05-16-2012 1:02 PM
Dear all,
we're in the process of implementing SSO for SAP Application servers on our IBM AIX infrastructure.
We performed all the steps related to the initial configuration as:
- installing the Kerberos client from the AIX Expansion DVD,
- configuring the Kerberos client making it point to our Windows Domain and Windows Domain Controller
- generating - via Windows AD tools - the keytab file
- importing the aforementioned keytab file into the proper AIX folder
- requesting the kerberos ticket through the "kinit -k (...)" command
- setting up the proper SAP profile parameters in order to enable the SAP instance to use SNC
Everything seemed to work fine on the Kerberos side; however, when we try to start up the instance, the procedure fails with the following error:
N *** ERROR => SncPAcquireCred()==SNCERR_GSSAPI [sncxxall.c 1439]
N GSS-API(maj): Miscellaneous failure
N GSS-API(min): No credentials cache found
What we don't get is where the SAP system (or the O.S. library) tries to look for the credential cache file; we, in fact, created the file in multiple copies aiming to solve the issue, saving them into:
- the SAP user home,
- the "/tmp" folder,
- the "/var/krb5/security/creds" folder ( where, by the way, it should reside by default),
- the DIR_HOME folder
None of the above folders, however, seemed to be the correct one, as the system - with the SNC parameters - still doesn't come up.
Could you please help us out?
If you need any info or clarifications, feel free to ask.
We uploaded the dev_traces, in case you may want to take a look.
Best Regards,
Luciano Dei Rossi
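
An added example, not part of the original post: a check of which credential cache file a Kerberos GSS-API library would look for when run under a given uid, and whether that file is usable. It assumes an MIT-style library that honors the KRB5CCNAME environment variable and otherwise uses krb5cc_<uid> in the default folder named in the post; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: which credential cache would a Kerberos GSS-API library use
# for a given uid, and is that file usable? Function names are hypothetical.
# Assumption: an MIT-style library that honors KRB5CCNAME and otherwise looks
# for krb5cc_<uid> in the default folder (the one named in the post).

DEFAULT_CC_DIR=/var/krb5/security/creds

# resolve_ccache UID [DIR]: print the cache path the library would try.
resolve_ccache() {
    rc_uid=$1
    rc_dir=${2:-$DEFAULT_CC_DIR}
    case ${KRB5CCNAME:-} in
        "")      printf '%s\n' "$rc_dir/krb5cc_$rc_uid" ;;   # no override set
        FILE:*)  printf '%s\n' "${KRB5CCNAME#FILE:}" ;;      # explicit file cache
        /*)      printf '%s\n' "$KRB5CCNAME" ;;              # bare path means FILE:
        *)       printf 'non-file:%s\n' "$KRB5CCNAME" ;;     # e.g. a memory cache
    esac
}

# check_ccache UID [DIR]: print "<status>:<path>"; return 0 only for "ok".
check_ccache() {
    cc_uid=$1
    cc_path=$(resolve_ccache "$cc_uid" "${2:-}")
    case $cc_path in
        non-file:*) echo "unsupported:$cc_path"; return 1 ;;
    esac
    [ -f "$cc_path" ] || { echo "missing:$cc_path"; return 1; }
    # ls -ln gives the mode string in field 1 and the numeric owner in field 3.
    cc_info=$(ls -ln "$cc_path" | awk '{print $1 " " $3}')
    cc_mode=${cc_info%% *}
    cc_owner=${cc_info##* }
    [ "$cc_owner" = "$cc_uid" ] || { echo "wrong-owner($cc_owner):$cc_path"; return 1; }
    # Characters 5-10 of the mode are the group/other bits; a ticket cache
    # should grant them nothing.
    [ "$(printf '%s' "$cc_mode" | cut -c5-10)" = "------" ] ||
        { echo "loose-perms($cc_mode):$cc_path"; return 1; }
    echo "ok:$cc_path"
}

# Run under the OS account that starts the instance: the default name is per-uid.
check_ccache "$(id -u)" || true
```

A copy of the cache placed in another folder is only found if KRB5CCNAME in the environment of the process that loads the library points at it.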
05-16-2012 1:20 PM
05-16-2012 5:24 PM
Tim,
first of all thanks for your quick answer.
During the setup, we read tons of notes, posts, blogs, etc., about it, since we encountered the issue.
The strange thing, is that we were following an official document from IBM which states that the configuration is possible.
Anyway, following your reply and also SAP's reply (which, basically, says they do not support Kerberos on Unix platforms) we decided to go with the SAP NetWeaver Single Sign-On 1.0 package.
It worked at least for the server-side part; the instance is up&running and everything seems fine.
We'll continue in the next days with the client configuration and we'll see how it goes.
Regards,
Luciano
05-16-2012 6:05 PM
05-18-2012 5:35 PM
Dear Tim,
thanks for the answer.
As I wrote before, the SAP instance is now up&running with the Secure Client Library, provided by SAP itself.
As per your knowledge, is it necessary to install the Secure Login Client on the frontend workstations to let the whole SNC process work?
Because we're getting some errors once we try to launch the connection from the SAPLogon:
*** ERROR => SncPEstablishContext() failed for target='p:CN=USERNAME@DOMAIN.LOCAL' [sncxxall.c 3379]
*** ERROR => SncPEstablishContext()==SNCERR_GSSAPI [sncxxall.c 3345]
GSS-API(maj): Miscellaneous Failure
GSS-API(min): SSPI::IniSctx#1()==Specified target is unknown or unreachable
Unable to establish the security context
target="p:CN=USERNAME@DOMAIN.LOCAL"
<<- SncProcessOutput()==SNCERR_GSSAPI
*** ERROR => TmIWrite: SncProcessOutput (SNCERR_GSSAPI) [dpxxtm.c 1782]
*** ERROR => TmIConnect: TmIWrite [dpxxtm.c 948]
TM_LAYER TmConnect <<
Thanks in advance.
I opened another thread for this problem, that you may want to look at: http://scn.sap.com/thread/3178284
Regards,
Luciano
05-18-2012 6:05 PM
Dear Luciano,
so if you still have the problem with Secure Login Library or Secure Login Client (SAP NW SSO) I am sure our support will help you!
Component: BC-IAM-SL at the SAP support portal.
Have a nice weekend
Regards
Matthias
05-18-2012 6:19 PM
Dear Matthias,
thanks for your reply.
I already, in fact, opened a customer message (at first as BC-SEC-SNC, then it got changed by the support), and I'm waiting for an answer from the SAP Support.
Before getting to open it, however, I opened a thread in SCN (the other one I'm referring to above) to understand if there was a basis for it.
I'll wait for the SAP Support and, in the meanwhile, we'll see if some members have a solution for me.
Thanks for your interest anyway.
Regards,
Luciano
05-18-2012 6:37 PM
I am sure the support will find the problem. I think I saw this error message already one time. Perhaps it is an issue with the configuration of the ServicePrincipalName. If you have some time before the Service will answer you, check this configuration.
http://help.sap.com/nwsso10 -> Secure Login Library documentation
--> 3.2 SNC Kerberos Configuration
So you use the Kerberos integration, not the certificate version, right?
--> Did you configure the service name in AD correctly?
--> Please check also the SNC parameter - especially snc/identity/as
This line looks strange: 'p:CN=USERNAME@DOMAIN.LOCAL'
Regards
Matthias
08-13-2012 11:20 PM
Hi Luciano,
Was your problem fixed? Was the problem with the Service Principal Name?
Even I am stuck with a similar issue. Any help or pointer is highly appreciated.
-Shyam
09-11-2013 11:17 AM
Hi,
We had a very similar issue (see below the sapgui trace) with NW SSO 2.0.
@Luciano, did you solve it?
*** ERROR => SncPEstablishContext() failed for target='p:CN=XXXXX@yyyyyy.com' [sncxxall.c 3379]
*** ERROR => SncPEstablishContext()==SNCERR_GSSAPI [sncxxall.c 3345]
GSS-API(maj): No credentials were supplied
Unable to establish the security context
target="p:CN=XXXXX@yyyyyy.com"
<<- SncProcessOutput()==SNCERR_GSSAPI
*** ERROR => TmIWrite: SncProcessOutput (SNCERR_GSSAPI) [dpxxtm.c 1782]
*** ERROR => TmIConnect: TmIWrite [dpxxtm.c 948
09-06-2012 8:02 PM
Hello Luciano Dei Rossi
How did you fix the error?
*** ERROR => SncPAcquireCred()==SNCERR_GSSAPI [sncxxall.c 1439]
N GSS-API(maj): No credentials were supplied
N Could't acquire ACCEPTING credentials for
N
N name="p:CN=SAP/KerberosSS6@XXXX.COM"
-Sid