03-16-2011 6:31 AM
My SAP system is installed on a Windows 2008 SP2. The AD is a W2K domain.
I want to configure SSO on the Server with Microsoft Kerberos. I've followed the instructions in
http://help.sap.com/saphelp_nwmobile71/helpdata/en/44/0ebf6c9b2b0d1ae10000000a114a6b/frameset.htm.
I've also set the SPN for the system.
And below are my settings for the central instance:
snc/identity/as = p:SAPService<SID>@<DOMAIN>
snc/gssapi_lib = C:\Windows\System32\gx64krb5.dll
snc/permit_insecure_start = 1
snc/r3int_rfc_qop = 8
snc/accept_insecure_r3int_rfc = 1
snc/accept_insecure_rfc = 1
snc/accept_insecure_cpic = 1
snc/accept_insecure_gui = 1
snc/data_protection/use = 1
snc/data_protection/max = 3
snc/data_protection/min = 1
snc/enable = 1
snc/r3int_rfc_secure = 0
But the central instance can't start up, and every time it tries to start, the work process produces the error below:
N SncInit(): Initializing Secure Network Communication (SNC)
N PC with Windows NT (mt,ascii,SAP_UC/size_t/void* = 16/64/64)
N SncInit(): found snc/data_protection/max=3, using 3 (Privacy Level)
N SncInit(): found snc/data_protection/min=1, using 1 (Authentication Level)
N SncInit(): found snc/data_protection/use=1, using 1 (Authentication Level)
N SncInit(): found snc/gssapi_lib=C:\Windows\System32\gx64krb5.dll
N File "C:\Windows\System32\gx64krb5.dll" dynamically loaded as GSS-API v2 library.
N The internal Adapter for the loaded GSS-API mechanism identifies as:
N Internal SNC-Adapter (Rev 1.0) to Kerberos 5/GSS-API v2
N SncInit(): found snc/identity/as=p:SAPService<SID>@<DOMAIN>
N *** ERROR => SncPAcquireCred()==SNCERR_GSSAPI [sncxxall.c 1439]
N GSS-API(maj): No valid credentials provided (or available)
N GSS-API(min): No Kerberos SSPI credentials available for requested name
N Could't acquire ACCEPTING credentials for
N
N name="p:SAPService<SID>@<DOMAIN>"
N SncInit(): Fatal -- Accepting Credentials not available!
N <<- SncInit()==SNCERR_GSSAPI
N sec_avail = "false"
Does anyone have any idea what is wrong and how I should proceed?
03-16-2011 7:50 AM
Managed to resolve the issue.
This error is due to the fact that the UPN on the AD was not set correctly.
It must be SAPService<SID>@<DOMAIN>
01-24-2012 7:55 AM
I had the same error on a win2008R2 64 bit and resolved the issue as explained below.
1. Edit the profile (RZ10) and add these parameters:
snc/enable = 1
snc/permit_insecure_start = 1
snc/accept_insecure_rfc = 1
snc/accept_insecure_gui = 1
snc/accept_insecure_cpic = 1
snc/identity/as = p:SAPService<SID>@MYDOMAIN.LAN
snc/gssapi_lib = c:\windows\system32\gx64krb5.dll
snc/data_protection/use = 1
snc/data_protection/min = 1
snc/data_protection/max = 1
2. On the Domain Controller, go to Active Directory Users and Computers and look for the user in charge of starting the SAP service, which must be the same as the one set in snc/identity/as (SAPService<SID>@MYDOMAIN.LAN).
3. Edit the user SAPService<SID>@MYDOMAIN.LAN.
Go to the Attribute Editor tab.
4. Look for the Service Principal Name attribute and set the value: SAPService<SID>/MYDOMAIN.LAN
Note the use of the character / (yes, it's a slash!)
5. Restart the service in the SAP console.
Everything should work.
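The two replies above trace the SncInit() failure to the AD account's UPN not matching snc/identity/as. The following Python check is an added example, not code from the thread or from SAP: it derives the expected UPN from the profile, compares it with the account's userPrincipalName, recognises the credential failure in the work-process trace, and lists the snc/accept_insecure_* parameters left at 1. The account name SAPServiceABC, the realm EXAMPLE.LAN, the sample profile and trace lines are constructed, and treating a case-only difference as a finding is an assumption.

```python
# Constructed sample inputs modelled on the thread; SAPServiceABC and EXAMPLE.LAN are placeholders.
PROFILE = """\
snc/enable = 1
snc/identity/as = p:SAPServiceABC@EXAMPLE.LAN
snc/accept_insecure_gui = 1
"""
TRACE = """\
N SncInit(): found snc/identity/as=p:SAPServiceABC@EXAMPLE.LAN
N *** ERROR => SncPAcquireCred()==SNCERR_GSSAPI [sncxxall.c 1439]
N GSS-API(min): No Kerberos SSPI credentials available for requested name
N SncInit(): Fatal -- Accepting Credentials not available!
"""

def parse_profile(text):
    """Return {parameter: value} from 'name = value' profile lines."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            params[key.strip()] = value.strip()
    return params

def expected_upn(snc_name):
    """Strip the 'p:' name-type prefix; the rest is the Kerberos principal."""
    if not snc_name.startswith("p:"):
        raise ValueError("expected a printable SNC name starting with 'p:'")
    return snc_name[2:]

def trace_cred_failure(trace):
    """True if the trace shows the accepting-credential failure from the thread."""
    return "SncPAcquireCred()==SNCERR_GSSAPI" in trace and "Accepting Credentials not available" in trace

def check(profile_text, ad_upn, trace=""):
    """Compare snc/identity/as with the AD account's userPrincipalName (ad_upn)."""
    params = parse_profile(profile_text)
    want = expected_upn(params["snc/identity/as"])
    ad = ad_upn or ""  # an unset UPN is reported as a mismatch
    findings = []
    if ad != want:
        kind = "case differs" if ad.lower() == want.lower() else "mismatch"
        findings.append(f"UPN {kind}: AD has {ad!r}, profile expects {want!r}")
    if trace_cred_failure(trace):
        findings.append("trace: accepting credentials could not be acquired")
    findings += [f"{k} = 1 still accepts connections without SNC"
                 for k in sorted(params) if k.startswith("snc/accept_insecure_") and params[k] == "1"]
    return findings
```

Call `check()` with the instance profile text and the userPrincipalName value read from the service account; an empty list means the names agree and no unprotected-connection parameter is enabled.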