
GSS-API(maj) SAP SSO btw SAP on linux and MAD

Former Member
0 Kudos

Hi Everyone,

I am trying to set up SAP SSO between SAP on Linux and MAD. Everything looks fine, but when I change the snc/enable parameter to 1 my SAP system doesn't come up. Please assist me in the right direction with your knowledge.

Please find the initial image. Please guide me as to what info you want.

Thanks for your time.

Regards,

Amit Sharma

Accepted Solutions (0)

Answers (2)


Former Member
0 Kudos

Hi All,

Please guide me on whether I have to configure an LDAP (RFC) connection to connect. I have not configured my LDAP connection; can this be the cause of the error?

Regards,

Amit

Former Member
0 Kudos

Hi Amit,

What is your use case? Did you want to configure SNC with Kerberos or SPNego for ABAP, or both?

Like Christian says, you are using a quite old SLL library and it is recommended to switch to the CommonCryptoLib (CCL) for your profile parameter snc/gssapi_lib. Please configure the same library as you use for SPNego (libsapcrypto.so). The migration from SLL 1.0 to the CCL is explained in the implementation guide: http://help.sap.com/download/sapsso/secure_login_impl_guide_en.pdf chapter 4.4

To configure your keytab on the server please refer to the SAP Note 1837595 and use the Service Account UserID@DOMAIN instead of the SPN (SAP/...).

KR

Valerie

Former Member
0 Kudos

Hi Valerie,

I want to configure SNC with Kerberos. I had to configure SPNego because when I ran the tcode SPNego I was getting the error that the Kerberos library was not loaded. Then I used the CommonCryptoLib and was able to run the spnego tcode for creating a Kerberos keytab for SPNego (is this step needed to be configured? I am a bit confused). When I run the snc command in the DVE/SLL directory I find everything OK. Please find the snapshot helpful.

Your guidance in this matter will be helpful.

Thanks,

Amit

Former Member
0 Kudos

Hi Amit,

You are using a quite old version of SLL and your configuration will lead to errors even though the command "snc status" seems to be OK.

Could you check if you can run the tcode sncwizard? If yes, please migrate your SLL 1.0 to the latest CCL like I wrote in my last post and configure your SNC keytab using the transaction spnego or kerberos. The Service Account UserID@DOMAIN should be used instead of the SPN (SAP/...).

If you cannot run the tcode sncwizard, please follow my instructions from my last post:

- Switch to the CommonCryptoLib (CCL) for your profile parameter snc/gssapi_lib

- The migration from SLL 1.0 to the CCL is explained in the implementation guide: http://help.sap.com/download/sapsso/secure_login_impl_guide_en.pdf chapter 4.4

To configure your keytab on the server please refer to the SAP Note 1837595 and use the Service Account UserID@DOMAIN instead of the SPN (SAP/...).

In all cases, please configure your snc/identity/as= p:<your SAPCRYPTO Server PSE DName from strust >

KR

Valerie

Former Member
0 Kudos

Thanks Vale,

I performed the steps as guided by you and changed SSO 1.0 to SSO2.0SP3. I set the parameter snc/gssapi_lib to CommonCryptoLib. Kudos, that did help. I was able to bring my system up after the snc/enable parameter was changed to 1, but now I get the same error when I activate SNC in the Network properties of the SAP Logon system entry. Please guide me further.

Regards,

Amit

Former Member
0 Kudos

The scenario is: I generated the SAPSCNCKERB.pse file from /DVE/SLL, which got created in the /DVE/sec directory. When I run the sapgenpse keytab command I create 1 SSO credential for my user SAPServiceIDS. Then I set up the Secure Login Client at the end user and I get the Kerberos token for the SAPServiceSID user. Now when I activate SNC in the SAP Logon screen I get the error shown in the picture.

When I look at the trace file in the Secure Login Client I get the error below.

Please guide

Former Member
0 Kudos

Hi Amit,

The Secure Login Client could not get a ticket from the Service Account configured. Normally you must configure the SPN of your Service Account on your client workstation as Server SNC Name in SAP GUI. Could you please verify that your Service Account SPN exists in AD and that you have no duplicate?

Please use the command "setspn -Q <your SPN>", e.g.: setspn -Q SAP/ServiceIDS

The output of this command must link to a unique user.

KR

Valerie

former_member185954
Active Contributor
0 Kudos

Hello Amit,

Can you describe what configuration steps you have done so far? You cannot expect people to guess what parameters are set and what activities have been done.

It might save everyone a lot of time if you also describe what activities you have tried to start SAP, any notes that you have tried, and what areas you have excluded for analysis.

Regards,

Siddhesh

Former Member
0 Kudos

Thanks for the fast reply. I followed the link below to proceed:

http://scn.sap.com/docs/DOC-45138

I created a SAPServiceSID user in my Microsoft Active Directory. When I go to the /usr/sap/SID/DVE/SLL directory and run the snc command everything seems to be good. When I enable the snc/enable parameter in the profile and restart the system, the SAP system doesn't come up and throws the error mentioned in the first snapshot in my post.

Here is the snapshot of the snc command, if that can help.

Former Member
0 Kudos

Hi,

These are the profile parameters I set up.

Please let me know if more info or any logs are required.

Regards,

Amit

tim_alsop
Active Contributor
0 Kudos

The domain should be in upper case in snc/identity/as param value.

e.g. ...@DSPL.COM

former_member185954
Active Contributor
0 Kudos

Hello Amit,

The document you shared suggests that the domain should be in all caps.

Try changing the parameter to snc/identity/as = p:CN=SAP/SAPServiceIDS@DSPL.COM

Regards,

Siddhesh

Former Member
0 Kudos

Thanks Tim and Siddhesh for your swift reply.

I tried your suggestion and made the changes, but again the system is not coming up. Please find the dev_w0 file snapshot for help, and suggest how to add files so that I can give you the dev_disp and dev_icm files too.

tim_alsop
Active Contributor
0 Kudos

It is not starting because you haven't provided the credentials for the SNC identity you have configured.

Former Member
0 Kudos

Hi Tim,

Please suggest how to create credentials for the SNC identity.

Regards

amit

Former Member
0 Kudos

Please find the snapshot for snc profile

tim_alsop
Active Contributor
0 Kudos

You are using Kerberos so you need to create a key table. This key table will contain keys so that the service ticket received from SAP GUI during logon can be decrypted. These same keys will be used to authenticate the work process so that work processes can initiate SNC connections.

tim_alsop
Active Contributor
0 Kudos

Above still has @dspl.com instead of @DSPL.COM

Former Member
0 Kudos

Hi Tim,

Sorry, I posted the previous snapshot. Yes, I made the change to @DSPL.COM but again the same problem. Please guide me how to proceed with key table generation.

Thanks

Former Member
0 Kudos

Hi Tim,

I have my SAP ECC system in one domain and MAD in another domain. The keytab file which I created in my MAD using the command ktpass /princ ....... got stored at C:\. I then transferred it to my Linux server under /etc, where my krb5.conf file (I made changes to it) resides.

Please guide me if there is anything that I am missing.

tim_alsop
Active Contributor
0 Kudos

You are using the MIT Kerberos libraries for key table etc., but you are trying to use the SAP SNC library called libsecgss.so (snc/gssapi_lib param). This SNC library doesn't recognise the Kerberos key table format which you have used. That is why you are getting an error. Your setup is very mixed up 😞
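
An added example, not part of any post in this thread: a small Python check of an instance profile for the two SNC problems raised in the replies above (a lower-case Kerberos realm in snc/identity/as, and snc/gssapi_lib still pointing at the old library instead of libsapcrypto.so). The sample profile text and the function names are constructed for illustration.

```python
# Constructed sample (not taken from the thread's screenshots).
SAMPLE_PROFILE = """\
# instance profile excerpt (constructed)
snc/enable = 1
snc/gssapi_lib = /usr/sap/SID/DVE/SLL/libsecgss.so
snc/identity/as = p:CN=SAPServiceSID@dspl.com
"""


def parse_profile(text):
    """Return {parameter: value} from 'name = value' lines, skipping comments."""
    params = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # Split on the first '=' only: SNC names contain '=' themselves (CN=...).
        name, sep, value = line.partition("=")
        if sep:
            params[name.strip()] = value.strip()
    return params


def check_snc(params):
    """Return a list of findings for the SNC settings discussed in the thread."""
    findings = []
    if params.get("snc/enable") != "1":
        return findings  # SNC disabled: the settings below are not in effect
    lib_name = params.get("snc/gssapi_lib", "").rsplit("/", 1)[-1]
    if lib_name != "libsapcrypto.so":
        findings.append(
            f"snc/gssapi_lib is '{lib_name or 'unset'}', "
            "expected libsapcrypto.so (CommonCryptoLib)")
    ident = params.get("snc/identity/as", "")
    if not ident.startswith("p:"):
        findings.append("snc/identity/as is missing or lacks the 'p:' prefix")
    elif "@" in ident:
        realm = ident.rsplit("@", 1)[1]
        if realm != realm.upper():
            findings.append(
                f"realm '{realm}' in snc/identity/as should be '{realm.upper()}'")
    return findings


if __name__ == "__main__":
    for finding in check_snc(parse_profile(SAMPLE_PROFILE)):
        print("FINDING:", finding)
```
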

Former Member
0 Kudos

Hi Tim

Thanks for the guidance. Does that mean I have to use either only Kerberos or only the SNC library? Please correct me if I am on the wrong track. It would be very helpful on your part if you could provide me with an apt document for SSO for SAP on Linux and MS-AD.

Or suggest if there is anything that can be done in my present system to deal with the situation.

Regards,

Amit

Christian_Cohrs
Product and Topic Expert
0 Kudos

Hi Amit,

You also seem to be using a very old version of the SNC library. I suggest you implement the current version of SAP Single Sign-On 2.0. This is rather simple, as you can see from the tutorials at http://scn.sap.com/docs/DOC-40178 .

In that case you do not need your own Kerberos library. Everything is covered by the SNC library from the product.

Best regards,

Christian

Former Member
0 Kudos

Hi Christian ,

Thank you for sharing your knowledge. I have gone through the video you shared and performed the steps, but what I want is to carry on with the present installation if we can solve this by any means. It will be good because I believe we are very close to making it. Yes, I will surely try with SAP Single Sign-On 2.0. Please guide.

Regards,

Amit