cancel
Showing results for 
Search instead for 
Did you mean: 

FATAL SNCERROR - GSS-API(maj): No credentials were supplied

Former Member
0 Kudos

Hi, I am configuring an SAP Single Sign-On 2.0 Based on Kerberos Tokens. I have already done every step mainly based on the videos that SAP provides to implement a SSO with Kerberos and following as well the implementation guide. However when I turn the parameter snc/enable from 0 to 1 and restart the server it gives me an error which I traced from the file dev_w0.

The error is the following:

N  SncInit(): Initializing Secure Network Communication (SNC)

N        PC with Windows NT (mt,ascii,SAP_UC/size_t/void* = 16/64/64)

N        GetUserName()="SAPServiceDG1"  NetWkstaUser="SAPServiceDG1"

N  SncInit():   found snc/data_protection/max=3, using 3 (Privacy Level)

N  SncInit():   found snc/data_protection/min=2, using 2 (Integrity Level)

N  SncInit():   found snc/data_protection/use=3, using 3 (Privacy Level)

N  SncInit(): found  snc/gssapi_lib=E:\usr\sap\DG1\DVEBMGS00\SLL\sapcrypto.dll

N    File "E:\usr\sap\DG1\DVEBMGS00\SLL\sapcrypto.dll" dynamically loaded as GSS-API v2 library.

N    SECUDIR="E:\usr\sap\DG1\DVEBMGS00\sec" (from $SECUDIR)

N    The internal Adapter for the loaded GSS-API mechanism identifies as:

N    Internal SNC-Adapter (Rev 1.1) to SAPCRYPTOLIB 5.x

N    Product Version = SAPCRYPTOLIB  5.5.5C pl35  (Mar 21 2013) MT-safe

N  SncInit():   found snc/identity/as=p:CN=SL-ABAP-DG1@<DOMAIN>.COM

N  *** ERROR => SncPAcquireCred()==SNCERR_GSSAPI  [D:/depot/bas/74 1445]

N        GSS-API(maj): No credentials were supplied

N      Could't acquire ACCEPTING credentials for

N      name="p:CN=SL-ABAP-DG1@<DOMAIN>.COM"

N      FATAL SNCERROR -- Accepting Credentials not available!

N  *** ERROR => SncPAcquireCred()==SNCERR_GSSAPI  [D:/depot/bas/74 1445]

N        GSS-API(maj): No credentials were supplied

N Thu Oct 15 12:05:51 2015

N      Could't acquire DEFAULT ACCEPTING credentials

N  *** ERROR =>     (debug hint: no default acceptor cred available)

N   [D:/depot/b 737]

N  <<- SncInit()==SNCERR_GSSAPI

N           sec_avail = "false"

M  ***LOG R19=> ThSncInit, SncInitU ( SNC-000004) [thxxsnc.c    272]

M  *** ERROR => ThSncInit: SncInitU (SNCERR_GSSAPI) [thxxsnc.c    274]

M  in_ThErrHandle: 1

M  *** ERROR => SncInitU (step TH_INIT, thRc ERROR-SNC-OTHER ERROR IN SNC LAYER, action STOP_WP, level 1) [thxxhead.c   2422]

NOTE: Where is <DOMAIN> I replaced for the correct domain.

The parameters that I used are these:

snc/enable = 1

snc/gssapi_lib = E:\usr\sap\DG1\DVEBMGS00\SLL\sapcrypto.dll

snc/identity/as = p:CN=SL-ABAP-DG1

snc/data_protection/min = 2

snc/data_protection/max = 3

snc/data_protection/use = 3

snc/accept_insecure_gu = 1

snc/accept_insecure_rfc = 1

snc/accept_insecure_cpic = 1

snc/permit_insecure_start = 1

snc/r3int_rfc_qop = 8

snc/r3int_rfc_secure = 0

snc/force_login_screen = 0

Anyone have a clue about how to solve this error? I thought that it was due to the command to create file cred_v2 "sapgenpse seclogin -p SAPSNCSKERB.pse -O SAPServiceDG1" which SAP warning us about a possible conflict in Windows environment. However I tried to solve that by adding -N in the end of the command as SAP told us to do, but my Command Prompt says that the command with -N is unknown.

Accepted Solutions (1)

Accepted Solutions (1)

guilherme_deoliveira
Participant
0 Kudos

Hello Andre,

Could you kindly ensure that you've correctly created the credentials for SAPSNCSKERB.pse?

sapgenpse seclogin -p <path>\SAPSNCSKERB.pse -x <PIN> -O <system_user>

you can verify that with command:

sapgenpse seclogin -l

(if possible, please place us the output of this command too).

Best Regards,
Guilherme de Oliveira
SAP Active Global Support

Former Member
0 Kudos

Output of /sapgenpse seclogin -l

Output of /sapgenpse

How can I correct the "No readable SSO-Credentials"? and should not also appear in the "seclogin -l" the SAPSNCS.pse file?

I used the following commands:

1. set SECUDIR=E:\usr\sap\DG1\DVEBMGS00\sec
2. sapgenpse keytab -p SAPSNCSKERB.pse -a SL-ABAP-DG1@<DOMAIN.COM>

3. sapgenpse seclogin -p SAPSNCSKERB.pse -O SAPServiceDG1

guilherme_deoliveira
Participant
0 Kudos

Hello Andre,

The output of commands seems correct. The "No readable SSO-Credential" warning appears because the command was executed with dg1adm user and your credential was created to SAPServiceDG1 user (which is the user starting your system, so it is correct).

However, by double checking your traces we can see that you're using SAPCryptolib to configure your environment and it is not supported. Instead, make sure to use CommonCryptoLib (latest patch level):

N  SncInit(): found  snc/gssapi_lib=E:\usr\sap\DG1\DVEBMGS00\SLL\sapcrypto.dll

N    File "E:\usr\sap\DG1\DVEBMGS00\SLL\sapcrypto.dll" dynamically loaded as GSS-API v2 library.

N    SECUDIR="E:\usr\sap\DG1\DVEBMGS00\sec" (from $SECUDIR)

N    The internal Adapter for the loaded GSS-API mechanism identifies as:

N    Internal SNC-Adapter (Rev 1.1) to SAPCRYPTOLIB 5.x

N    Product Version = SAPCRYPTOLIB  5.5.5C pl35  (Mar 21 2013) MT-safe

The output shoudl be:

N    Product Version = CommonCryptoLib (SAPCRYPTOLIB) Version 8.4...

I hope this clarifies.

Best Regards,
Guilherme de Oliveira
SAP Active Global Support

Former Member
0 Kudos

I have upgraded to CommonCryptoLib although it continues to give me the exact same error. Also, I tried to create all over again a new principal user named SAPServiceDG1 but it still gives me the same error (I generated a new SAPSNCSKERB.pse and Cred_v2 for this SAPServiceDG1. I also upgraded the profile and parameters).

The output of seclogin -l and sapgenpse are these:

Former Member
0 Kudos

Ok it is solved the problem was the incorrect system user. Instead of SAPServiceDG1 it was SNL\SAPServiceDG1.

Answers (1)

Answers (1)

BorjaSerrano
Explorer
0 Kudos

Hi André

What is means SNL???

Thanks