on 08-16-2012 3:09 AM
Hi,
We are configuring SSO using the Kerberos delivered with the AIX expansion pack.
NW app server: AIX 6.1
MS AD: 2003
client Windows 7
we have only ABAP systems in our landscape.
We have gone through SAP Notes 150380, 352295 and 595341.
SNC is active and AD to AIX seems to be working fine, but from SAP GUI, when logging on, we get:
GSS-API (min): SSPI::Inisctx#1()==Unknown SSPI error 0x80090342
target="p:SAPService/<hostname.xxx.xxx>@<DOMAIN_Name>"
Error in SNC
steps followed:
AD configuration
1) created service user in MS AD 2003 (sapsvc)
2) created SPN
setspn -A SAPService/<hostname.xxx.xxx> <DOMAIN_Name>\sapsvc
3) created keytab
ktpass -princ SAPService/<hostname.xxx.xxx>@<DOMAIN_Name> -mapuser <DOMAIN_SHORTNAME>\sapsvc -crypto DES-CBC-MD5 -ptype KRB5_NT_PRINCIPAL -mapop set +desonly -pass <password> -out abc.keytab
AIX setup
1) Installed Kerberos from AIX expansion package
2) created config file krb5.conf
[libdefaults]
default_realm = <DOMAIN_NAME>   # uppercase
default_keytab_name = FILE:/etc/krb5/krb5.keytab
default_tkt_enctypes = des-cbc-md5 des-cbc-crc
default_tgs_enctypes = des-cbc-md5 des-cbc-crc
[realms]
<DOMAIN_NAME> = {
kdc = <DOMAIN_NAME>:88
admin_server = <DOMAIN_NAME>:749
default_domain = LOCAL.COM   # other half of the domain
}
[domain_realm]
.LOCAL.COM = <DOMAIN_NAME>
<DOMAIN_NAME> = <DOMAIN_NAME>
[logging]
kdc = FILE:/var/krb5/log/krb5kdc.log
admin_server = FILE:/var/krb5/log/kadmin.log
kadmin_local = FILE:/var/krb5/log/kadmin_local.log
default = FILE:/var/krb5/log/krb5lib.log
This file was created using the config.krb5 command.
3) merged the keytab from AD using ktutil
# ktutil
ktutil: rkt /tmp/abc.keytab
ktutil: wkt /etc/krb5/krb5.keytab
4) get TGT
# kinit -k SAPService/<hostname.xxx.xxx>@<DOMAIN_Name>
Done!
New ticket is stored in cache file //krb5cc_root
When I execute it as the sidadm user I don't get any error; it simply goes to the next prompt.
5) cron job scheduled to run every 6 hours
SAP configuration:
1) set the necessary environment variables
SNC_LIB=/usr/krb5/lib/libgssapi_krb5.a
2) set the SNC parameters
snc/extid_login_rfc = 1
snc/extid_login_diag = 1
snc/permit_insecure_start = 0
snc/accept_insecure_rfc = 1
snc/accept_insecure_r3int_rfc = 1
snc/accept_insecure_gui = 1
snc/accept_insecure_cpic = 1
snc/data_protection/use = 9
snc/data_protection/min = 1
snc/data_protection/max = 1
snc/gssapi_lib = /usr/krb5/lib/libgssapi_krb5.a(libgssapi_krb5.a.so)
snc/enable = 1
snc/identity/as = p/krb5:SAPService/tcpsapers.tcphq.tcpcorp.local.com@TCP_CENTRAL.tcpcorp.local.com
Now SNC is active; after many tries the system came up with the above parameters.
Client side setup
1) deployed SAPSSO.msi from SAP Note 352295 (it automatically sets the environment variables)
2) copied gx64krb5.dll from win64sso.zip from SAP Note 352295 (SAP Logon was giving the error "unable to find dll", hence copied it to /system32)
3) in SAP GUI maintained SNC name: p/krb5:SAPService/<hostname.xxx.xxx>@<DOMAIN_Name>
Mapped user:
1) in SU01
SNC name: p:ssankar@<DOMAIN_NAME>
While trying to log on it gives:
GSS-API (min): SSPI::Inisctx#1()==Unknown SSPI error 0x80090342
target="p:SAPService/<hostname.xxx.xxx>@<DOMAIN_Name>"
Error in SNC
What am I doing wrong? I have gone through many blogs and threads and didn't find a solution for this. (screenshot attached)
-Shyam
Hello,
The problem is that you use different operating systems.
I see you use Windows Server 2003 as your KDC.
And you have Windows 7 clients.
Encryption problems occur in your case.
Windows 7 doesn't know DES encryption.
I think RC4-HMAC-NT would solve your problem (on both sides).
Another problem is that your environment variable setting is wrong.
SNC_LIB=<path>/gsskrb5.dll (in my case)
You need a library file (.dll), like the one in the line before.
You posted "gx64krb5.dll", which I think would be the right one for you.
e.g. SNC_LIB=.../system32/gx64krb5.dll
Yours sincerely,
Christian Frühwirth
Now I know that you need the 32-bit DLL, because SAP is a 32-bit application. There is no 64-bit version. (gsskrb5.dll would be right.)
Sorry for my mistake.
Message was edited by: Christian Frühwirth
If for some reason you cannot change the encryption from DES on the server side, there's a workaround on the local workstation to enable the Windows 7 client to support DES:
1) Run: secpol.msc
2) Local Policies -> Security Options
3) Network security: Configure encryption types allowed for Kerberos
4) Check all the checkboxes
5) Restart machine
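Shyam's error, Christian's encryption-type diagnosis and the secpol.msc workaround above all turn on the same question: does the service account's keytab hold a key type the Windows client is allowed to use? SSPI status 0x80090342 is SEC_E_KDC_UNKNOWN_ETYPE ("the encryption type requested is not supported by the KDC"). The following is an added example, not code from the thread, from SAP or from IBM. It parses the MIT keytab format that ktutil writes (the file ktpass emits is the same format), lists the key type of each entry, and intersects the key types held for the SAP service principal with the Windows SupportedEncryptionTypes bitmask behind the "Network security: Configure encryption types allowed for Kerberos" setting. The principal name, the dummy keys and both client masks are constructed assumptions for the example.

```python
import struct
from dataclasses import dataclass

# IANA / RFC 3961 Kerberos encryption type numbers.
ENCTYPE_NAMES = {1: "des-cbc-crc", 3: "des-cbc-md5", 17: "aes128-cts-hmac-sha1-96",
                 18: "aes256-cts-hmac-sha1-96", 23: "arcfour-hmac (RC4-HMAC-NT)"}

# Bits of the Windows SupportedEncryptionTypes value, mapped to enctype numbers.
WINDOWS_ETYPE_BITS = {0x01: 1, 0x02: 3, 0x04: 23, 0x08: 17, 0x10: 18}
# Assumed client policies (assumptions for this example, not facts from the thread):
# a Windows 7 client with the policy unconfigured has DES off and RC4/AES on;
# "check all checkboxes" in secpol.msc turns every bit on.
WIN7_DEFAULT_MASK = 0x04 | 0x08 | 0x10
ALL_BOXES_MASK = 0x1F


@dataclass
class KeytabEntry:
    principal: str   # e.g. "SAPService/host.example.com@EXAMPLE.COM"
    kvno: int
    enctype: int


def _counted(b: bytes) -> bytes:
    """Keytab counted octet string: 16-bit big-endian length, then the bytes."""
    return struct.pack(">H", len(b)) + b


def build_keytab(entries) -> bytes:
    """Serialise (principal, kvno, enctype, key) tuples as a version-2 keytab.

    Used only to construct the sample input; real keytabs come from ktpass/ktutil.
    """
    out = bytearray(b"\x05\x02")
    for principal, kvno, enctype, key in entries:
        name, realm = principal.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps)) + _counted(realm.encode())
        for c in comps:
            body += _counted(c.encode())
        body += struct.pack(">IIB", 1, 0, kvno & 0xFF)  # name_type, timestamp, vno8
        body += struct.pack(">H", enctype) + _counted(key)
        body += struct.pack(">I", kvno)                  # optional 32-bit kvno
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def parse_keytab(data: bytes):
    """Return the entries of a version-2 MIT keytab (key bytes are skipped)."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version-2 keytab")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size <= 0:                       # negative size marks a deleted slot
            pos += -size
            continue
        end = pos + size
        ncomp, rlen = struct.unpack_from(">HH", data, pos)
        pos += 4
        realm = data[pos:pos + rlen].decode()
        pos += rlen
        comps = []
        for _ in range(ncomp):
            (clen,) = struct.unpack_from(">H", data, pos)
            comps.append(data[pos + 2:pos + 2 + clen].decode())
            pos += 2 + clen
        pos += 8                            # name_type and timestamp
        kvno = data[pos]
        enctype, klen = struct.unpack_from(">HH", data, pos + 1)
        pos += 5 + klen                     # vno8, enctype, key length, key bytes
        if end - pos >= 4:                  # trailing 32-bit kvno overrides vno8 if non-zero
            (vno32,) = struct.unpack_from(">I", data, pos)
            kvno = vno32 or kvno
        pos = end
        entries.append(KeytabEntry("/".join(comps) + "@" + realm, kvno, enctype))
    return entries


def client_enctypes(mask: int) -> set:
    """Enctype numbers a Windows SupportedEncryptionTypes bitmask allows."""
    return {etype for bit, etype in WINDOWS_ETYPE_BITS.items() if mask & bit}


def common_enctypes(entries, principal: str, mask: int) -> set:
    """Key types the keytab holds for `principal` that the client may also use.

    Empty means the client has no key type in common with the service account,
    which a Windows client reports as SEC_E_KDC_UNKNOWN_ETYPE (0x80090342).
    """
    have = {e.enctype for e in entries if e.principal == principal}
    return have & client_enctypes(mask)


PRINCIPAL = "SAPService/sapnw.example.com@EXAMPLE.COM"     # placeholder names
# ktpass ... -crypto DES-CBC-MD5 +desonly leaves the account with one DES key:
DES_ONLY_KEYTAB = build_keytab([(PRINCIPAL, 2, 3, b"\x01" * 8)])
# re-running ktpass with -crypto RC4-HMAC-NT (and no +desonly) gives an RC4 key:
RC4_KEYTAB = build_keytab([(PRINCIPAL, 3, 23, b"\x02" * 16)])

if __name__ == "__main__":
    for label, kt in (("DES-only keytab", DES_ONLY_KEYTAB), ("RC4 keytab", RC4_KEYTAB)):
        entries = parse_keytab(kt)
        print(label, [(e.kvno, ENCTYPE_NAMES[e.enctype]) for e in entries])
        print("  common with default Win7 client:",
              sorted(common_enctypes(entries, PRINCIPAL, WIN7_DEFAULT_MASK)))
        print("  common after 'check all boxes':",
              sorted(common_enctypes(entries, PRINCIPAL, ALL_BOXES_MASK)))
```

On the AIX host, parse_keytab(open("/etc/krb5/krb5.keytab", "rb").read()) gives the same view as MIT klist -ke. A result that holds only des-cbc-md5 for the SAPService principal, against a client mask with no DES bit, is an empty intersection, which is the failure in the thread; either re-keying the account with an RC4 (or AES) key or enabling DES on the client makes the intersection non-empty. Note that the keytab only reflects what ktpass wrote, not what the account currently has in AD: if the account was re-keyed since, the kvno in the keytab is stale as well.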
Hello,
One doubt regarding SNC: how do we configure a system with application servers? Do we have to follow the same steps as we did for the CI configuration?
Regards,
Pedro
Hi,
Crypto is an issue as others have replied.
Another thing to check...
You wrote:
Client side setup
1) deployed SAPSSO.msi file from NOTE: 352295 (It automatically set env variables)
2) copied gx64krb5.dll from win64sso.zip from note:352295 (SAP logon was giving error unable to find dll, hence copied to
On the client side, regardless of whether Windows is a 32- or 64-bit system, SAP GUI is a 32-bit application and needs the 32-bit library.
Also copy, into the same directory as the .dll, the .pob (or similar) file from win32sso.zip.
regards,
Seba
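Seba's and Christian's point that the 32-bit SAP GUI needs a 32-bit SNC library can be verified without loading the DLL by reading its PE header. The following is an added example, not code from the thread or from SAP: it reads the two fields that decide bitness, the COFF Machine value and the optional-header Magic, and reports whether a 32-bit process could load the image. The sample images are minimal constructed headers (assumed to resemble gx64krb5.dll and gsskrb5.dll), not the real files; for a real check pass the bytes of the DLL you deployed.

```python
import struct

IMAGE_FILE_MACHINE_I386 = 0x014C
IMAGE_FILE_MACHINE_AMD64 = 0x8664
PE32_MAGIC, PE32PLUS_MAGIC = 0x010B, 0x020B
IMAGE_FILE_EXECUTABLE_IMAGE = 0x0002
IMAGE_FILE_DLL = 0x2000
MACHINE_NAMES = {IMAGE_FILE_MACHINE_I386: "x86", IMAGE_FILE_MACHINE_AMD64: "x64"}


def pe_info(data: bytes) -> dict:
    """Return machine, bitness and DLL flag read from a PE image's headers."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)      # offset of "PE\0\0"
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # COFF file header (20 bytes) follows the signature: Machine, NumberOfSections,
    # TimeDateStamp, PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader,
    # Characteristics.
    machine, _, _, _, _, opt_size, characteristics = struct.unpack_from(
        "<HHIIIHH", data, e_lfanew + 4)
    if opt_size < 2:
        raise ValueError("no optional header")
    (magic,) = struct.unpack_from("<H", data, e_lfanew + 24)  # optional header Magic
    bits = {PE32_MAGIC: 32, PE32PLUS_MAGIC: 64}.get(magic)
    if bits is None:
        raise ValueError(f"unknown optional header magic 0x{magic:04x}")
    return {"machine": MACHINE_NAMES.get(machine, f"0x{machine:04x}"),
            "bits": bits,
            "is_dll": bool(characteristics & IMAGE_FILE_DLL)}


def loadable_by_32bit_sapgui(data: bytes) -> bool:
    """A 32-bit x86 process can only load 32-bit x86 DLLs."""
    info = pe_info(data)
    return info["is_dll"] and info["bits"] == 32 and info["machine"] == "x86"


def make_stub(machine: int, magic: int, is_dll: bool = True) -> bytes:
    """Construct the smallest header set pe_info needs (sample data only)."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)          # e_lfanew: PE header right after
    characteristics = IMAGE_FILE_EXECUTABLE_IMAGE | (IMAGE_FILE_DLL if is_dll else 0)
    coff = struct.pack("<HHIIIHH", machine, 1, 0, 0, 0, 0xE0, characteristics)
    return bytes(dos) + b"PE\0\0" + coff + struct.pack("<H", magic)


GX64KRB5_LIKE = make_stub(IMAGE_FILE_MACHINE_AMD64, PE32PLUS_MAGIC)  # 64-bit DLL
GSSKRB5_LIKE = make_stub(IMAGE_FILE_MACHINE_I386, PE32_MAGIC)        # 32-bit DLL

if __name__ == "__main__":
    for name, img in (("gx64krb5.dll (constructed stub)", GX64KRB5_LIKE),
                      ("gsskrb5.dll (constructed stub)", GSSKRB5_LIKE)):
        print(name, pe_info(img), "loadable by 32-bit SAP GUI:",
              loadable_by_32bit_sapgui(img))
```

To test a deployed file, call pe_info(open(path, "rb").read()) with the path of the DLL SNC_LIB points to. One caveat when the library is dropped into System32 on 64-bit Windows, as in the original post: a 32-bit process that opens a path under System32 is redirected by WOW64 to SysWOW64, so the file SAP GUI actually sees may not be the one you copied.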