LDAP with ABAP System SSO

Former Member
0 Kudos

Dear All,

I have an issue with SSO configuration on ABAP.

I did search well on SCN and Google before posting here please
....

Scenario ...

Integration of SAP  {ABAP} with LDAP Windows 2008  AD.

Executed command on AD server with Domain Admin

   

SETSPN -A SAPServiceSOL/mydomain.com  MYDOMAIN\SAPServiceSOL

Steps followed on SAP server

   

Downloaded the  win64sso.zip from OSS Note 352295 and copied file to C:\Windows\System32\ and C:\Windows\SysWOW64

Executed  SAPSSO and vcredist_x64 {2005 & 2010} binaries on server

RZ10 profile parameter set

snc/enable = 1

snc/accept_insecure_cpic = 1

snc/accept_insecure_rfc = 1

snc/permit_insecure_start = 1

snc/gssapi_lib = C:\Windows\System32\gx64krb5.dll

snc/identity/as = p:SAPServiceSOL @ MYDOMAIN.COM

Environment Variable set on SAP Server

"SNC_LIB" pointing to "C:\Windows\System32\gx64krb5.dll".

After doing the above configuration I restarted the system, but it gives an error and all work processes & the dispatcher stopped, with the below error trace.

I did try changing the parameter "snc/identity/as = p:MYDOMAIN\SAPServiceSOL" but it failed again.
 

***********

immediate print option for implicitely closed spool requests is disabled

N  SncInit(): Initializing Secure Network Communication (SNC)

N        PC with Windows NT (mt,ascii,SAP_UC/size_t/void* = 16/64/64)

N        GetUserName()="SAPServiceSOL"  NetWkstaUser="SAPServiceSOL"

N  SncInit():   found snc/data_protection/max=3, using 3 (Privacy Level)

N  SncInit():   found snc/data_protection/min=2, using 2 (Integrity Level)

N  SncInit():   found snc/data_protection/use=9, using 3 (Privacy Level)

N  SncInit(): found snc/gssapi_lib=C:\Windows\System32\gx64krb5.dll

N    File "C:\Windows\System32\gx64krb5.dll" dynamically loaded as GSS-API v2 library.

N    The internal Adapter for the loaded GSS-API mechanism identifies as:

N    Internal SNC-Adapter (Rev 1.0) to Kerberos 5/GSS-API v2

N    FileVersionInfo: InternalName= GX64KRB5-Release, FileVersion= 1.0.11.2

N  SncInit():   found snc/identity/as=p:MYDOMAIN\SAPServiceSOL

N  *** ERROR => SncPAcquireCred()==SNCERR_GSSAPI  [sncxxall.c 1445]

N        GSS-API(maj): No valid credentials provided (or available)

N        GSS-API(min): SSPI::IniSctx#1()==Specified target is unknown or unreachable

N      Could't acquire ACCEPTING credentials for

N      name="p:SAPServiceSOL@MYDOMAIN.COM"

N      FATAL SNCERROR -- Accepting Credentials not available!

N  *** ERROR => SncPAcquireCred()==SNCERR_GSSAPI  [sncxxall.c 1445]

N        GSS-API(maj): No valid credentials provided (or available)

N        GSS-API(min): SSPI u2u-problem: please add Service principal for own account

N      Could't acquire DEFAULT ACCEPTING credentials

N  *** ERROR =>     (debug hint: no default acceptor cred available)

N   [sncxxpar.c 727]

N  <<- SncInit()==SNCERR_GSSAPI

N           sec_avail = "false"

M  ***LOG R19=> ThSncInit, SncInitU ( SNC-000004) [thxxsnc.c    238]

M  *** ERROR => ThSncInit: SncInitU (SNCERR_GSSAPI) [thxxsnc.c    240]

M  in_ThErrHandle: 1

M  *** ERROR => SncInitU (step 1, th_errno 44, action 3, level 1) [thxxhead.c   11445]

M

***********

Please advise

Mohammad

6 REPLIES 6

ACE-SAP
Active Contributor
0 Kudos

Hello

You should not use gx64krb5.dll but gx64ntlm.dll

You should copy the gx64ntlm.dll to the SAP exe directory (usr\sap\<SID>\SYS\exe\uc\NTAMD64).

and accordingly change snc/gssapi_lib

You should change snc/identity/as to  p:MYDOMAIN\SAPServiceSOL

Best regards

352295 - Microsoft Windows Single Sign-On options

http://scn.sap.com/thread/1821357

If this does solve your problem, please do not forget to set thread as answered.

tim_alsop
Active Contributor
0 Kudos

There is nothing wrong with the krb5 library you are using. Please DO NOT change to using NTLM instead. The NTLM protocol is old. The issue you have described is not due to the protocol you are using, but due to the fact you have not set the service principal correctly. The error is "SSPI u2u-problem: please add Service principal for own account"

Former Member
0 Kudos

Hi Tim,

Can you please let me know: do I need to run the below setspn command on SAP server on AD Domain, is the below command right, and is any prerequisite in AD server required before running it?

setspn -A SAPServiceSOL/solmandev.mydomain.com MYDOMAIN\SAPServiceSOL

many thanks

ACE-SAP
Active Contributor
0 Kudos

Hello

Sorry for providing inaccurate information.

I did just check at a customer site configuration.

I've re-read the SAP note and it is clear about it.

Best regards

Former Member
0 Kudos

Hi all,

I have added the principal account properly and received the message "updated successfully"...

Below is the issue again

N  SncInit(): Initializing Secure Network Communication (SNC)

N        PC with Windows NT (mt,ascii,SAP_UC/size_t/void* = 16/64/64)

N        GetUserName()="SAPServiceDBP"  NetWkstaUser="SAPServiceDBP"

N  SncInit():   found snc/data_protection/max=3, using 3 (Privacy Level)

N  SncInit():   found snc/data_protection/min=1, using 1 (Authentication Level)

N  SncInit():   found snc/data_protection/use=9, using 3 (Privacy Level)

N  SncInit(): found  snc/gssapi_lib=C:\Windows\System32\gx64krb5.dll

N    File "C:\Windows\System32\gx64krb5.dll" dynamically loaded as GSS-API v2 library.

N    The internal Adapter for the loaded GSS-API mechanism identifies as:

N    Internal SNC-Adapter (Rev 1.0) to Kerberos 5/GSS-API v2

N    FileVersionInfo: InternalName= GX64KRB5-Release, FileVersion= 1.0.11.2

N  SncInit():   found snc/identity/as=p:CN=SAPServiceDBP@MYDOMAIN.COM

N  *** ERROR => SncPAcquireCred()==SNCERR_GSSAPI  [sncxxall.c 1445]

N        GSS-API(maj): No valid credentials provided (or available)

N        GSS-API(min): SSPI::IniSctx#1()==Specified target is unknown or unreachable

N      Could't acquire ACCEPTING credentials for

N      name="p:CN=SAPServiceDBP@MYDOMAIN.COM"

N      FATAL SNCERROR -- Accepting Credentials not available!

N      (debug hint: default acceptor = "p:SAPServiceDBP@MYDOMAIN.COM")

N  <<- SncInit()==SNCERR_GSSAPI

N           sec_avail = "false"

M  ***LOG R19=> ThSncInit, SncInitU ( SNC-000004) [thxxsnc.c    236]

M  *** ERROR => ThSncInit: SncInitU (SNCERR_GSSAPI) [thxxsnc.c    238]

M  in_ThErrHandle: 1

M  *** ERROR => SncInitU (step 1, th_errno 44, action 3, level 1) [thxxhead.c   11422]

Please advise

0 Kudos

Hello Mazhi,

Could you kindly ensure that you're using the latest version of gsskrb5.dll/gxkrb5.dll, which is available for download as an attachment to SAP Note 352295? It was updated this year and one of the errors corrected is exactly the one you're facing...

Clarifying... The error that you have reported has recently been reported by several other customers as well. It appears as if there was a weird change in behaviour of the GetUserNameEx() SSPI of Microsoft Windows that changes the output of the function after some amount of process runtime and breaks a plausibility test within gsskrb5.dll/gx64krb5.dll.

I hope this clarifies and helps.

Best Regards,

Guilherme de Oliveira
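
Added example, not part of any post in this thread and not SAP's code: a small Python parser that pulls the SNC start-up fields discussed above out of a work-process trace and lists what stands out, such as a configured snc/identity/as that differs from the library's default-acceptor hint. The function names and finding texts are this example's own; the sample lines are copied from the second trace posted above.

```python
import re

# Constructed sample: lines copied from the second trace posted in this thread.
SAMPLE_TRACE = r'''
N  SncInit():   found snc/identity/as=p:CN=SAPServiceDBP@MYDOMAIN.COM
N  *** ERROR => SncPAcquireCred()==SNCERR_GSSAPI  [sncxxall.c 1445]
N        GSS-API(maj): No valid credentials provided (or available)
N        GSS-API(min): SSPI::IniSctx#1()==Specified target is unknown or unreachable
N      Could't acquire ACCEPTING credentials for
N      name="p:CN=SAPServiceDBP@MYDOMAIN.COM"
N      (debug hint: default acceptor = "p:SAPServiceDBP@MYDOMAIN.COM")
N           sec_avail = "false"
'''

# Field name -> pattern for the trace lines that matter when SncInit() fails.
PATTERNS = {
    "configured_identity": re.compile(r"found\s+snc/identity/as=(\S+)"),
    "gss_major": re.compile(r"GSS-API\(maj\):\s*(.+)"),
    "gss_minor": re.compile(r"GSS-API\(min\):\s*(.+)"),
    "attempted_name": re.compile(r'\bname="([^"]+)"'),
    "default_acceptor": re.compile(r'default acceptor = "([^"]+)"'),
    "sec_avail": re.compile(r'sec_avail\s*=\s*"(\w+)"'),
}

def summarize_snc_trace(text):
    """Return every captured value per field, in trace order."""
    summary = {key: [] for key in PATTERNS}
    for line in text.splitlines():
        for key, rx in PATTERNS.items():
            match = rx.search(line)
            if match:
                summary[key].append(match.group(1).strip())
    return summary

def findings(summary):
    """Turn the extracted fields into short, reviewable observations."""
    out = []
    if "false" in summary["sec_avail"]:
        out.append("SNC failed to initialise (sec_avail = false)")
    for minor in summary["gss_minor"]:
        if "u2u-problem" in minor:
            out.append("library asks for an SPN on the service account: " + minor)
    cfg, hint = summary["configured_identity"], summary["default_acceptor"]
    if cfg and hint and cfg[-1] != hint[-1]:
        out.append(f"snc/identity/as={cfg[-1]} differs from default acceptor {hint[-1]}")
    return out

if __name__ == "__main__":
    for finding in findings(summarize_snc_trace(SAMPLE_TRACE)):
        print(finding)
```

The parser expects one trace entry per line, as in the second trace above; a trace whose lines were wrapped in transit needs rejoining first.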