SAP Gui Single Sign-On with Kerberos

Former Member
0 Kudos


Hi

I am working on SAP GUI SSO with Kerberos. We have decided to use the SAP NW-SSO Secure Login Library to support Kerberos.
I am following the instructions from the SDN link - http://scn.sap.com/docs/DOC-40178

1. Create Service Id and SPN
2. Set up SAP Parameters
3. Set up SAP SNC Parameters
4. Set up KeyTab
5. Restarted. SNC is on with the Service ID and I can confirm it is working from the dev_wx trace.

We set up SNC parameters in the user master record and GUI properties. But when I click to log on, we get the error message "GSS-API(maj): No credentials were supplied. Unable to establish the security context."

I am doing this on my POC environment. With that being said, my Windows machine is set up with the same domain but my SAP environment is on the productive domain. Do you see this as an issue?

I have attached the error message received.

Did I miss anything?

Thank you in advance.

Santosh Lad

Message was edited by: Martina Kirschenmann (Removed screen shot as per request by author of the post)

Accepted Solutions (0)

Answers (2)

Former Member
0 Kudos

Hey Santosh,

Bump up the logging in SM50 for your work processes, including "security".  Then try again, and then check the timestamps on the dev_w?? and have a close look, that might help.

I know I'm having a problem if I enable AES-128 or AES-256 at the AD user.

You could run "klist" at your PC DOS prompt to see what type of ticket you get, and compare that to what SAP is trying to send to you also.

By default, our systems send RSADSI RC4-HMAC(NT) and that seems to work, although our security people would prefer higher. See note 1832706 - SPNego ABAP: Fixes for Algorithms AES128, AES256, DES

I know you're not doing SPNego, but check the AD user to see if they clicked on "AES128 or AES256" in the user profile.

NICK

Former Member
0 Kudos

Hi Santosh,

The error you get could have many causes. You can check the SLC developer traces to verify if you get a ticket from your AD. If not, you may check the following:

- You configured the wrong SPN as your Server SNC Name in SAP GUI. Please use the command "setspn -Q SAP/SL-ABAP-AVA" on your AD.

- You have a duplicate SPN in AD. Please use the command "setspn -Q SAP/SL-ABAP-AVA" on your AD.

- You have configured DES only in AD and your Windows client does not support it.

KR

Valerie
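The checks suggested in the two answers above (compare the ticket type shown by klist with what the SAP side can accept, and confirm a ticket was issued for the SPN at all) can be scripted. This is an added example, not part of the original posts: the function names, the user `jdoe`, the realm `EXAMPLE.LOCAL` and the set of keytab encryption types passed in by the caller are assumptions, and the sample klist output is constructed.

```python
import re

# Bits of the AD attribute msDS-SupportedEncryptionTypes, keyed by the
# substring that Windows klist prints for each encryption type.
ETYPE_BITS = {"DES-CBC-CRC": 0x01, "DES-CBC-MD5": 0x02, "RC4-HMAC": 0x04,
              "AES-128": 0x08, "AES-256": 0x10}

def decode_etypes(mask):
    """Encryption types enabled by an msDS-SupportedEncryptionTypes value."""
    return [name for name, bit in ETYPE_BITS.items() if mask & bit]

def cached_tickets(klist_text):
    """Return (server principal, encryption type) for each cached ticket."""
    pattern = re.compile(
        r"Server:\s*(\S+)\s*@.*?KerbTicket Encryption Type:\s*([^\r\n]+)", re.S)
    return [(m.group(1), m.group(2).strip()) for m in pattern.finditer(klist_text)]

def diagnose(klist_text, spn, account_mask, keytab_etypes):
    """Compare the ticket issued for spn with what the server keytab holds."""
    for server, etype in cached_tickets(klist_text):
        if server.lower() != spn.lower():
            continue
        short = next((n for n in ETYPE_BITS if n in etype), etype)
        if short in keytab_etypes:
            return ("ok", f"{short} ticket matches a keytab key")
        return ("etype-mismatch",
                f"ticket is {short}, keytab has {sorted(keytab_etypes)}, "
                f"account enables {decode_etypes(account_mask)}")
    return ("no-ticket", f"no service ticket for {spn}; check the SPN with setspn -Q")

# Constructed klist output (hypothetical user and realm, SPN from the thread).
SAMPLE = """\
#0>     Client: jdoe @ EXAMPLE.LOCAL
        Server: krbtgt/EXAMPLE.LOCAL @ EXAMPLE.LOCAL
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
#1>     Client: jdoe @ EXAMPLE.LOCAL
        Server: SAP/SL-ABAP-AVA @ EXAMPLE.LOCAL
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
"""

if __name__ == "__main__":
    # 0x18 = AES128 and AES256 ticked on the AD user; keytab assumed RC4-only.
    print(diagnose(SAMPLE, "SAP/SL-ABAP-AVA", 0x18, {"RC4-HMAC"}))
```

Feed it the real output of `klist` from the client after a failed logon attempt, together with the attribute value read from the service account.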

Former Member
0 Kudos

Thanks Valerie. I have asked my AD Team to follow the command since he used arch (Domain) instead of SAP in the SPN. Refer to the attached screenshot.

Secondly, he mentioned the SPN can be registered against a server, and he did create one for my SAP environment. But do we really need it for specific servers? You can see the screenshot for the command used here.

Please advise.

Thank you in advance.

Santosh Lad

Message was edited by: Martina Kirschenmann (Removed screen shot as per request by author of the post)

Former Member
0 Kudos

Hi Santosh

You need an SPN to register an ABAP server if you want to configure SPNego for ABAP. Please have a look at the implementation guide here http://help.sap.com/download/sapsso/secure_login_impl_guide_en.pdf chapter 4.7.3.1.2 for how the SPN may look if you want to configure SNC with Kerberos authentication.

After the SPN has been configured, you should use it in your SAP GUI configuration to define the Server SNC Name, not the UPN.

KR

Valerie