
Problem configuring Kerberos SSO for ABAP

Former Member
0 Kudos

Hello all,

We're having some issues with the configuration of Kerberos SSO to our SAP server. The SAP server is Windows Server 2008R2 SP1, the domain controllers are also Windows Server 2008R2 SP1.

Actions taken:

1. We placed gx64krb5.dll in c:\windows\system32 on the central instance (version 1.0.9.2)

2. We have the service SAP<SID>_00 running under user INTERNAL.<DOMAIN>.COM\SAPService<SID>

3. We have set the SPN for this service user to "SAPService<SID>/internal.<DOMAIN>.com"

4. Kerberos DES encryption has been enabled for the domain user account

5. We maintained profile parameters in SAP:

snc/enable = 1

snc/identity/as = p:SAPService<SID>@INTERNAL.<DOMAIN>.COM

snc/gssapi_lib = C:\Windows\System32\gx64krb5.dll

snc/accept_insecure_gui = 1

snc/permit_insecure_start = 1

snc/accept_insecure_rfc = 1

snc/accept_insecure_cpic = 1

snc/data_protection/use = 1

snc/data_protection/min = 1

snc/data_protection/max = 1

When we start SAP, the following error is logged in the work process tracefile and the work process dies:

      • ERROR => SncPAcquireCred()==SNCERR_GSSAPI [sncxxall.c 1439]

N GSS-API(maj): No valid credentials provided (or available)

N GSS-API(min): SSPI::IniSctx#1()==(internal error) The LSA cannot be contacted

N Could't acquire ACCEPTING credentials for

N

N name="p:SAPService<SID>@INTERNAL.<CUSTOMER>.COM"

N SncInit(): Fatal -- Accepting Credentials not available!

N <<- SncInit()==SNCERR_GSSAPI

N sec_avail = "false"

Does anybody have an idea what might be the issue here? Thanks for all replies!

Kindest regards, Wilbert

1 ACCEPTED SOLUTION

guilherme_deoliveira
Participant
0 Kudos

Hello Wilbert,

The error you're having:

N GSS-API(maj): No valid credentials provided (or available)

N GSS-API(min): SSPI::IniSctx#1()==(internal error) The LSA cannot be contacted

N Could't acquire ACCEPTING credentials for

means that the SAP application cannot determine which user is required to run SNC from Kerberos. The SAP profile parameter determines which SNC user should be used. In this case double check that the profile parameter snc/identity/as is set as below:

snc/identity/as = p:<ActualUserName>@<WINDOWS.DOMAIN.NAME>

or

snc/identity/as = p:<WINDOWS.DOMAIN.NAME>\<ActualUserName>

SAP Note 352295 provides more tips on Windows and SNC for SAP. I hope it helps you also.

Best Regards,

Guilherme de Oliveira.
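
As an added example (not part of the thread and not SAP tooling), the Python below parses an instance profile like the one in the question and reports the SNC settings worth reviewing: an identity matching neither name form from the answer above, the accept/permit-insecure switches, and a data-protection minimum below privacy. The sample profile, the SID `ABC` and the realm are constructed placeholders, and requiring an upper-case domain part is an assumption.

```python
import re

# Constructed sample profile modelled on the parameters quoted in the question;
# the SID "ABC" and realm "INTERNAL.EXAMPLE.COM" are placeholders.
SAMPLE_PROFILE = r"""
snc/enable = 1
snc/identity/as = p:SAPServiceABC@INTERNAL.EXAMPLE.COM
snc/gssapi_lib = C:\Windows\System32\gx64krb5.dll
snc/accept_insecure_gui = 1
snc/permit_insecure_start = 1
snc/accept_insecure_rfc = 1
snc/accept_insecure_cpic = 1
snc/data_protection/use = 1
snc/data_protection/min = 1
snc/data_protection/max = 1
"""

# The two name forms from the accepted answer; requiring an upper-case
# domain part is an assumption taken from how the answer writes it.
IDENTITY_FORMS = (
    re.compile(r"^p:[^@\\\s]+@[A-Z0-9.-]+$"),    # p:<user>@<WINDOWS.DOMAIN.NAME>
    re.compile(r"^p:[A-Z0-9.-]+\\[^@\\\s]+$"),   # p:<WINDOWS.DOMAIN.NAME>\<user>
)
LEVELS = {"1": "authentication only", "2": "integrity protection"}

def parse_profile(text):
    """Return {parameter: value} from 'name = value' lines, skipping comments."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            name, value = line.split("=", 1)
            params[name.strip()] = value.strip()
    return params

def audit_snc(params):
    """Return (parameter, finding) pairs that deserve a second look."""
    findings = []
    identity = params.get("snc/identity/as", "")
    if not any(form.match(identity) for form in IDENTITY_FORMS):
        findings.append(("snc/identity/as", "matches neither expected name form"))
    for name in sorted(params):
        if re.match(r"snc/(accept|permit)_insecure_", name) and params[name] == "1":
            findings.append((name, "communication without SNC is still allowed"))
    minimum = params.get("snc/data_protection/min")
    if minimum in LEVELS:
        findings.append(("snc/data_protection/min", f"minimum is {LEVELS[minimum]}"))
    return findings
```

Calling `audit_snc(parse_profile(SAMPLE_PROFILE))` returns one entry per setting to review; an empty list means none of these checks fired.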

7 REPLIES 7

0 Kudos

Hello Guilherme,

Thanks for your reply! It does not seem to matter whether I specify

snc/identity/as = p:SAPService<SID>@INTERNAL<DOMAIN>.COM

or

snc/identity/as = p:INTERNAL.<DOMAIN>.COM\SAPService<SID>

Both options will result in work process death.

Kindest regards, Wilbert

0 Kudos

Hello all,

Our problem was on the Domain Controller side: DES encryption had not been enabled on the WS2008R2 DCs as per http://support.microsoft.com/kb/977321. After the changes in this KB article had been implemented (and after the servers were rebooted), the SNC mechanism was activated successfully during work process startup and the SAP Instance no longer died off.

That's hurdle one! Of course we are immediately confronted with hurdle number two: how can we use this mechanism to facilitate SSO to a BSP hosted on the Web AS ABAP through ICM (if this is even possible at all)?

All insights are greatly appreciated!

Kindest regards, Wilbert

0 Kudos

Hi,

SNC is used for logon from applications like SAP GUI, SAP RFC enabled applications etc. It is not used for Web browser authentication. So, for ICM services you need to use a different approach. I assume you want to use Kerberos and Active Directory so that users are authenticated in the same way and recognised as the same user when they log on via GUI or via browser? If so, then I suggest you look at a product such as this one - ecohub.sdn.sap.com/irj/ecohub/solutions/trustbrokeradapter

Thanks,

Tim

0 Kudos

Hi,

For Kerberos SSO to BSP or ABAP Webdynpro applications, we use our SAP Portal and a redirect application.

Once authenticated via SPNEGO Kerberos on the portal, the portal sends a MYSAPSSO2 cookie (SAP Logon Ticket) to the user's browser and redirects to the BSP URL. The portal Logon Ticket is accepted by our ECC6 system because of the trustship configuration between the 2 systems.

This works productively for the HR applications used by our 9000 employees.

It seems also that SAP is currently developing SPNEGO Kerberos for the ABAP ICM but there is no planned date for delivery.

Regards,

Olivier

0 Kudos

Hey Guys,

We really don't want to set up a Java instance just for Kerberos authentication. Maybe I should explain our situation a bit better: we're in the transition of certain ITS applications that formerly ran on a standalone ITS (agate, wgate). These applications used NTLM SSO. Now we need to make these applications available on an integrated ITS. So we're looking for a way to set up SSO for our application through the integrated ITS.

Kindest regards, Wilbert

0 Kudos

So we're looking for a way to set up SSO for our application through the integrated ITS.

Kindest regards, Wilbert

The integrated ITS is using the standard authentication capabilities of the Internet Communication Framework (ICF). And unfortunately, SPNEGO is not amongst the supported authentication methods, yet. Since ICF does not offer a concept for custom login modules (like JAAS) there's currently no alternative to either using the "Java issuing a logon ticket" solution or using SAML 2.0 (available as of NWAS ABAP 7.02) with an SAML 2.0 IdP supporting SPNEGO (either SAP or non-SAP).

Best regards,
Wolfgang