SAP GUI Error "SAP System Message: S"
I'm trying to implement SSO between SAP GUI and an ABAP system. Eventually, the SSO will include AS Java and ABAP WebGUI as well.
So far I have deployed the SSO Server on an AS Java 7.3 system. The SSO Server has the root certificate and the user CA certificate configured. The Login Module is SecureLoginModuleLDAP. The Login Module in the NetWeaver Administrator is configured for my MS AD.
On the ABAP system, I have configured the ABAP instance profile as described in http://scn.sap.com/docs/DOC-29687. I have created the PSE for SNC manually and modified the SNC name for my test user in SU01.
On the client side, I have the SSO Client and SAP GUI installed. When I log in with my MS AD user, I can see the Kerberos Token activated. I can also authenticate myself on the MS AD using the SSO Client and obtain a certificate. SNC_LIB points to <Library path>\secgss.dll. SSF_LIBRARY_PATH points to <Library path>\secssf.dll.
The problem is that when I try to log on to the ABAP system using SNC with the SAP GUI, I get an error message saying "SAP System Message: S". There are also a few entries in SM21: "Delete session 001 after error 044".
This does not seem like a popular error on SCN, as I did not find many past cases.
Any help will be much appreciated.
Verono Kwok replied
I have resolved my problem.
First of all, when the SSO Client was installed, the Kerberos option was chosen as default. I noticed that in the example provided by Matthias in http://scn.sap.com/docs/DOC-29687 there was only an X.509 certificate present in the SSO Client, whereas in my screenshots above there were both the Kerberos token and the X.509 certificate. I uninstalled the SSO Client and re-installed it using the custom install option with the Kerberos option unchecked.
Now, when I logged in using the SSO Client, I could only see my X.509 certificate verified against my Microsoft Active Directory. When I logged on to my ABAP system with SNC enabled, I encountered another error: "GSS-API(min): A2210223:Server does not trust my certificate path target".
I had misunderstood the PKI requirement of this exercise. I generated the SNC PSE using the ABAP system instead of using the SSO Server. I then generated an SAP server certificate in the SSO Server under Server Configuration > Certificate Management with my SNC name defined in the profile parameter snc/identity/as. This certificate was then imported into my ABAP system using STRUST.
After the system was restarted, I was able to single sign-on to the ABAP system using SNC.