04-24-2013 11:01 AM
Hi All,
We are trying to set up SSO in an SAP on Linux and Windows Active Directory landscape, which should use Kerberos-based authentication.
SAP Server on Linux (RHEL 5) : host1
Windows Domain Server running Active Directory : host2.kkk.com
Domain name: kkk.com
User in Active Directory : mm0085
----------------------------------------------
Steps followed:
Windows Domain Server:
1. Created a new computer in Active Directory Users and Computers : host1
2. Executed the command below:
ktpass -princ host1.KKK.com -mapuser HOST2\host1$ -pass <Password> -ptype KRB5_NT_SRV_HST -out host1.keytab
Linux Server:
1. We copied the host1.keytab file to the Linux server host1 inside /etc and renamed the file to krb5.keytab
2. Gave full permissions to krb5.keytab
3. We configured Kerberos with the settings below:
Realm: KKK.COM
KDCs: HOST2.KKK.COM:88
Admin Server: HOST2.KKK.COM:749
4. To test that the keytab file was imported successfully, executed the command below:
kinit -k host1@KKK.COM
5. Configured the parameters below in the instance profile:
snc/permit_insecure_start 1
snc/data_protection/use 3
snc/data_protection/max 3
snc/data_protection/min 1
snc/accept_insecure_r3int_rfc 1
snc/accept_insecure_rfc 1
snc/accept_insecure_cpic 1
snc/enable 1
snc/identity/as p/krb5:SAP/host1.kkk.com@KKK.COM
snc/accept_insecure_gui 1
snc/gssapi_lib /usr/sap/SID/DVEBMGS00/SLL/libsecgss.so
6. Enabled SNC in the user account using tcode SU01:
SNC name: p:mm0085@KKK.COM
Unsecure Communication Permitted: Checked
Password deactivated
Windows Client System:
1. Downloaded SAPSSO.zip from SAP note 595341 from SAP Service Marketplace and installed.
2. Created the environment variable SNC_LIB under the System variables section:
SNC_LIB=C:\WINDOWS\system32\gsskrb5.dll
3. Enabled SNC in the SAPGUI shortcut:
SNC name=p:SAP/host1.kkk.com@KKK.COM
Error:
1. GSS-API:Kerberos SSPI not usable with this user account
2. GSS-API: The LSA cannot be c target="SAP/host1.kkk.com@KKK.COM
Please let us know where we are making a mistake.
Thanks,
S Tasneem
Message was edited by: Sharib Tasneem
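
An added example, not part of the original post: a consistency check over the SNC parameters and principal names the post lists, flagging settings that allow non-SNC connections and comparing the snc/identity/as principal with the keytab principal and the client SNC name. The keytab list is constructed from the post's ktpass -princ value; parse_profile, snc_principal and audit are hypothetical helper names.

```python
import re

# Instance-profile lines copied from step 5 of the post.
PROFILE = """\
snc/permit_insecure_start 1
snc/data_protection/use 3
snc/data_protection/max 3
snc/data_protection/min 1
snc/accept_insecure_r3int_rfc 1
snc/accept_insecure_rfc 1
snc/accept_insecure_cpic 1
snc/enable 1
snc/identity/as p/krb5:SAP/host1.kkk.com@KKK.COM
snc/accept_insecure_gui 1
"""
# Constructed: the value passed to ktpass -princ in the post. On a real host,
# take this list from `klist -k /etc/krb5.keytab` instead.
KEYTAB_PRINCIPALS = ["host1.KKK.com"]
CLIENT_SNC_NAME = "p:SAP/host1.kkk.com@KKK.COM"  # from the SAP GUI shortcut

def parse_profile(text):
    """Return {parameter: value} from 'name value' or 'name = value' lines."""
    params = {}
    for line in text.splitlines():
        m = re.match(r"\s*([\w/]+)(?:\s*=\s*|\s+)(\S.*?)\s*$", line)
        if m:
            params[m.group(1)] = m.group(2)
    return params

def snc_principal(snc_name):
    """Strip the SNC name-type prefix ('p:' or 'p/krb5:') to get the principal."""
    return re.sub(r"^p(/krb5)?:", "", snc_name.strip())

def audit(params, keytab_principals, client_snc_name):
    """List settings that weaken SNC and principal names that do not line up."""
    findings = []
    for name, value in sorted(params.items()):
        if re.match(r"snc/(accept_insecure_\w+|permit_insecure_start)$", name) and value != "0":
            findings.append(f"{name}={value}: non-SNC path is allowed")
    if int(params.get("snc/data_protection/min", "0")) < 3:
        findings.append("snc/data_protection/min: levels below privacy (3) can be negotiated")
    server = snc_principal(params.get("snc/identity/as", ""))
    if server not in keytab_principals:
        findings.append(f"no keytab entry equals server principal {server!r}")
    if snc_principal(client_snc_name) != server:
        findings.append("client SNC name differs from snc/identity/as")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(parse_profile(PROFILE), KEYTAB_PRINCIPALS, CLIENT_SNC_NAME)))
```

The findings describe only how the listed values differ from each other and from a strict SNC setup; they do not by themselves establish the cause of the GSS-API errors quoted in the post.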