SSO mit MS Kerberos


Hello experts,

we want to configure SSO with MS Kerberos between SAP GUI and the SAP system. We use

the gx64krb5.dll library and configured it as described in the documentation. When we restart the

SAP system, the system shuts down because the accepting credentials, which are needed by

the SNC, are not available.

Now we want to create a keytab file so that the credentials are available, but how?

Does anybody know how we can create a keytab file for the SAP system? Do we need the

Secure Login Library?

Thank you for your help.

Regards,

Maximilian

Accepted Solutions (1)


tim_alsop
Active Contributor

Maximilian,

If your SAP system is on Windows then you don't need a key table file if you are using the gx64krb.dll library. If your SAP system is on Unix or Linux then you will need a key table file.

Thanks

Tim


Hello Tim,

thank you for your quick answer. Our SAP system is on Windows. We get the following error:

FATAL SNCERROR -- Accepting Credentials not available!

N  *** ERROR => SncPAcquireCred()==SNCERR_GSSAPI  [sncxxall.c 1445]

N        GSS-API(maj): Miscellaneous Failure

N        GSS-API(min): SSPI::AcqCredHdl(ACC)==No credentials available in security package

N      Could't acquire DEFAULT ACCEPTING credentials

So I thought that we have to create a keytab file and afterwards the credentials would be available. Do you know how we can create the accepting credentials?

Thank you,

Maximilian

Former Member

Hi Maximilian,

as the question is not related to the SAP NW SSO product, I would suggest moving the thread to the security forum, as it is more likely to get an answer there.

The credentials for the MS implementation of the Kerberos-based authentication are acquired directly from the OS. Without having more knowledge of your config, it is however difficult to even guess what's going wrong. However, I'd guess it's something about the spelling of the user name or similar.

You can find some guidance in the docs

Regards, Patrick


Hello Patrick,

thank you for your help. I think it is a good idea to move the thread.

Is there a function to move the thread automatically, or do I need to start a new discussion?

Regards,

Maximilian

Former Member

Hi Maximilian,

I have moved your thread to security.

BTW: did you check your credential names already?

Did you do a setspn -A SAPService<SID>/<do_not_care> SAPService<SID>

to register your Service Principal Name (SPN) for the app server with the domain controller?

BTW2: this will only work for SAP GUI, not for web-based access. If you want to use SPNEGO for web-based access you need a product like SAP NW SSO or a 3rd-party solution.

Regards,

Patrick


Hello Patrick,

thank you for moving the thread. We are interested in the free solution with Kerberos only for the SAP GUI.

We set the SPN via Editor to SAP/SAPServiceEMD. The identity parameter in the profile is set to snc/identity/as=p:SAP/SAPServiceEMD@ITULM.LAN. But the error message is still the same.


N  SncInit(): Initializing Secure Network Communication (SNC)

N        PC with Windows NT (mt,ascii,SAP_UC/size_t/void* = 16/64/64)

N        GetUserName()="SAPServiceEMD"  NetWkstaUser="SAPServiceEMD"

N  SncInit():   found snc/data_protection/max=3, using 3 (Privacy Level)

N  SncInit():   found snc/data_protection/min=2, using 2 (Integrity Level)

N  SncInit():   found snc/data_protection/use=9, using 3 (Privacy Level)

N  SncInit(): found  snc/gssapi_lib=C:\Windows\system32\gx64krb5.dll

N    File "C:\Windows\system32\gx64krb5.dll" dynamically loaded as GSS-API v2 library.

N    The internal Adapter for the loaded GSS-API mechanism identifies as:

N    Internal SNC-Adapter (Rev 1.0) to Kerberos 5/GSS-API v2

N    FileVersionInfo: InternalName= GX64KRB5-Release, FileVersion= 1.0.11.2

N  SncInit():   found snc/identity/as=p:SAP/SAPServiceEMD@ITULM.LAN

N  *** ERROR => SncPAcquireCred()==SNCERR_GSSAPI  [sncxxall.c 1445]

N        GSS-API(maj): No valid credentials provided (or available)

N        GSS-API(min): SSPI::IniSctx#1()==No credentials available in security package

N      Could't acquire ACCEPTING credentials for

N      name="p:SAP/SAPServiceEMD@ITULM.LAN"

N      FATAL SNCERROR -- Accepting Credentials not available!

N  *** ERROR => SncPAcquireCred()==SNCERR_GSSAPI  [sncxxall.c 1445]

N        GSS-API(maj): Miscellaneous Failure

N        GSS-API(min): SSPI::AcqCredHdl(ACC)==No credentials available in security package

N      Could't acquire DEFAULT ACCEPTING credentials

Do you have an idea for a solution?

Thank you.

Regards,

Maximilian

Former Member

Hi Maximilian,

based on your configuration, I'd assume you tried to use the documentation from the SAP NW SSO product to configure the MS wrapper. They are completely independent of each other, as is their config.

Without knowing your infrastructure, and assuming that

- your servers are running Windows 2003 or later

- the SAP system runs under the user SAPServiceEMD

- your Kerberos realm (Windows domain name) is ITULM.LAN

I'd guess that you need to do the following:

on the command line of your windows box:

setspn -A SAPServiceEMD/SAP SAPServiceEMD

Note you can replace the second SAP with something else. It only needs to be unique.

If your service account is in a different domain than the one you are in when executing the setspn command, you may need to prepend the domain name, for example MYDOMAIN\SAPServiceEMD for the account name (the last parameter to setspn).

In the config of the ABAP system you need to set:

snc/identity/as = p:SAPServiceEMD@ITULM.LAN


Regards,

Patrick
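The steps Patrick lists above, together with the checks his later replies turn out to hinge on (is the host domain-joined, does the instance really run as the domain account, is the SPN registered only once), as an added PowerShell example that is not part of the thread or of any SAP documentation. It assumes SID EMD, the service account SAPServiceEMD in domain ITULM (realm ITULM.LAN), that the instance's Windows service is named SAP<SID>_<instance number>, and that the RSAT ActiveDirectory module is installed on the application server.

```powershell
# Added example, not from the thread. Assumptions: SID EMD, domain ITULM,
# realm ITULM.LAN, instance service named SAP<SID>_<nr>, RSAT AD module present.
# Run in an elevated PowerShell on the SAP application server.
$Sid            = 'EMD'
$ServiceAccount = "SAPService$Sid"
$Domain         = 'ITULM'
$Realm          = 'ITULM.LAN'
$Spn            = "$ServiceAccount/SAP"   # the part after '/' only has to be unique

Import-Module ActiveDirectory

# 1. The host must be a domain member, otherwise SSPI has no KDC to talk to.
$cs = Get-CimInstance Win32_ComputerSystem
if (-not $cs.PartOfDomain) {
    throw "Host $($cs.Name) is not domain-joined; Kerberos SSO cannot work here."
}
Write-Host "Host $($cs.Name) is a member of $($cs.Domain)"

# 2. The instance must run as the *domain* SAPService<SID>, not a local account
#    of the same name. StartName is 'ITULM\SAPServiceEMD' for a domain account,
#    '.\SAPServiceEMD' or 'HOSTNAME\SAPServiceEMD' for a local one.
#    Assumption: the instance service is named SAP<SID>_<nr>, e.g. SAPEMD_00.
$services = Get-CimInstance Win32_Service | Where-Object Name -like "SAP${Sid}_*"
if (-not $services) { Write-Warning "No service named SAP${Sid}_* found; adjust the pattern" }
foreach ($svc in $services) {
    if ($svc.StartName -ne "$Domain\$ServiceAccount") {
        Write-Warning "$($svc.Name) runs as '$($svc.StartName)', expected '$Domain\$ServiceAccount'"
    } else {
        Write-Host "$($svc.Name) runs as $($svc.StartName) (domain account, OK)"
    }
}

# 3. An SPN must map to exactly one object; a duplicate makes the KDC encrypt
#    service tickets with the wrong key and SNC will never be able to accept them.
$owner = Get-ADObject -LDAPFilter "(servicePrincipalName=$Spn)" -Properties sAMAccountName
if ($owner -and $owner.sAMAccountName -ne $ServiceAccount) {
    throw "SPN $Spn already belongs to $($owner.DistinguishedName)"
}

# 4. Register the SPN as in Patrick's reply, domain-prefixed so it also works
#    when the admin running this is logged on to another domain.
if (-not $owner) {
    setspn -A $Spn "$Domain\$ServiceAccount"
}

# 5. Verify, and flag the earlier 'SAP/SAPServiceEMD' form so it can be removed.
$acct = Get-ADUser -Identity $ServiceAccount -Properties ServicePrincipalNames
foreach ($s in $acct.ServicePrincipalNames) {
    if ($s -eq "SAP/$ServiceAccount") {
        Write-Warning "Stray SPN found; remove it with: setspn -D $s $Domain\$ServiceAccount"
    }
}
if ($acct.ServicePrincipalNames -notcontains $Spn) {
    throw "SPN $Spn is not registered on $ServiceAccount"
}

# 6. The matching instance profile line (set via RZ10). It names the account
#    and realm, not the SPN.
"snc/identity/as = p:$ServiceAccount@$Realm"
```

Step 3 is the check worth keeping even after everything works: `setspn -A` does not refuse a duplicate on older Windows versions, and a second object holding the same SPN is one of the few ways to break SNC acceptance later without touching the SAP profile at all.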


Hello Patrick,

your assumption is totally correct. I tried what you told me. I set the SPN via Editor to SAPServiceEMD/ITULM.LAN. When I look at the SPN names (setspn -l SAPServiceEMD) I get the following:

I changed the parameters in rz10:

But the error is still the same.

Thank you.

Regards,

Maximilian

Former Member

Could you please remove the SPN for SAP/SAPServiceEMD.

Could you please also post the contents of the USERDOMAIN environment variable.

Thanks Patrick

Former Member

Hi Maximilian,

also please check the user which is running the app server: is this really SAPServiceEMD, or is it EMDadm? To me it sounds more and more like your system is not running under SAPServiceEMD.

Regards,

Patrick


Hello Patrick,

the user I use for testing is SAPServiceEMD from the domain ITULM, so the environment variable %USERDOMAIN% is ITULM. But the system is running under a SAPServiceEMD which is not in the domain ITULM. So there are two SAPServiceEMD users: one in the domain ITULM, with which I test everything, and the other SAPServiceEMD, which the SAP system is running under, which is a local user. We only joined the SAP server to the ITULM domain for test reasons.

Now I'm a little bit confused. Which user do I have to take?

Thank you for your help.

Former Member

Hi Maximilian,

sorry, this can't work. The user running the ABAP system needs to be in the domain, and this user needs to be named using SETSPN. The way you did it, the system cannot talk to the domain to get the info it needs.

Regards,

Patrick


Hello Patrick,

thank you very much. Now it's clear that this cannot work. We will change the user running the SAP system.

Regards,

Maximilian


Hello Patrick,

one more question: we changed the user for the SAP system. This works as expected, but we get the next error, that the encryption type is not supported by the KDC. Now my question: does gx64krb5.dll only support DES encryption, or newer types too?

By the way, we see strange behavior on the server (SAP system): we set the encryption types in the GPO, but when I trace the network communication, the Kerberos protocol sends a total of three ETypes in the available ETypes, and every one is DES, which is very strange to me.

Thank you,

Regards,

Maximilian

Former Member

Hi Maximilian,

please check SAP note 352295 on this topic. This is most likely an OS problem, as the DLL is just a wrapper around OS functionality.


Windows 7 and Windows 2008 R2

Windows 7 and Windows 2008 R2 create new challenges for Kerberos interoperability, since they have single-DES enctypes disabled by default because of algorithm strength concerns.

gsskrb5.dll does not know or care which Kerberos enctypes are used and can be used with all of them. But when Kerberos single-DES enctypes have previously been enabled for an Active Directory account, the resulting interoperability problems with Windows 7 and Windows 2008 R2 will affect all Kerberos callers, including gsskrb5.dll when used for SSO by SAPgui.

It is possible to re-enable these enctypes, as described in the KB Article 977321:

    http://support.microsoft.com/kb/977321

And if you upgrade any Domain Controllers to Windows 2008 R2, you will probably have to obtain the Microsoft Hotfix:

    http://support.microsoft.com/kb/2274102

regards,

Patrick
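Patrick's reply points at the OS and the account rather than the DLL, and Maximilian's observation (only DES etypes offered despite a GPO) has three possible sources: the account's enctype attribute, the account's DES-only flag, and the host's Kerberos policy. The following added PowerShell example, which is not part of the thread or of the SAP note, reads all three. It assumes the account SAPServiceEMD in domain ITULM and the RSAT ActiveDirectory module; the bit values are the documented Windows msDS-SupportedEncryptionTypes flags and the userAccountControl flag UF_USE_DES_KEY_ONLY, and the registry path is where the "Configure encryption types allowed for Kerberos" policy is stored.

```powershell
# Added example, not from the thread. Assumptions: account SAPServiceEMD,
# RSAT AD module present; run on the SAP host as a domain user.
Import-Module ActiveDirectory

$ServiceAccount = 'SAPServiceEMD'

# Bit values of msDS-SupportedEncryptionTypes / SupportedEncryptionTypes.
$EncTypeBits = [ordered]@{
    'DES-CBC-CRC'             = 0x01
    'DES-CBC-MD5'             = 0x02
    'RC4-HMAC'                = 0x04
    'AES128-CTS-HMAC-SHA1-96' = 0x08
    'AES256-CTS-HMAC-SHA1-96' = 0x10
}
$NonDesMask    = 0x1C       # RC4 or either AES type
$UseDesKeyOnly = 0x200000   # userAccountControl: "Use Kerberos DES encryption types"

function ConvertFrom-EncTypeMask {
    param($Mask)
    if ($null -eq $Mask) { return '(not set: default of the OS / KDC applies)' }
    $names = foreach ($kv in $EncTypeBits.GetEnumerator()) {
        if ($Mask -band $kv.Value) { $kv.Key }
    }
    if ($names) { $names -join ', ' } else { "(no known type, raw value $Mask)" }
}

# 1. The account in AD: explicit enctype list and the DES-only flag. Either
#    one restricts what the KDC will issue for SAPServiceEMD, regardless of
#    what the SAP host's GPO says.
$acct = Get-ADUser $ServiceAccount -Properties 'msDS-SupportedEncryptionTypes', 'userAccountControl'
$acctMask = $acct.'msDS-SupportedEncryptionTypes'
"Account enctypes : $(ConvertFrom-EncTypeMask $acctMask)"
if ($acct.userAccountControl -band $UseDesKeyOnly) {
    Write-Warning "'Use Kerberos DES encryption types' is set on $ServiceAccount; the KDC will only issue DES keys for it"
}
if ($null -ne $acctMask -and -not ($acctMask -band $NonDesMask)) {
    Write-Warning "$ServiceAccount allows DES only; Windows 7 / 2008 R2 reject that by default (KB 977321)"
}

# 2. The SAP host: the GPO "Network security: Configure encryption types
#    allowed for Kerberos" is written to this registry value.
$polKey   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters'
$hostMask = (Get-ItemProperty -Path $polKey -Name SupportedEncryptionTypes -ErrorAction SilentlyContinue).SupportedEncryptionTypes
"Host policy      : $(ConvertFrom-EncTypeMask $hostMask)"

# 3. What was actually negotiated: the cached tickets show the enctype per
#    ticket, which is the ground truth behind the network trace.
klist
```

If step 1 reports DES only while step 2 reports AES, the trace Maximilian saw is the expected outcome: the client may offer what the host policy allows, but the KDC issues a service ticket only in an enctype the target account's key supports. Replacing the account, as the thread ends up doing, resets both attributes.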


Hello Patrick,

something went wrong with the AD user. We changed this user to a new one, and afterwards the SNC was successfully initialized. Now the SSO with MS Kerberos works perfectly.

Thank you very much for your help.

Regards,

Maximilian

Answers (1)


donka_dimitrova
Contributor

Dear Maximilian,

Yes, you need the Secure Login Library in order to implement Single Sign-On for SAP GUI for Windows with Kerberos integration. You also need a license to be able to download the Secure Login Library.

Please find a nice guide on how to implement this scenario here:

http://scn.sap.com/community/netweaver-sso/blog/2012/08/17/how-to-configure-sap-netweaver-single-sig...

Best regards,

Donka Dimitrova

Former Member

Hello,

Donka, this is only true if he wants to implement the paid solution included in the product NetWeaver SSO. It is not even necessary to download the Secure Login Library, because the SAP CommonCryptoLib is now included in all modern kernel packages (a license is still needed if using transaction SPNEGO).

The previous implementation using gx64krb5.dll is free.

Yes, I know it is not really supported (I do use NW SSO), but the choice is up to the customer.

Best Regards,

Olivier