Error while connecting via SSO using SNC parameter...

former_member197445 · ‎03-10-2015

Our SAP systems at my company are not SSO. But we have recently developed quite a few ASP.NET web applications that use the SAP .NET Connector to read and write data into and out of SAP. We would really like to have these transactions be executed by each user using their own SAP login. I know we need to use RfcCustomDestniation, but we'd rather not force users to login.

Tried doing a unit test setting these parameters:

Dim newDest As RfcCustomDestination = ECCConnection.CreateCustomDestination()

newDest.SncMode = "1"

newDest.SncPartnerName = "p:CN=SAPServiceS71"

newDest.Client = "001"

newDest.SncMyName = "p:CN=USERXYZ@AD.COMPANY.COM"

Couldn’t find the sap crypto library since it was looking in Program Files (x86) instead of plain Program files. So I added this:

newDest.SncLibraryPath = "C:\Program Files\SAP\FrontEnd\SecureLogin\lib\sapcrypto.dll"

Now I hit a new road block. Error during SncPDInit. No specific error message is given other than --

STOP! -- initial call to gss_indicate_mechs()

Any insights? Is my 64-bit machine a problem? I'm only guessing that because the SncLibraryPath was pointed at the 32-bit library in my Environment Variables, but my web app is 64-bit using 64-bit connector.

former_member197445 · ‎03-10-2015

Full error below:

LOCATION CPIC (TCP/IP) on local host with Unicode

ERROR GSS-API(maj):

STOP! -- initial call to gss_indicate_mechs() failed

TIME Tue Mar 10 10:41:22 2015

RELEASE 720

COMPONENT SNC (Secure Network Communication)

VERSION 6

RC -1

MODULE sncxxdl.c

LINE 578

DETAIL SncPDLInit

SYSTEM CALL gss_indicate_mechs

COUNTER 2

Former Member · ‎03-12-2015

Hello,

Just to confirm, is your SAP system configured for SNC SSO or not?

Thanks

Shaik

former_member197445 · ‎03-13-2015

I have a single instance in our non-production environment that has SSO set up. We are trying to develop a proof of concept before moving forward with SSO.

Former Member · ‎10-28-2015

Hello,

I am trying to achieve the same thing and have the exact same error as you do. Could you please indicate if you solved your problem ?

I am trying to login with SSO to our SAP server. We already have a working SSO configuration using SAP GUI. I am using the v3 of the .Net connector in 64bits. My app is only made for x64 architecture (desktop app, not ASP). Logging manually works fine. My parameters are correct (SncMode,SncPartnerName,Client,SncMyName and SncLibraryPath)

Hint : Architecture doesn't seem to be a problem, I am pointing to the same directory as you, and it is indeed the 64bit version of sapcrypto.dll. If I change the path to the x86 Program Files dir, I get an error saying "Error 193 = "C:\Program Files (x86)\SAP\FrontEnd\SecureLogin\lib\sapcrypto.dll is not a valid Win32 application".

One other thing, on the SAP server side, tech tells me that we are indeed using Kerberos for SSO.

tim_alsop · ‎10-28-2015

Please check my comment below, dated Mar 16, 2015 2:58 PM. I suspect this is the reason for your problem.

Thanks

Tim

tim_alsop · ‎10-28-2015


Frederic Wojnarowski wrote:


One other thing, on the SAP server side, tech tells me that we are indeed using Kerberos for SSO.

The SAP Cryptolib which is free for use only supports x.509 certificates. The SAP Cryotlib that is included with the licensed SAP SSO product only supports using Kerberos for Client -> Server (e.g. SAP GUI --> SAP ABAP) and not for applications like .net Servers. This is why you are getting the error in gss_indicate_mechs()

Former Member · ‎10-29-2015

Thanks for your help, but I am not trying to create a .net server app. I am coding a .net SAP client app...

tim_alsop · ‎10-29-2015

ok. Anyway, I have used SNC with many .net applications on desktops and on servers, using Kerberos and not had any issues - works well.

former_member200373 · ‎11-04-2015

Frederic,

SNC is designed to be independent of concrete credentials. Each SNC provider product comes with one or a set of supported credential types; in case of SAP Single Sign-On Secure Login Client (the frontend part) and SAP CommonCryptoLib (the backend part which is installed with the NetWeaver Kernel) you have the choice of using Kerberos and/or X.509 certificates.

The same SAP CommonCryptoLib instance on NetWeaver can handle both peer credential types, Kerberos and X.509, in parallel.

A server to server SNC connection with SAP CommonCryptoLib must use X.509 certificates. Unlike end user clients, the adminstrative efforts to configure X.509 on both sides are quite low, and is completely independent of Microsoft domain services.

If your .NET client app uses SAP NCO for RFC and SNC, then you have the choice of using Kerberos or X.509 on end user side once you run SAP SSO SLC on such client. The backend component is already in place.

Any SNC product should work if configured properly. The question is what you need (not just today, but also in future), and what effort you like to invest in rollout, configuration and operation.

-- Stephan

tim_alsop · ‎03-16-2015

It looks like you are trying to use the SAP Cryptolib as the SNC library, which only supports Kerberos protocol (with proprietary SNC name format) and x.509 certificates for incoming SNC connections, and x.509 certificates for outbound connections.

So, you need to use an SNC library on the .net server that supports Kerberos protocol for outbound connections, and an SNC library on the server running SAP NetWeaver that supports Kerberos for incoming connections.

Error while connecting via SSO using SNC parameters of SAP .NET Connector