on 04-23-2014 2:46 PM
Hi to everyone in the SAP Netweaver Single Sign-On Community,
for the last few days I have been stuck trying to implement Single Sign-On with Kerberos authentication for an AS ABAP system running on AIX 6.1. Whatever I try to do, I always seem to end up with the same generic error:
(domain names in this picture and all following files and traces have been removed or replaced with "generic.domain")
Hopefully somebody with more experience would be so kind to take a look at this post and the attached traces to help me figure out where the problem with my configuration lies.
Attached you will find the developer trace of the first work process, the trace of the Secure Login Library with trace level 4 of an authentication attempt, and the traces of the Secure Login Client during the same authentication attempt. Additionally this post contains the configuration of the application server and the service user.
Generic information:
Platform: IBM AIX 6.1
Kernel: 7.21 Patch Level 226
Version of the Secure Login Library (output of ./sapgenpse):
Loaded CommonCryptoLib from sapgenpse folder
"/sapmnt/K31/exe/uc/rs6000_64/SLL/libsapcrypto.so"
Platform: aix-6.1-ppc-64 (aix-6.1-ppc-64)
Versions: SAPGENPSE 2.0 SP2 Patch 3 (Feb 22 2014)
FILE-Version 8.4.10.3
CommonCryptoLib (SAPCRYPTOLIB) Version 8.4.10 pl40 (2.0 SP2 Patch 3) (Feb 22 2014) MT-safe
USER="k31adm"
Environment variable $SECUDIR is defined:
"/usr/sap/K31/DVEBMGS03/sec"
Configuration of SNC parameters in the instance profile of the application server:
snc/enable = 1
snc/data_protection/use = 3
snc/data_protection/min = 2
snc/data_protection/max = 3
snc/gssapi_lib = /sapmnt/K31/exe/uc/rs6000_64/SLL/libsapcrypto.so
snc/accept_insecure_gui = 1
snc/accept_insecure_cpic = 1
snc/accept_insecure_rfc = 1
snc/permit_insecure_start = 1
snc/force_login_screen = 0
snc/identity/as = p:CN=svc-sap-sso@GENERIC.DOMAIN
snc/r3int_rfc_secure = 0
snc/r3int_rfc_qop = 8
Availability of required personal security environments for the user k31adm (output of ./sapgenpse seclogin -l):
running seclogin with USER="k31adm"
0: CN=svc-sap-sso@GENERIC.DOMAIN
/usr/sap/K31/DVEBMGS03/sec/SAPSNCSKERB.pse
1: CN=svc-sap-sso@GENERIC.DOMAIN
/usr/sap/K31/DVEBMGS03/sec/SAPSNCS.pse
2 readable SSO-Credentials available
Configuration of the Microsoft Active Directory service user:
domain: generic.domain
samaccountname: svc-sap-sso
serviceprincipalname: SAP/svc-sap-sso
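A small consistency check over the configuration shown above, added here as an example; it is not part of the original post and not SAP tooling. It parses constructed copies of the profile fragment and the `sapgenpse seclogin -l` output from the post, confirms that `snc/identity/as` names one of the readable credentials, and lists the profile settings that still accept connections without SNC (`snc/accept_insecure_*` and `snc/permit_insecure_start` are usually left at 1 during a rollout and should be reset once every client uses SNC; `snc/data_protection/min = 2` means integrity-only connections without encryption are accepted). The function and finding names are my own. The check cannot see whether the password stored in the keytab PSE still matches Active Directory, so a clean result here does not rule out an authentication failure.

```python
import re

# Constructed sample inputs copied from the post: the SNC profile
# parameters and the "sapgenpse seclogin -l" output.
SNC_PROFILE = """\
snc/enable = 1
snc/data_protection/use = 3
snc/data_protection/min = 2
snc/data_protection/max = 3
snc/gssapi_lib = /sapmnt/K31/exe/uc/rs6000_64/SLL/libsapcrypto.so
snc/accept_insecure_gui = 1
snc/accept_insecure_cpic = 1
snc/accept_insecure_rfc = 1
snc/permit_insecure_start = 1
snc/force_login_screen = 0
snc/identity/as = p:CN=svc-sap-sso@GENERIC.DOMAIN
snc/r3int_rfc_secure = 0
snc/r3int_rfc_qop = 8
"""

SECLOGIN_OUTPUT = """\
running seclogin with USER="k31adm"
0: CN=svc-sap-sso@GENERIC.DOMAIN
/usr/sap/K31/DVEBMGS03/sec/SAPSNCSKERB.pse
1: CN=svc-sap-sso@GENERIC.DOMAIN
/usr/sap/K31/DVEBMGS03/sec/SAPSNCS.pse
2 readable SSO-Credentials available
"""


def parse_profile(text):
    """Return {parameter: value} for 'name = value' lines.

    Blank lines and '#' comments are skipped; only the first '=' splits,
    so values such as 'p:CN=...' keep their own '=' intact.
    """
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition("=")
        if sep:
            params[name.strip()] = value.strip()
    return params


def parse_seclogin(text):
    """Return [(subject, pse_path)] from the 'N: subject' / path line pairs."""
    creds = []
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    i = 0
    while i < len(lines):
        m = re.match(r"^\d+:\s*(.+)$", lines[i])
        if m and i + 1 < len(lines):
            creds.append((m.group(1).strip(), lines[i + 1]))
            i += 2
        else:
            i += 1
    return creds


def audit_snc(params, creds):
    """Return a list of human-readable findings; an empty list means nothing flagged."""
    findings = []
    if params.get("snc/enable") != "1":
        findings.append("snc/enable is not 1: SNC is off, Kerberos SSO cannot work")

    # The server identity must be a printable name that one of the
    # credentials readable by <sid>adm actually carries.
    ident = params.get("snc/identity/as", "")
    if not ident.startswith("p:"):
        findings.append("snc/identity/as is not of the form p:<name>")
    else:
        name = ident[2:]
        if not any(subject == name for subject, _ in creds):
            findings.append(f"snc/identity/as {name!r} matches none of the readable credentials")

    # Rollout-only settings that keep accepting connections without SNC.
    for kind in ("gui", "cpic", "rfc"):
        if params.get(f"snc/accept_insecure_{kind}") == "1":
            findings.append(f"snc/accept_insecure_{kind} = 1: {kind} connections without SNC are still accepted")
    if params.get("snc/permit_insecure_start") == "1":
        findings.append("snc/permit_insecure_start = 1: programs may still be started without SNC")

    # Quality of protection: 1 = authentication only, 2 = integrity, 3 = privacy.
    try:
        qmin = int(params.get("snc/data_protection/min", "0"))
    except ValueError:
        qmin = 0
    if qmin < 3:
        findings.append(f"snc/data_protection/min = {qmin}: connections without encryption are accepted")
    return findings


if __name__ == "__main__":
    for finding in audit_snc(parse_profile(SNC_PROFILE), parse_seclogin(SECLOGIN_OUTPUT)):
        print("-", finding)
```

Run it against the real instance profile and the real `seclogin -l` output by reading the file and the command output into the two strings; the identity check is the one that catches a mistyped `snc/identity/as`, which produces the same generic SNC error as a bad keytab password.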
Hello,
after analysing the traces, the error could be caused by a wrong password for the SPN user.
Please try to synchronize the passwords on the Active Directory and Secure Login Library server side. On the Secure Login Library side you must delete and create new Kerberos entries.
best regards
Alexander Gimbel
I gotta admit, I'm a bit ashamed right now.
Thank you, Mr. Gimbel. The problem was indeed an incorrect password. While we did indeed enter the new password into the PSE, we did not delete the entries first. Instead we simply tried to update the keytab entries with sapgenpse -p SAPSNCSKERB.pse -nopsegen -a svc-sap-sso@GENERIC.DOMAIN.
Should anyone find this post: Delete the keytab entries before entering an entry with an updated password.