on 03-16-2015 1:06 PM
Hi everyone,
we are trying to configure Single Sign-On for the users with SAP GUI for Windows.
The ABAP application server has been configured, and I think the config is OK, since in the log file I see:
N SncInit(): Initializing Secure Network Communication (SNC)
N AMD/Intel x86_64 with Linux (st,ascii,SAP_UC/size_t/void* = 16/64/64)
N UserId="sidadm" (1002), envvar USER="sidadm"
N SncInit(): found snc/data_protection/max=3, using 3 (Privacy Level)
N SncInit(): found snc/data_protection/min=1, using 1 (Authentication Level)
N SncInit(): found snc/data_protection/use=3, using 3 (Privacy Level)
N SncInit(): found snc/gssapi_lib=/usr/lib64/snckrb5.so
N File "/usr/lib64/snckrb5.so" dynamically loaded as external SNC-Adapter.
N The SNC-Adapter identifies as:
N External SNC-Adapter (Rev 1.0) to Kerberos 5/GSS-API v2
N SncInit(): found snc/identity/as=p/krb5:SAPServiceSID/sapsid.intranet.ufz.de@INTRANET.UFZ.DE
N SncInit(): Accepting Credentials available, lifetime=Indefinite
N SncInit(): Initiating Credentials available, lifetime=07h 37m 16s
So, I think there is no error on the server side. But whenever a user tries to log in, he/she gets an error in SAP GUI:
---snip---
GSS-API(maj): Miscellaneous Failure
GSS-API(min): SSPI u2u-problem: please add Service principal for targe
target="p:myuser@INTRANET.UFZ.DE"
Error in SNC
---pins---
What's wrong here? Do I have to execute the "setspn" command for each user? And what would this look like? On the command line, the output of "setspn -l myuser" is empty, "setspn -l myuser@INTRANET.UFZ.DE" results in an error.
The entry in the Network tab in the SAP GUI reads either "p/krb5:myuser@INTRANET.UFZ.DE" or "p:myuser@INTRANET.UFZ.DE" or simply "P:myuser", the error remains always the same.
Can someone please help me?
Werner
Hi,
I believe the steps below would be necessary for you.
1) Set SNC Parameters
snc/enable = 1
snc/gssapi_lib = <Drive>\Windows\SysWOW64\gx64krb5.dll
snc/identity/as = p:SAPService<SID>@DOMAIN.COM
snc/accept_insecure_cpic = 1
snc/accept_insecure_rfc = 1
snc/permit_insecure_start = 1
snc/accept_insecure_gui = 1
2) Perform setspn for User SAPService<SID>
Setspn -A http/FQDN HOSTNAME SAPService<SID>
3) Activate SNC at SAPGUI
4) Handover to Security Team for their steps (Activate SNC at User level)
Hope the above information helps.
Thanks,
Mofizur
Very long thread but just checking, have you assigned the SNC name to the user?
As in the following blog
Yes, all users got their respective entries. In our case, it is p:username@INTRANET.UFZ.DE. But I think that the SAP system is not involved.
I expect to get errors like "User name or password is wrong" when I use a non-existing SAP user, or "Duplicate Principal" when I try to log in, since I have accounts in clients 000 and 100 of that system.
Hi Ralf,
I am sorry I was not able to solve it. I still have problems with the encryption between my Linux SAP hosts and the Windows Domain Controllers.
Unfortunately, we had several severe problems in the meantime, so I was not able to investigate here further. I remember a multi-hour phone call to the Domain admin, but it left no usable results.
But I still have to try the last proposal from Amerit Chahal, just no time. The SAP basis admin team for our 12 systems consists only of me ...
Regards,
Werner
Hi Werner:
Maybe what I am going to ask can be crazy, but sometimes we forget the small details. If everything is set up, did you install the SAPOSS.MSI software on the SAP GUI PC?
If everything is correct on your server side, in the GUI you only need the software and, in the configuration:
p:SAPService/<SAP full domain host>@<your domain in CAPS>
I hope that you can solve your problem quickly.
Best Regards;
Ricardo Nolasco
Hi Ricardo,
Yes, I used the .msi package to deploy the libraries on the client (a Windows Desktop server) and set the environment variable SNC_LIB accordingly. Before, there was an error explicitly stating that the SNC lib could not be found.
When I do not use my own userPrincipalName in the SAP GUI but "p:SAPServiceUFT/sapuft.intranet.ufz.de@INTRANET.UFZ.DE", the error changes to
---snip---
GSS-API(maj): Miscellaneous Failure
GSS-API(min):SSPI::IniSctx#1()==Unknown SSPI error
0x80090342
target="p:SAPServiceUFT/sapuft.intranet.ufz.de@INTRANET.UFZ.DE"
Error in SNC
---pins---
But why would I enter the name of the SAP Service user in AD? Why do I have (in TA SU01) an entry for the SNC name when everyone uses the same entry in SAP GUI? Or does the name translation take place at the AD?
Then I may have an encryption problem, when I search for the error number, as mentioned in for example (the text of this error should be "The encryption type requested is not supported by the KDC"). Or the domain's KERBEROS DISTRIBUTION KEY (KDC) service must be restarted on the 3 domain masters.
OK, the domain admin will be back next week, he's ill just now...
Regards,
Werner
Amerjit,
thank you for remembering me. Today, I had a phone call with the AD admin, 3 hours...
We found out that the AD is not OK with the encryption we use. The manuals you find are always about earlier versions of Windows, and the encryption methods vary between them. We tried a lot, with enabling additional encryptions on the AD and defining various default_tgs_enctypes, default_tkt_enctypes and permitted_enctypes on the side of the SAP host.
In real life, 3 systems are involved: the client, where the SAP GUI resides (for most clients this is a Windows 7 PC); the AD running on Windows Server 2008 R2, and the SAP host running SUSE Linux Enterprise Server 11 SP3.
Currently, the invocation of "./gsstest -l /usr/lib64/snckrb5.so -a 'SAPServiceUFT/sapuft.intranet.ufz.de@INTRANET.UFZ.DE'" on the SAP host shows the first error as:
TEST: acquiring accepting credentials for target (can. printable name)
RESULT OK
TEST: acquiring *default* accepting credentials (simple)
Status: gss_inquire_cred Acc() == (GSS_S_DEFECTIVE_CREDENTIAL)
gss_display_status(0x000a0000,GSS_S_GSS_CODE) =
"Invalid credential was supplied"
RESULT NOT ok (rc=1)
But later on, we see in the "Context establishment functions" section a lot like
TEST: Testing sec_context est.: ini_cred=SIMPLE, acc_cred=GSSNAMED
Status: gss_init_sec_context #1() == (GSS_S_FAILURE)
gss_display_status(0x000d0000,GSS_S_GSS_CODE) =
"Unspecified GSS failure. Minor code may provide more information"
gss_display_status(0x96c73a0e,GSS_S_MECH_CODE) =
"KDC has no support for encryption type"
WARNING: gss_init_sec_context() failed and returned min_stat but no mech_oid!
ERROR: sap_try_context(): context establishment error after #0 contexts!
RESULT NOT ok (rc=1)
And this may be the reason for the 0x80090342 error we get in the SAP GUI for windows. And we are back to the question of enctypes... But even after 3 hours of discussing and trying, we did not find the point to click
Hey Werner,
In the context of only setting up SNC.... Please indulge me and proceed as follows.
1. Download and install the software as mentioned in the note.
1684886 - License conditions of SNC Client Encryption
2022906 - Downloading Secure Login Library for SNC Client Encryption 1.x
You can use SNC without a license. Only SSO with SNC becomes a licensed product.
2. Please follow the setup using the guides and references we (myself and others) have already pointed you to.
3. Concerning the SPN and then cross checking with "snc", please follow verbatim.
Please go through the above and revert back to us.
There is always a method in what may be perceived as madness
KR,
Amerjit
Amerjit,
I do all the things here only to provide SSO in the end. If I succeed in setting up SNC with the SAP Secure Login Client Library, I am not allowed to use it for the desired purpose. That is why I did not install this software.
Next week I'll try it though. Currently I think the libraries on the client cause the problems, since I get no log entries at all in the SAP system regarding failed logon attempts, not even in the files in $DIR_INSTANCE/work.
Regards,
Werner
Werner,
I've understood your end goal which is SNC with SSO and understand the licensing constraint for the SSO part.
In such situations I always like to get back to basics and in that context that you manage to get SNC working. Then you've at least won half the battle (glass half full or half empty ?).
The packages in the note I mentioned also contain a client side package which is what you'll need.
If I were you, I'd scratch what you've done so far and take it from zero using the packages (see note) and procedures that have been mentioned.
prorsum et sursum.
Amerjit
Amerjit,
it took a while, but I finally managed to install the Secure Client libraries. I got a VM with Win 7 Prof, and installed SAP GUI 7.40 SP 2 HF 2, which brought the libraries along (I checked the option during install).
Nice to see that even on this newly installed VM I get the message I am so accustomed to, the 0x80090342 error
Since the AD admin told me every possible encryption is enabled for the host sapuft.intranet.ufz.de and for the user with the SPN SAPServiceUFT/sapuft.intranet.ufz.de@INTRANET.UFZ.DE I do not know how to proceed.
Regards,
Werner
Ok this thread talked about using another encryption. Have you tried RC4-HMAC?
http://scn.sap.com/thread/3222921
Cheers
Donald
Yes, that was about the first attempt. We tested many settings, and enabled every kind of encryption mentioned in the settings for the user and the host.
Now, I only set default_tgs_enctypes and default_tkt_enctypes and do not modify permitted_enctypes in /etc/krb5.conf.
What is making me feel exhausted is that neither side of the communication logs which type of encryption is used. But we found that aes256-cts-hmac-sha1 is an active encryption on our AD controllers (W 2008 R2), and the first default_*_enctype is set to aes256-cts-hmac-sha1-96 on the SAP Linux host.
I'd suggest restarting all 3 DCs simultaneously, but this will get me rid of any friends I have left among the 1000+ Windows users in the company
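The two posts above (the gsstest "KDC has no support for encryption type" output and the krb5.conf default_tgs_enctypes / default_tkt_enctypes tuning) both come down to one question: do the enctypes the SAP host asks for overlap with the key types it actually holds for the principal named in snc/identity/as? The following added example (not code from this thread, SAP, or RealTech) performs that local consistency check; it assumes MIT krb5.conf syntax and the newer MIT "klist -ke" output format, and both inputs are constructed samples embedded inline.

```python
import re

# Constructed sample /etc/krb5.conf fragment for the SAP host (assumption:
# MIT krb5 syntax, using the enctype keys this thread mentions).
KRB5_CONF = """
[libdefaults]
    default_realm = INTRANET.UFZ.DE
    default_tgs_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac
    default_tkt_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac
"""

# Constructed sample 'klist -ke /home/uftadm/krb5.keytab' output (assumption:
# newer MIT klist prints the enctype name in parentheses). Only an RC4 key
# was exported from AD, the situation that produces an enctype mismatch.
KLIST_KE = """
Keytab name: FILE:/home/uftadm/krb5.keytab
KVNO Principal
---- -------------------------------------------------------------------
   3 SAPServiceUFT/sapuft.intranet.ufz.de@INTRANET.UFZ.DE (arcfour-hmac)
"""

# klist and krb5.conf spell some enctypes differently; map them to one name.
ALIASES = {"arcfour-hmac": "rc4-hmac", "arcfour-hmac-md5": "rc4-hmac",
           "aes256-cts": "aes256-cts-hmac-sha1-96", "aes128-cts": "aes128-cts-hmac-sha1-96"}

def canon(enctype):
    return ALIASES.get(enctype, enctype)

def snc_name_to_principal(snc_name):
    """Strip the SNC prefix ('p:', 'P:', 'p/krb5:') to get the Kerberos name."""
    return re.sub(r"^p(/[^:]+)?:", "", snc_name, flags=re.I)

def parse_enctypes(conf, key):
    """Return the ordered enctype list of a [libdefaults] key, or [] if unset."""
    m = re.search(r"^\s*%s\s*=\s*(.+?)\s*$" % re.escape(key), conf, re.M)
    return [canon(e) for e in m.group(1).split()] if m else []

def parse_keytab(listing):
    """Return {principal: set(enctypes)} from 'klist -ke' output."""
    keys = {}
    for m in re.finditer(r"^\s*\d+\s+(\S+)\s+\((\S+)\)", listing, re.M):
        keys.setdefault(m.group(1), set()).add(canon(m.group(2)))
    return keys

def diagnose(conf, listing, snc_identity_as):
    """List mismatches between snc/identity/as, the keytab and krb5.conf."""
    principal = snc_name_to_principal(snc_identity_as)
    keytab = parse_keytab(listing)
    if principal not in keytab:
        return ["keytab has no key for %s" % principal]
    findings = []
    for key in ("default_tgs_enctypes", "default_tkt_enctypes"):
        wanted = parse_enctypes(conf, key)
        if not any(e in keytab[principal] for e in wanted):
            findings.append("%s shares no enctype with the keytab" % key)
        elif wanted[0] not in keytab[principal]:  # first entry is requested first
            findings.append("%s prefers %s but keytab only has %s"
                            % (key, wanted[0], ", ".join(sorted(keytab[principal]))))
    return findings
```

Run diagnose() with the real krb5.conf text, the real "klist -ke" listing and the snc/identity/as value from the instance profile; an empty result means the host's preferred enctype is one AD actually issued a key for, so the mismatch must be looked for elsewhere (for example in the account's supported-enctype settings on the AD side).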
Hi Werner,
Totally forgot to reply to you.
I'll repeat I understand your end goal is SSO with SNC and that your constraint is licensing. The licensing only comes into play for the SSO part and NOT the SNC part.
Now where you are right now is that you have this 0x80090342 error that is taking years away from your life
1. You've installed the SNC libs from the SAPGUI 740 media.
2. You're still running with native libraries on the SUSE side.
If you really would indulge me and install the SAP package on the server side and configure as per the various posts/blogs.
All I'm interested in at this stage is to get a known working combination working. Once that's done it should help in the process of elimination of your current problem with your current config.
Willing to join in ?
Amerjit
Hi Werner,
Correct value for the parameter snc/identity/as should be like "p:<DOMAIN_NAME>\SAPService<SID>"
Also you can follow the steps below to check if SNC and SSO are configured correctly or not.
• is SSO working?
To check: execute function module (SE37) create_rfc_reentrance_ticket and confirm that a long alpha-numerical string is returned without any exception.
Example of ticket: AjExMDABAAxTSEFIREVFICAgICACAAMwMDADAAhROTkgICAgIAQADD...... (Length 255 char)
• is SNC active?
To check: execute function module (SE37) SNC_GET_MY_INFO and confirm it is active.
Let us know if you observe any issue in the checks.
Regards,
Prithviraj.
Hi Prithviraj,
what is the difference between 'p:<DOMAIN_NAME>\SAPService<SID>' and 'p:SAPService<SID>/<hostname>@<DOMAIN_NAME>' in an AD running on Win 2008R2? I followed the documentation available from Realtech system consulting GmbH when it came to the name.
Function create_rfc_reentrance_ticket creates a nice long output
SNC is active, as it is stated in SU01. The output of SNC_GET_MY_INFO is:
---snip---
PNAME_APPL | p:SAPServiceSID/sapsid.intranet.ufz.de@INTRANET.UFZ.DE |
SNC_QOP_MIN | 1 |
SNC_QOP_MAX | 3 |
SNC_QOP_USE | 3 |
PNAME_USER
PNAME_CPIC
GUI_CONN_TYPE
LOGIN_TYPE | ND |
RC | 0 |
---pins---
I do not regard the output as issue
Hi,
Please check the below link section "Adding SPNs"
https://technet.microsoft.com/en-us/library/cc731241.aspx
and
Last reply from the discussion, if that helps.
Regards,
Prithviraj.
Hi,
I don't see the point. The AD admin created an account named ad_sapuft and used the command "setspn -A SAPServiceUFT/sapuft.intranet.ufz.de INTRANET\ad_sapuft". The key was exported and imported into the keytab on the SAP host. For the SAP system user uftadm, kinit works and is executed via cron job every 4 hours.
I read the thread you mentioned, and especially the last reply, many times before I posted here, but I do not see the point where it would help me
Using Active Directory Explorer (by sysinternals.com), I see that the user with sAMAccountName "ad_sapuft" got the userPrincipalName "SAPServiceUFT/sapuft.intranet.ufz.de@INTRANET.UFZ.DE". I do not know what should be changed, since that is exactly the value I use for snc/identity/as in the system's profile.
Regards,
Werner
Hello Werner,
Can you provide us with five things please.
Q1) As user <sid>adm, please run "snv" and post the output.
A)
Q2) Please tell us the values set for:
snc/gssapi_lib
snc/identity/as
A)
Q3) The Windows AD Account that has been setup along with the SPN
A)
Q4) Did you generate the Kerberos Keytab (PSE) on the Backend ?
A)
Q5) What version of SAP SSO are you using (SSO1 or SSO2) ?
A)
For me I'm of the same opinion as @Samuli Kaski
Kindest Regards,
Amerjit
A1) the command snv is unknown. The shell proposes env instead. The output of env is:
---snip---
vsapuft /home/uftadm> env | sort
BR_RSC=1
BR_RSH_CMD=/usr/bin/ssh
COLORTERM=1
CPU=x86_64
CSHEDIT=emacs
CSHRCREAD=true
CVS_RSH=ssh
dbms_type=ORA
DBSIDBASE=UFT
DBSID=UFT
DB_SID=UFT
dbs_ora_schema=SAPUFT
dbs_ora_tnsname=UFT
DIR_LIBRARY=/usr/sap/UFT/SYS/exe/run
ENV=/etc/bash.bashrc
FROM_HEADER=
G_BROKEN_FILENAMES=1
G_FILENAME_ENCODING=@locale,UTF-8,ISO-8859-1,CP1252
GROUP=sapsys
HOME=/home/uftadm
HOSTNAME=vsapuft.intranet.ufz.de
HOSTTYPE=x86_64
HOST=vsapuft
INFODIR=/usr/local/info:/usr/share/info:/usr/info
INFOPATH=/usr/local/info:/usr/share/info:/usr/info
INPUTRC=/etc/inputrc
KRB5_KTNAME=/home/uftadm/krb5.keytab
LANG=de_DE.UTF-8
LD_LIBRARY_PATH=/sapmnt/UFT/exe:/usr/sap/UFT/SYS/exe/run:/oracle/UFT/11203/lib
LESS_ADVANCED_PREPROCESSOR=no
LESSCLOSE=lessclose.sh %s %s
LESSKEY=/etc/lesskey.bin
LESS=-M -I
LESSOPEN=lessopen.sh %s
LOGNAME=uftadm
LS_COLORS=no=00:fi=00:di=01;34:ln=00;36:pi=40;33:so=01;35:do=01;35:bd=40;33;01:cd=40;33;01:or=41;33;01:ex=00;32:*.cmd=00;32:*.exe=01;32:*.com=01;32:*.bat=01;32:*.btm=01;32:*.dll=01;32:*.tar=00;31:*.tbz=00;31:*.tgz=00;31:*.rpm=00;31:*.deb=00;31:*.arj=00;31:*.taz=00;31:*.lzh=00;31:*.lzma=00;31:*.zip=00;31:*.zoo=00;31:*.z=00;31:*.Z=00;31:*.gz=00;31:*.bz2=00;31:*.tb2=00;31:*.tz2=00;31:*.tbz2=00;31:*.avi=01;35:*.bmp=01;35:*.fli=01;35:*.gif=01;35:*.jpg=01;35:*.jpeg=01;35:*.mng=01;35:*.mov=01;35:*.mpg=01;35:*.pcx=01;35:*.pbm=01;35:*.pgm=01;35:*.png=01;35:*.ppm=01;35:*.tga=01;35:*.tif=01;35:*.xbm=01;35:*.xpm=01;35:*.dl=01;35:*.gl=01;35:*.wmv=01;35:*.aiff=00;32:*.au=00;32:*.mid=00;32:*.mp3=00;32:*.ogg=00;32:*.voc=00;32:*.wav=00;32:
LS_OPTIONS=-N --color=tty -T 0
MACHTYPE=x86_64-suse-linux
MAIL=/var/spool/mail/uftadm
MANPATH=/usr/local/man:/usr/share/man
MINICOM=-c on
MORE=-sl
NLS_LANG=AMERICAN_AMERICA.UTF8
NNTPSERVER=news
ORACLE_BASE=/oracle
ORACLE_HOME=/oracle/UFT/11203
ORACLE_SID=UFT
OSTYPE=linux
PAGER=less
PATH=/oracle/UFT/11203/bin:.:/home/uftadm:/usr/sap/UFT/SYS/exe/run:/home/uftadm/bin:/usr/local/bin:/bin:/usr/bin:/usr/bin/X11:/usr/X11R6/bin:/usr/games:/opt/kde3/bin:/usr/lib/mit/bin:/usr/lib/mit/sbin
PWD=/home/uftadm
PYTHONSTARTUP=/etc/pythonstart
QT_HOME_DIR=/usr/share/desktop-data
SAPDATA_HOME=/oracle/UFT
SAPSYSTEMNAME=UFT
SECUDIR=/usr/sap/UFT/DVEBMGS00/sec
SHELL=/bin/csh
SHLVL=1
SLIC_HW_VERSION=2
TERM=xterm
THREAD=NOPS
TNS_ADMIN=/usr/sap/UFT/SYS/profile/oracle
USER=uftadm
VENDOR=suse
WINDOWMANAGER=/usr/bin/startkde
XCURSOR_THEME=DMZ
XDG_CONFIG_DIRS=/etc/xdg
XDG_DATA_DIRS=/usr/local/share:/usr/share:/etc/opt/kde3/share:/opt/kde3/share:/usr/share/gnome/help
XKEYSYMDB=/usr/share/X11/XKeysymDB
XNLSPATH=/usr/share/X11/nls
---pins---
A2)
snc/gssapi_lib = /usr/lib64/snckrb5.so
snc/identity/as = p/krb5:SAPServiceUFT/sapuft.intranet.ufz.de@INTRANET.UFZ.DE
A3) yes
A4) yes
A5) SSO2, since the system is connected with a SAP NW 7.3 Java working as Portal.
Then I also ask you: in what way does snc/identity/as look incorrect?
BTW, all SAP systems are running on SLES 11 SP3, and the Domain Controllers are running Windows 2008R2.
Hi Werner,
The command "snc" will be found in the directory where you unpacked the contents of SECURELOGINLIB.SAR (or equivalent).
Here's what I have working in my environment for years now.
snc/identity/as = p:CN=SAP/KerberosXXX@MYCO.COM
My AD User = <DOMAIN>\Kerberos<SID>
ServicePrincipalName = SAP/Kerberos<SID>
In my SAPGUI I have: p:CN=SAP/KerberosXXX@MYCO.COM
If, as I assume, you are using the document from "Matthias Schlarb" from RealTech: I used this as a basis for my setup on AIX and had to work around certain assumptions (not documented) that were made.
In addition to the above, please have a look at the following succinct but good guide by @Phillip Hofmeister
MFG,
Amerjit
Hi Amerjit,
I am not allowed to use SECURELOGINLIB.SAR because we do not have a license for "SAP NetWeaver Single Sign-On". If this were the case, I'd rather open a service call with SAP instead of starting a discussion here - even if this discussion might be a lot more helpful than the support call, not to speak of the months of retention time until the first supporter picks the call.
You are right that the document I used was written by Matthias Schlarb.
When I look at the docu you mentioned, I see that I need "SNC Client Encryption/Libraries". When I try to download these, I read on the page before I reach the download links "Note: The SNC Client Encryption package must not be used in Single Sign-On scenarios. If Single Sign-On or other value added scenarios (e.g. SSF at the client) are required customers need to acquire the SAP NetWeaver Single Sign-On product".
So I think I really should not use those.
Looking at my dev_w0 content, I think that I reached the end of point 4) of that docu successfully by following the steps Mr Schlarb wrote.
Regards,
Werner
setspn is executed once for SAPService<SID>. To me snc/identity/as looks incorrect, that is probably the source of your problems.
Werner Flamme wrote:
In what way does snc/identity/as look incorrect?
The correct format of SPN is SAP/XXX@DOMAIN, there are several possible values for XXX including host name but the one you have used isn't correct. Reading your other replies, you are on the right track meaning you can't use SSO with the SNC Client Encryption library since it is free and provided only for SNC encryption purposes. The only library allowing client SSO that SAP provides, especially in a heterogeneous SAP environment, is the one in SAP Single Sign-On which is a separately licensed product.