SSO2.0 SP4 Kerberos token - different domain setup issue

Former Member
0 Kudos


Hello,

We are trying to set up SAPGUI SSO using SAP NetWeaver SSO 2.0 SP4 based on Kerberos tokens. Our SAP system is hosted in a cloud and we have created a service user SL-ABAP-ED1 in the domain "abc.xyz.domainA.com". The SPN has also been registered and can be viewed as SAP/SL-ABAP-ED1. Our users are trying to log in to SAPGUI installed on a Win 2012R2 terminal server. We have installed Secure Login Client 2.0 SP4 on the terminal server. For the end user, we can see the Kerberos token in the Secure Login Client profiles as firstname.lastname@domainB.org. There is no domain trust between domain.com and domainB.org, as we have been told that when using SSO2, trust is not required between different domains.

On the server, the keytab has been created:

    Version  Time stamp                 KeyType   Kerberos name

          1  Wed Nov 26 17:14:47 2014   DES       SL-ABAP-ED1@abc.xyz.domainA.com
          1  Wed Nov 26 17:14:47 2014   AES128    SL-ABAP-ED1@abc.xyz.domainA.com
          1  Wed Nov 26 17:14:47 2014   AES256    SL-ABAP-ED1@abc.xyz.domainA.com
          1  Wed Nov 26 17:14:47 2014   RC4       SL-ABAP-ED1@abc.xyz.domainA.com

T:\usr\sap\ED1\DVEBMGS00\SLL>sapgenpse seclogin -l -O domainA\SAPServiceED1
running seclogin with USER="ed1adm"
listing credentials for user "domain\SAPServiceED1" ...

0 (LPS:OFF):
         (LPS:OFF): T:\usr\sap\ED1\DVEBMGS00\Sec\SAPSNCSKERB.pse


1 readable SSO-Credentials available

In the profiles, we have the parameter snc/identity/as = p:CN=SL-ABAP-ED1

In the SAPGUI, we have enabled the SNC option and the SNC name is p:CN=SL-ABAP-ED1@abc.xyz.domainA.com. Here we have tried all the different combinations: p:CN=SL-ABAP-ED1, p:CN=SAP/SL-ABAP-ED1, p:CN=SAP/SL-ABAP-ED1@abc.xyz.domainA.com. None of them works.

Every time we get the same error message:

"GSS-API(mai): No credentials were supplied. Unable to establish the security context target= "p:CN=SL-ABAP-ED1" Error in SNC

In the Secure Login Client trace files, we see the following errors:

[2014.11.26 20:16:07.376000][WARN ][sbus.exe            ][Kerberos    ][  4732] Getting kerberos ticket for 'SL-ABAP-ED1@abc.xyz.domainA.com' with algorithm 18 returned error
[2014.11.26 20:16:07.376000][WARN ][sbus.exe            ][Kerberos    ][  4732]     0/C000018B The security database on the server does not have a computer account for this workstation trust relationship.
[2014.11.26 20:16:07.377000][WARN ][sbus.exe            ][Kerberos    ][  4732] Getting kerberos ticket for 'SL-ABAP-ED1@abc.xyz.domainA.com' with algorithm 17 returned error
[2014.11.26 20:16:07.377000][WARN ][sbus.exe            ][Kerberos    ][  4732]     0/C000018B The security database on the server does not have a computer account for this workstation trust relationship.
[2014.11.26 20:16:07.378000][WARN ][sbus.exe            ][Kerberos    ][  4732] Getting kerberos ticket for 'SL-ABAP-ED1@abc.xyz.domainA.com' with algorithm 23 returned error
[2014.11.26 20:16:07.378000][WARN ][sbus.exe            ][Kerberos    ][  4732]     0/C000018B The security database on the server does not have a computer account for this workstation trust relationship.
[2014.11.26 20:16:07.378000][WARN ][sbus.exe            ][Kerberos    ][  4732] Getting kerberos ticket for 'SL-ABAP-ED1@abc.xyz.domainA.com' with algorithm  3 returned error
[2014.11.26 20:16:07.378000][WARN ][sbus.exe            ][Kerberos    ][  4732]     0/C000018B The security database on the server does not have a computer account for this workstation trust relationship.
[2014.11.26 20:16:07.379000][WARN ][sbus.exe            ][Kerberos    ][  4732] Getting kerberos ticket for 'SL-ABAP-ED1@abc.xyz.domainA.com' failed (user name is Firstname.Lastname@domainB.org)
[2014.11.26 20:16:07.379000][TRACE][sbus.exe            ][sbus.dll    ][  4732] } 80004005

In another trace file, we have the following messages:

[2014.11.26 20:16:07.379000][TRACE][saplogon.exe        ][sbusps.dll  ][  4164] { PSEProxy::getOwnCertificate
[2014.11.26 20:16:07.379000][TRACE][saplogon.exe        ][sbusps.dll  ][  4164] }        0
[2014.11.26 20:16:07.379000][TRACE][saplogon.exe        ][sbusps.dll  ][  4164] { PSEProxy::getOwnCertificate
[2014.11.26 20:16:07.379000][TRACE][saplogon.exe        ][sbusps.dll  ][  4164] }        0
[2014.11.26 20:16:07.379000][INFO ][saplogon.exe        ][GSS         ][  4164] Cli-40000000: No own key found
[2014.11.26 20:16:07.379000][ERROR][saplogon.exe        ][GSS         ][  4164] Have no certificate and got no kerberos ticket
[2014.11.26 20:16:07.379000][ERROR][saplogon.exe        ][GSS         ][  4164] Cli-40000000: --> Msg ClientHello         create  failed : errval=70000, minor_status=0

Can someone provide any information as to what is missing?

Thanks & regards,

Sid
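As an added diagnostic that is not part of the original thread, the following Python script parses Secure Login Client trace lines in the format quoted above (a constructed sample taken from the post), extracts the requested service principal, the user principal, the encryption types tried and the NTSTATUS code, and flags that the client's realm (domainB.org) differs from the service's realm (abc.xyz.domainA.com), which is the condition the trace describes. The line format and the NTSTATUS name mapping are assumptions about what these tools emit.

```python
import re

# Constructed sample: a subset of the Secure Login Client trace lines from the post.
SAMPLE_TRACE = """\
[2014.11.26 20:16:07.376000][WARN ][sbus.exe            ][Kerberos    ][  4732] Getting kerberos ticket for 'SL-ABAP-ED1@abc.xyz.domainA.com' with algorithm 18 returned error
[2014.11.26 20:16:07.376000][WARN ][sbus.exe            ][Kerberos    ][  4732]     0/C000018B The security database on the server does not have a computer account for this workstation trust relationship.
[2014.11.26 20:16:07.377000][WARN ][sbus.exe            ][Kerberos    ][  4732] Getting kerberos ticket for 'SL-ABAP-ED1@abc.xyz.domainA.com' with algorithm 17 returned error
[2014.11.26 20:16:07.377000][WARN ][sbus.exe            ][Kerberos    ][  4732]     0/C000018B The security database on the server does not have a computer account for this workstation trust relationship.
[2014.11.26 20:16:07.379000][WARN ][sbus.exe            ][Kerberos    ][  4732] Getting kerberos ticket for 'SL-ABAP-ED1@abc.xyz.domainA.com' failed (user name is Firstname.Lastname@domainB.org)
[2014.11.26 20:16:07.379000][ERROR][saplogon.exe        ][GSS         ][  4164] Have no certificate and got no kerberos ticket
"""

# Assumed trace layout: [timestamp][level][process][component][thread] message
LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\]\[(?P<level>[^\]]*)\]\[(?P<proc>[^\]]*)\]"
                     r"\[(?P<comp>[^\]]*)\]\[\s*(?P<tid>\d+)\]\s*(?P<msg>.*)$")
ATTEMPT_RE = re.compile(r"Getting kerberos ticket for '(?P<spn>[^']+)' with algorithm\s*(?P<etype>\d+) returned error")
STATUS_RE = re.compile(r"^0/(?P<code>[0-9A-Fa-f]{8})\s")
FAILED_RE = re.compile(r"Getting kerberos ticket for '(?P<spn>[^']+)' failed \(user name is (?P<user>[^)]+)\)")

# NTSTATUS value seen in the trace; 0xC000018B is STATUS_NO_TRUST_SAM_ACCOUNT (Windows constant).
KNOWN_STATUS = {"C000018B": "STATUS_NO_TRUST_SAM_ACCOUNT"}

def parse_line(line):
    """Split one trace line into its bracketed fields; None if it does not match."""
    m = LINE_RE.match(line)
    return {k: v.strip() for k, v in m.groupdict().items()} if m else None

def diagnose(trace_text):
    """Summarise the Kerberos component's ticket request: target SPN, client user,
    etypes that failed, NTSTATUS codes, and whether client and service realms differ
    (without a trust, the client KDC cannot issue a service ticket for a foreign realm)."""
    result = {"spn": None, "user": None, "etypes_failed": [], "status_codes": set()}
    for raw in trace_text.splitlines():
        rec = parse_line(raw)
        if not rec or rec["comp"] != "Kerberos":
            continue  # only the Kerberos component carries the ticket request
        msg = rec["msg"]
        if (m := ATTEMPT_RE.search(msg)):
            result["spn"] = m["spn"]
            result["etypes_failed"].append(int(m["etype"]))
        elif (m := STATUS_RE.match(msg)):
            result["status_codes"].add(m["code"].upper())
        elif (m := FAILED_RE.search(msg)):
            result["spn"], result["user"] = m["spn"], m["user"]
    service_realm = result["spn"].rsplit("@", 1)[-1].lower() if result["spn"] else None
    client_realm = result["user"].rsplit("@", 1)[-1].lower() if result["user"] else None
    result["status_names"] = sorted(KNOWN_STATUS.get(c, "unknown") for c in result["status_codes"])
    result["cross_realm"] = bool(service_realm and client_realm and service_realm != client_realm)
    return result
```

Running `diagnose(SAMPLE_TRACE)` reports the SPN in abc.xyz.domainA.com, the user in domainB.org, etypes 18 and 17 failed, and `cross_realm` set, which points at the missing trust or per-domain keytab rather than at the SNC name in SAPGUI.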

Accepted Solutions (1)

Former Member
0 Kudos

Hi Sid,

You have an issue with the communication between your client workstation and your AD. Could you please verify the following configuration:

On your client workstation, check the output of the command "klist". All service accounts are listed and you can verify that the domain you are using is the domain you have configured.

On your AD, check the output of the command "setspn -Q SAP/SL-ABAP-ED1".

This command checks whether the SPN exists and whether there are duplicates.

Btw, you have to configure the keytab on your ABAP server for each non-trusted domain.

KR

Valerie

Answers (1)

Aleksandr
Participant
0 Kudos

Hello.

How did you solve the issue?