CONFIGURATION SAP SNC on WINDOWS 2008/ECC 6.0

former_member312761
Participant
0 Kudos

I want to configure SNC for SAP ECC 6.0, therefore, have a few questions.

The Plan:

SAP SERVER & ACTIVE DIRECTORY CONFIGURATION (AD ON WINDOWS 2008 R2, SAP ON WINDOWS 2008 STANDARD)

1. Create user on Active Directory which works as Server Principal, eg: sncadm

2. Set "Password never expires" and "Do not require Kerberos preauthentication".

3. SET Service SPN on SAP Server, eg: setspn -A SAPService/serverSAP AD_domain\sncadm

4. Export Keytab from microsoft ADS, eg:

ktpass -princ SAPService/serverSAP@AD_domain -mapuser serverSAP\sncadm -crypto RC4-HMAC-NT -ptype KRB5_NT_PRINCIPAL -mapop +desonly set -pass passw0rd -out n4s.keytab

SAP SYSTEM CONFIGURATION (ECC 6.0 ABAP, WINDOWS 2008 x64)

snc/gssapi_lib - /usr/lib64/snckrb5.so

snc/identity/as - p/krb5:SAPService/serverSAP@AD_domain

snc/enable - 1

snc/accept_insecure_cpic - 1

snc/accept_insecure_rfc - 1

snc/accept_insecure_gui - 1

snc/accept_insecure_r3int_rfc - 1

snc/data_protection/min - 1

snc/data_protection/max - 3

snc/data_protection/use - 3

snc/permit_insecure_start - 1

WINDOWS CLIENT (WINDOWS 7 and WINDOWS XP)

1. Install DLL: SAPSSO.MSI

2. Configure SAP Logon

Is it a good idea? I have many questions:

1. On Windows 2008 R2 (AD server) DES encryption is disabled; will RC4-HMAC-NT work?

2. Are the features for a user account set up something else?

3. Is the Service SPN configured on the SAP server, not the Active Directory server?

4. The KTPASS script has "+desonly"; should I leave it or set something else for RC4-HMAC-NT encryption?

5. The ABAP stack is limited to 12 characters in the username; what happens if the AD account name has more than 12?

6. Where exactly should the ktpass key be copied?

BR,

T.

Edited by: tomsie on Jun 1, 2011 8:57 AM
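The profile values listed in the post above can be checked mechanically before go-live. This is an added example, not part of the original post: a Python check that parses `snc/*` lines (in the post's `name - value` notation or the `name = value` form) and reports settings that let connections bypass or weaken SNC. The value meanings in the comments are assumptions based on the standard SNC profile parameters, and the function names are hypothetical.

```python
import re

# Constructed sample: the parameters from the post above, in its "name - value" notation.
POSTED_PROFILE = """\
snc/enable - 1
snc/accept_insecure_cpic - 1
snc/accept_insecure_rfc - 1
snc/accept_insecure_gui - 1
snc/accept_insecure_r3int_rfc - 1
snc/data_protection/min - 1
snc/data_protection/max - 3
snc/data_protection/use - 3
snc/permit_insecure_start - 1
"""

# Assumed semantics: data protection 1 = authentication only, 2 = integrity, 3 = privacy.
LEVELS = {"1": "authentication only", "2": "integrity", "3": "privacy"}
LINE = re.compile(r"^\s*(snc/[\w/]+)\s*(?:=|-)\s*(\S+)\s*$")

def parse_profile(text):
    """Return {parameter: value} for every snc/* line; '#' comment lines are skipped."""
    params = {}
    for line in text.splitlines():
        if line.lstrip().startswith("#"):
            continue
        m = LINE.match(line)
        if m:
            params[m.group(1)] = m.group(2)
    return params

def audit(params):
    """List findings for settings that let traffic bypass or weaken SNC."""
    findings = []
    if params.get("snc/enable") != "1":
        findings.append("snc/enable: SNC is not active")
    for name, value in sorted(params.items()):
        if name.startswith("snc/accept_insecure_") and value != "0":
            # Assumption: 1 accepts unprotected connections, U defers to per-user settings.
            findings.append(f"{name}={value}: connections without SNC are accepted")
    if params.get("snc/permit_insecure_start") == "1":
        findings.append("snc/permit_insecure_start=1: programs may be started without SNC")
    low = params.get("snc/data_protection/min", "")
    if low in ("1", "2"):
        findings.append(f"snc/data_protection/min={low}: peers may negotiate {LEVELS[low]}")
    return findings

if __name__ == "__main__":
    for finding in audit(parse_profile(POSTED_PROFILE)):
        print(finding)
```

Run against the posted values it reports six findings, which is expected while SNC is being rolled out alongside password logon; the same check is useful again once the `accept_insecure` switches are meant to be turned off.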

1 ACCEPTED SOLUTION

RainerKunert
Active Participant
0 Kudos

Hi,

here are some answers.

3. The SPN must be known in the AD, therefore maintain it on the AD server. AD has to know the service, otherwise the AD cannot grant Kerberos tickets for that service.

4. If the SAP server is running on a Windows machine you do not need ktpass. But the user SAPServiceSID must be a domain user. And the SPN must be attached with SAPServiceSID.

5. Users are mapped in the SNC tab of SU01. So you do not need identical user names in AD and SAP.

6. see answer 4.

Regards

Rainer

2 REPLIES 2

0 Kudos

Thanks for your help.

OK, then if I do it on the user SAPServiceSID, then the Active Directory server performs:

setspn -A SAPSID_10/server_sap AD_domain\SAPServiceSID

where:

SAPSID_10 - is a service which works with SAP

server_sap - is the name of the server which is running the instance of SAP

AD_domain - is the domain name AD

SAPServiceSID - user SAPServiceSID

Right?

BR,

T.