SSO with Kerberos for sicf services

Former Member

Dear All,

We are trying to set up SSO (Kerberos / SPNego) for our Fiori development system. With reference to the URL http://scn.sap.com/docs/DOC-50394 and the Secure Login Implementation Guide, I was able to set up SSO for SAP GUI successfully, but when I access the Fiori Launchpad (or any other HTML GUI, i.e. webgui service), the system still prompts me for a user name and password.

I also looked at the SPNego ABAP troubleshooting note (Note 1732610, point 3.2.12), but it seems irrelevant to our case as our ABAP system release is NW 7.4 SR1. Further, if I check the alternate logon procedure for the ushell service, I can select "SPNego Authentication" in the list, but it does not work.

Can anyone please advise if there are any additional steps that have to be performed for SICF services to enable SSO?

Thanks a lot..

Kind regards,

Amer.

Accepted Solutions (1)


Amer,

I currently have SSO working in a 7.4 SPS7 system. I tested the URL for the webgui with the address /sap/bc/gui/sap/its/webgui?sap-client=000 and it worked.

All I did in addition for the SPNego configuration was set the two parameters

     spnego/enable = 1

     spnego/krbspnego_lib = $(DIR_INSTANCE)/SLL/libsapcrypto.so

and execute transaction spnego to create the keytab file.

I have also found that if there are 2 users in the same ABAP client that have the same SNC Name, then single sign on will not work and you will get the logon screen.

John Heintzberger

Former Member

Hi John,

Thank you for your reply.

I have set the same parameters as well; however, the only difference is that our OS is HP-UX. So, according to page 126 of the Secure Login Implementation Guide, I have set spnego/krbspnego_lib = $(DIR_INSTANCE)/SLL/libsapcrypto.sl ... I do not have a libsapcrypto.so file in my SLL directory. Apart from this, I also checked the entries in the USRACL table for SNC entries. All user IDs have their respective SNC names and there is no duplication.

The problem is that when I test the service, the system shows the SAP screen of the ABAP system (screenshot below). There is no indication of AD credentials.

Further, when I activated the SPNego trace, I got the following entries.

SPNegoValidateToken: Calling sec_kerberos_spnego_ParseToken(...) to parse the received token value

SPNegoLib: ERROR(0xA2600214) in KERBEROS module. Function sec_kerberos_spnego_ParseToken failed: Authentication token is of type

[Kerberos sec_kerberos_spnego_ParseToken]

SPNegoLib: SPNego: Token checked successfully [Kerberos sec_kerberos_spnego_ParseToken]

SPNegoLib: SPNegoToken: TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbEdAAAADw== [Kerberos sec_kerberos_spnego_ParseToken]

SPNegoLib: InitialContextToken: NULL [Kerberos sec_kerberos_spnego_ParseToken]

SPNegoValidateToken: Error when parsing received SPNego token via sec_kerberos_spnego_ParseToken (rc=-1570766316)

   Received an NTLM token. This is not supported.

SPNegoValidateToken: Finished (rc=-62)

Look forward to your advice.

Kind regards,

Amer.


Amer,

The only other thing that comes to mind is how the Windows user ID that was used in the SPNEGO transaction to create the keytab is defined. On a few systems I forgot to add the SPN of each ABAP server to the Windows ID. The SAP GUI would work without the SPN, but SPNego would not.

Hope that helps,

John Heintzberger

Former Member

Hi Amer,

Please check point 3.2.3 "NTLM token received" of Note 1732610 and review the issues listed there.

You can also check whether you have configured the users' SNC names using transaction SU01.


KR


Valerie

Former Member

Hi John,

The SPN that I have defined is as below:

C:\Windows\system32>setspn -L SL-ABAP-FDV

Registered ServicePrincipalNames for CN=ABAP FDV,OU=Service Accounts,OU=IT,DC=xxxx,DC=com

        host/basishost.xxxx.com

        SAP/SL-ABAP-FDV

        HTTP/basishost.xxxx.com

Hope this is correct.

Kind regards,

Amer.


Amer,

The SPNs look correct to me. Just verify no other users have the same SPNs.

John

Former Member

Thanks John,

No other users have the same SPNs.

Kind regards,

Amer.

Former Member

Hi Amer,

I post my reply again:

Please check point 3.2.3 "NTLM token received" of Note 1732610 and review the issues listed there.

You can also check whether you have configured the users' SNC names using transaction SU01.


KR


Valerie

Former Member

Hi Valerie,

Thank you for your post. I checked point 3.2.3 "NTLM token received" in Note 1732610. It is exactly the problem that appears in the trace. However, going through the checks referenced in the note, I have made the following observations.

1. The local intranet site list previously had https://*.mycompany.com, but now we have explicitly defined https://basishost.mycompany.com.

2. Integrated Windows authentication is enabled in the browser.

3. We checked from another host. SSO is still not working for the service.

4. We verified that the defined SPN SL-ABAP-FDV is unique throughout the LDAP repository.

5. We also verified that our ABAP system has only one entry in DNS in both forward and reverse lookup zones.

6. My user's SNC name has been configured as p:CN=BASIS@MYCOMPANY.COM (upper case letters).

7. Below is the output of the sapgenpse command. Should we permanently add the environment variable for the user fdvadm in .login?

basishost:fdvadm 23> ./sapgenpse seclogin -l -v

**********************************************************************
**   sapgenpse WARNING:  Environment variable "USER" not defined!   **
** ---------------------------------------------------------------- **
**  Please define the USER environment variable *AND* insert        **
**  the definition into the startup script of your Unix shell,      **
**  or you may get problems accessing credentials created           **
**  through 'seclogin'!                                             **
**                                                                  **
**  Examples additions for your shell startup scripts:              **
**                                                                  **
** (sh):  if [ "$USER" = "" ];then USER="`whoami`";export USER;fi  **
**  (csh):  if ( $?USER == 0 ) setenv USER "`whoami`"               **
**                                                                  **
**  You appear to have a csh-style login shell                      **
**********************************************************************

running seclogin with USER="fdvadm"

Credentials for username 'fdvadm':

0 (LPS:OFF):

(LPS:OFF): /usr/sap/FDV/DVEBMGS00/sec/SAPSNCSKERB.pse

1 (LPS:OFF):

(LPS:OFF): /usr/sap/FDV/DVEBMGS00/sec/SAPSNCSKERB.pse

NOT readable for fdvadm

1 readable SSO-Credentials available (total 2)

basishost:fdvadm 25> setenv USER fdvadm

basishost:fdvadm 26> ./sapgenpse seclogin -l -v

running seclogin with USER="fdvadm"

Credentials for username 'fdvadm':

0 (LPS:OFF):

(LPS:OFF): /usr/sap/FDV/DVEBMGS00/sec/SAPSNCSKERB.pse

1 (LPS:OFF):

(LPS:OFF): /usr/sap/FDV/DVEBMGS00/sec/SAPSNCSKERB.pse

NOT readable for fdvadm

1 readable SSO-Credentials available (total 2)

basishost:fdvadm 27>

In addition to the above, here are my SPNego entries and the alternate logon procedures that I have defined for the service.

Kind regards,

Amer.

Former Member

Hi Amer,

Could you please enable the traces for Secure Login Library?

Create a file sectrace.ini in the "SLL" folder (where the libsapcrypto.so is located) with the following content:

  directory=%.BINDIR.%/trace

  level=4

Repeat your issue.

Trace files are placed in the subfolder "trace" of the "SLL" folder.

Please check all files which were changed while running the problematic issue.

Don't forget to remove sectrace.ini afterwards. You will have more information about your issue.

KR

Valerie

Former Member

Hi Valerie,

Just one change: our OS is HP-UX, so instead of libsapcrypto.so we have a libsapcrypto.sl file. The libsapcrypto.so file is located in /usr/sap/FDV/DVEBMGS00/sec.

I ran the trace and it generated two files with the outputs below:

File 1 - sec-dev_w1.trc

basishost:fdvadm 35> more sec-dev_w1.trc

----------------------------------------------------------------------------

Version      : 8.4.30 (Sep 25 2014)

System       : "hpux-b.11.31-ia-64"

InstDir      : "/usr/sap/FDV/DVEBMGS00/sll"

Trace file   : "/usr/sap/FDV/DVEBMGS00/sll/trace/sec-dev_w1.trc"

Trace level  : 4

Process id   : 19377

----------------------------------------------------------------------------

[YYYY.MM.DD HH:MM:SS.MIKROS][LEVEL][PROCESS             ][MODULE      ][THR_ID]

[2015.02.11 08:01:00.234602][ERROR][                    ][Kerberos    ][     1] ERROR(0xA2600214) in KERBEROS module. Function sec_kerberos_spnego_ParseToken failed: Authentication token is of type NTLM instead of SPNEGO

[2015.02.11 08:01:00.234926][TRACE][                    ][Kerberos    ][     1] SPNego: Token checked successfully

[2015.02.11 08:01:00.234958][TRACE][                    ][Kerberos    ][     1] SPNegoToken: TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbEdAAAADw==

[2015.02.11 08:01:00.234986][TRACE][                    ][Kerberos    ][     1] InitialContextToken: NULL

File 2 - sec-dev_w2.trc

basishost:fdvadm 36> more sec-dev_w2.trc

----------------------------------------------------------------------------

Version      : 8.4.30 (Sep 25 2014)

System       : "hpux-b.11.31-ia-64"

InstDir      : "/usr/sap/FDV/DVEBMGS00/sll"

Trace file   : "/usr/sap/FDV/DVEBMGS00/sll/trace/sec-dev_w2.trc"

Trace level  : 4

Process id   : 19378

----------------------------------------------------------------------------

[YYYY.MM.DD HH:MM:SS.MIKROS][LEVEL][PROCESS             ][MODULE      ][THR_ID]

[2015.02.11 08:00:00.754829][TRACE][                    ][SAPCRYPTOLIB][     1] { gss_import_sec_context

[2015.02.11 08:00:00.755132][TRACE][                    ][GSS         ][     1] Srv-80000000: Context imported

[2015.02.11 08:00:00.755159][TRACE][                    ][SAPCRYPTOLIB][     1] } gss_import_sec_context

[2015.02.11 08:00:00.755195][TRACE][                    ][SAPCRYPTOLIB][     1] { gss_unwrap

[2015.02.11 08:00:00.755265][TRACE][                    ][SAPCRYPTOLIB][     1] } gss_unwrap

[2015.02.11 08:00:00.757041][TRACE][                    ][SAPCRYPTOLIB][     1] { gss_delete_sec_context

[2015.02.11 08:00:00.757113][TRACE][                    ][SAPCRYPTOLIB][     1] } gss_delete_sec_context

[2015.02.11 08:00:00.757142][TRACE][                    ][SAPCRYPTOLIB][     1] { gss_release_buffer

[2015.02.11 08:00:00.757170][TRACE][                    ][SAPCRYPTOLIB][     1] } gss_release_buffer

[2015.02.11 08:00:57.216309][TRACE][                    ][SAPCRYPTOLIB][     1] { gss_import_sec_context

[2015.02.11 08:00:57.216401][TRACE][                    ][GSS         ][     1] Srv-80000001: Context imported

[2015.02.11 08:00:57.216428][TRACE][                    ][SAPCRYPTOLIB][     1] } gss_import_sec_context

[2015.02.11 08:00:57.216465][TRACE][                    ][SAPCRYPTOLIB][     1] { gss_unwrap

[2015.02.11 08:00:57.216522][TRACE][                    ][SAPCRYPTOLIB][     1] } gss_unwrap

[2015.02.11 08:00:57.224390][TRACE][                    ][SAPCRYPTOLIB][     1] { gss_context_time

[2015.02.11 08:00:57.224465][TRACE][                    ][SAPCRYPTOLIB][     1] } gss_context_time

[2015.02.11 08:00:57.224493][TRACE][                    ][SAPCRYPTOLIB][     1] { gss_wrap

[2015.02.11 08:00:57.224627][TRACE][                    ][SAPCRYPTOLIB][     1] } gss_wrap

[2015.02.11 08:00:57.224658][TRACE][                    ][SAPCRYPTOLIB][     1] { gss_release_buffer

[2015.02.11 08:00:57.224687][TRACE][                    ][SAPCRYPTOLIB][     1] } gss_release_buffer

[2015.02.11 08:00:57.225230][TRACE][                    ][SAPCRYPTOLIB][     1] { gss_release_buffer

[2015.02.11 08:00:57.225263][TRACE][                    ][SAPCRYPTOLIB][     1] } gss_release_buffer

[2015.02.11 08:00:57.225290][TRACE][                    ][SAPCRYPTOLIB][     1] { gss_export_sec_context

[2015.02.11 08:00:57.225352][TRACE][                    ][SAPCRYPTOLIB][     1] } gss_export_sec_context

[2015.02.11 08:00:57.225385][TRACE][                    ][SAPCRYPTOLIB][     1] { gss_release_buffer

[2015.02.11 08:00:57.225411][TRACE][                    ][SAPCRYPTOLIB][     1] } gss_release_buffer

Kind regards,

Amer.
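The "token is of type NTLM instead of SPNEGO" error in both the SPNego trace and sec-dev_w1.trc can be confirmed from the token string itself. As an added example, not code from this thread or from SAP, the Python below decodes the base64 value printed after SPNegoToken: and reports whether the browser sent a SPNEGO/Kerberos token or fell back to NTLM (which is what a client does when it could not get a Kerberos ticket for the HTTP/ SPN); the trace sample is the thread's own token re-wrapped as the terminal printed it, and the SPNEGO comparison token is constructed.

```python
import base64
import re
import struct
NTLMSSP_SIGNATURE = b"NTLMSSP\x00"
SPNEGO_OID = bytes.fromhex("06062b0601050502")      # DER OID 1.3.6.1.5.5.2 (SPNEGO)
KRB5_OID = bytes.fromhex("06092a864886f712010202")  # DER OID 1.2.840.113554.1.2.2 (Kerberos 5)
NTLMSSP_NEGOTIATE_VERSION = 0x02000000

def classify_negotiate_token(b64_token: str) -> dict:
    """Decode one base64 'Authorization: Negotiate' value and report the mechanism it carries."""
    raw = base64.b64decode(b64_token)
    if raw.startswith(NTLMSSP_SIGNATURE):
        # NTLM fallback: the browser never presented a Kerberos ticket for this SPN.
        msg_type = struct.unpack_from("<I", raw, 8)[0]
        info = {"kind": "NTLM", "message_type": msg_type}
        if msg_type == 1 and len(raw) >= 16:
            info["flags"] = struct.unpack_from("<I", raw, 12)[0]
            if info["flags"] & NTLMSSP_NEGOTIATE_VERSION and len(raw) >= 40:
                info["client_os"] = struct.unpack_from("<BBH", raw, 32)  # major, minor, build
        return info
    if raw[:1] == b"\x60":  # GSS-API InitialContextToken, tag [APPLICATION 0]
        if SPNEGO_OID in raw[:16]:
            return {"kind": "SPNEGO"}
        return {"kind": "KERBEROS" if KRB5_OID in raw[:20] else "GSSAPI-OTHER"}
    return {"kind": "UNKNOWN"}

TRACE_LINE = re.compile(r"^\[\d{4}\.\d{2}\.\d{2} [^\]]*\]")

def tokens_from_sectrace(text: str) -> list:
    """Collect every 'SPNegoToken: <base64>' from a sectrace dump, re-joining wrapped lines."""
    records, current = [], None
    for line in text.splitlines():
        if TRACE_LINE.match(line):          # a new record starts with a [timestamp]
            if current is not None:
                records.append(current)
            current = line
        elif current is not None and line.strip():
            current += line.strip()         # continuation line produced by terminal wrapping
    if current is not None:
        records.append(current)
    return [r.split("SPNegoToken:", 1)[1].strip() for r in records if "SPNegoToken:" in r]

# Constructed sample: the sec-dev_w1.trc lines that carry the token, wrapped as shown in
# the thread, plus a constructed SPNEGO NegTokenInit shell for comparison.
SAMPLE_TRACE = """[2015.02.11 08:01:00.234958][TRACE][                    ][Kerberos    ][     1] SPNegoToken: TlRMTVNTUAABAAAAl4II4gAAAAA
AAAAAAAAAAAAAAAAGAbEdAAAADw==
[2015.02.11 08:01:00.234986][TRACE][                    ][Kerberos    ][     1] InitialContextToken: NULL
"""
SAMPLE_SPNEGO = base64.b64encode(b"\x60\x0c" + SPNEGO_OID + b"\xa0\x02\x30\x00").decode()
```

Run `classify_negotiate_token(tokens_from_sectrace(SAMPLE_TRACE)[0])` to see the thread's token decode as an NTLM NEGOTIATE (type 1) message; the same check on a real sectrace file tells you quickly whether to look at the client/KDC side (NTLM seen) or at the ABAP keytab and SNC mapping (SPNEGO seen but rejected).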

Former Member

Hi Amer,


You seem to have an issue on the client. Could you check the output of the command "klist" on the client side? If you did not get a ticket for the service user you have configured for SPNego, then the issue is between your client and your AD, not between the client and your ABAP server.

You can check whether the client is in the same domain as your AD or in a subdomain. If the client is in a subdomain, you have to create a keytab using transaction SPNEGO for this subdomain too (no need to create a new service account).

KR

Valerie


Former Member

Hi Valerie,

The issue has been resolved. While the SPN for the service user SL-ABAP-FDV was indeed unique, closer analysis revealed that there was a duplicate SPN registered for our AS ABAP system (output below), which I remembered had been created while trying to configure SSO through another product some time back.

C:\Windows\system32>setspn -X

HTTP/basishost.xxxx.com is registered on these accounts:

    CN=HTTP-basishost-xxxx-com,OU=Service Principals,OU=SAP Servers,DC=xxxx,DC=com

    CN=sl-abap-fdv,OU=Service Accounts,OU=IT, DC=xxxx,DC=com


Removing the basishost-xxxx-com SPN enabled SSO to start working.

Many thanks to you and John for your advice and pointers. It is sincerely appreciated!

Kind regards,

Amer.

Note: For all who might see this post later, the command to check duplicate SPNs is setspn -X.

Answers (1)

former_member146669

Dear Amer,

I'm also having to set up SSO for Fiori.

I read through

which is quite helpful.

However, I still have some questions about the setup. Could you help to answer them if you can?

My landscape:

Frontend server (SAP gateway)  (ABAP only?) --> ERP 6.07 (ABAP)

1. So both servers are in the same network with the users' Windows domain, so it is an intranet scenario.

     Then I can use SPNEGO, right?

     But does it mean I have to install a Java + ABAP frontend server (SAP Gateway)? Or can I use ABAP only for the Gateway server?

   (I did SPNEGO SSO before for other landscapes, but all of them involved Portal (Java).)

2. How about SSO between Gateway <---> ERP?

3. So should the user mapping be Windows user mapped to Gateway SAP user, or/and to ERP SAP user?

Sorry, and I hope my explanation is clear enough... please advise.

Thank you.

Gary