SSO for SAP NW ABAP in AIX 6.1

Former Member
0 Kudos

Hi,

We are configuring SSO using kerberos delivered by AIX expansion package.

NW app server: AIX 6.1

MS AD: 2003

client Windows 7

We have only ABAP systems in our landscape.

We have gone through notes 150380, 352295 and 595341.

SNC is active, AD to AIX seems to be working fine. But from SAP GUI when

GSS-API (min): SSPI::Inisctx#1()==Unknown SSPI error 0x80090342

traget="p:SAPService/<hostname.xxx.xxx> @ <DOMAIN_Name>

Error in SNC

steps followed:

AD configuration

1) created service user in MS AD 2003 (sapsvc)

2) created SPN

setspn -A SAPService/<hostname.xxx.xxx> <DOMAIN_Name>\sapsvc

3) created keytab

ktpass -princ SAPService/<hostname.xxx.xxx> <DOMAIN_Name> -mapuser <DOMAIN_SHORTNAME>\sapsvc -crypto DES-CBC-MD5 -ptype KRB5_NT_PRINCIPAL -mapop set +desonly -pass <password> -out abc.keytab

AIX setup

1) Installed Kerberos from AIX expansion package

2) created config file krb5.conf

[libdefaults]
        default_realm = <DOMAIN_NAME>   (uppercase)
        default_keytab_name = FILE:/etc/krb5/krb5.keytab
        default_tkt_enctypes = des-cbc-md5 des-cbc-crc
        default_tgs_enctypes = des-cbc-md5 des-cbc-crc

[realms]
        <DOMAIN_NAME> = {
                kdc = <DOMAIN_NAME>:88
                admin_server = <DOMAIN_NAME>:749
                default_domain = LOCAL.COM   (other half of domain)
        }

[domain_realm]
        .LOCAL.COM = <DOMAIN_NAME>
        <DOMAIN_NAME> = <DOMAIN_NAME>

[logging]
        kdc = FILE:/var/krb5/log/krb5kdc.log
        admin_server = FILE:/var/krb5/log/kadmin.log
        kadmin_local = FILE:/var/krb5/log/kadmin_local.log
        default = FILE:/var/krb5/log/krb5lib.log

this file was created by using config.krb5 command

3) merged keytab from AD using ktutil

ktutil:

ktutil: rkt /tmp/abc.keytab

ktutil: wkt /etc/krb5/krb5.keytab

4) get TGT

#kinit -k SAPService/<hostname.xxx.xxx> @ <DOMAIN_Name>

Done!

New ticket is stored in cache file //krb5cc_root

When I execute it with the sidadm user I don't get any error, but it simply goes to the next prompt.

5) cron job scheduled to run every 6 hours

SAP configuration:

1) set the necessary environment variables

SNC_LIB= /usr/krb5/lib/libgssapi_krb5.a

2) set the SNC parameters

snc/extid_login_rfc = 1
snc/extid_login_diag = 1
snc/permit_insecure_start = 0
snc/accept_insecure_rfc = 1
snc/accept_insecure_r3int_rfc = 1
snc/accept_insecure_gui = 1
snc/accept_insecure_cpic = 1
snc/data_protection/use = 9
snc/data_protection/min = 1
snc/data_protection/max = 1
snc/gssapi_lib = /usr/krb5/lib/libgssapi_krb5.a(libgssapi_krb5.a.so)
snc/enable = 1
snc/identity/as = p/krb5:SAPService/tcpsapers.tcphq.tcpcorp.local.com@TCP_CENTRAL.tcpcorp.local.com

Now SNC is active. After many tries, the system came up with the above parameters.

Client side setup

1) deployed SAPSSO.msi file from NOTE: 352295 (it automatically set env variables)

2) copied gx64krb5.dll from win64sso.zip from note: 352295 (SAP logon was giving error unable to find dll, hence copied to /system32)

3) in SAPGUI maintained SNC name: p/krb5:SAPService/<hostname.xxx.xxx> @ <DOMAIN_Name>

Mapped user:

1) in SU01

SNC name: p:ssankar@<DOMAIN_NAME>

While trying to logon it gives

GSS-API (min): SSPI::Inisctx#1()==Unknown SSPI error 0x80090342

traget="p:SAPService/<hostname.xxx.xxx> @ <DOMAIN_Name>

Error in SNC

What am I doing wrong? I have gone through many blogs and threads and didn't find a solution for this. (screenshot attached)

-Shyam

Accepted Solutions (1)

0 Kudos

Hello,

The problem is that you use different operating systems.

I see you use Windows Server 2003 as your KDC.

And you have Windows 7 clients.

Encryption problems occur in your case.

Windows 7 doesn't know DES encryption.

I think RC4-HMAC-NT would solve your problem. (on both sides)

Another problem is that the setting of your environment variable is wrong.

SNC_LIB= <path>/gsskrb5.dll (in my case)

You need a library file (.dll), as you see in the line before.

You posted "gx64krb5.dll", which I think would be the right one for you.

e.g.: SNC_LIB= .../system32/gx64krb5.dll

Yours sincerely,

Christian Frühwirth

Now I know that you need the 32-bit DLL, because SAP is a 32-bit application. There is no 64-bit version. (gsskrb5.dll would be right)

Sorry for my mistake.

Message was edited by: Christian Frühwirth
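
The encryption-type mismatch described in the answer above can be checked for mechanically. The following is an added example, not code from the thread or from SAP or IBM: a small Python check that flags DES-only `krb5.conf` enctype settings and DES-pinning `ktpass` options. The sample inputs are constructed from the question, with a placeholder realm, host and KDC name.

```python
import re

# Single-DES enctype names; Windows 7 / Server 2008 R2 disable these by default.
DES_ENCTYPES = {"des", "des-cbc-crc", "des-cbc-md4", "des-cbc-md5"}
ENCTYPE_KEYS = ("default_tkt_enctypes", "default_tgs_enctypes", "permitted_enctypes")

# Constructed sample modelled on the posted krb5.conf (realm and KDC are placeholders).
SAMPLE_KRB5_CONF = """\
[libdefaults]
        default_realm = EXAMPLE.LOCAL.COM
        default_tkt_enctypes = des-cbc-md5 des-cbc-crc
        default_tgs_enctypes = des-cbc-md5 des-cbc-crc
[realms]
        EXAMPLE.LOCAL.COM = {
                kdc = dc1.example.local.com:88
        }
"""
# Constructed sample modelled on the posted ktpass call (names are placeholders).
SAMPLE_KTPASS = ("ktpass -princ SAPService/host.example.local.com@EXAMPLE.LOCAL.COM "
                 "-mapuser EXAMPLE\\sapsvc -crypto DES-CBC-MD5 -ptype KRB5_NT_PRINCIPAL "
                 "-mapop set +desonly -out abc.keytab")

def libdefaults_enctypes(conf_text):
    """Return {setting: [enctype, ...]} for enctype settings under [libdefaults]."""
    found, section = {}, None
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            section = header.group(1).lower()
        elif section == "libdefaults" and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            if key in ENCTYPE_KEYS:
                found[key] = [e for e in re.split(r"[,\s]+", value.lower()) if e]
    return found

def des_only_settings(conf_text):
    """Names of enctype settings that allow nothing but single DES."""
    settings = libdefaults_enctypes(conf_text)
    return sorted(k for k, v in settings.items() if v and set(v) <= DES_ENCTYPES)

def ktpass_des_options(command):
    """ktpass options in the command line that pin the key or account to DES."""
    hits = re.findall(r"-crypto\s+DES-CBC-(?:MD5|CRC)|\+desonly", command, flags=re.I)
    return [" ".join(hit.split()) for hit in hits]

if __name__ == "__main__":
    print("DES-only krb5.conf settings:", des_only_settings(SAMPLE_KRB5_CONF))
    print("DES-pinning ktpass options:", ktpass_des_options(SAMPLE_KTPASS))
```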

Former Member
0 Kudos

Hello Christian

I have the same issue but my AD is Windows 2008 SR2. Are there encryption problems too?

Rocio

Former Member
0 Kudos

Hello,

DES encryption is not supported in Win 2008, you can use RC4-HMAC.

Thanks

Shaik

0 Kudos

If for some reason you cannot change the encryption from DES on the server side, there's a workaround on the local station to enable a Windows 7 client to support DES:

1) Run: secpol.msc

2) Local Policies -> Security Options

3) Network security: Configure encryption types allowed for Kerberos

4) Check all checkboxes

5) Restart machine

Answers (2)

Former Member
0 Kudos

Hello,

One doubt regarding SNC. How do we configure a system with application servers? Do we have to follow the same steps like we did for the CI config?

Regards,

Pedro

sebastian_peroni
Explorer
0 Kudos

Hi,

Crypto is an issue as others have replied.

Another thing to check...

You wrote:

Client side setup

1) deployed SAPSSO.msi file from NOTE: 352295 (it automatically set env variables)

2) copied gx64krb5.dll from win64sso.zip from note:352295  (SAP logon was giving error unable to find dll, hence copied to

On the client side, regardless of whether Windows is a 32- or 64-bit system, SAP GUI is a 32-bit application and needs the 32-bit library.

Also copy the .pob (or similar) file from win32sso.zip into the same directory as the .dll.

regards,

Seba