on 03-20-2014 2:45 PM
Hello Experts,
we want to configure SSO with MS Kerberos between SAP GUI and the SAP System. We use
the gx64krb.dll library and configured it as described in the documentation. When we restart the
SAP system, the system shuts down, because the accepting credentials, which are needed by
the SNC, are not available.
Now we want to create a keytab file so that the credentials are available, but how?
Does anybody know how we can create a keytab file for the SAP system? Do we need the
Secure Login Library?
Thank you for your help.
Regards,
Maximilian
Maximilian,
If your SAP system is on Windows then you don't need a key table file if you are using the gx64krb.dll library. If your SAP system is on Unix or Linux then you will need a key table file.
Thanks
Tim
Hello Tim,
thank you for your fast answer. Our SAP-System is on Windows. We get the following error:
FATAL SNCERROR -- Accepting Credentials not available!
N *** ERROR => SncPAcquireCred()==SNCERR_GSSAPI [sncxxall.c 1445]
N GSS-API(maj): Miscellaneous Failure
N GSS-API(min): SSPI::AcqCredHdl(ACC)==No credentials available in security package
N Could't acquire DEFAULT ACCEPTING credentials
So I thought that we have to create a keytab file and afterwards the credentials are available. Do you know how we can create the accepting credentials?
Thank you,
Maximilian
Hi Maximilian,
as the question is not related to the SAP NW SSO product, I would suggest moving the thread to the security forum, as it is more likely to get an answer there.
The credentials for the MS implementation of the KRB based authentication are acquired directly from the OS. Without having more knowledge of your config, it is however difficult to even guess what's going wrong. However, I'd guess it's something about the spelling of the user name or similar stuff.
You can find some guidance in the docs
Regards, Patrick
Hi Maximilian,
I have moved your thread to security.
BTW: did you check your credential names already?
Did you do a setspn -A SAPService<SID>/<do_not_care> SAPService<SID>
to register your Service Principal Name (SPN) for the app server with the domain controller?
BTW2: this will only work for SAP-GUI not for web based access anyhow. If you want to use SPNEGO for web based access you need a product like SAP NW SSO or a 3rd party solution.
Regards,
Patrick
Hello Patrick,
thank you for moving the thread. We are interested in the free solution with Kerberos only for the SAP GUI.
We set the SPN via Editor to SAP/SAPServiceEMD. The identity parameter in the profile is set to snc/identity/as=p:SAP/SAPServiceEMD@ITULM.LAN. But the error message is still the same.
N SncInit(): Initializing Secure Network Communication (SNC)
N PC with Windows NT (mt,ascii,SAP_UC/size_t/void* = 16/64/64)
N GetUserName()="SAPServiceEMD" NetWkstaUser="SAPServiceEMD"
N SncInit(): found snc/data_protection/max=3, using 3 (Privacy Level)
N SncInit(): found snc/data_protection/min=2, using 2 (Integrity Level)
N SncInit(): found snc/data_protection/use=9, using 3 (Privacy Level)
N SncInit(): found snc/gssapi_lib=C:\Windows\system32\gx64krb5.dll
N File "C:\Windows\system32\gx64krb5.dll" dynamically loaded as GSS-API v2 library.
N The internal Adapter for the loaded GSS-API mechanism identifies as:
N Internal SNC-Adapter (Rev 1.0) to Kerberos 5/GSS-API v2
N FileVersionInfo: InternalName= GX64KRB5-Release, FileVersion= 1.0.11.2
N SncInit(): found snc/identity/as=p:SAP/SAPServiceEMD@ITULM.LAN
N *** ERROR => SncPAcquireCred()==SNCERR_GSSAPI [sncxxall.c 1445]
N GSS-API(maj): No valid credentials provided (or available)
N GSS-API(min): SSPI::IniSctx#1()==No credentials available in security package
N Could't acquire ACCEPTING credentials for
N
N name="p:SAP/SAPServiceEMD@ITULM.LAN"
N FATAL SNCERROR -- Accepting Credentials not available!
N *** ERROR => SncPAcquireCred()==SNCERR_GSSAPI [sncxxall.c 1445]
N GSS-API(maj): Miscellaneous Failure
N GSS-API(min): SSPI::AcqCredHdl(ACC)==No credentials available in security package
N Could't acquire DEFAULT ACCEPTING credentials
Do you have an idea for a solution?
Thank you.
Regards,
Maximilian
Hi Maximilian,
based on your configuration, I'd assume you tried to use the documentation from the SAP NW SSO product to configure the MS wrapper. They are completely independent of each other, as is their config.
Without knowing your infrastructure and assuming that
- your servers are running Windows 2003 or later
- the SAP system runs under the user SAPServiceEMD
- your Kerberos realm (Windows domain name) is ITULM.LAN
I'd guess that you need to do the following:
on the command line of your windows box:
setspn -A SAPServiceEMD/SAP SAPServiceEMD
Note you can replace the second SAP with something else. It only needs to be unique.
If your service account is in a different domain than the one you are in when executing the setspn command, you may need to prepend the domain name, for example MYDOMAIN\SAPServiceEMD for the account name (the last parameter to setspn).
In the config of the ABAP system you need to set:
snc/identity/as = p:SAPServiceEMD@ITULM.LAN
Regards,
Patrick
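As an added example (not code from the thread or from SAP), the following Python checker reads SNC trace lines like the ones Maximilian posted above and applies the two rules from Patrick's answer: snc/identity/as must name the service account as p:<account>@<REALM> rather than an SPN, and that account must be the user the SAP system runs under. The trace excerpt is constructed from the posted lines; the setspn form it proposes is the one used in this thread.

```python
import re

# Constructed excerpt modelled on the SNC trace posted in this thread
# (worker-process trace format); it is not a capture from a real system.
SAMPLE_TRACE = r'''
N  GetUserName()="SAPServiceEMD"  NetWkstaUser="SAPServiceEMD"
N  SncInit(): found snc/gssapi_lib=C:\Windows\system32\gx64krb5.dll
N  SncInit(): found snc/identity/as=p:SAP/SAPServiceEMD@ITULM.LAN
N  *** ERROR => SncPAcquireCred()==SNCERR_GSSAPI [sncxxall.c 1445]
N        GSS-API(min): SSPI::IniSctx#1()==No credentials available in security package
N      Could't acquire ACCEPTING credentials for
N      name="p:SAP/SAPServiceEMD@ITULM.LAN"
'''

PATTERNS = {
    "os_user": re.compile(r'GetUserName\(\)="([^"]+)"'),
    "gssapi_lib": re.compile(r"snc/gssapi_lib=(\S+)"),
    "identity": re.compile(r"snc/identity/as=(\S+)"),
    "gss_min": re.compile(r"GSS-API\(min\): (.+?)\s*$"),
}

def parse_snc_trace(text):
    """Pull the SNC settings and the SSPI minor status out of a dev_w* style trace."""
    found = {}
    for line in text.splitlines():
        for key, rx in PATTERNS.items():
            m = rx.search(line)
            if m and key not in found:
                found[key] = m.group(1)
    return found

def diagnose(trace):
    """Return (findings, proposed_fix) for the identity configuration in the trace."""
    info = parse_snc_trace(trace)
    identity = info.get("identity", "")
    os_user = info.get("os_user", "")
    findings = []
    if not identity.startswith("p:") or "@" not in identity:
        findings.append("snc/identity/as must have the form p:<account>@<REALM>")
        return findings, None
    principal, realm = identity[2:].rsplit("@", 1)
    if "/" in principal:
        findings.append("SPN-style name in snc/identity/as; the MS wrapper expects the account name, not SAP/<account>")
    account = principal.rsplit("/", 1)[-1]  # last component is the account the poster meant
    if os_user and account.lower() != os_user.lower():
        findings.append(f"identity account {account!r} differs from the user the system runs as ({os_user!r})")
    if "No credentials available in security package" in info.get("gss_min", ""):
        findings.append("SSPI found no accept credentials: check the SPN registration and that the account is a domain account")
    # Corrected values in the form Patrick gave: SPN <account>/SAP on the account, identity p:<account>@<REALM>
    fix = {"setspn": f"setspn -A {account}/SAP {account}", "snc/identity/as": f"p:{account}@{realm}"}
    return findings, fix
```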
Hello Patrick,
your assumption is totally correct. I tried what you told me. I set the SPN via Editor to SAPServiceEMD/ITULM.LAN. When I look for the SPN names (setspn -l SAPServiceEMD) I got the following:
I changed the parameters in rz10:
But the error is still the same.
Thank you.
Regards,
Maximilian
Hello Patrick,
the user to test is SAPServiceEMD from the domain ITULM. So the environment variable %USERDOMAIN% is ITULM. But the system is running under SAPServiceEMD, which is not in the domain ITULM. So there are two SAPServiceEMD users, one in the domain ITULM, with which I test everything. And the other SAPServiceEMD is the user the SAP system is running under, which is a local user. We included the SAP server in the ITULM domain just for test reasons.
Now I'm a little bit confused. Which user do I have to take?
Thank you for your help.
Hello Patrick,
one more question: we changed the user for the SAP system. This works as expected, but we get the next error, that the encryption type is not supported by the KDC. Now my question: does the gx64krb5.dll only support DES encryption, or newer types too?
By the way, we have a strange behavior at the server (SAP system): we set the encryption types in the GPO, but when I trace the network communication, the Kerberos protocol sends a total of three ETypes in the available ETypes and every one is DES, which is very strange to me.
Thank you,
Regards,
Maximilian
Hi Maximilian,
please check SAP note 352295 on this topic. This is most likely an OS problem, as the DLL is just a wrapper around OS functionality.
Windows 7 and Windows 2008 R2
Windows 7 and Windows 2008 R2 create new challenges for Kerberos interoperability, since they have single-DES enctypes disabled by default because of algorithm strength concerns.
gsskrb5.dll does not know or care which Kerberos enctypes are used and can be used with all of them. But when Kerberos single-DES enctypes have previously been enabled for an Active Directory account, the resulting interoperability problems with Windows 7 and Windows 2008 R2 will affect all Kerberos callers, including gsskrb5.dll when used for SSO by SAPgui.
It is possible to re-enable these enctypes, as described in the KB Article 977321:
http://support.microsoft.com/kb/977321
And if you upgrade any Domain Controllers to Windows 2008 R2, you will probably have to obtain the Microsoft Hotfix:
regards,
Patrick
Dear Maximilian,
Yes, you need the Secure Login Library in order to implement Single Sign-On for SAP GUI for Windows with Kerberos integration. Also you need a license to be able to download the Secure Login Library.
Please find a nice guide on how to implement this scenario here:
Best regards,
Donka Dimitrova
Hello,
Donka, this is only true if he wants to implement the paid solution included in the product NetWeaver SSO. It is not even necessary to download the Secure Login Library, because the SAP Common Cryptolib is now included in all modern kernel packages (a license is still needed if using transaction spnego).
The previous implementation using gx64krb5.dll is free.
Yes, I know it is not really supported (I do use NW SSO), but the choice is up to the customer.
Best Regards,
Olivier