
Single Sign On

Former Member
0 Kudos

Hi folks,

I am implementing SSO for a customer on six partitions. Five partitions run without problems. The work processes of the sixth partition fail to start.

Part of ST11 DEV_W0:

.........

SncInit(): Initializing Secure Network Communication (SNC)

IBM i with OS400 (st,ascii,SAP_UC/size_t/void* = 16/64/64)

UserId="p0110" (4294770762), envvar USER="P0110"

SncInit(): found snc/data_protection/max=3, using 3 (Privacy Level)

SncInit(): found snc/data_protection/min=2, using 2 (Integrity Level)

SncInit(): found snc/data_protection/use=9, using 3 (Privacy Level)

SncInit(): found snc/gssapi_lib=/lib/libgssapi_krb5.a(libgssapi_krb5.a.so)

File "/lib/libgssapi_krb5.a(libgssapi_krb5.a.so)" dynamically loaded as GSS-API v2 library.

The internal Adapter for the loaded GSS-API mechanism identifies as:

Internal SNC-Adapter (Rev 1.0) to Kerberos 5/GSS-API v2

SncInit(): found snc/identity/as=p:SAPService/server11.kunde.ent@KUNDE.ENT

SncInit(): Accepting Credentials available, lifetime=Indefinite

*** ERROR => SncPAcquireCred()==SNCERR_GSSAPI [sncxxall.c 1445]

GSS-API(maj): Miscellaneous failure

GSS-API(min): No credentials cache found

Could't acquire INITIATING credentials for

name="p:SAPService/server11.kunde.ent@KUNDE.ENT"

SncInit(): Fatal Initiating Credentials not available!

<<- SncInit()==SNCERR_GSSAPI

sec_avail = "false"

***LOG R19=> ThSncInit, SncInitU ( SNC-000004) [thxxsnc.c 238]

*** ERROR => ThSncInit: SncInitU (SNCERR_GSSAPI) [thxxsnc.c 240]

in_ThErrHandle: 1

*** ERROR => SncInitU (step 1, th_errno 44, action 3, level 1) [thxxhead.c 11370]

...............

When I run kinit and klist with the SAP p0110 user, everything looks fine.

$

> kinit -k SAPService/server11.kunde.ent@KUNDE.ENT

$

> klist

Ticket cache: FILE:/var/krb5/security/creds/krb5cc_-196541

Default principal: SAPService/server11.kunde.ent@KUNDE.ENT

Valid starting Expires Service principal

09/30/13 15:01:00 09/04/13 01:01:00 krbtgt/KUNDE.ENT@KUNDE.ENT

Renew until 10/01/13 15:01:00

$

The differences on this partition are the strange name of the credentials cache krb5cc_-196541 and the unusually high uid of user p0110.

SAP refuses support as they support Kerberos only on Windows.

Any hints?

Thanks Fredi

Accepted Solutions (1)

Former Member
0 Kudos

Thank you all for your answers.

The problem is now solved by converting to the new user concept and by changing the User ID Number for P01ADM from the 4294770xxx range to 216 as on the other lpars.

I did this with the help of the QSYSCHGID command and program, which I found on the net.

Regards Fredi

Answers (2)

Sriram2009
Active Contributor
0 Kudos

Hi Stark

Could you check the IBM link? It may be useful to you.

http://www.ibm.com/developerworks/tivoli/library/t-ssosapnwas/

Regards

Sriram

Former Member
0 Kudos

Hello Fredi,

It seems to be a problem with the Kerberos server on IBM i; the log msg. indicates a problem with the ticket cache. Maybe you could try to re-install or re-configure the Kerberos server? If this does not help, you should open a PMR at IBM.

Best Regards,

Joachim

Former Member
0 Kudos

Hello Joachim,

Thank you for your contribution. I had already recreated the whole stuff before I opened this discussion.

We will be doing an upgrade to EHP7 before the end of the year. I will have to change to the new user concept. Hopefully it will work with <SID>ADM.

Kind regards

Fredi