cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

"GSS-API(maj): No credential were supplied"

Go to solution
Former Member

on ‎11-07-2014 6:44 AM

0 Kudos

Hi all,

We are making a proof of concept on SSO on ABAP (SAP-GUI + web) via SAP Secure Login Client and SPNEGO for ABAP.

All youtube-video configrations have been performed . You know: Implementing SAP NetWeaver Single Sign-On 2.0 Based on Kerberos Tokens 2/4 - YouTube (and so on ).

When I try to logon on via SAP-GUI I get a: "GSS-API(maj): No credential were supplied Unable to establish the security context target="p:CN=SL-service-user@xyz.com"

The SNCAX_TEST programs works fine on the above service-user (defined in SPNEGO).

Service-user defined in SAP-GUI (SNC)

The end user in SU01 has been updated on SNC with the token name from the SAP Secure Login Client

Method: SncPEstablishContext

System call gss_init_sec_context

I have looked into SAP notes (error codes etc.) + googling this and other comminties without luck .

All your input/help is very welcome.

Thanks in advance

Peter

Show replies
Show replies
Answer

Accepted Solutions (1)

Accepted Solutions (1)

Former Member
‎11-07-2014 8:39 AM
0 Kudos

Hi Peter,

To have more information about your issue you should configure the trace in Secure Login Client. Please check the implementation guide here http://help.sap.com/download/sapsso/secure_login_impl_guide_en.pdf chapter 2.6.9 Tracing Secure Login Client.

Activate the Developer Traces and repeat your issue.

You can also check if the Server SNC Name configured in SAP GUI is the SPN of your Service Account in AD.

You can check if you get a kerberos ticket from your AD wiht the command "klist" in your client workstation.

KR

Valerie

Show replies
Show replies
Former Member
‎11-07-2014 10:15 AM
0 Kudos

We get a "Security database on the server does not have a computer account for this relationship of trust..." - our IO guys are looking into domain problems.

Do you know if all have to be in same domain?

Former Member
‎11-07-2014 10:30 AM
0 Kudos

Hi Peter,

Please check this discussion:

It looks like you have either

- SPN duplicate in your AD =>Check your AD with the command "setspn -Q "your SPN"

or

-your did not configure the SPN as SNC Name in your SAP GUI connection data

or

- No SPN exists for this Service account

KR

Valerie

Answers (1)

Answers (1)

Former Member
‎11-12-2014 9:02 AM
0 Kudos

Just to recap - we had som domain name issue.

When resolved our SSO for ABAP now works like a charm :-).

Thanks for your input.

Show replies
Show replies
Former Member
‎11-27-2014 4:11 AM
0 Kudos

Hello Peter,

Was your SAP system installed in a domain that was different than from where end users were logging in? If yes, did you have domain trust setup between these domains? The reason I ask is because I am facing a very similar error. My scenario is two separate domains with no domain trust. Any help would be greatly appreciated.

Sid

Former Member
‎11-27-2014 7:33 AM
0 Kudos

Hi Sid,

The report SNCAX_TEST (see note 2010613) helped solving my issue.

Please make sure that this report runs ok with the correct User Principal given from the SPNEGO setup.

/Peter Michael

Ask a Question