Application Development Discussions
SAP SSO (SNC) for ABAP - VPN problems?

Former Member

Hi everyone,

we are using SAP SSO (SNC) for ABAP to log on to our SAP systems. In the internal LAN SAP SSO works fine, but over VPN we have some problems with the SSO connection or the Kerberos ticket. If you want to connect via VPN and SSO to an SAP system, you get this error:

GSS-API(maj): No valid credentials provided (or available)

GSS-API(maj): No Kerberos SSPI credentials available for requested nam

Could't acquire DEFAULT INITIATING credentials

The following are the steps to connect to our company network via VPN:

1. Start Windows

2. Log on to Windows (without domain connection)

3. Start VPN and log on

4. Now you are in the internal LAN and you have a connection to the domain

I understand that we have no valid Kerberos ticket on the workstation, but we have a valid domain connection. I should get a valid new Kerberos ticket. I don't know where the problem is in our system or company network. I hope you can help me sort this problem out.


tim_alsop

Hi,

If you log on to a Windows workstation which is not connected to the LAN, but requires a VPN connection to access the domain controllers, then you must log on to the workstation using a domain account and password, and Windows will check your password using the cached password which was stored the last time you logged onto the domain. Using this cached-credential domain logon, you are then able to connect to the VPN, and once the domain controllers become reachable, you should be able to get Kerberos tickets.

The SSPI error is shown because the SAP SNC library doesn't request a new ticket when it finds the cache is empty. Our SNC library does, since we coded it to support this scenario and many of our customers have remote users who connect via a VPN.

If you access a file server after logging into the VPN, this will trigger Windows to use its stored password and get your Kerberos TGT from the domain, and if you use a tool like kerbtray you will see this ticket appear in the cache. When you have a TGT in the cache, you can then log on to SAP. Clearly this is not very user friendly, which is why we made our SNC library do this automatically instead of showing the user an error.

Tim
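The check described above (is there a TGT in the cache after the VPN is up, and if not, trigger one before starting the SAP logon) can be scripted on the workstation. This is an added example, not code from the original thread or from the product Tim describes; the realm and the file share are placeholders you must replace with your own.

```powershell
# Added example (not from the original post or any SNC product).
# Verifies that the workstation holds a Kerberos TGT after the VPN is connected.
# If the cache is empty (the state that yields "No valid credentials provided"),
# it asks LSA for a TGT and, failing that, uses the file-share workaround from
# the thread. Run it before starting the SAP GUI / SNC logon.
$Realm     = 'CORP.EXAMPLE.COM'                        # placeholder realm
$FileShare = '\\fileserver.corp.example.com\netlogon'  # placeholder share

function Test-KerberosTgt {
    # klist.exe ships with Windows; a TGT shows up as a krbtgt/<REALM> ticket.
    $tickets = & klist.exe 2>&1 | Out-String
    return ($tickets -match 'krbtgt/')
}

function Request-KerberosTgt {
    param([string]$Realm, [string]$Share)
    # 1) Ask LSA directly for a TGT using the cached domain logon credentials.
    & klist.exe get "krbtgt/$Realm" 2>&1 | Out-Null
    if (Test-KerberosTgt) { return 'klist get' }
    # 2) Fall back to the manual workaround: touching a share makes Windows
    #    authenticate over SMB, which pulls a TGT into the cache.
    $null = Test-Path -LiteralPath $Share
    if (Test-KerberosTgt) { return 'smb access' }
    return $null
}

if (Test-KerberosTgt) {
    Write-Host 'TGT present; the SNC logon should succeed.'
} else {
    Write-Host 'No TGT in cache; trying to acquire one.'
    $how = Request-KerberosTgt -Realm $Realm -Share $FileShare
    if ($how) {
        Write-Host "TGT acquired via $how."
    } else {
        # Still nothing: the VPN is probably not giving us a path to a KDC.
        Write-Host 'Still no TGT. Checking LSA and KDC discovery over the VPN:'
        & klist.exe tgt 2>&1
        Resolve-DnsName -Name "_kerberos._tcp.$Realm" -Type SRV -ErrorAction SilentlyContinue
    }
}
```

If the final SRV lookup returns nothing, the VPN is not routing DNS or Kerberos (TCP/UDP 88) to the domain controllers, which is the network-side cause to chase rather than the SNC library.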

Former Member

Hi,

thank you for your quick and very good reply!

> If you access a file server after logging into the VPN, this will trigger Windows to use its stored password and get your Kerberos TGT from the domain, and if you use a tool like kerbtray you will see this ticket appear in the cache.

This is a good temporary solution, but for many of our users this does not work, because they don't get a TGT.

Your solution (modify the SNC library) sounds very good! Do you have some tips for me on how I must change our SNC library to "request a TGT automatically"? Or do you have some links for me? I want to solve the problem in our system.

tim_alsop

> This is a good temporary solution, but for many of our users this does not work, because they don't get a TGT.

I am not sure why some users don't get a TGT. Are these users using workstations that are logged onto local accounts, or logged onto a domain from another company?

> Your solution (modify the SNC library) sounds very good! Do you have some tips for me on how I must change our SNC library to "request a TGT automatically"? Or do you have some links for me? I want to solve the problem in our system.

Our library is included in our product (see http://ecohub.sap.com/catalog/#!solution:trustbrokersecureclient), which is SAP certified and fully commercially supported. It would not be right if I told you how to write code to achieve the same as in our product, since you are using a library from SAP Marketplace, which was developed by SAP. To change this you would need to understand the internals of this library and make changes to it, compile it and use the updated library instead of the one supplied by SAP. If it goes wrong you would need to fix it yourself... Clearly it is much better to use a product that does what you need, and is fully supported.

BTW. The same product also supports workstations which are not logged onto a domain, or logged onto a different domain, that is not trusted by the domain you are using for SAP. Our customers often use this to handle shared workstations, or users working for business partner companies, or kiosk workstations.

Former Member

> I am not sure why some users don't get a TGT. Are these users using workstations that are logged onto local accounts, or logged onto a domain from another company?

These users use their domain credentials to log on to the workstation, not a local account or another company's domain.

> Our library is included in our product (see http://ecohub.sap.com/catalog/#!solution:trustbrokersecureclient), which is SAP certified and fully commercially supported. It would not be right if I told you how to write code to achieve the same as in our product, since you are using a library from SAP Marketplace, which was developed by SAP. To change this you would need to understand the internals of this library and make changes to it, compile it and use the updated library instead of the one supplied by SAP. If it goes wrong you would need to fix it yourself... Clearly it is much better to use a product that does what you need, and is fully supported.

> BTW. The same product also supports workstations which are not logged onto a domain, or logged onto a different domain, that is not trusted by the domain you are using for SAP. Our customers often use this to handle shared workstations, or users working for business partner companies, or kiosk workstations.

No problem, I understand you. I visited your product site and your product looks very good, but I can't find a price list on your site for this product. Do you have some tentative price information for me?

If someone else has a link on how to modify an SNC lib to do this, or a link to an open-source SNC lib (with this feature), that would be very cool.

tim_alsop

> These users use their domain credentials to log on to the workstation, not a local account or another company's domain.

OK, then you just need to get a better SNC library to fix all of your problems...

> No problem, I understand you. I visited your product site and your product looks very good, but I can't find a price list on your site for this product. Do you have some tentative price information for me?

We do not publish prices on the internet or on SDN. You need to contact me if you want prices.

Former Member

> We do not publish prices on the internet or on SDN. You need to contact me if you want prices.

OK, I will send you an email.