Application Development Discussions
Join the discussions or start your own on all things application development, including tools and APIs, programming models, and keeping your skills sharp.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Unable to setup SSO on ABAP with Microsoft Kerberos 5

Former Member

‎03-16-2011 6:31 AM

0 Kudos

My SAP system is installed on a Windows 2008 SP2. The AD is a W2K domain.

I want to configure SSO on the Server with Microsoft Kerberos. I've followed the instructions in

http://help.sap.com/saphelp_nwmobile71/helpdata/en/44/0ebf6c9b2b0d1ae10000000a114a6b/frameset.htm.

I've also set the SPN for the system.

And below are my settings for the central instance:

snc/identity/as = p:SAPService<SID>@<DOMAIN>

snc/gssapi_lib = C:\Windows\System32\gx64krb5.dll

snc/permit_insecure_start = 1

snc/r3int_rfc_qop = 8

snc/accept_insecure_r3int_rfc = 1

snc/accept_insecure_rfc = 1

snc/accept_insecure_cpic = 1

snc/accept_insecure_gui = 1

snc/data_protection/use = 1

snc/data_protection/max = 3

snc/data_protection/min = 1

snc/enable = 1

snc/r3int_rfc_secure = 0

But the central instance can't startup and everytime it trying to start, the work process produces the error below:

N SncInit(): Initializing Secure Network Communication (SNC)

N PC with Windows NT (mt,ascii,SAP_UC/size_t/void* = 16/64/64)

N SncInit(): found snc/data_protection/max=3, using 3 (Privacy Level)

N SncInit(): found snc/data_protection/min=1, using 1 (Authentication Level)

N SncInit(): found snc/data_protection/use=1, using 1 (Authentication Level)

N SncInit(): found snc/gssapi_lib=C:\Windows\System32\gx64krb5.dll

N File "C:\Windows\System32\gx64krb5.dll" dynamically loaded as GSS-API v2 library.

N The internal Adapter for the loaded GSS-API mechanism identifies as:

N Internal SNC-Adapter (Rev 1.0) to Kerberos 5/GSS-API v2

N SncInit(): found snc/identity/as=p:SAPService<SID>@<DOMAIN>

N *** ERROR => SncPAcquireCred()==SNCERR_GSSAPI [sncxxall.c 1439]

N GSS-API(maj): No valid credentials provided (or available)

N GSS-API(min): No Kerberos SSPI credentials available for requested name

N Could't acquire ACCEPTING credentials for

N

N name="p:SAPService<SID>@<DOMAIN>"

N SncInit(): Fatal -- Accepting Credentials not available!

N <<- SncInit()==SNCERR_GSSAPI

N sec_avail = "false"

Does anyone has any idea what is wrong and how should I proceed?

2 REPLIES 2

Former Member

‎03-16-2011 7:50 AM

0 Kudos

Manage to resolve the issue.

This error is due to the fact that the UPN on the AD was not set correctly.

It must be SAPService<SID>@<DOMAIN>

Former Member

‎01-24-2012 7:55 AM

0 Kudos

I had the same error on a win2008R2 64 bit and resolved the issue as explained below.

1. edit profile (RZ10) and add these parameters:

snc/enable = 1

snc/permit_insecure_start = 1

snc/accept_insecure_rfc = 1

snc/accept_insecure_gui = 1

snc/accept_insecure_cpic = 1

snc/identity/as = p:SAPService<SID>@MYDOMAIN.LAN

snc/gssapi_lib = c:\windows\system32\gx64krb5.dll

snc/data_protection/use = 1

snc/data_protection/min = 1

snc/data_protection/max =1

2. On the Domain Controller go to Active Directory Users and Computers look for the user in charge for starting the Sap service, which must be the same set in the snc/identity/as (SAPService<SID>@MYDOMAIN.LAN).

3. Edit the user SAPService<SID>@MYDOMAIN.LAN.

Go to attribute editor tab.

4. Look for Service Principal Name attribute and set the value :SAPService<SID>/MYDOMAIN.LAN

Note the use of the character / (yes it's a slash!)

5. Restart the service in the SAP console

Everything should work.

PM