on 12-03-2012 5:45 AM
Hello,
We want to test SSO in our SAP landscape and we have 2 application servers in our production environment. We will follow the below process:
1. Install the Kerberos client on the CI and DI (AIX).
2. Add the AIX servers to AD.
3. Create the keytab in AD and copy the keytab to the SAP servers.
The confusion is: when we are creating the keytab, do we need to use the same SPN for all the application servers (e.g. <SID>@XYZ.COM), or do we need to have a separate SPN (e.g. <hostname>@XYZ.COM)? Also can we use the SPN as
4. Initialize the keytab on the AIX host.
5. Enable SNC parameter in the application servers.
Can the parameter /snc/identity/as be p:<SID>@XYZ.COM?
Any help is really appreciated as I do not seem to find much information on this setup.
Thanks
Dee
Hello,
I think you need to have a separate SPN for all the AS, and snc/identity/as should be p:CN=<>/Kerberos<>@xyz.com. Please don't miss "CN".
Thanks
In my case it's like p:CN=<org1>/Kerberos<sid1>@xyz.com and the principal name is <org1>/Kerberos<sid1>, so identity/as should have the SPNname@xyz.com.
Thanks
Hello Devpriy,
Thank you for your inputs. One more question to clear the confusion. Can you help me with the SPN for the application servers? Do you mean I can have the SPNs for the 2 application servers as
<hostname1>@XYZ.COM
<hostname2>@XYZ.COM
and the /snc/identity/as = p:CN=Kerberos<SID>@XYZ.COM
Thanks
Dee
Hello Dee,
I looked up some help documents for you.
Please follow page no. 24, "Define Service Principal Name". This will help you to define it using the adsiedit tool:
https://websmp105.sap-ag.de/~sapidb/011000358700001219782011
After this you may need the below info: page 33, enabling SNC in SAP GUI.
https://websmp110.sap-ag.de/~sapidb/011000358700001219792011
Hope it helps.
Thanks,
Dev