
SSO Configuration between ABAP Stack and Windows Active Directory

former_member184628

Hi All,

We are trying to set up SSO in an SAP on Linux and Windows Active Directory landscape, which should use Kerberos-based authentication.

SAP Server on Linux (RHEL 5): host1

Windows Domain Server running Active Directory: host2.kkk.com

Domain name: kkk.com

User in Active Directory : mm0085

----------------------------------------------

Steps followed:


Windows Domain Server:

1. Created a new computer in Active Directory Users and Computers: host1

2. Executed below command:

ktpass -princ host1.KKK.com -mapuser HOST2\host1$ -pass <Password> -ptype KRB5_NT_SRV_HST -out host1.keytab

Linux Server:


1. We have copied the host1.keytab file to the Linux server host1 inside /etc and renamed the file as krb5.keytab

2. Given full permission to krb5.keytab

3. We have configured Kerberos with the below settings:

Realm: KKK.COM

KDCs: HOST2.KKK.COM:88

Admin Server: HOST2.KKK.COM:749

4. To test that the keytab file was imported successfully, executed the below command:

kinit -k host1@KKK.COM


5. Configured the below parameters in the instance profile:

snc/permit_insecure_start        1
snc/data_protection/use          3
snc/data_protection/max          3
snc/data_protection/min          1
snc/accept_insecure_r3int_rfc    1
snc/accept_insecure_rfc          1
snc/accept_insecure_cpic         1
snc/enable                       1
snc/identity/as                  p/krb5:SAP/host1.kkk.com@KKK.COM
snc/accept_insecure_gui          1
snc/gssapi_lib                   /usr/sap/SID/DVEBMGS00/SLL/libsecgss.so

6. Enabled SNC in the user account using tcode SU01:

SNC name: p:mm0085@KKK.COM

Unsecure Communication Permitted: Checked

Password deactivated


Windows Client System:


1. Downloaded SAPSSO.zip from SAP note 595341 from SAP Service Marketplace and installed.

2. Created Environment variable SNC_LIB under System variable section

SNC_LIB=C:\WINDOWS\system32\gsskrb5.dll


3. Enabled SNC in SAPGUI shortcut,

SNC name=p:SAP/host1.kkk.com@KKK.COM


Error:


1. GSS-API:Kerberos SSPI not usable with this user account

2. GSS-API: The LSA cannot be c target="SAP/host1.kkk.com@KKK.COM



Please let us know where we are making a mistake.

Thanks,

S Tasneem

Message was edited by: Sharib Tasneem
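
An added example, not part of the original post: a Python check that a reviewer could run over the SNC switches and the keytab from the question to list what still allows unprotected access. The function names and the embedded sample are constructed here; the parameter names and values are the ones posted above.

```python
import os
import stat

# Constructed sample: the SNC switches as posted in the question.
POSTED_PROFILE = """
snc/permit_insecure_start      1
snc/data_protection/use        3
snc/data_protection/max        3
snc/data_protection/min        1
snc/accept_insecure_r3int_rfc  1
snc/accept_insecure_rfc        1
snc/accept_insecure_cpic       1
snc/enable                     1
snc/accept_insecure_gui        1
"""

def parse_profile(text):
    """Accept 'name = value' (profile file) and 'name value' (as posted)."""
    params = {}
    for line in text.splitlines():
        parts = line.strip().replace("=", " ", 1).split(None, 1)
        if len(parts) == 2 and not parts[0].startswith("#"):
            params[parts[0]] = parts[1].strip()
    return params

def audit_snc(params):
    """Return (parameter, reason) pairs for settings that allow unprotected traffic."""
    findings = []
    if params.get("snc/enable") != "1":
        findings.append(("snc/enable", "SNC is not active"))
    for name, value in sorted(params.items()):
        if name.startswith("snc/accept_insecure_") and value == "1":
            findings.append((name, "connections without SNC are accepted"))
    if params.get("snc/permit_insecure_start") == "1":
        findings.append(("snc/permit_insecure_start", "programs may be started without SNC"))
    # Protection levels: 1 = authentication only, 2 = integrity, 3 = privacy (encryption).
    minimum = params.get("snc/data_protection/min")
    if minimum is not None and int(minimum) < 3:
        findings.append(("snc/data_protection/min", "peers may negotiate below encryption"))
    return findings

def keytab_too_open(path):
    """True if group or others have any access; a keytab holds long-term keys."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return bool(mode & (stat.S_IRWXG | stat.S_IRWXO))

if __name__ == "__main__":
    for name, reason in audit_snc(parse_profile(POSTED_PROFILE)):
        print(f"{name}: {reason}")
```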

2 REPLIES

former_member184628

Resolved.

0 Kudos

What was incorrect?