11-19-2013 9:17 PM
Dear All,
I have an issue with SSO configuration on ABAP.
I did search well on SCN and Google before posting here.
Scenario ...
Integration of SAP {ABAP} with LDAP Windows 2008 AD.
Executed command on AD server with Domain Admin
SETSPN -A SAPServiceSOL/mydomain.com MYDOMAIN\SAPServiceSOL
Steps followed on SAP server
Downloaded the win64sso.zip from OSS Note 352295 and copied file to C:\Windows\System32\ and C:\Windows\SysWOW64
Executed SAPSSO and vcredist_x64 {2005 & 2010} binaries on server
RZ10 profile parameter set
snc/enable = 1
snc/accept_insecure_cpic = 1
snc/accept_insecure_rfc = 1
snc/permit_insecure_start = 1
snc/gssapi_lib = C:\Windows\System32\gx64krb5.dll
snc/identity/as = p:SAPServiceSOL @ MYDOMAIN.COM
Environment Variable set on SAP Server
"SNC_LIB" pointing to "C:\Windows\System32\gx64krb5.dll".
After doing the above configuration I restarted the system, but it gives an error and all work processes and the dispatcher stopped, with the error trace below.
I also tried changing the parameter "snc/identity/as = p:MYDOMAIN\SAPServiceSOL", but it failed again.
***********
immediate print option for implicitely closed spool requests is disabled
N SncInit(): Initializing Secure Network Communication (SNC)
N PC with Windows NT (mt,ascii,SAP_UC/size_t/void* = 16/64/64)
N GetUserName()="SAPServiceSOL" NetWkstaUser="SAPServiceSOL"
N SncInit(): found snc/data_protection/max=3, using 3 (Privacy Level)
N SncInit(): found snc/data_protection/min=2, using 2 (Integrity Level)
N SncInit(): found snc/data_protection/use=9, using 3 (Privacy Level)
N SncInit(): found snc/gssapi_lib=C:\Windows\System32\gx64krb5.dll
N File "C:\Windows\System32\gx64krb5.dll" dynamically loaded as GSS-API v2 library.
N The internal Adapter for the loaded GSS-API mechanism identifies as:
N Internal SNC-Adapter (Rev 1.0) to Kerberos 5/GSS-API v2
N FileVersionInfo: InternalName= GX64KRB5-Release, FileVersion= 1.0.11.2
N SncInit(): found snc/identity/as=p:MYDOMAIN\SAPServiceSOL
N *** ERROR => SncPAcquireCred()==SNCERR_GSSAPI [sncxxall.c 1445]
N GSS-API(maj): No valid credentials provided (or available)
N GSS-API(min): SSPI::IniSctx#1()==Specified target is unknown or unreachable
N Could't acquire ACCEPTING credentials for
N
N name="p:SAPServiceSOL@MYDOMAIN.COM"
N FATAL SNCERROR -- Accepting Credentials not available!
N *** ERROR => SncPAcquireCred()==SNCERR_GSSAPI [sncxxall.c 1445]
N GSS-API(maj): No valid credentials provided (or available)
N GSS-API(min): SSPI u2u-problem: please add Service principal for own account
N Could't acquire DEFAULT ACCEPTING credentials
N
N *** ERROR => (debug hint: no default acceptor cred available)
N [sncxxpar.c 727]
N <<- SncInit()==SNCERR_GSSAPI
N sec_avail = "false"
M ***LOG R19=> ThSncInit, SncInitU ( SNC-000004) [thxxsnc.c 238]
M *** ERROR => ThSncInit: SncInitU (SNCERR_GSSAPI) [thxxsnc.c 240]
M in_ThErrHandle: 1
M *** ERROR => SncInitU (step 1, th_errno 44, action 3, level 1) [thxxhead.c 11445]
M
***********
Please advise
Mohammad
11-19-2013 11:48 PM
Hello
You should not use gx64krb5.dll but gx64ntlm.dll
You should copy the gx64ntlm.dll to the SAP exe directory (usr\sap\<SID>\SYS\exe\uc\NTAMD64).
and accordingly change snc/gssapi_lib
You should change snc/identity/as to p:MYDOMAIN\SAPServiceSOL
Best regards
352295 - Microsoft Windows Single Sign-On options
http://scn.sap.com/thread/1821357
If this does solve your problem, please do not forget to set thread as answered.
11-20-2013 7:44 AM
There is nothing wrong with the krb5 library you are using. Please DO NOT change to using NTLM instead. The NTLM protocol is old. The issue you have described is not due to the protocol you are using, but due to the fact you have not set the service principal correctly. The error is "SSPI u2u-problem: please add Service principal for own account"
11-20-2013 8:12 AM
Hi Tim,
Can you please let me know: do I need to run the below setspn command on SAP server on AD Domain, is the below command right, and is any prerequisite required on the AD server before running it?
setspn -A SAPServiceSOL/solmandev.mydomain.com MYDOMAIN\SAPServiceSOL
Many thanks
11-21-2013 6:49 PM
Hello
Sorry for providing inaccurate information.
I did just check at a customer site configuration.
I've re-read the SAP note and it is clear about it.
Best regards
11-21-2013 1:23 PM
Hi all,
I have added the principal account properly and received the message "updated successfully"...
Below is the issue again
N SncInit(): Initializing Secure Network Communication (SNC)
N PC with Windows NT (mt,ascii,SAP_UC/size_t/void* = 16/64/64)
N GetUserName()="SAPServiceDBP" NetWkstaUser="SAPServiceDBP"
N SncInit(): found snc/data_protection/max=3, using 3 (Privacy Level)
N SncInit(): found snc/data_protection/min=1, using 1 (Authentication Level)
N SncInit(): found snc/data_protection/use=9, using 3 (Privacy Level)
N SncInit(): found snc/gssapi_lib=C:\Windows\System32\gx64krb5.dll
N File "C:\Windows\System32\gx64krb5.dll" dynamically loaded as GSS-API v2 library.
N The internal Adapter for the loaded GSS-API mechanism identifies as:
N Internal SNC-Adapter (Rev 1.0) to Kerberos 5/GSS-API v2
N FileVersionInfo: InternalName= GX64KRB5-Release, FileVersion= 1.0.11.2
N SncInit(): found snc/identity/as=p:CN=SAPServiceDBP@MYDOMAIN.COM
N *** ERROR => SncPAcquireCred()==SNCERR_GSSAPI [sncxxall.c 1445]
N GSS-API(maj): No valid credentials provided (or available)
N GSS-API(min): SSPI::IniSctx#1()==Specified target is unknown or unreachable
N Could't acquire ACCEPTING credentials for
N
N name="p:CN=SAPServiceDBP@MYDOMAIN.COM"
N FATAL SNCERROR -- Accepting Credentials not available!
N (debug hint: default acceptor = "p:SAPServiceDBP@MYDOMAIN.COM")
N <<- SncInit()==SNCERR_GSSAPI
N sec_avail = "false"
M ***LOG R19=> ThSncInit, SncInitU ( SNC-000004) [thxxsnc.c 236]
M *** ERROR => ThSncInit: SncInitU (SNCERR_GSSAPI) [thxxsnc.c 238]
M in_ThErrHandle: 1
M *** ERROR => SncInitU (step 1, th_errno 44, action 3, level 1) [thxxhead.c 11422]
Please advise
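An added example, not part of any post in this thread: a small Python parser that pulls the configured snc/identity/as, the library's "default acceptor" hint and the GSS-API major/minor messages out of an SncInit() trace like the ones posted above, so the two names can be compared side by side. The function name and the sample text (lines taken from the second trace) are constructed for illustration.

```python
import re

# Constructed sample: lines taken from the second trace posted in this thread.
SAMPLE_TRACE = r'''
N SncInit(): found snc/gssapi_lib=C:\Windows\System32\gx64krb5.dll
N SncInit(): found snc/identity/as=p:CN=SAPServiceDBP@MYDOMAIN.COM
N *** ERROR => SncPAcquireCred()==SNCERR_GSSAPI [sncxxall.c 1445]
N GSS-API(maj): No valid credentials provided (or available)
N GSS-API(min): SSPI::IniSctx#1()==Specified target is unknown or unreachable
N FATAL SNCERROR -- Accepting Credentials not available!
N (debug hint: default acceptor = "p:SAPServiceDBP@MYDOMAIN.COM")
N <<- SncInit()==SNCERR_GSSAPI
N sec_avail = "false"
'''

# One regex per value the trace reports during SNC initialisation.
PATTERNS = {
    "gssapi_lib": re.compile(r"found snc/gssapi_lib=(\S+)"),
    "identity": re.compile(r"found snc/identity/as=(\S+)"),
    "default_acceptor": re.compile(r'default acceptor = "([^"]+)"'),
    "sec_avail": re.compile(r'sec_avail\s*=\s*"(\w+)"'),
}
GSS = re.compile(r"GSS-API\((maj|min)\):\s*(.+)")

def summarize_snc_init(trace):
    """Collect the SNC settings and GSS-API errors reported in a trace (hypothetical helper)."""
    out = {"errors": [], "u2u_spn_missing": False}
    for line in trace.splitlines():
        for key, rx in PATTERNS.items():
            m = rx.search(line)
            if m:
                out.setdefault(key, m.group(1))  # keep the first occurrence
        m = GSS.search(line)
        if m:
            out["errors"].append((m.group(1), m.group(2).strip()))
            if "u2u-problem" in m.group(2):  # message seen in the first trace
                out["u2u_spn_missing"] = True
    # Compare the configured name with the name the trace hints at, if both are present.
    ident, hint = out.get("identity"), out.get("default_acceptor")
    out["identity_matches_hint"] = (
        None if not (ident and hint) else ident.lower() == hint.lower()
    )
    return out

if __name__ == "__main__":
    for key, value in summarize_snc_init(SAMPLE_TRACE).items():
        print(f"{key}: {value}")
```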
11-25-2013 4:54 PM
Hello Mazhi,
Could you kindly ensure that you're using the latest version of gsskrb5.dll/gxkrb5.dll, which is available for download as an attachment to SAP Note 352295? It was updated this year and one of the errors corrected is exactly the one you're facing...
Clarifying... The error that you have reported has recently been reported by several other customers as well. It appears as if there was a weird change in behaviour of the GetUserNameEx() SSPI of Microsoft Windows that changes the output of the function after some amount of process runtime and breaks a plausibility test within gsskrb5.dll/gx64krb5.dll.
I hope this clarifies and helps.
Best Regards,
Guilherme de Oliveira