
Stuck on implementing Kerberos based SNC/SSO with SLL 2.0 SP2 on AIX 6.1

Former Member
0 Kudos

Hi to everyone in the SAP Netweaver Single Sign-On Community,

for the last few days I have been stuck trying to implement Single Sign-On with Kerberos authentication for an AS ABAP system running on AIX 6.1. Whatever I try to do, I always seem to end up with the same generic error:

(domain names in this picture and all following files and traces have been removed or replaced with "generic.domain")

Hopefully somebody with more experience would be so kind as to take a look at this post and the attached traces to help me figure out where the problem with my configuration lies.

Attached you will find the developer trace of the first work process, the trace of the Secure Login Library with trace level 4 of an authentication attempt, and the traces of the Secure Login Client during the same authentication attempt. Additionally this post contains the configuration of the application server and the service user.

Generic information:

Platform:    IBM AIX 6.1

Kernel:    7.21 Patch Level 226

Version of the Secure Login Library (output of ./sapgenpse):

Loaded CommonCryptoLib from sapgenpse folder

"/sapmnt/K31/exe/uc/rs6000_64/SLL/libsapcrypto.so"

Platform:    aix-6.1-ppc-64  (aix-6.1-ppc-64)

Versions:  SAPGENPSE    2.0 SP2 Patch 3 (Feb 22 2014)

  FILE-Version  8.4.10.3

  CommonCryptoLib (SAPCRYPTOLIB) Version 8.4.10 pl40 (2.0 SP2 Patch 3) (Feb 22 2014) MT-safe

USER="k31adm"

Environment variable $SECUDIR is defined:

"/usr/sap/K31/DVEBMGS03/sec"

Configuration of SNC parameters in the instance profile of the application server:


snc/enable = 1
snc/data_protection/use = 3
snc/data_protection/min = 2
snc/data_protection/max = 3
snc/gssapi_lib = /sapmnt/K31/exe/uc/rs6000_64/SLL/libsapcrypto.so
snc/accept_insecure_gui = 1
snc/accept_insecure_cpic = 1
snc/accept_insecure_rfc = 1
snc/permit_insecure_start = 1
snc/force_login_screen = 0
snc/identity/as = p:CN=svc-sap-sso@GENERIC.DOMAIN
snc/r3int_rfc_secure = 0
snc/r3int_rfc_qop = 8

Availability of required personal security environments for the user k31adm (output of ./sapgenpse seclogin -l):


running seclogin with USER="k31adm"

0: CN=svc-sap-sso@GENERIC.DOMAIN

        /usr/sap/K31/DVEBMGS03/sec/SAPSNCSKERB.pse

1: CN=svc-sap-sso@GENERIC.DOMAIN

        /usr/sap/K31/DVEBMGS03/sec/SAPSNCS.pse

2 readable SSO-Credentials available

Configuration of the Microsoft Active Directory service user:

domain:                          generic.domain

samaccountname:          svc-sap-sso

serviceprincipalname:    SAP/svc-sap-sso
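The post above shows the same identity and library path in three places: the instance profile, the `sapgenpse` version output and the `seclogin -l` listing. The following is an added example, not part of the original post, that cross-checks those three views; the function names are hypothetical and the sample input is constructed from the values quoted in the post.

```python
import re

# Constructed sample input, copied from the values quoted in the post.
PROFILE = """\
snc/gssapi_lib = /sapmnt/K31/exe/uc/rs6000_64/SLL/libsapcrypto.so
snc/identity/as = p:CN=svc-sap-sso@GENERIC.DOMAIN
"""
SECLOGIN = """\
running seclogin with USER="k31adm"
0: CN=svc-sap-sso@GENERIC.DOMAIN
        /usr/sap/K31/DVEBMGS03/sec/SAPSNCSKERB.pse
1: CN=svc-sap-sso@GENERIC.DOMAIN
        /usr/sap/K31/DVEBMGS03/sec/SAPSNCS.pse
2 readable SSO-Credentials available
"""
LOADED_LIB = "/sapmnt/K31/exe/uc/rs6000_64/SLL/libsapcrypto.so"

def parse_profile(text):
    """Return {parameter: value} from 'name = value' profile lines."""
    pairs = (l.split("=", 1) for l in text.splitlines()
             if "=" in l and not l.lstrip().startswith("#"))
    return {k.strip(): v.strip() for k, v in pairs}

def parse_seclogin(text):
    """Return [(subject, pse_path)] from 'sapgenpse seclogin -l' output."""
    creds, subject = [], None
    for line in text.splitlines():
        m = re.match(r"\s*\d+:\s*(.+)$", line)   # e.g. "0: CN=..."
        if m:
            subject = m.group(1).strip()
        elif subject and line.strip().endswith(".pse"):
            creds.append((subject, line.strip()))
            subject = None
    return creds

def check_snc(profile_text, seclogin_text, loaded_lib):
    """Return a list of findings; an empty list means the three views agree."""
    p = parse_profile(profile_text)
    findings = []
    if p.get("snc/gssapi_lib") != loaded_lib:
        findings.append("snc/gssapi_lib differs from the library sapgenpse loaded")
    identity = p.get("snc/identity/as", "")
    # The profile value carries a "p:" name-type prefix; seclogin lists the bare name.
    subject = identity[2:] if identity.startswith("p:") else identity
    pses = [path for subj, path in parse_seclogin(seclogin_text) if subj == subject]
    if not pses:
        findings.append("no seclogin credential for " + (subject or "<unset>"))
    elif not any(path.endswith("/SAPSNCSKERB.pse") for path in pses):
        findings.append("no SAPSNCSKERB.pse credential for " + subject)
    return findings
```

An empty result only shows that the three views agree; it does not detect a keytab entry created with an outdated password.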

Accepted Solutions (1)

Former Member
0 Kudos

Hello,

after analysing the traces, the error could be caused by a wrong password for the SPN user.
Please try to synchronize the passwords on Active Directory and Secure Login Library Server side. On Secure Login Library side you must delete and create new Kerberos entries.

best regards

Alexander Gimbel

Former Member
0 Kudos

I gotta admit, I'm a bit ashamed right now.

Thank you, Mr. Gimbel. The problem was indeed an incorrect password. While we did indeed enter the new password into the PSE, we did not delete the entries first. Instead we simply tried to update the keytab entries with sappsegen -p SAPSNCSKERB.pse -nopsegen -a svc-sap-sso@GENERIC.DOMAIN.

Should anyone find this post: Delete the keytab entries before entering an entry with an updated password.

former_member264368
Discoverer
0 Kudos

Hi all, I couldn't figure out how to delete the keytab entries. Could anyone shed some light? Thanks, Sarah

By the way, I'm using the latest Secure Login Library SP04. The central command is "snc", there is no sapgenpse anywhere.

We are on AIX 6.1, trying to use Win AD for SSO for AS ABAP only.

former_member264368
Discoverer
0 Kudos

Found how to do it:

snc keytab -d <string>   # this will delete any keytab entries that contain this <string>

Answers (1)

Former Member
0 Kudos

Added trace of first work process.