Application Development Discussions
Join the discussions or start your own on all things application development, including tools and APIs, programming models, and keeping your skills sharp.
cancel
Showing results for 
Search instead for 
Did you mean: 

SSO with Kerberos: No valid credentials provided

michael_lehmann
Explorer
0 Kudos

hello everybody

I read note 595341 to configure my system using Kerberos (gsskrb5.dll) to use Single Sign-On. After I updated the default-profile with the SNC-parameters as follow, I couldn't start the system any more:

snc/enable = 1

snc/gssapi_lib = c:\windows\system32\gsskrb5.dll

snc/identity/as = p:SAPService<SID>@<MYDOMAIN>

snc/accept_insecure_gui = 1

snc/accept_insecure_cpic = 1

snc/accept_insecure_rfc = 1

snc/permit_insecure_start = 1

snc/force_login_screen = 0

snc/data_protection/max = 3

snc/data_protection/min = 1

snc/data_protection/use = 9

in the dev_w0 I can find these errors:

N SncInit(): found snc/gssapi_lib=c:\windows\system32\gsskrb5.dll

N File "c:\windows\system32\gsskrb5.dll" dynamically loaded as GSS-API v2 library.

N The internal Adapter for the loaded GSS-API mechanism identifies as:

N Internal SNC-Adapter (Rev 1.0) to Kerberos 5/GSS-API v2

N SncInit(): found snc/identity/as=p:SAPService<SID>@<MYDOMAIN>

N *** ERROR => SncPAcquireCred()==SNCERR_GSSAPI [sncxxall.c 1432]

N GSS-API(maj): No valid credentials provided (or available)

N GSS-API(min): SSPI u2u-problem: please add Service principal for own account

N Could't acquire ACCEPTING credentials for

N

N name="p:SAPService<SID>@<MYDOMAIN>"

M *** ERROR => ErrISetSys: error info too large [err.c 931]

M ERROR GSS-API(maj): No valid credentials provided (or available)

M GSS-API(min): SSPI u2u-problem: please add Service principal for own a

M name="p:SAPService<SID>@<MYDOMAIN>"

has anybody an idea how to solve the problem?

6 REPLIES 6

Former Member
0 Kudos

Hi Michael,

the problem is logged by the followin glines:


N SncInit(): found snc/identity/as=p:SAPService<SID>@<MYDOMAIN>
N *** ERROR => SncPAcquireCred()==SNCERR_GSSAPI [sncxxall.c 1432]
N GSS-API(maj): No valid credentials provided (or available)
N GSS-API(min): SSPI u2u-problem: please add Service principal for own account

please have a look at <a href="https://service.sap.com/sap/support/notes/352295">note 352295</a>.

Please make sure, that you did the following (quoted from this note):

<i>

you will need to define Kerberos Service Principal Names in the Active Directory for all service accounts of your AppServers (traditionally called something like SAPServiceC12) using the SETSPN.EXE from the OS installation CD archive \support\tools\support.cab and call it for every SAP service account in the following fashion:

    SETSPN -A SAPServiceC11/dontcare  NT4DOMAINSAPServiceC11

This is necessary to re-enable the correct rfc-1964 kerberos protocolexchange for authentication. The name isn't actually used by gsskrb5.dll, this is just to trigger an undocumented side effect (there is no API parameter to steer this behaviour so that a workaround within gsskrb5.dll is impossible).

</i>

regards,

Patrick

michael_lehmann
Explorer
0 Kudos

hi Patrick

that's it!

I did as you said and it works.

many thanks!

greetings

Michael

michael_lehmann
Explorer
0 Kudos

There are a few clients using SNC with Kerberos. Sometimes they get an error (almost the same as above):

GSS-API(maj): No valid credentials provided (or available)

GSS-API(min): No Kerberos SSPI credentials available for requested name...

name= "p:<user>@<MYDOMAIN>"

what's wrong?

Do I have to define Kerberos Service Principal Names in the AD for user accounts as well?

0 Kudos

Hi Michael,

I have exactly the same problem as is mentioned in your final post.I also opened a question in the SDN Forum () about it but got no answer so far - well, I started the thread just a few mionutes ago, so of course there is no answer

Anyway, did you by now find a solution or a reason for this error? Did you install this snc adapter thingy on your UNIX Server?

Kind reagrds,

Christian

0 Kudos

Christian,

I think you will find that Michael is using SAP on Windows, which is supported by SAP when using Kerberos/SNC since SAP provide a library for use in this scenario. In your case I think you are using Kerberos libraries on Solaris, so support is not provided by SAP. Instead, you should consider using a SAP certified SNC product, available from a SAP partner. I represent a SAP partner who has such a product and can help you if you are interested.

Thanks,

Tim

0 Kudos

Hi Tim,

thanks for the reply. You are right, I completely missed the point where he stated that his kerberos library is a dll - so indeed he is using Windows, whereas I am using Solaris.

Thanks anyway for your answers.

Kind regards,

Christian