on 03-26-2007 12:11 PM
We Gui SNC configured for almost 10 system and it works. Now we want to configure it for a new one and unfortunately it works.
We have checked the config:
- parameters in RZ10
- existence of Kerberos dll in /windows/system32
- active directory settings for a SAPServiceSID user
- advance setting in saplogon
All looks fine but yet when we try to connect we get:
SAP System message: Secure Network Layer (SNC) error
Please help
Hello,
To update this Post to (sncxxall.c)
you can replace in C:\Windows\SysWOW64 the faulty file sncgss32.dll by another original one
Cheers !
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
Hi Mariusz,
After trying a thousand red herrings, my colleague (cheers Marky) discovered a the solution. solved our problem by starting the "Windows Time" service on host.
http://www.microsoft.com/windows2000/docs/wintimeserv.doc
...
The Windows® 2000 operating system implements Kerberos V5 as the primary protocol for network authentication. One requirement of the protocol is that system clocks must be synchronized. To achieve the degree of clock synchronization that Kerberos authentication requires, Windows 2000 implements the Windows Time service (or W32Time).
I hope this is of help to every/anyone.
Kind Regards,
Peter Babbington
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
We had a similar problem with one workstation on our network. The user had changed the timezone setting on their PC. Even though the clock "showed" the correct time, it was in fact set to a date/time in the past, which apparently was enough to render the SNC/kerberos ticket invalid. Setting their clock (including timezone) to the correct settings fixed the problem.
Sorry. I just check another trace file and I can see the error:
Tue Mar 27 14:51:27 2007
ERROR => SncPEstablishContext()==SNCERR_GSSAPI [sncxxall.c 3145]
GSS-API(maj): Miscellaneous Failure
GSS-API(min): SSPI returns garbage (maybe wrong target name?)
Unable to establish the security context
<<- SncProcessInput()==SNCERR_GSSAPI
ERROR => ThSncIn: SncProcessInput (SNCERR_GSSAPI) [thxxsnc.c 968]
ERROR => ThSncIn: SncProcessInput [thxxsnc.c 973]
in_ThErrHandle: 1
ERROR => ThSncIn: SncProcessInput (step 4, th_errno 44, action 1) [thxxhead.c 8324]
Regards,
Mariusz
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
Hi Marius, I'm also looking for a solution to this symptom: Have upgraded kernel and sapgui patches to latest levels, reinstated the SPN (as per ossnote 352295) with no luck. The weird thing is, SSO was working on this system for a couple of weeks before developing the symptoms below (NO CHANGES MADE).
N Fri Mar 30 11:30:41 2007
N *** ERROR => SncPEstablishContext()==SNCERR_GSSAPI [sncxxall.c 3352]
N GSS-API(maj): Miscellaneous Failure
N GSS-API(min): SSPI returns garbage (maybe wrong target name?)
N Unable to establish the security context
N <<- SncProcessInput()==SNCERR_GSSAPI
M *** ERROR => ThSncIn: SncProcessInput (SNCERR_GSSAPI) [thxxsnc.c 973]
M *** ERROR => ThSncIn: SncProcessInput [thxxsnc.c 978]
M in_ThErrHandle: 1
M *** ERROR => ThSncIn: SncProcessInput (step 4, th_errno 44, action 1, level 1) [thxxhead.c 9598]
M Entering ThSetStatError
Thank you for your response.
I have checked the trace files and it looks strange as I do not get any errors in the trace. Everything looks OK but I still get SNC errors when logging in
<i>SncInit(): found snc/data_protection/max=1, using 1 (Authentication Level)
SncInit(): found snc/data_protection/min=1, using 1 (Authentication Level)
SncInit(): found snc/data_protection/use=1, using 1 (Authentication Level)
SncInit(): found snc/gssapi_lib=C:\WINDOWS\system32\gsskrb5.dll
File "C:\WINDOWS\system32\gsskrb5.dll" dynamically loaded as GSS-API v2 library.
The internal Adapter for the loaded GSS-API mechanism identifies as:
Internal SNC-Adapter (Rev 1.0) to Kerberos 5/GSS-API v2
SncInit(): found snc/identity/as=p:SAPServiceSEQ@corp.jti.com
SncInit(): Accepting Credentials available, lifetime=Indefinite
SncInit(): Initiating Credentials available, lifetime=Indefinite SNC (Secure Network Communication) enabled
PfReadDBVersion: use compatibility mode for stat-files</i>
Please advice
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
Hi,
The Sap Note 95810 - Problem analysis when using SNC with Secude says the following about your prob. Pl check.
2.1 Error in the Security Network Layer
-
During the logon a dialog box appears:
SAP system message:
'Error in the Security Network Layer'.
In this case, a problem was recognized in the SNC layer in the application server.
The cause must be checked in the trace files of the work processes (dev_w*).
Since it cannot be said in which work process the logon was attempted, you must scan the trace files of all work processes if necessary.
Transaction ST11 displays the corresponding files sorted correponding with the last access time so that you should begin with the first file shown there.
Error scenarios which can be identified in dev_w*:
2.1.1 The signature of a certificate cannot be checked.
ERROR => SncPEstablishContext()==SNCERR_GSSAPI [sncxxall.c ....]
GSS-API(maj): A token had an invalid signature
GSS-API(min): Certification path incomplete
Unable to establish the security context
<<- SncProcessInput()==SNCERR_GSSAPI
ERROR => ThSncIn: SncProcessInput (SNCERR_GSSAPI) [thxxsnc. ....]
2.1.2 Invalid PIN
ERROR => SncPEstablishContext()==SNCERR_GSSAPI [sncxxall.c ....]
GSS-API(maj): Miscellaneous failure
GSS-API(min): Invalid PIN
Unable to establish the security context
<<- SncProcessInput()==SNCERR_GSSAPI
ERROR => ThSncIn: SncProcessInput (SNCERR_GSSAPI) [thxxsnc. ....]
Regards
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.