cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

SSO-SNC name for application servers in group/server selection

Go to solution
Former Member

on ‎12-03-2012 5:45 AM

0 Kudos

Hello,

We want to test  SSO in our SAP landscape and we have 2 application servers in our production environment. We will follow the below process

1. Install the kerberos client on the CI and DI (AIX).

2. Add the AIX servers to AD.

3. Create the keytab in AD and copied the keytab to the SAP servers.

The confusion is when we are creating the keytab do we need to use the same SPN for all the application servers (e.g <SID>@XYZ.COM or do we need to have a have seperate SPN (e.g <hostname>@XYZ.COM) Also can we use the SPN as

4. Initialized the keytab on the AIX host.

5. Enable SNC parameter in the application servers.

Can the parameter /snc/identity/as be p:<SID>@XYZ.COM?

Any help is really appreciated as I do not seem to find much information on this setup.

Thanks


Dee

Show replies
Show replies
Answer

Accepted Solutions (1)

Accepted Solutions (1)

Former Member
‎12-03-2012 5:54 AM
0 Kudos

Hello ,

I think , you need to have separate SPN all the AS and snc/identity/as should be p:CN=<>/Kerberos<>@xyz.com , please dont miss "CN".

Thanks

Show replies
Show replies
Former Member
‎12-03-2012 6:28 AM
0 Kudos

Hello Devpriy,

Thank you for your quik response. Can you elaborate it a little bit more? What should be the entry in <> in the parameter? Should it be the <SID> of the production instance?

p:CN=<>/Kerberos<>@xyz.com?

Please advise.

Thanks

Dee

Former Member
‎12-03-2012 7:31 AM
0 Kudos

in my case its like p:CN=<org1>/Kerberos<sid1>@xyz.com and principle name is <org1>/Kerberos<sid1> , so identity/as should have the SPNname@xyz.com.

Thanks

Former Member
‎12-04-2012 1:41 AM
0 Kudos

Hello Devpriy,

Thank you for your inputs. One more question to clear the confusion. Can you help me with the SPN for the application servers? Do you mean I can have the have the SPN's for the 2 application servers as

<hostname1>@XYZ.COM

<hostname2>@XYZ.COM

and the /snx/identity/as = p:CN=Kerberos<SID>@XYZ.COM

Thanks

Dee

Former Member
‎12-04-2012 4:36 AM
0 Kudos

Hello Dee,

I looked some help documents for you -

please follow page no . 24 " Define Service Principal Name " - this will help you to define using asiedit tool -

https://websmp105.sap-ag.de/~sapidb/011000358700001219782011

after this you may need the below info - page 33 - enabling snc in sap gui.

https://websmp110.sap-ag.de/~sapidb/011000358700001219792011

Hope it helps.

Thanks ,

Dev

Answers (0)

Ask a Question