Application Development Discussions
Join the discussions or start your own on all things application development, including tools and APIs, programming models, and keeping your skills sharp.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Microsoft Kerberos SSP setup for ABAP and SAPGUI

Go to solution
Former Member

‎05-16-2013 3:38 PM

0 Kudos

Hello,

I'm trying to configure SSO from SAPGUI to SAP ABAP using Microsoft SSP and I'm running into issues. My information is as follows.

SAP Server: Windows 2008 R2

AD Domain Server: Windows 2008 R2

Domain Name: mydomain.net

SAP Startup Service User: mydomain.net\SAPServiceSID

For the service user I have tried multiple SPNs along with the corresponding entry in snc/identity/as in the instance profile but SAP fails to start with all of them:

SAP/SAPServiceSID

SAPServiceSID

SAPServiceSID @ mydomain.net (All caps and lower case for the domain/Kerberos Realm)

SAP/SAPServiceSID @ mydomain.net (All caps and lower case for the domain/Kerberos Realm)

What is the proper formatting for SPN/UPN?

What is the proper formating for snc/identity/profile?

Here is the error that I'm getting for all attempts?

SncInit(): Initializing Secure Network Communication (SNC)

N        PC with Windows NT (mt,ascii,SAP_UC/size_t/void* = 16/64/64)

N        GetUserName()="SAPServiceCBX"  NetWkstaUser="SAPServiceCBX"

N  SncInit():   found snc/data_protection/max=3, using 3 (Privacy Level)

N  SncInit():   found snc/data_protection/min=2, using 2 (Integrity Level)

N  SncInit():   found snc/data_protection/use=3, using 3 (Privacy Level)

N  SncInit(): found  snc/gssapi_lib=C:\Windows\SysWOW64\gx64krb5.dll

N    File "C:\Windows\SysWOW64\gx64krb5.dll" dynamically loaded as GSS-API v2 library.

N    The internal Adapter for the loaded GSS-API mechanism identifies as:

N    Internal SNC-Adapter (Rev 1.0) to Kerberos 5/GSS-API v2

N    FileVersionInfo: InternalName= GX64KRB5-Release, FileVersion= 1.0.11.2

N  SncInit():   found snc/identity/as=p:SAP/SAPServiceSID @ mydomain.net

N  *** ERROR => SncPAcquireCred()==SNCERR_GSSAPI  [sncxxall.c 1445]

N        GSS-API(maj): No valid credentials provided (or available)

N        GSS-API(min): SSPI::IniSctx#1()==No credentials available in security package

N      Could't acquire ACCEPTING credentials for

N      name="p:SAP/SAPServiceSID @ mydomain.net"

N      FATAL SNCERROR -- Accepting Credentials not available!

N  *** ERROR => SncPAcquireCred()==SNCERR_GSSAPI  [sncxxall.c 1445]

N        GSS-API(maj): Miscellaneous Failure

N        GSS-API(min): SSPI::AcqCredHdl(ACC)==No credentials available in security package

N      Could't acquire DEFAULT ACCEPTING credentials

1 ACCEPTED SOLUTION

Go to solution
Former Member

‎05-17-2013 5:59 PM

0 Kudos

What you are trying to do is no longer allowed without purchasing additional licenses from SAP. SNC based SSO is currently part of the NetWeaver Single Sign-On product offering. See SAP note 1684886 for details. If you don't mind the license violation, I believe the correct format for the non NWSSO based solution in SAP Logon is p:DOMAIN\SAPService<SID>. Remember to check that there is a trust between the SAP domain and the AD domain unless there are one and the same.

https://service.sap.com/sap/support/notes/1684886

1 REPLY 1

Go to solution
Former Member

‎05-17-2013 5:59 PM

0 Kudos

What you are trying to do is no longer allowed without purchasing additional licenses from SAP. SNC based SSO is currently part of the NetWeaver Single Sign-On product offering. See SAP note 1684886 for details. If you don't mind the license violation, I believe the correct format for the non NWSSO based solution in SAP Logon is p:DOMAIN\SAPService<SID>. Remember to check that there is a trust between the SAP domain and the AD domain unless there are one and the same.

https://service.sap.com/sap/support/notes/1684886