- SAP Community
- Products and Technology
- Additional Q&A
- Problem with SNC configuration
- Subscribe to RSS Feed
- Mark Question as New
- Mark Question as Read
- Bookmark
- Subscribe
- Printer Friendly Page
- Report Inappropriate Content
Problem with SNC configuration
- Subscribe to RSS Feed
- Mark Question as New
- Mark Question as Read
- Bookmark
- Subscribe
- Printer Friendly Page
- Report Inappropriate Content
on 03-26-2007 12:11 PM
We Gui SNC configured for almost 10 system and it works. Now we want to configure it for a new one and unfortunately it works.
We have checked the config:
- parameters in RZ10
- existence of Kerberos dll in /windows/system32
- active directory settings for a SAPServiceSID user
- advance setting in saplogon
All looks fine but yet when we try to connect we get:
SAP System message: Secure Network Layer (SNC) error
Please help
Accepted Solutions (0)
Answers (5)
Answers (5)
- Mark as New
- Bookmark
- Subscribe
- Subscribe to RSS Feed
- Report Inappropriate Content
Hello,
To update this Post to (sncxxall.c)
you can replace in C:\Windows\SysWOW64 the faulty file sncgss32.dll by another original one
Cheers !
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
- Mark as New
- Bookmark
- Subscribe
- Subscribe to RSS Feed
- Report Inappropriate Content
Hi Mariusz,
After trying a thousand red herrings, my colleague (cheers Marky) discovered a the solution. solved our problem by starting the "Windows Time" service on host.
http://www.microsoft.com/windows2000/docs/wintimeserv.doc
...
The Windows® 2000 operating system implements Kerberos V5 as the primary protocol for network authentication. One requirement of the protocol is that system clocks must be synchronized. To achieve the degree of clock synchronization that Kerberos authentication requires, Windows 2000 implements the Windows Time service (or W32Time).
I hope this is of help to every/anyone.
Kind Regards,
Peter Babbington
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
- Mark as New
- Bookmark
- Subscribe
- Subscribe to RSS Feed
- Report Inappropriate Content
We had a similar problem with one workstation on our network. The user had changed the timezone setting on their PC. Even though the clock "showed" the correct time, it was in fact set to a date/time in the past, which apparently was enough to render the SNC/kerberos ticket invalid. Setting their clock (including timezone) to the correct settings fixed the problem.
- Mark as New
- Bookmark
- Subscribe
- Subscribe to RSS Feed
- Report Inappropriate Content
- Mark as New
- Bookmark
- Subscribe
- Subscribe to RSS Feed
- Report Inappropriate Content
- Mark as New
- Bookmark
- Subscribe
- Subscribe to RSS Feed
- Report Inappropriate Content
- Mark as New
- Bookmark
- Subscribe
- Subscribe to RSS Feed
- Report Inappropriate Content
Sorry. I just check another trace file and I can see the error:
Tue Mar 27 14:51:27 2007
ERROR => SncPEstablishContext()==SNCERR_GSSAPI [sncxxall.c 3145]
GSS-API(maj): Miscellaneous Failure
GSS-API(min): SSPI returns garbage (maybe wrong target name?)
Unable to establish the security context
<<- SncProcessInput()==SNCERR_GSSAPI
ERROR => ThSncIn: SncProcessInput (SNCERR_GSSAPI) [thxxsnc.c 968]
ERROR => ThSncIn: SncProcessInput [thxxsnc.c 973]
in_ThErrHandle: 1
ERROR => ThSncIn: SncProcessInput (step 4, th_errno 44, action 1) [thxxhead.c 8324]
Regards,
Mariusz
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
- Mark as New
- Bookmark
- Subscribe
- Subscribe to RSS Feed
- Report Inappropriate Content
Hi Marius, I'm also looking for a solution to this symptom: Have upgraded kernel and sapgui patches to latest levels, reinstated the SPN (as per ossnote 352295) with no luck. The weird thing is, SSO was working on this system for a couple of weeks before developing the symptoms below (NO CHANGES MADE).
N Fri Mar 30 11:30:41 2007
N *** ERROR => SncPEstablishContext()==SNCERR_GSSAPI [sncxxall.c 3352]
N GSS-API(maj): Miscellaneous Failure
N GSS-API(min): SSPI returns garbage (maybe wrong target name?)
N Unable to establish the security context
N <<- SncProcessInput()==SNCERR_GSSAPI
M *** ERROR => ThSncIn: SncProcessInput (SNCERR_GSSAPI) [thxxsnc.c 973]
M *** ERROR => ThSncIn: SncProcessInput [thxxsnc.c 978]
M in_ThErrHandle: 1
M *** ERROR => ThSncIn: SncProcessInput (step 4, th_errno 44, action 1, level 1) [thxxhead.c 9598]
M Entering ThSetStatError
- Mark as New
- Bookmark
- Subscribe
- Subscribe to RSS Feed
- Report Inappropriate Content
- Mark as New
- Bookmark
- Subscribe
- Subscribe to RSS Feed
- Report Inappropriate Content
Thank you for your response.
I have checked the trace files and it looks strange as I do not get any errors in the trace. Everything looks OK but I still get SNC errors when logging in
<i>SncInit(): found snc/data_protection/max=1, using 1 (Authentication Level)
SncInit(): found snc/data_protection/min=1, using 1 (Authentication Level)
SncInit(): found snc/data_protection/use=1, using 1 (Authentication Level)
SncInit(): found snc/gssapi_lib=C:\WINDOWS\system32\gsskrb5.dll
File "C:\WINDOWS\system32\gsskrb5.dll" dynamically loaded as GSS-API v2 library.
The internal Adapter for the loaded GSS-API mechanism identifies as:
Internal SNC-Adapter (Rev 1.0) to Kerberos 5/GSS-API v2
SncInit(): found snc/identity/as=p:SAPServiceSEQ@corp.jti.com
SncInit(): Accepting Credentials available, lifetime=Indefinite
SncInit(): Initiating Credentials available, lifetime=Indefinite SNC (Secure Network Communication) enabled
PfReadDBVersion: use compatibility mode for stat-files</i>
Please advice
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
- Mark as New
- Bookmark
- Subscribe
- Subscribe to RSS Feed
- Report Inappropriate Content
Hi,
The Sap Note 95810 - Problem analysis when using SNC with Secude says the following about your prob. Pl check.
2.1 Error in the Security Network Layer
-
During the logon a dialog box appears:
SAP system message:
'Error in the Security Network Layer'.
In this case, a problem was recognized in the SNC layer in the application server.
The cause must be checked in the trace files of the work processes (dev_w*).
Since it cannot be said in which work process the logon was attempted, you must scan the trace files of all work processes if necessary.
Transaction ST11 displays the corresponding files sorted correponding with the last access time so that you should begin with the first file shown there.
Error scenarios which can be identified in dev_w*:
2.1.1 The signature of a certificate cannot be checked.
ERROR => SncPEstablishContext()==SNCERR_GSSAPI [sncxxall.c ....]
GSS-API(maj): A token had an invalid signature
GSS-API(min): Certification path incomplete
Unable to establish the security context
<<- SncProcessInput()==SNCERR_GSSAPI
ERROR => ThSncIn: SncProcessInput (SNCERR_GSSAPI) [thxxsnc. ....]
2.1.2 Invalid PIN
ERROR => SncPEstablishContext()==SNCERR_GSSAPI [sncxxall.c ....]
GSS-API(maj): Miscellaneous failure
GSS-API(min): Invalid PIN
Unable to establish the security context
<<- SncProcessInput()==SNCERR_GSSAPI
ERROR => ThSncIn: SncProcessInput (SNCERR_GSSAPI) [thxxsnc. ....]
Regards
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
- Manage Supply Shortage and Excess Supply with MRP Material Coverage Apps in Enterprise Resource Planning Blogs by SAP
- 10+ ways to reshape your SAP landscape with SAP Business Technology Platform – Blog 4 in Technology Blogs by SAP
- Integrate an external task system to Cloud ALM. in Technology Q&A
- Quick Start guide for PLM system integration 3.0 Implementation in Product Lifecycle Management Blogs by SAP
- Unable to configure SAP CC Catalog webservice for the 2023 version in Financial Management Q&A
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.