on 10-16-2015 6:09 PM
Hi, I am configuring an SAP Single Sign-On 2.0 Based on Kerberos Tokens. I have already done every step mainly based on the videos that SAP provides to implement a SSO with Kerberos and following as well the implementation guide. However when I turn the parameter snc/enable from 0 to 1 and restart the server it gives me an error which I traced from the file dev_w0.
The error is the following:
N SncInit(): Initializing Secure Network Communication (SNC)
N PC with Windows NT (mt,ascii,SAP_UC/size_t/void* = 16/64/64)
N GetUserName()="SAPServiceDG1" NetWkstaUser="SAPServiceDG1"
N SncInit(): found snc/data_protection/max=3, using 3 (Privacy Level)
N SncInit(): found snc/data_protection/min=2, using 2 (Integrity Level)
N SncInit(): found snc/data_protection/use=3, using 3 (Privacy Level)
N SncInit(): found snc/gssapi_lib=E:\usr\sap\DG1\DVEBMGS00\SLL\sapcrypto.dll
N File "E:\usr\sap\DG1\DVEBMGS00\SLL\sapcrypto.dll" dynamically loaded as GSS-API v2 library.
N SECUDIR="E:\usr\sap\DG1\DVEBMGS00\sec" (from $SECUDIR)
N The internal Adapter for the loaded GSS-API mechanism identifies as:
N Internal SNC-Adapter (Rev 1.1) to SAPCRYPTOLIB 5.x
N Product Version = SAPCRYPTOLIB 5.5.5C pl35 (Mar 21 2013) MT-safe
N SncInit(): found snc/identity/as=p:CN=SL-ABAP-DG1@<DOMAIN>.COM
N *** ERROR => SncPAcquireCred()==SNCERR_GSSAPI [D:/depot/bas/74 1445]
N GSS-API(maj): No credentials were supplied
N Could't acquire ACCEPTING credentials for
N
N name="p:CN=SL-ABAP-DG1@<DOMAIN>.COM"
N FATAL SNCERROR -- Accepting Credentials not available!
N *** ERROR => SncPAcquireCred()==SNCERR_GSSAPI [D:/depot/bas/74 1445]
N GSS-API(maj): No credentials were supplied
N
N Thu Oct 15 12:05:51 2015
N Could't acquire DEFAULT ACCEPTING credentials
N
N *** ERROR => (debug hint: no default acceptor cred available)
N [D:/depot/b 737]
N <<- SncInit()==SNCERR_GSSAPI
N sec_avail = "false"
M ***LOG R19=> ThSncInit, SncInitU ( SNC-000004) [thxxsnc.c 272]
M *** ERROR => ThSncInit: SncInitU (SNCERR_GSSAPI) [thxxsnc.c 274]
M in_ThErrHandle: 1
M *** ERROR => SncInitU (step TH_INIT, thRc ERROR-SNC-OTHER ERROR IN SNC LAYER, action STOP_WP, level 1) [thxxhead.c 2422]
NOTE: Where is <DOMAIN> I replaced for the correct domain.
The parameters that I used are these:
snc/enable = 1
snc/gssapi_lib = E:\usr\sap\DG1\DVEBMGS00\SLL\sapcrypto.dll
snc/identity/as = p:CN=SL-ABAP-DG1
snc/data_protection/min = 2
snc/data_protection/max = 3
snc/data_protection/use = 3
snc/accept_insecure_gu = 1
snc/accept_insecure_rfc = 1
snc/accept_insecure_cpic = 1
snc/permit_insecure_start = 1
snc/r3int_rfc_qop = 8
snc/r3int_rfc_secure = 0
snc/force_login_screen = 0
Anyone have a clue about how to solve this error? I thought that it was due to the command to create file cred_v2 "sapgenpse seclogin -p SAPSNCSKERB.pse -O SAPServiceDG1" which SAP warning us about a possible conflict in Windows environment. However I tried to solve that by adding -N in the end of the command as SAP told us to do, but my Command Prompt says that the command with -N is unknown.
Hello Andre,
Could you kindly ensure that you've correctly created the credentials for SAPSNCSKERB.pse?
sapgenpse seclogin -p <path>\SAPSNCSKERB.pse -x <PIN> -O <system_user>
you can verify that with command:
sapgenpse seclogin -l
(if possible, please place us the output of this command too).
Best Regards,
Guilherme de Oliveira
SAP Active Global Support
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
Output of /sapgenpse seclogin -l
Output of /sapgenpse
How can I correct the "No readable SSO-Credentials"? and should not also appear in the "seclogin -l" the SAPSNCS.pse file?
I used the following commands:
1. set SECUDIR=E:\usr\sap\DG1\DVEBMGS00\sec
2. sapgenpse keytab -p SAPSNCSKERB.pse -a SL-ABAP-DG1@<DOMAIN.COM>
3. sapgenpse seclogin -p SAPSNCSKERB.pse -O SAPServiceDG1
Hello Andre,
The output of commands seems correct. The "No readable SSO-Credential" warning appears because the command was executed with dg1adm user and your credential was created to SAPServiceDG1 user (which is the user starting your system, so it is correct).
However, by double checking your traces we can see that you're using SAPCryptolib to configure your environment and it is not supported. Instead, make sure to use CommonCryptoLib (latest patch level):
N SncInit(): found snc/gssapi_lib=E:\usr\sap\DG1\DVEBMGS00\SLL\sapcrypto.dll
N File "E:\usr\sap\DG1\DVEBMGS00\SLL\sapcrypto.dll" dynamically loaded as GSS-API v2 library.
N SECUDIR="E:\usr\sap\DG1\DVEBMGS00\sec" (from $SECUDIR)
N The internal Adapter for the loaded GSS-API mechanism identifies as:
N Internal SNC-Adapter (Rev 1.1) to SAPCRYPTOLIB 5.x
N Product Version = SAPCRYPTOLIB 5.5.5C pl35 (Mar 21 2013) MT-safe
The output shoudl be:
N Product Version = CommonCryptoLib (SAPCRYPTOLIB) Version 8.4...
I hope this clarifies.
Best Regards,
Guilherme de Oliveira
SAP Active Global Support
I have upgraded to CommonCryptoLib although it continues to give me the exact same error. Also, I tried to create all over again a new principal user named SAPServiceDG1 but it still gives me the same error (I generated a new SAPSNCSKERB.pse and Cred_v2 for this SAPServiceDG1. I also upgraded the profile and parameters).
The output of seclogin -l and sapgenpse are these:
Hi André
What is means SNL???
Thanks
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
User | Count |
---|---|
81 | |
24 | |
11 | |
9 | |
7 | |
5 | |
5 | |
5 | |
4 | |
4 |
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.