SSO on AIX

Former Member
0 Kudos

Hello,

we are trying to implement Single Sign-on using AIX Kerberos and Windows Active Directory, but we are facing some difficulties.

Here's our landscape

AIX Server: vbtrmz00.telecom.pt

AD: vmqptp02.ptp-qa.corppt-qa.local

We created the user on Active Directory and created the keytab file with the following parameters:

C:\>setspn -A SSOTRM/vbtrmz00.telecom.pt PTP-QA\trmadm

Registering ServicePrincipalNames for CN=trmadm,OU=Service Accounts,OU=SAP,OU=LSB-PIC,OU=DC_PT,DC=ptp-qa,DC=corppt-qa,DC=local

        SSOTRM/vbtrmz00.telecom.pt

Updated object

C:\>ktpass -princ SSOTRM/vbtrmz00.telecom.pt@PTP-QA.CORPPT-QA.LOCAL -mapuser PTP-QA\trmadm -crypto RC4-HMAC-NT -ptype KRB5_NT_PRINCIPAL -mapop set -pass XXXXXXX -out sap.keytab

Targeting domain controller: VMQPTP02.ptp-qa.corppt-qa.local

Using legacy password setting method

Successfully mapped SSOTRM/vbtrmz00.telecom.pt to trmadm.

Key created.

Output keytab to sap.keytab:

Keytab version: 0x502

keysize 84 SSOTRM/vbtrmz00.telecom.pt@PTP-QA.CORPPT-QA.LOCAL ptype 1 (KRB5_NT_PRINCIPAL) vno 3 etype 0x17 (RC4-HMAC) keylength 16 (0x0417ecfdd84a80184ccfca8eb02169d4)

-------------------------------------------------------------------------------------------------------------------------------------------------------

On SAP profile we added the following parameters:

snc/enable                                  1

snc/identity/as                             p:SSOTRM/vbtrmz00.telecom.pt@PTP-QA.CORPPT-QA.LOCAL   

snc/data_protection/max                     1

snc/data_protection/min                     1

snc/data_protection/use                     1

snc/gssapi_lib                              /usr/sap/TRM/SYS/exe/run/libsapcrypto.o

snc/accept_insecure_cpic                    1

snc/accept_insecure_gui                     1

snc/accept_insecure_rfc                     1

snc/permit_insecure_start                   1

snc/force_login_screen                      1

rdisp/dynamic_wp_check                      FALSE

rdisp/configurable_wp_no                    0

rdisp/wp_no_restricted                      0

rslg/new_layout                             9

ssf/ssfapi_lib                              /usr/sap/TRM/SYS/exe/run/libsapcrypto.o

ssf/name                                    SAPSECULIB

sec/libsapsecu                              /usr/sap/TRM/SYS/exe/run/libsapcrypto.o

------------------------------------------------------------------------------------------------------------------------------------------

On AIX we have the following in krb5.conf:

[libdefaults]

        default_realm = PTP-QA.CORPPT-QA.LOCAL

        default_keytab_name = FILE:/etc/krb5/krb5.keytab

        default_tkt_enctypes = des3-cbc-sha1 arcfour-hmac aes256-cts des-cbc-md5 des-cbc-crc

        default_tgs_enctypes = des3-cbc-sha1 arcfour-hmac aes256-cts des-cbc-md5 des-cbc-crc

[realms]

        PTP-QA.CORPPT-QA.LOCAL = {

                kdc = vmqptp02.ptp-qa.corppt-qa.local:88

                admin_server = vmqptp02.ptp-qa.corppt-qa.local:749

                default_domain = ptp-qa.corppt-qa.local

        }

[domain_realm]

        .ptp-qa.corppt-qa.local = PTP-QA.CORPPT-QA.LOCAL

        vmqptp02.ptp-qa.corppt-qa.local = PTP-QA.CORPPT-QA.LOCAL

[logging]

        kdc = FILE:/var/krb5/log/krb5kdc.log

        admin_server = FILE:/var/krb5/log/kadmin.log

        default = FILE:/var/krb5/log/krb5lib.log

[appdefaults]

        autologin=true

        forward=true

        forwardable=true

        renewable=true

        encrypt=true

--------------------------------------------------------------------------------------------------

On AIX, using ktutil, we imported the keytab successfully.

When we try to generate an initial ticket using kinit we get 2 results:

OK -

[root@vbtrmz00: /usr/krb5/bin ]# kinit trmadm

Password for trmadm@PTP-QA.CORPPT-QA.LOCAL:

XXXXXXXXXXXXXXXXX

java.io.IOException: Primary principals do not match

Done!

New ticket is stored in cache file /root/krb5cc_root

NOT OK -

[root@vbtrmz00: /usr/krb5/bin ]# kinit -k SSOTRM/vbtrmz00.telecom.pt@PTP-QA.CORPPT-QA.LOCAL

com.ibm.security.krb5.KrbException, status code: 6

        message: Client not found in Kerberos database

        at com.ibm.security.krb5.KrbAsRep.<init>(KrbAsRep.java:38)

        at com.ibm.security.krb5.KrbAsReq.getReply(KrbAsReq.java:79)

        at com.ibm.security.krb5.internal.tools.Kinit.a(Kinit.java:12)

        at com.ibm.security.krb5.internal.tools.Kinit.<init>(Kinit.java:156)

        at com.ibm.security.krb5.internal.tools.Kinit.main(Kinit.java:98)

com.ibm.security.krb5.KrbException, status code: 6

        message: Client not found in Kerberos database

When we start SAP with parameter snc/enable = 1 the system stops with the following error in the dev_w0 file:

SncInit(): Initializing Secure Network Communication (SNC)

N        IBM RS/6000 with AIX (st,ascii,SAP_UC/size_t/void* = 16/64/64)

N  SncInit():   found snc/data_protection/max=1, using 1 (Authentication Level)

N  SncInit():   found snc/data_protection/min=1, using 1 (Authentication Level)

N  SncInit():   found snc/data_protection/use=1, using 1 (Authentication Level)

N  SncInit(): found  snc/gssapi_lib=/usr/sap/TRM/SYS/exe/run/libsapcrypto.o

N    File "/usr/sap/TRM/SYS/exe/run/libsapcrypto.o" dynamically loaded as GSS-API v2 library.

N    The internal Adapter for the loaded GSS-API mechanism identifies as:

N    Internal SNC-Adapter (Rev 1.0) to SECUDE 5/GSS-API v2

N  *** ERROR => SncPGSSImportName()==SNCERR_GSSAPI  [sncxxall.c 2630]

N        GSS-API(maj): An invalid name was supplied

N      Import of a name failed

N      name="p:SSOTRM/vbtrmz00.telecom.pt@PTP-QA.CORPPT-QA.LOCAL"

N  <<- SncInit()==SNCERR_GSSAPI

N           sec_avail = "false"

M  ***LOG R19=> ThSncInit, SncInitU ( SNC-000004) [thxxsnc.c    237]

M  *** ERROR => ThSncInit: SncInitU (SNCERR_GSSAPI) [thxxsnc.c    239]

M  in_ThErrHandle: 1

M  *** ERROR => SncInitU (step 1, th_errno 44, action 3, level 1) [thxxhead.c   11329]

Can anyone help?

Pedro
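As an added example (not code from this thread or from SAP/IBM), a small keytab inspector in Python that builds a constructed entry with a dummy key and parses MIT keytab format 0x0502, so the principal, realm, name type, kvno and enctype of the keytab copied to the AIX side can be compared against what ktpass printed. The 84-byte entry size reported by ktpass above is reproduced from the lengths of the two principal components, the realm and the 16-byte RC4 key.

```python
import struct

# Constructed sample key (not the key from the thread); the entry built from it uses the
# same principal, realm, name type 1 (KRB5_NT_PRINCIPAL), kvno 3 and etype 0x17 (RC4-HMAC).
SAMPLE_KEY = bytes(range(16))

def _counted(s):
    # Keytab "counted string": 16-bit big-endian length followed by the bytes.
    b = s.encode()
    return struct.pack(">H", len(b)) + b

def build_keytab(components, realm, name_type, kvno, enctype, key, timestamp=0):
    """Serialise a single-entry keytab in MIT format version 0x0502."""
    entry = struct.pack(">H", len(components)) + _counted(realm)
    entry += b"".join(_counted(c) for c in components)
    entry += struct.pack(">IIB", name_type, timestamp, kvno)  # name type, time, 8-bit kvno
    entry += struct.pack(">HH", enctype, len(key)) + key      # keyblock
    return b"\x05\x02" + struct.pack(">i", len(entry)) + entry

def _read_counted(data, pos):
    (n,) = struct.unpack_from(">H", data, pos)
    return data[pos + 2:pos + 2 + n].decode(), pos + 2 + n

def parse_keytab(data):
    """Return one dict per live entry: principal, name_type, kvno, enctype, keylen, entry_size."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %r" % data[:2])
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:                      # negative size marks a deleted slot
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        realm, pos = _read_counted(data, pos + 2)
        comps = []
        for _ in range(ncomp):
            c, pos = _read_counted(data, pos)
            comps.append(c)
        name_type, _ts, kvno, enctype, klen = struct.unpack_from(">IIBHH", data, pos)
        pos += 13 + klen                  # past name type, timestamp, kvno, keyblock
        if end - pos >= 4:                # optional 32-bit kvno overrides the 8-bit one
            (vno32,) = struct.unpack_from(">I", data, pos)
            kvno = vno32 or kvno
        pos = end
        entries.append({"principal": "/".join(comps) + "@" + realm, "name_type": name_type,
                        "kvno": kvno, "enctype": enctype, "keylen": klen, "entry_size": size})
    return entries
```

To inspect a real file, call parse_keytab(open("/etc/krb5/krb5.keytab", "rb").read()) and compare each entry's principal and enctype with the ktpass output before debugging kinit -k.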

Accepted Solutions (0)

Answers (2)

former_member192421
Active Participant
0 Kudos

Hi Pedro,

Please check this following thread.

http://scn.sap.com/thread/1435992

Regards,

Rajkumar

Former Member
0 Kudos

Hello,

thanks for your answer, I will check with guys from AD and do a search by the user SSOTRM/vbtrmz00.telecom.pt@PTP-QA.CORPPT-QA.LOCAL

Do you think that it may be the cause of the error mentioned in the dev_w0 file?

Regards,

Pedro
