06-01-2011 7:56 AM
I want to configure SNC for SAP ECC 6.0 and therefore have a few questions.
The Plan:
SAP SERVER & ACTIVE DIRECTORY CONFIGURATION (AD ON WINDOWS 2008 R2, SAP ON WINDOWS 2008 STANDARD)
1. Create user on Active Directory which works as Server Principal, eg: sncadm
2. Set "Password never expires" and "Do not require Kerberos preauthentication".
3. SET Service SPN on SAP Server, eg: setspn -A SAPService/serverSAP AD_domain\sncadm
4. Export Keytab from microsoft ADS, eg:
ktpass -princ SAPService/serverSAP@AD_domain -mapuser serverSAP\sncadm -crypto RC4-HMAC-NT -ptype KRB5_NT_PRINCIPAL -mapop +desonly set -pass passw0rd -out n4s.keytab
SAP SYSTEM CONFIGURATION (ECC 6.0 ABAP, WINDOWS 2008 x64)
snc/gssapi_lib - /usr/lib64/snckrb5.so
snc/identity/as - p/krb5:SAPService/serverSAP@AD_domain
snc/enable - 1
snc/accept_insecure_cpic - 1
snc/accept_insecure_rfc - 1
snc/accept_insecure_gui - 1
snc/accept_insecure_r3int_rfc - 1
snc/data_protection/min - 1
snc/data_protection/max - 3
snc/data_protection/use - 3
snc/permit_insecure_start - 1
WINDOWS CLIENT (WINDOWS 7 AND WINDOWS XP)
1. Install DLL: SAPSSO.MSI
2. Configure SAP Logon
Is it a good idea? I have many questions:
1. On Windows 2008 R2 (the AD server) DES encryption is disabled; will RC4-HMAC-NT work?
2. Should the features of the user account be set to something else?
3. Configure the service SPN on the SAP server, not on the Active Directory server?
4. The KTPASS script uses "+desonly"; leave it or set something else for RC4-HMAC-NT encryption?
5. The ABAP stack is limited to 12 characters in the username; what if the AD account name has more than 12?
6. Where exactly do I copy the key from ktpass?
BR,
T.
Edited by: tomsie on Jun 1, 2011 8:57 AM
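The snc/accept_insecure_* and snc/permit_insecure_start parameters in the plan above are migration switches that keep non-SNC logons open, and snc/data_protection/min = 1 lets a client negotiate an authentication-only session. As an added example that is not from this thread or from SAP, the following Python linter reads that parameter set in instance-profile "key = value" form and reports what is still open; the rollout_complete and windows_host flags are assumptions supplied by the caller, and the sample profile is constructed from the post.

```python
# Constructed sample: the post's parameters written in instance-profile form.
SAMPLE_PROFILE = """\
snc/gssapi_lib = /usr/lib64/snckrb5.so
snc/identity/as = p/krb5:SAPService/serverSAP@AD_domain
snc/enable = 1
snc/accept_insecure_cpic = 1
snc/accept_insecure_rfc = 1
snc/accept_insecure_gui = 1
snc/accept_insecure_r3int_rfc = 1
snc/data_protection/min = 1
snc/data_protection/max = 3
snc/data_protection/use = 3
snc/permit_insecure_start = 1
"""

# Switches that keep non-SNC (password-based, unencrypted) access open during migration.
INSECURE_SWITCHES = (
    "snc/accept_insecure_cpic", "snc/accept_insecure_rfc", "snc/accept_insecure_gui",
    "snc/accept_insecure_r3int_rfc", "snc/permit_insecure_start",
)

def parse_profile(text):
    """Parse 'key = value' lines into a dict, skipping blank lines and '#' comments."""
    params = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            params[key.strip()] = value.strip()
    return params

def assess(params, rollout_complete, windows_host):
    """Return findings for the parameter set; an empty list means it looks hardened."""
    findings = []
    if params.get("snc/enable") != "1":
        findings.append("snc/enable: SNC is not switched on")
    if rollout_complete:
        # Once every GUI/RFC/CPIC partner speaks SNC, each of these must be set to 0.
        for key in INSECURE_SWITCHES:
            if params.get(key, "0") == "1":
                findings.append(f"{key}=1 still admits connections without SNC")
    # Protection levels: 1 = authentication only, 2 = integrity, 3 = privacy (encryption).
    if int(params.get("snc/data_protection/min", "1")) < 3:
        findings.append("snc/data_protection/min<3 lets a client negotiate an unencrypted session")
    lib = params.get("snc/gssapi_lib", "")
    if windows_host and not lib.lower().endswith(".dll"):
        findings.append(f"snc/gssapi_lib={lib} is not a loadable DLL on a Windows host")
    return findings
```

Run assess(parse_profile(SAMPLE_PROFILE), rollout_complete=True, windows_host=True) against the plan above to see every switch that still needs closing once all clients use SNC.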
06-01-2011 2:41 PM
Hi,
here are some answers.
3. The SPN must be known in the AD; therefore maintain it on the AD server. AD has to know the service, otherwise it cannot grant Kerberos tickets for that service.
4. If the SAP server is running on a Windows machine you do not need ktpass. But the user SAPServiceSID must be a domain user, and the SPN must be attached to SAPServiceSID.
5. Users are mapped in the SNC tab of SU01. So you do not need identical user names in AD and SAP.
6. see answer 4.
Regards
Rainer
06-03-2011 3:32 PM
Thanks for your help.
OK, then if I do it on the user SAPServiceSID, I run the following on the Active Directory server:
setspn -A SAPSID_10/server_sap AD_domain\SAPServiceSID
where:
SAPSID_10 - is the service which works with SAP
server_sap - is the name of the server running the SAP instance
AD_domain - is the AD domain name
SAPServiceSID - is the SAPServiceSID user
Right?
BR,
T.