SAP.Net Connector 3.0 with SSO failed

former_member364916
Discoverer
0 Kudos
Hello all,
We had a proof-of-concept ASP.Net C# web application connecting SAP with .Net Connector 3.0 to invoke RFC / Function Module for data extraction.  Since extracted data are sensitive, we would like to use SNC and current Windows Authenticated (SSO) user connecting SAP for data extraction.
This had been set up on Windows7 / IIS 7.5 / ASP.Net Framework 4.0 / Windows Authentication enabled environment.  But it failed with exception on respective SAP users not found: "Could not find a suitable SAP user for the SNC name of the caller". Indeed, we do have SAP Frontend installed on same machine and verified SSO for same domain user can successfully login SAP.
Did we miss any parameters to the configuration?
Any help would be appreciated.
Thanks.
Here's the source for connection setup and parameters:

    public void nco() {
        // Register the custom configuration, then resolve the destination by name
        _ID = new MyBackendConfig();
        RfcDestinationManager.RegisterDestinationConfiguration(_ID);
        RfcDestinationManager.GetDestination("BD2");
    }

    ...

    public class MyBackendConfig : IDestinationConfiguration
    {
        public RfcConfigParameters GetParameters(String destinationName)
        {
            if ("BD2".Equals(destinationName))
            {
                RfcConfigParameters parms = new RfcConfigParameters();
                parms.Add(RfcConfigParameters.AppServerHost, ConfigurationManager.AppSettings["AppServerHost"]);
                parms.Add(RfcConfigParameters.SystemNumber, ConfigurationManager.AppSettings["SystemNumber"]);
                parms.Add(RfcConfigParameters.Client, ConfigurationManager.AppSettings["Client"]);  // Client
                // User/password logon is disabled; SNC is used instead
                //parms.Add(RfcConfigParameters.User, ConfigurationManager.AppSettings["User"]);
                //parms.Add(RfcConfigParameters.Password, ConfigurationManager.AppSettings["Password"]);
                parms.Add(RfcConfigParameters.SncMode, "1");
                parms.Add(RfcConfigParameters.SncPartnerName, "p:SAPServiceBD1@<domain.com>");
                parms.Add(RfcConfigParameters.SncQOP, "9");
                parms.Add(RfcConfigParameters.LogonGroup, "BW-DEV");
                parms.Add(RfcConfigParameters.SystemID, "BD2");
                parms.Add(RfcConfigParameters.Trace, "2");
                ...
            }
            ...
        }
    }

Accepted Solutions (0)

Answers (2)

Former Member
0 Kudos

Has this issue been resolved? I have a very similar problem and am getting almost identical errors. We have a .Net4.0 app running on IIS7.5. I'm trying to use SNC for an SSO connection via Kerberos. I've got my app running with a service account that has unconstrained delegation. My SNC parameters are very similar to the original post on here.

I'm getting the identical error:

ERROR       GSS-API(maj): No valid credentials provided (or available)
            GSS-API(min): No Kerberos SSPI credentials available for
            requested nam
            name="p:myId@sub.contoso.com"

I think my delegation is configured correctly because I have tested it to other IIS servers. For example, I'm able to delegate my user's Kerberos to other web servers. My SNC parameters look like so:

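    // parms is the RfcConfigParameters instance for the destination
    parms.Add(RfcConfigParameters.SncMode, "1");
    parms.Add(RfcConfigParameters.SncLibraryPath, @"C:\qgsskrb5.dll");
    parms.Add(RfcConfigParameters.SncPartnerName, "p:sap@sub.contoso.com");
    parms.Add(RfcConfigParameters.SncMyName, "p:myId@sub.contoso.com");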

My web server is running with a service account that has an SPN of the webserver. The sap@sub.contoso.com account has an SPN to the "sap\sap@sub.contoso.com".

We have a SAP GUI client that uses the same SNC library and that works correctly when I run from my local machine. However, my problem is I'm trying to mimic this on my .net web app with the delegation/impersonation.

Any help would be much appreciated!

MarkusTolksdorf
Product and Topic Expert
0 Kudos

Hi Seungkwon,

When using SNC, the SNC_NAME of the local instance is also sent. Depending on the SNC implementation there could be a single one or multiple ones. In case you don't specify one, the default one will always be used. To be able to log on to the ABAP system, you need to map the identity defined by the SNC_NAME to some ABAP user in the ABAP system. How this needs to be done should be described in the documentation of the SNC Library that you are using.

Best regards,

Markus

former_member364916
Discoverer
0 Kudos

Hi Markus,

Thank you for your response.

We did set up AD user mappings in ABAP / SAP, which had been verified with SAP Frontend successfully authenticated with SSO.

For AD user details, we tried to fill in the connection parameters, but nothing applicable can be found (i.e. SNC_Name / SncName not available in RfcConfigParameters class).  And we also tried setting AD details to attribute "SncMyName", "SncSSO", which would raise "No Kerberos SSPI credentials available" error.

Setting AD details to SncMyName:

            parms.Add(RfcConfigParameters.SncMyName, "p:henryw1@<domain.com>");

Best Regards.

MarkusTolksdorf
Product and Topic Expert
0 Kudos

Hi Seungkwon,

The RfcConfigParameters constant is SncMyName, which would be relevant in order to override the default value. In case the default value is sufficient, you can omit this parameter. I cannot tell you details about the configuration needed for that special SNC library that you use and need to refer to the vendor's documentation in this case.

Best regards,

Markus

former_member364916
Discoverer
0 Kudos

Hi Markus,

We had tried different parameters to verify the scenario, and updated SncLibraryPath, but it resulted in a different error.

Do you know any reference materials for configuring a .Net client application to use AD identity connecting SAP (with NCO 3.0)?

MarkusTolksdorf
Product and Topic Expert
0 Kudos

Hi Seungkwon,

There is no special documentation for a .NET client. You need to check the documentation of the SNC solution that you are using for your landscape. How this needs to be configured is independent from the type of RFC client you use. It will be the same for NCo, JCo, and NW RFC SDK. Hence you need to look for a configuration documentation for this SNC solution. Therefore, you need to get the answers from someone else. Sorry, but I can't help in this case.

Best regards,

Markus
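
A diagnostic for the "No Kerberos SSPI credentials available" errors quoted in this thread, as an added example that is not code from any poster or from SAP: it reports which Windows account the request thread runs as and whether that is the account named in SncMyName. The class and method names are hypothetical, and the `p:account@REALM` name form is assumed from the values shown in the posts; only standard .NET `System.Security.Principal` calls are used.

```csharp
using System;
using System.Security.Principal;

// Added diagnostic (hypothetical names). Call Describe(...) on the request
// thread just before RfcDestinationManager.GetDestination(...) and log it.
public static class SncIdentityCheck
{
    // Assumption: Kerberos SNC names look like "p:account@REALM".
    public static string AccountFromSncName(string sncName)
    {
        if (string.IsNullOrEmpty(sncName) ||
            !sncName.StartsWith("p:", StringComparison.OrdinalIgnoreCase))
            throw new ArgumentException("SNC name must start with \"p:\"", "sncName");
        string principal = sncName.Substring(2);
        int at = principal.IndexOf('@');
        return at < 0 ? principal : principal.Substring(0, at);
    }

    // Windows reports DOMAIN\account; keep only the account part.
    public static string AccountFromWindowsName(string windowsName)
    {
        int slash = windowsName.IndexOf('\\');
        return slash < 0 ? windowsName : windowsName.Substring(slash + 1);
    }

    public static bool SameAccount(string sncMyName, string windowsName)
    {
        return string.Equals(AccountFromSncName(sncMyName),
                             AccountFromWindowsName(windowsName),
                             StringComparison.OrdinalIgnoreCase);
    }

    public static string Describe(string sncMyName)
    {
        // GetCurrent() returns the impersonated identity when the thread is
        // impersonating, otherwise the process (application pool) identity.
        using (WindowsIdentity current = WindowsIdentity.GetCurrent())
        {
            return string.Format(
                "running as {0} (auth={1}, level={2}); SncMyName={3}: {4}",
                current.Name, current.AuthenticationType,
                current.ImpersonationLevel, sncMyName,
                SameAccount(sncMyName, current.Name)
                    ? "same account" : "different account");
        }
    }
}
```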