on 05-29-2015 10:50 AM
Hi Everyone,
I am trying to set up SAP SSO between SAP on Linux and MAD. Everything looks fine, but when I change the snc/enable parameter to 1 my SAP system doesn't come up. Please point me in the right direction with your knowledge.
Please find the initial image. Please let me know what info you want.
Thanks for your time.
Regards,
Amit Sharma
Hi All,
Please guide if I have to configure an LDAP (RFC) to connect. I have not configured my LDAP connection; can this be the cause of the error?
Regards,
Amit
Hi Amit,
What is your use case? Did you want to configure SNC with Kerberos, or SPNego for ABAP, or both?
Like Christian says, you are using a quite old SLL library and it is recommended to switch to the CommonCryptoLib (CCL) for your profile parameter snc/gssapi_lib. Please configure the same library as you use for SPNego (libsapcrypto.so). The migration from SLL 1.0 to the CCL is explained in the implementation guide: http://help.sap.com/download/sapsso/secure_login_impl_guide_en.pdf chapter 4.4
To configure your keytab on the server please refer to SAP Note 1837595 and use the Service Account UserID@DOMAIN instead of the SPN (SAP/...).
KR
Valerie
Hi Valerie,
I want to configure SNC with Kerberos. I had to configure SPNego because when I ran the tcode SPNego I was getting the error that the Kerberos library was not loaded; then I used the CommonCryptoLib and was able to run the spnego tcode for creating a Kerberos keytab for SPNego (is this step needed? I am a bit confused). When I run the snc command in the DVE/SLL directory I find everything OK. I hope you find the snapshot helpful.
Your guidance in this matter will be helpful.
Thanks,
Amit
Hi Amit,
You are using a quite old version of SLL and your configuration will lead to errors even if the command "snc status" seems to be OK.
Could you check if you can run the tcode sncwizard? If yes, please migrate your SLL 1.0 to the latest CCL like I wrote in my last post and configure your SNC keytab using the transaction spnego or kerberos. The Service Account UserID@DOMAIN should be used instead of the SPN (SAP/...).
If you cannot run the tcode sncwizard, please follow the instructions from my last post:
- Switch to the CommonCryptoLib (CCL) for your profile parameter snc/gssapi_lib
- The migration from SLL 1.0 to the CCL is explained in the implementation guide: http://help.sap.com/download/sapsso/secure_login_impl_guide_en.pdf chapter 4.4
To configure your keytab on the server please refer to SAP Note 1837595 and use the Service Account UserID@DOMAIN instead of the SPN (SAP/...).
In all cases, please configure your snc/identity/as = p:<your SAPCRYPTO Server PSE DName from strust>
KR
Valerie
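A profile lint for the parameters this thread keeps returning to (snc/enable, snc/gssapi_lib, snc/identity/as), as an added example that is not part of any post and not SAP tooling. The function names, finding codes and sample profile are constructed for illustration; the uppercase-realm check follows the suggestion made elsewhere in the thread.

```sh
# Added example (not SAP tooling): lint the SNC parameters discussed in this thread.

# Print the last value assigned to KEY ($2) in profile FILE ($1).
# Assumes "key = value" lines with "#" comments; values may contain "=".
profile_get() {
    awk -v key="$2" '
        /^[ \t]*#/ { next }
        {
            eq = index($0, "="); if (eq == 0) next
            k = substr($0, 1, eq - 1); v = substr($0, eq + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k)
            gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) val = v
        }
        END { print val }' "$1"
}

# Print one finding code per line; exit status 0 only when nothing is flagged.
check_snc_profile() {
    n=0
    [ "$(profile_get "$1" snc/enable)" = "1" ] || { echo "SNC_DISABLED"; return 0; }
    lib=$(profile_get "$1" snc/gssapi_lib)
    case "${lib##*/}" in
        libsapcrypto.so) ;;                                  # CommonCryptoLib
        libsecgss.so) echo "LIB_OLD_SLL"; n=$((n + 1)) ;;    # old SLL 1.0 library
        *) echo "LIB_NOT_CCL"; n=$((n + 1)) ;;               # empty or something else
    esac
    ident=$(profile_get "$1" snc/identity/as)
    case "$ident" in
        p:*) ;;
        *) echo "IDENTITY_NO_P_PREFIX"; n=$((n + 1)) ;;
    esac
    case "$ident" in
        *@*) realm=${ident##*@}
             upper=$(printf '%s' "$realm" | tr '[:lower:]' '[:upper:]')
             [ "$realm" = "$upper" ] || { echo "REALM_NOT_UPPERCASE"; n=$((n + 1)); } ;;
    esac
    [ "$n" -eq 0 ]
}

# Constructed sample profile (not taken from the poster's system).
sample=$(mktemp)
cat > "$sample" <<'EOF'
snc/enable = 1
snc/gssapi_lib = /usr/sap/SID/DVE/SLL/libsecgss.so
snc/identity/as = p:CN=SAP/SAPServiceIDS@dspl.com
EOF
check_snc_profile "$sample" || true
rm -f "$sample"
```

Point `check_snc_profile` at a copy of the instance profile before changing snc/enable to 1; a non-zero exit status means at least one finding was printed.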
Thanks Vale,
I performed the steps as you guided, changed SSO 1.0 to SSO 2.0 SP3, and set the parameter snc/gssapi_lib to CommonCryptoLib... kudos, that did help. I was able to bring my system up after the snc/enable parameter was changed to 1, but now I get the same error when I activate SNC in the Network properties of the system entry in SAP Logon. Please guide further.
Regards,
Amit
The scenario is: I generated the SAPSCNCKERB.pse file from /DVE/SLL, which got created in the /DVE/sec directory. When I fire the sapgenpse keytab command I create 1 SSO credential for my user SAPServiceIDS, then I set up the Secure Login Client at the end user, and I get the Kerberos token for the SAPServiceSID user. Now when I activate SNC in the SAP Logon screen I get the error shown in the pic.
When I look at the trace file in Secure Login Client I get the below error.
Please guide
Hi Amit,
The Secure Login Client could not get a ticket from the Service Account configured. Normally you must configure the SPN of your Service Account on your client workstation as Server SNC Name in SAP GUI. Could you please verify that your Service Account SPN exists in AD or that you have no duplicate?
Please use the command "setspn -Q <your SPN>", e.g.: setspn -Q SAP/ServiceIDS
The output of this command must link to a unique user.
KR
Valerie
Hello Amit,
Can you describe what configuration steps you have done so far? You cannot expect people to guess what parameters are set and what activities have been done.
It might save everyone a lot of time if you also describe what activities you have tried to start SAP. Any notes that you have tried? What areas have you excluded for analysis?
Regards,
Siddhesh
Thanks for the fast reply. I followed the below link to proceed:
http://scn.sap.com/docs/DOC-45138
I created a SAPServiceSID user in my Microsoft Active Directory. When I go to the /usr/sap/SID/DVE/SLL directory and fire the snc command everything seems to be good. When I enable the snc/enable parameter in the profile and restart the system, the SAP system doesn't come up and throws the error mentioned in the first snapshot in my post.
Here is the snapshot of the snc command, if that can help.
Hello Amit,
The document you share suggests that the Domain should be in all caps,
try changing the parameter to snc/identity/as = p:CN=SAP/SAPServiceIDS@DSPL.COM
Regards,
Siddhesh
Hi Tim,
I have my SAP ECC system in one domain and MAD in another domain. The keytab file which I created in my MAD using the command ktpass /princ ....... was stored at C:\; I then transferred it to my Linux server under /etc, where my krb5.conf file (to which I made changes) resides.
Please guide if there is anything that I am missing.
You are using the MIT Kerberos libraries for key table etc., but you are trying to use the SAP SNC library called libsecgss.so (snc/gssapi_lib param). This SNC library doesn't recognise the Kerberos key table format which you have used. That is why you are getting an error. Your setup is very mixed up 😞
Hi Tim
Thanks for the guidance. That means I have to use either only Kerberos or only the SNC library? Please correct me if I am on the wrong track. It would be very helpful on your part if you could provide me with an apt doc for SSO for SAP on Linux and MS-AD,
or suggest if anything can be done in my present system to deal with the situation.
Regards,
Amit
Hi Amit,
you also seem to be using a very old version of the SNC library. I suggest you implement the current version of SAP Single Sign-On 2.0. This is rather simple as you can see from the tutorials at http://scn.sap.com/docs/DOC-40178 .
In that case you do not need your own Kerberos library. Everything is covered by the SNC library from the product.
Best regards,
Christian
Hi Christian ,
Thank you for sharing your knowledge. I have gone through the video you shared and performed the steps, but what I want is to carry on with the present installation, if we can solve this by any means. It will be good because I believe we are very close to making it. Yes, I will surely try with SAP Single Sign-On 2.0. Please guide.
Regards,
Amit