cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Netweaver SSO SCN Kerberos

Go to solution
Former Member

on ‎03-08-2013 9:30 AM

0 Kudos

Hi

I have a local installation of NW7 AS Abap on Windows 2008.

I want to setup SSO with Kerberos.

I have done the initial setup

(using snc/identity/as = p:sapservicesid@<KERBEROS_REALM_NAME>.

Remember its a local installation, the NW server is in the domain. However sapservicesid is a local user (not domain user).

I get the following error in the dev_w0

File "C:\Windows\SysWOW64\gx64krb5.dll" dynamically loaded as GSS-API v2 library.

N  *** ERROR => SncPDLInit(): gss_indicate_mechs() failed [sncxxdl.c  493]

N  *** ERROR => SncPDLInit(()==SNCERR_INIT  [sncxxdl.c 488]

N        GSS-API(maj): Miscellaneous Failure

N        GSS-API(min): Kerberos SSPI not usable with this User account

N      STOP! -- initial call to gss_indicate_mechs() failed

Any ideas

Abu Sarah

Show replies
Show replies
Answer

Accepted Solutions (1)

Accepted Solutions (1)

JPReyes
Active Contributor
‎03-08-2013 9:36 AM
0 Kudos

SAP Note 352295 - Microsoft Windows Single Sign-On options states that

"Kerberos authentication is only available  for Domain Accounts that are managed by a Microsoft Active Directory, NOT for local computer accounts."

Regards, Juan

Show replies
Show replies
Former Member
‎03-08-2013 9:58 AM
0 Kudos

I assumed that sapservicesid was the default user for this setting:

snc/identity/as = p:sapservicesid@<KERBEROS_REALM_NAME

from my understanding sapservicesid is always a local user.

Can I user any other user, for example:

snc/identity/as = p:joe_bloggs@<KERBEROS_REALM_NAME





JPReyes
Active Contributor
‎03-08-2013 10:17 AM
0 Kudos 
from my understanding sapservicesid is always a local user.

SAPserviceSID must have local admin rights but does not need to be a local user.

Regards, Juan

Former Member
‎03-08-2013 10:23 AM
0 Kudos

Ok, SAPserviceSID is not always a local user

However

SAPServiceSID is a standard user not a local admin.

JPReyes
Active Contributor
‎03-08-2013 10:30 AM
0 Kudos 
However
SAPServiceSID is a standard user not a local admin.

Well, regardless of been or not a local admin you won't be able to use kerberos with a local account, kerberons needs to run against a doman user running under Active Directory.

Regards, Juan

Answers (0)

Ask a Question