03-20-2007 11:57 PM
hello everybody
I read note 595341 to configure my system using Kerberos (gsskrb5.dll) to use Single Sign-On. After I updated the default profile with the SNC parameters as follows, I couldn't start the system any more:
snc/enable = 1
snc/gssapi_lib = c:\windows\system32\gsskrb5.dll
snc/identity/as = p:SAPService<SID>@<MYDOMAIN>
snc/accept_insecure_gui = 1
snc/accept_insecure_cpic = 1
snc/accept_insecure_rfc = 1
snc/permit_insecure_start = 1
snc/force_login_screen = 0
snc/data_protection/max = 3
snc/data_protection/min = 1
snc/data_protection/use = 9
in the dev_w0 I can find these errors:
N SncInit(): found snc/gssapi_lib=c:\windows\system32\gsskrb5.dll
N File "c:\windows\system32\gsskrb5.dll" dynamically loaded as GSS-API v2 library.
N The internal Adapter for the loaded GSS-API mechanism identifies as:
N Internal SNC-Adapter (Rev 1.0) to Kerberos 5/GSS-API v2
N SncInit(): found snc/identity/as=p:SAPService<SID>@<MYDOMAIN>
N *** ERROR => SncPAcquireCred()==SNCERR_GSSAPI [sncxxall.c 1432]
N GSS-API(maj): No valid credentials provided (or available)
N GSS-API(min): SSPI u2u-problem: please add Service principal for own account
N Could't acquire ACCEPTING credentials for
N
N name="p:SAPService<SID>@<MYDOMAIN>"
M *** ERROR => ErrISetSys: error info too large [err.c 931]
M ERROR GSS-API(maj): No valid credentials provided (or available)
M GSS-API(min): SSPI u2u-problem: please add Service principal for own a
M name="p:SAPService<SID>@<MYDOMAIN>"
has anybody an idea how to solve the problem?
03-21-2007 8:31 AM
Hi Michael,
the problem is logged by the following lines:
N SncInit(): found snc/identity/as=p:SAPService<SID>@<MYDOMAIN>
N *** ERROR => SncPAcquireCred()==SNCERR_GSSAPI [sncxxall.c 1432]
N GSS-API(maj): No valid credentials provided (or available)
N GSS-API(min): SSPI u2u-problem: please add Service principal for own account
Please have a look at note 352295 (https://service.sap.com/sap/support/notes/352295).
Please make sure that you did the following (quoted from this note):
you will need to define Kerberos Service Principal Names in the Active Directory for all service accounts of your AppServers (traditionally called something like SAPServiceC12) using the SETSPN.EXE from the OS installation CD archive \support\tools\support.cab and call it for every SAP service account in the following fashion:
SETSPN -A SAPServiceC11/dontcare NT4DOMAIN\SAPServiceC11
This is necessary to re-enable the correct rfc-1964 Kerberos protocol exchange for authentication. The name isn't actually used by gsskrb5.dll, this is just to trigger an undocumented side effect (there is no API parameter to steer this behaviour so that a workaround within gsskrb5.dll is impossible).
regards,
Patrick
03-22-2007 6:21 AM
hi Patrick
that's it!
I did as you said and it works.
many thanks!
greetings
Michael
07-25-2007 2:58 PM
There are a few clients using SNC with Kerberos. Sometimes they get an error (almost the same as above):
GSS-API(maj): No valid credentials provided (or available)
GSS-API(min): No Kerberos SSPI credentials available for requested name...
name= "p:<user>@<MYDOMAIN>"
what's wrong?
Do I have to define Kerberos Service Principal Names in the AD for user accounts as well?
01-23-2008 8:59 AM
Hi Michael,
I have exactly the same problem as is mentioned in your final post. I also opened a question in the SDN Forum about it but got no answer so far - well, I started the thread just a few minutes ago, so of course there is no answer.
Anyway, did you by now find a solution or a reason for this error? Did you install this snc adapter thingy on your UNIX Server?
Kind regards,
Christian
01-23-2008 9:05 AM
Christian,
I think you will find that Michael is using SAP on Windows, which is supported by SAP when using Kerberos/SNC since SAP provide a library for use in this scenario. In your case I think you are using Kerberos libraries on Solaris, so support is not provided by SAP. Instead, you should consider using a SAP certified SNC product, available from a SAP partner. I represent a SAP partner who has such a product and can help you if you are interested.
Thanks,
Tim
01-23-2008 1:40 PM
Hi Tim,
thanks for the reply. You are right, I completely missed the point where he stated that his kerberos library is a dll - so indeed he is using Windows, whereas I am using Solaris.
Thanks anyway for your answers.
Kind regards,
Christian
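A triage helper for the two trace excerpts quoted in this thread, added here as an example and not part of any post or of SAP's tooling: it extracts the GSS-API major/minor status and principal name from dev_w* text, drops the truncated M-component duplicates, and flags whether the failing name is the server's own snc/identity/as. The hint table, function name and field names are assumptions built from the posts above.

```python
import re

# Assumed mapping: minor-status text -> what the posts above say about it.
HINTS = [
    ("SSPI u2u-problem", "register an SPN for the service account (SETSPN -A, note 352295)"),
    ("No Kerberos SSPI credentials available", "no resolution given in the thread"),
]
IDENT = re.compile(r"snc/identity/as=(\S+)")
MAJ = re.compile(r"GSS-API\(maj\):\s*(.*)")
MIN = re.compile(r"GSS-API\(min\):\s*(.*)")
NAME = re.compile(r'name=\s*"([^"]*)"')

# Trace lines copied from the posts above (placeholders as posted).
SAMPLE_TRACE = """\
N SncInit(): found snc/identity/as=p:SAPService<SID>@<MYDOMAIN>
N *** ERROR => SncPAcquireCred()==SNCERR_GSSAPI [sncxxall.c 1432]
N GSS-API(maj): No valid credentials provided (or available)
N GSS-API(min): SSPI u2u-problem: please add Service principal for own account
N name="p:SAPService<SID>@<MYDOMAIN>"
M ERROR GSS-API(maj): No valid credentials provided (or available)
M GSS-API(min): SSPI u2u-problem: please add Service principal for own a
M name="p:SAPService<SID>@<MYDOMAIN>"
GSS-API(maj): No valid credentials provided (or available)
GSS-API(min): No Kerberos SSPI credentials available for requested name...
name= "p:<user>@<MYDOMAIN>"
"""

def parse_snc_errors(trace):
    """Group maj/min/name triples, dropping truncated duplicates."""
    found, cur, identity = {}, None, None
    for line in trace.splitlines():
        if m := IDENT.search(line):
            identity = m.group(1)          # the server's own SNC name
        elif m := MAJ.search(line):
            cur = {"major": m.group(1).strip(), "minor": "", "name": ""}
        elif cur is not None and (m := MIN.search(line)):
            cur["minor"] = m.group(1).strip()
        elif cur is not None and (m := NAME.search(line)):
            cur["name"] = m.group(1)
            cur["own_identity"] = cur["name"] == identity
            cur["hint"] = next((h for p, h in HINTS if p in cur["minor"]), "unrecognised")
            old = found.get((cur["major"], cur["name"]))
            # The M-component copy of a message is cut short; keep the longest.
            if old is None or len(cur["minor"]) > len(old["minor"]):
                found[(cur["major"], cur["name"])] = cur
            cur = None
    return list(found.values())

if __name__ == "__main__":
    for finding in parse_snc_errors(SAMPLE_TRACE):
        print(finding)
```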