on 01-13-2011 7:41 PM
Please understand the scenario
1. I have created a domain user with SETSPN -A sapsnc/dontcare BURTON_USA\sncsap and the settings are
Set "Password never expires",
"Use DES encryption types for this account"
And "Do not require Kerberos preauthentication".
2. Created the keytab file file.keytab
ktpass -princ sncsap@USA.BURTON.COM -mapuser BURTON_USA\sncsap -crypto DES-CBC-MD5 -ptype KRB5_NT_PRINCIPAL -mapop set +desonly -pass s4ps4p77 -out file.keytab
3. Copied the file file.keytab to a temp location at OS level
Ran the command ktutil
rkt /tmp/file.keytab
slot KVNO Principal
---- ---- ---------
   1    3 sncsap@USA.BURTON.COM
wkt /etc/krb5.keytab
q
4. I see the file krb5.conf in etc directory
5. I configured the krb5.conf found in the /etc directory and set the entries as shown below
[libdefaults]
default_realm = USA.BURTON.COM
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
forwardable = yes
[domain_realm]
burton.com = USA.BURTON.COM
[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}
[realms]
USA.BURTON.COM = {
kdc = ldap.burton.com
admin_server = ldap.burton.com
kpasswd_server = ldap.burton.com
}
[logging]
kdc = FILE:/var/log/krb5/krb5kdc.log
admin_server = FILE:/var/log/krb5/kadmind.log
default = SYSLOG:NOTICE:DAEMON
6. I run the command below
kinit -V -k sncsap@USA.BURTON.COM
Authenticated to Kerberos v5
7. I am also able to authenticate my user ID with kinit amita@USA.BURTON.COM and get the response Authenticated to Kerberos v5
8. I have configured all the profile parameters in SAP, SNC is up and running, and the SNC name is also set as my Windows name in SU01.
My problem is that when I set p:sncsap@USA.BURTON.COM in the SAP Logon pad under Network, I get this error in SAP GUI:
LSA can not be contacted to target "p:sncsap@USA.BURTON.COM"
Please help to resolve this error.
Amit
Hello,
Have you managed to solve this issue?
Can you see the contents of the library logs?
Can it be that the client uses other encryption than DES-CBC-MD5 (so the server cannot decrypt it)?
Maybe it can be solved with the configuration parameter permitted_enctypes?
If you've managed to solve it, please explain how.
Sagi.