwardable = true
        krb4_convert = false
    }

    [realms]
    USA.BURTON.COM = {
        kdc = ldap.burton.com
        admin_server = ldap.burton.com
        kpasswd_server = ldap.burton.com
    }

    [logging]
    kdc = FILE:/var/log/krb5/krb5kdc.log
    admin_server = FILE:/var/log/krb5/kadmind.log
    default = SYSLOG:NOTICE:DAEMON

6. I run the command below

    kinit -V -k sncsap@USA.BURTON.COM
    Authenticated to Kerberos v5

7. I am also able to authenticate my user ID with kinit amita@USA.BURTON.COM and get the response Authenticated to Kerberos v5

8. I have configured all the profile parameters in SAP, SNC is up and running, and the SNC name is also set as my Windows name in SU01.

My problem is that when I set p:sncsap @ USA.BURTON.COM in the SAP Logon pad under Network, I get this error in SAP GUI:

LSA can not be contacted to target "p:sncsap @ USA.BURTON.COM"

Please help to resolve this error.

Amit

Accepted Solutions (0)

Answers (1)

Former Member

Hello,

Have you managed to solve this issue?

Can you see the contents of the library logs?

Could it be that the client uses an encryption type other than DES-CBC-MD5 (so the server cannot decrypt it)?

Maybe it can be solved with the configuration parameter permitted_enctypes?

If you've managed to solve it, please explain how.

Sagi.
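
The encryption-type question raised in the reply can be checked on the Linux side by reading the keytab itself. The following is an added example, not code from this thread or from SAP: a parser for the keytab file format (version 0x0502) that lists each entry's encryption type and returns the entries outside a permitted set. The sample keytab bytes, the all-zero key and the `CLIENT_PERMITTED` set are constructed assumptions.

```python
import struct

# Kerberos enctype numbers (IANA registry); 1 and 3 are single DES (deprecated, RFC 6649).
ENCTYPES = {1: "des-cbc-crc", 3: "des-cbc-md5", 17: "aes128-cts-hmac-sha1-96",
            18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}

def _counted(data, p):  # 16-bit length-prefixed string -> (text, next offset)
    (n,) = struct.unpack_from(">H", data, p)
    return data[p + 2:p + 2 + n].decode(), p + 2 + n

def parse_keytab(data):
    """Return [(principal, kvno, enctype)] from keytab bytes, file format 0x0502."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size <= 0:                       # negative size marks a deleted slot
            pos += -size
            continue
        end, p = pos + size, pos + 2
        (ncomp,) = struct.unpack_from(">H", data, pos)
        strings = []
        for _ in range(ncomp + 1):          # realm first, then the name components
            s, p = _counted(data, p)
            strings.append(s)
        p += 8                              # skip name type and timestamp
        kvno = data[p]
        etype, keylen = struct.unpack_from(">HH", data, p + 1)
        p += 5 + keylen                     # 8-bit kvno, enctype, key length, key
        if end - p >= 4:                    # optional 32-bit kvno after the key
            kvno = struct.unpack_from(">I", data, p)[0] or kvno
        entries.append(("/".join(strings[1:]) + "@" + strings[0], kvno,
                        ENCTYPES.get(etype, "etype-%d" % etype)))
        pos = end
    return entries

def unusable_entries(entries, permitted):
    """Entries whose key type is outside the set the peer is allowed to use."""
    return [e for e in entries if e[2] not in permitted]

# Constructed sample: one DES-CBC-MD5 entry like the thread's, with an all-zero dummy key.
SAMPLE = (b"\x05\x02" b"\x00\x00\x00\x2f"                  # version, entry size 47
          b"\x00\x01\x00\x0eUSA.BURTON.COM\x00\x06sncsap"  # 1 component, realm, name
          b"\x00\x00\x00\x01\x00\x00\x00\x00\x03"          # name type, timestamp, kvno 3
          b"\x00\x03\x00\x08" + bytes(8))                  # enctype 3, 8-byte key
# Assumed client-side permitted enctypes, not taken from the thread.
CLIENT_PERMITTED = {"aes256-cts-hmac-sha1-96", "aes128-cts-hmac-sha1-96", "rc4-hmac"}
```

On a real host, pass the bytes of the keytab file to `parse_keytab` and the enctype names the client is allowed to use as `permitted`; a non-empty result means the service key cannot be used with those types.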