Using Kerberos for SNC with Users in Different Domains

0 Kudos

Dear All,

In chapter "4.7.3.1.6 Using Kerberos for SNC with Users in Different Domains" of the SAP SSO Implementation guide it is mentioned that it might also be possible to set up SNC for users in different domains without having a trust relationship for the different domains.

"Since it is not so easy to configure trust relationship for different domains, the Secure Login Library also supports another option."

  1. Is the CommonCryptoLib really supporting SNC for different domains without a trust?
  2. Where can I get further information for this option?

BASIC PARAMETERS:

CommonCryptoLib (SAPCRYPTOLIB) Version 8.4.30 pl40

SAP GUI 7.30 PL 10 used on Windows 7 Client for testing

We are currently getting errors when trying to use SNC in another domain which has no trust to the main domain. That's the reason for this post.

I have attached the trace file of the secure login client.

Thanks & Best Regards

Matthias

Accepted Solutions (0)

Answers (3)

0 Kudos

Dear All,

I was able to get this fixed - I have created an SAP incident and they were able to help me.

With the config mentioned in the incident SSO & SNC are working fine.


Dear customer,

You can use SNC Client Encryption with multiple domains. For each domain you may configure the same Service Account with an SPN in AD, e.g.

SAPServiceABC and SAP/SAPServiceABC for domainA
SAPServiceABC and SAP/SAPServiceABC for domainB
...

On ABAP side you should create/import the keytab for each domain.

In the parameter snc/identity/as you should either enter the UPN of one domain or the loginID of your Service Account, e.g. SAPServiceABC or SAPServiceABC@domainA

On your client workstation enter the SPN without domain as Server SNC Name in SAP GUI configuration, e.g. SAP/SAPServiceABC

Best Regards

Matthias

0 Kudos

Hi Matthias,

I realize this is an old topic, but I have a question regarding the last bit:

On your client workstation enter the SPN without domain as Server SNC
Name in SAP GUI configuration
e.g. SAP/SAPServiceABC

What exactly does SAP mean by this?
The SPN is defined only in the AD Service Account (and we later can check it in SPNEGO, viewing the installed keytab Service Principal Names).
In SAP GUI we can only define the SNC Name of the server we're connecting to, not the SPN.
Can you clarify this?

Also, what should the user's SNC Name be configured like in SU01?
e.g.: DomainA user -> SNC Name: JOHN@DOMAINA
DomainB user -> SNC Name: JACK@DOMAINB

Kind regards,
tao

Former Member
0 Kudos

Matthias,

Were you able to get this fixed?

Sid

Former Member
0 Kudos

Hi Matthias,

From the trace file provided I could see that your issue happens because your client workstation did not get a ticket from the AD. Could you check if:

- You configured the SPN of your system account as Server SNC Name in SAP GUI configuration and not the UPN.

- The SPN exists in AD, with the command "setspn -Q <your SPN>", e.g. setspn -Q SAP/ABCD. This command should be run in your ADS.

- The SPN you configured in SAP GUI with @DOMAIN is the domain of your client workstation. You can use the command "klist" on your client workstation to check all Kerberos tickets provided.

KR

Valerie
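The two checks Valerie describes (SPN present in AD, service ticket present on the client) applied to the multi-domain setup from the SAP incident above, as an added verification script that is not from the thread's authors or from SAP. It assumes the names used in the thread (service account SAPServiceABC, SPN SAP/SAPServiceABC, domains domainA and domainB) and is run on the Windows client as the logged-on user.

```powershell
# Added verification script (not from the SAP incident or the thread's authors).
# Assumed names from the thread: SPN SAP/SAPServiceABC, domains domainA and domainB.
# Run on the client workstation; setspn.exe needs the RSAT AD tools, klist.exe is built in.

$Spn     = 'SAP/SAPServiceABC'        # Server SNC Name entered in SAP GUI (no @domain)
$Domains = @('domainA', 'domainB')    # every domain whose users must get an SNC ticket

# 1. The same SPN must be registered on the service account in each domain,
#    otherwise that domain's KDC cannot issue a ticket for it (setspn -T <domain> -Q <spn>).
$spnOk = $true
foreach ($d in $Domains) {
    $out = & setspn.exe -T $d -Q $Spn 2>&1
    if (($out -join "`n") -match 'Existing SPN found') {
        Write-Host "[OK]      $Spn is registered in $d"
    } else {
        $spnOk = $false
        Write-Warning "[MISSING] $Spn not found in $d - users of $d cannot obtain a ticket"
    }
}

# 2. After an SNC logon attempt the client cache must hold a service ticket for the SPN.
#    klist prints each ticket with a line of the form 'Server: SAP/SAPServiceABC @ DOMAINA'.
$tickets = foreach ($line in (& klist.exe 2>&1)) {
    if ($line -match '^\s*Server:\s*(\S+)\s*@\s*(\S+)') {
        [pscustomobject]@{ Spn = $Matches[1]; Realm = $Matches[2] }
    }
}

$have = @($tickets | Where-Object { $_.Spn -ieq $Spn })
if ($have.Count -gt 0) {
    $have | ForEach-Object { Write-Host "[OK]      ticket for $($_.Spn) issued by realm $($_.Realm)" }
} else {
    Write-Warning "No service ticket for $Spn in the cache - this matches the trace symptom in the thread"
}

# Exit code 0 only when the SPN exists in all domains and a ticket is cached.
if ($spnOk -and $have.Count -gt 0) { exit 0 } else { exit 1 }
```

If the SPN check passes in every domain but no ticket appears, the Server SNC Name in SAP GUI is the next thing to compare against the SPN, since the ticket is requested for exactly the name entered there.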