on 10-31-2014 7:37 AM
Dear All,
In chapter "4.7.3.1.6 Using Kerberos for SNC with Users in Different
Domains" of the SAP SSO Implementation guide it is mentioned that it
might also be possible to setup SNC for users in different domains
without having a trust relationship for the different domains.
"Since it is not so easy to configure trust relationship for different
domains, the Secure Login Library also supports another option."
BASIC PARAMETERS:
CommonCryptoLib (SAPCRYPTOLIB) Version 8.4.30 pl40
SAP GUI 7.30 PL 10 used on Windows 7 Client for testing
We are currently getting errors when trying to use SNC in another domain which has no trust to the main domain. That's the reason for this post.
I have attached the trace file of the secure login client.
Thanks & Best Regards
Matthias
Dear All,
I was able to get this fixed - I have created an SAP incident and they were able to help me.
With the config mentioned in the incident SSO & SNC are working fine.
Dear customer,
You can use SNC Client Encryption with multiple domains. For each
domain you may configure the same Service Account with an SPN in AD
e.g. SAPServiceABC and SAP/SAPServiceABC for domainA
SAPServiceABC and SAP/SAPServiceABC for domainB
...
On ABAP side you should create/import the keytab for each domain.
In the parameter snc/identity/as you should either enter the UPN of
one domain or the loginID of your Service Account
e.g. SAPServiceABC or SAPServiceABC@domainA
On your client workstation enter the SPN without domain as Server SNC
Name in SAP GUI configuration
e.g. SAP/SAPServiceABC
Best Regards
Matthias
Hi Matthias,
I realize this is an old topic, but I have a question regarding the last bit:
On your client workstation enter the SPN without domain as Server SNC
Name in SAP GUI configuration
e.g. SAP/SAPServiceABC
What exactly does SAP mean by this?
The SPN is defined only in the AD Service Account (and we later can check it in SPNEGO, viewing the installed keytab Service Principal Names).
In SAP GUI we can only define the SNC Name of the server we're connecting to, not the SPN.
Can you clarify this?
Also, what should the user's SNC Name be configured like in SU01?
e.g.: DomainA user -> SNC Name: JOHN@DOMAINA
DomainB user -> SNC Name: JACK@DOMAINB
Kind regards,
tao
Matthias,
Were you able to get this fixed?
Sid
Hi Matthias,
From the trace file provided I could see that your issue happens because your client workstation did not get a ticket from the AD. Could you check:
- That you configured the SPN of your system account as server SNC Name in the SAP GUI configuration, and not the UPN.
- That the SPN exists in AD, with the command "setspn -Q <your SPN>", e.g. setspn -Q SAP/ABCD. This command should be run on your ADS.
- That the @DOMAIN part of the SPN you configured in SAP GUI is the domain of your client workstation. You can use the command "klist" on your client workstation to check all Kerberos tickets provided.
KR
Valerie
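The two checks Valerie lists (SPN registered in AD, workstation holding a Kerberos service ticket for it) as a small PowerShell diagnostic. This is an added example, not code from the thread or from SAP; the SPN value follows the thread's example and the realm in $ExpectedRealm is an assumption you replace with your own.

```powershell
# Added diagnostic, not from the thread. Checks (1) the SPN is registered in AD and
# (2) this workstation holds a Kerberos service ticket for it, as Valerie suggests.
# Assumed values: SPN 'SAP/SAPServiceABC' (thread example) and realm 'DOMAINA.LOCAL'.
# Requires setspn.exe (AD DS tools) and klist.exe on the machine where it runs.
param(
    [string]$Spn           = 'SAP/SAPServiceABC',   # server SNC name as typed in SAP GUI, without @DOMAIN
    [string]$ExpectedRealm = 'DOMAINA.LOCAL'        # assumed: Kerberos realm of this client workstation
)

function Test-SpnRegistered {
    param([string]$Spn)
    # setspn -Q searches the forest and prints "Existing SPN found!" on a hit,
    # "No such SPN found." otherwise. Run where the AD tools are installed (e.g. a DC).
    $out = (& setspn.exe -Q $Spn 2>&1) | Out-String
    return ($out -match 'Existing SPN found')
}

function Get-ServiceTicketRealm {
    param([string]$Spn)
    # klist prints cached tickets as "Server: <spn> @ <REALM>"; return the realm, or $null.
    $out = (& klist.exe 2>&1) | Out-String
    $pattern = "Server:\s*$([regex]::Escape($Spn))\s*@\s*(\S+)"
    $m = [regex]::Match($out, $pattern, 'IgnoreCase')
    if ($m.Success) { return $m.Groups[1].Value } else { return $null }
}

if (Test-SpnRegistered -Spn $Spn) {
    Write-Host "OK   : SPN '$Spn' is registered in AD"
} else {
    Write-Host "FAIL : SPN '$Spn' not found in AD; check the SPNs on the service account"
}

$realm = Get-ServiceTicketRealm -Spn $Spn
if (-not $realm) {
    Write-Host "FAIL : no Kerberos service ticket for '$Spn' in the cache; the client did not get a ticket"
} elseif ($realm -ne $ExpectedRealm) {
    Write-Host "WARN : ticket for '$Spn' was issued by realm '$realm', not this workstation's '$ExpectedRealm'"
} else {
    Write-Host "OK   : service ticket for '$Spn' held from realm '$realm'"
}
```

Run the ticket check right after an SAP GUI logon attempt, since the service ticket only appears in the cache once the client has tried to obtain it.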