SNC ERROR - The verification of the Kerberos ticket failed

Former Member
0 Kudos

Hi, I am configuring a Single Sign-On AS ABAP with Kerberos, however when I try to log on in SAP GUI it gives me the following error:

Note: I have also tried p:CN=SAPServicePG1@<DOMAIN> and it gives me the same error.

The profile parameters I used are the following:

snc/enable=1
snc/gssapi_lib=E:\usr\sap\DG1\DVEBMGS00\SLL\sapcrypto.dll
snc/identity/as= p:CN=SAPServicePG1@<DOMAIN>
snc/data_protection/min=2
snc/data_protection/max=3
snc/data_protection/use=3
snc/accept_insecure_gui=1
snc/accept_insecure_rfc=1
snc/accept_insecure_cpic=1
snc/permit_insecure_start=1
snc/r3int_rfc_qop=8
snc/r3int_rfc_secure=0
snc/force_login_screen=0
spnego/enable=1
spnego/krbspnego_lib= E:\usr\sap\PG1\DVEBMGS00\SLL\sapcrypto.dll

SAPCRYPTOLIB= E:\usr\sap\PG1\DVEBMGS00\SLL\sapcrypto.dll


Note: Where <DOMAIN> appears, I replaced it with the correct domain.


The output of sapgenpse and sapgenpse seclogin -l are the following:

What could I do to solve this error? I have already generated the SAPSNCSKERB.pse all over again and it gives me the same error.

One question: can the PIN/password of the keytab include characters like !, &, $?

Accepted Solutions (1)


Former Member
0 Kudos

Hello André,

An interesting thread ......

1. What version of SSO2 are you working with? Please try with at least SP05.

2. For your AD user make sure that "user cannot change password" and "password never expires" are selected.

3. Make sure that your UPN is SAPServicePG1@<DOMAIN>


4. Make sure that your SPN is SAP/SAPServicePG1


5. I had an issue with special characters (think it was @) in the password of the AD user. Please initially try with a simple UPPERCASE/lowercase/numbers mix for your password.


6. As already suggested by please do not use the SLL (legacy). Download and extract in your kernel directory the latest commoncryptolib.

7. Set SECUDIR permanently in the environment of pg1adm.

8. Run the following commands (post output of all commands please)

sapgenpse keytab -p SAPSNCSKERB.pse -x <password of AD user> -X <password of AD user> -a SAP/SAPServicePG1@<DOMAIN>


sapgenpse seclogin -p /usr/sap/PG1/DVEBMGS00/sec/SAPSNCSKERB.pse -x <password> -O pg1adm

sapgenpse seclogin -l


sapgenpse get_my_name -p /usr/sap/PG1/DVEBMGS00/sec/SAPSNCSKERB.pse

9. Set parameters and restart instance.

snc/enable = 1

snc/gssapi_lib = $(DIR_EXECUTABLE)$(DIR_SEP)$(FT_DLL_PREFIX)sapcrypto$(FT_DLL)

snc/identity/as = p:SAPServicePG1@<DOMAIN>

snc/data_protection/max = 3

snc/data_protection/min = 2

snc/data_protection/use = 3

snc/r3int_rfc_secure = 0

snc/r3int_rfc_qop = 8

snc/accept_insecure_cpic = 1

snc/accept_insecure_gui = 1

snc/accept_insecure_rfc = 1

snc/permit_insecure_start = 1

snc/force_login_screen = 1

snc/accept_insecure_r3int_rfc = 1

Please go through the above and let us know how you get on.

KR,

Amerjit

Answers (6)


Former Member

The problem is solved, thanks for the helpful answers from everyone.
It was a problem from the AD team when they created the user; probably the password was wrong. When I created it myself it was solved.

Former Member
0 Kudos

Dear Valerie,
I am first trying to test all the options I have to solve this before opening a support ticket.

The server trace error is the following:


[2015.11.10 15:48:18.445000][TRACE][disp+work.EXE][GSS][4656]  ??????+$??%????'0%1#0!??U????SAPServicePG1@<DOMAIN>

[2015.11.10 15:48:18.445000][TRACE][disp+work.EXE][GSS][4656]  0401000806062B24030125010000002730253123302106035504030C1A5341505365727669636550473140534F4E414E474F4C2E505654

[2015.11.10 15:48:18.445000][TRACE][disp+work.EXE][SAPCRYPTOLIB][  4656] } gss_import_name

[2015.11.10 15:48:18.445000][TRACE][disp+work.EXE][SAPCRYPTOLIB][  4656] { gss_acquire_cred

[2015.11.10 15:48:18.445000][TRACE][disp+work.EXE][IO][4656] BEGIN: sec_io_statFile (E:\usr\sap\PG1\DVEBMGS00\sec\cred_v2)

[2015.11.10 15:48:18.445000][TRACE][disp+work.EXE][IO][4656] END  : sec_io_statFile

[2015.11.10 15:48:18.445000][TRACE][disp+work.EXE][IO][4656] BEGIN: sec_io_statFile (E:\usr\sap\PG1\DVEBMGS00\sec\SAPSNCSKERB.pse)

[2015.11.10 15:48:18.445000][TRACE][disp+work.EXE][IO][4656] END  : sec_io_statFile

[2015.11.10 15:48:18.445000][TRACE][disp+work.EXE][IO][4656] BEGIN: sec_io_statFile (E:\usr\sap\PG1\DVEBMGS00\sec\SAPSNCS.pse)

[2015.11.10 15:48:18.445000][TRACE][disp+work.EXE][IO][4656] END  : sec_io_statFile

[2015.11.10 15:48:18.445000][TRACE][disp+work.EXE][GSS][4656] Cached PSE environment (0) found (usage=2, checked for PSE modification)

[2015.11.10 15:48:18.445000][TRACE][disp+work.EXE][GSS][4656] Searching credentials for desired name 'CN=SAPServicePG1@<DOMAIN>'

[2015.11.10 15:48:18.445000][TRACE][disp+work.EXE][PSE][4656] Searching own certificate ...

[2015.11.10 15:48:18.445000][TRACE][disp+work.EXE       ][PSE         ][  4656]       SUBJECTNAME=CN=SAPServicePG1@<DOMAIN>

[2015.11.10 15:48:18.445000][TRACE][disp+work.EXE       ][PSE         ][  4656]     Certificate tokpse:E:\usr\sap\PG1\DVEBMGS00\sec\SAPSNCS.pse (SKnew) is not suitable because of the following attribute

[2015.11.10 15:48:18.445000][TRACE][disp+work.EXE       ][PSE         ][  4656]       SUBJECTNAME=CN=SAPServicePG1@<DOMAIN>

[2015.11.10 15:48:18.445000][TRACE][disp+work.EXE       ][PSE         ][  4656]     Found 0 suitable certificates

[2015.11.10 15:48:18.445000][TRACE][disp+work.EXE       ][GSS         ][  4656] Didn't find a certificate

[2015.11.10 15:48:18.445000][TRACE][disp+work.EXE       ][SAPCRYPTOLIB][  4656] } gss_acquire_cred

[2015.11.10 15:48:18.445000][TRACE][disp+work.EXE       ][SAPCRYPTOLIB][  4656] { gss_release_name

[2015.11.10 15:48:18.445000][TRACE][disp+work.EXE       ][SAPCRYPTOLIB][  4656] } gss_release_name

[2015.11.10 15:48:18.445000][TRACE][disp+work.EXE       ][SAPCRYPTOLIB][  4656] { gss_accept_sec_context

[2015.11.10 15:48:18.445000][INFO ][disp+work.EXE       ][GSS         ][  4656] Srv-80000000: ################## Start accepting session ##################

[2015.11.10 15:48:18.445000][TRACE][disp+work.EXE       ][IO          ][  4656] BEGIN: sec_config_isContentModified (E:\usr\sap\PG1\DVEBMGS00\SLL\gss.xml)

[2015.11.10 15:48:18.445000][TRACE][disp+work.EXE       ][IO          ][  4656] END  : sec_config_isContentModified

[2015.11.10 15:48:18.445000][TRACE][disp+work.EXE       ][GSS         ][  4656] Srv-80000000: Reading ClientHello::parameters

[2015.11.10 15:48:18.445000][TRACE][disp+work.EXE       ][GSS         ][  4656] Srv-80000000: Preferences controlled by server.

[2015.11.10 15:48:18.445000][TRACE][disp+work.EXE       ][GSS         ][  4656] Srv-80000000:   Creating new session.

[2015.11.10 15:48:18.445000][TRACE][disp+work.EXE       ][GSS         ][  4656] Srv-80000000:   New session not cacheable.

[2015.11.10 15:48:18.445000][INFO ][disp+work.EXE       ][GSS         ][  4656] Srv-80000000: Searching key

[2015.11.10 15:48:18.445000][INFO ][disp+work.EXE       ][GSS         ][  4656]   Type   : Sig

[2015.11.10 15:48:18.445000][INFO ][disp+work.EXE       ][GSS         ][  4656]   Name   : CN=SAPServicePG1@<DOMAIN>

[2015.11.10 15:48:18.445000][INFO ][disp+work.EXE       ][GSS         ][  4656]   Target : Not specified

[2015.11.10 15:48:18.445000][INFO ][disp+work.EXE       ][GSS         ][  4656]   PeerCAs: Not specified

[2015.11.10 15:48:18.445000][TRACE][disp+work.EXE       ][PSE         ][  4656] Searching own certificate ...

[2015.11.10 15:48:18.445000][TRACE][disp+work.EXE       ][PSE         ][  4656]       SUBJECTNAME=CN=SAPServicePG1@<DOMAIN>

[2015.11.10 15:48:18.445000][TRACE][disp+work.EXE       ][PSE         ][  4656]          KEYUSAGE=digitalSignature

[2015.11.10 15:48:18.445000][TRACE][disp+work.EXE       ][PSE         ][  4656]     Certificate tokpse:E:\usr\sap\PG1\DVEBMGS00\sec\SAPSNCS.pse (SKnew) is not suitable because of the following attribute

[2015.11.10 15:48:18.445000][TRACE][disp+work.EXE       ][PSE         ][  4656]       SUBJECTNAME=CN=SAPServicePG1@<DOMAIN>

[2015.11.10 15:48:18.445000][TRACE][disp+work.EXE       ][PSE         ][  4656]     Found 0 suitable certificates

[2015.11.10 15:48:18.445000][INFO ][disp+work.EXE       ][GSS         ][  4656] Srv-80000000: No own key found

[2015.11.10 15:48:18.445000][TRACE][disp+work.EXE       ][GSS         ][  4656] Srv-80000000:   Supported Versions [1]:

[2015.11.10 15:48:18.445000][TRACE][disp+work.EXE       ][GSS         ][  4656] Srv-80000000:     1.0

[2015.11.10 15:48:18.445000][TRACE][disp+work.EXE       ][GSS         ][  4656] Srv-80000000:   MACs for application data[2]:

[2015.11.10 15:48:18.445000][TRACE][disp+work.EXE       ][GSS         ][  4656] Srv-80000000:     client algs:

[2015.11.10 15:48:18.445000][TRACE][disp+work.EXE       ][GSS         ][  4656] Srv-80000000:       HMAC-SHA256

[2015.11.10 15:48:18.445000][TRACE][disp+work.EXE       ][GSS         ][  4656] Srv-80000000:       HMAC-SHA1

[2015.11.10 15:48:18.445000][TRACE][disp+work.EXE       ][GSS         ][  4656] Srv-80000000:     server alg: HMAC-SHA256

[2015.11.10 15:48:18.445000][TRACE][disp+work.EXE       ][GSS         ][  4656] Srv-80000000:     server alg: HMAC-SHA1

[2015.11.10 15:48:18.445000][TRACE][disp+work.EXE       ][GSS         ][  4656] Srv-80000000:     picked alg: HMAC-SHA256

[2015.11.10 15:48:18.445000][TRACE][disp+work.EXE       ][GSS         ][  4656] Srv-80000000:   ciphers for application data[3]:

[2015.11.10 15:48:18.445000][TRACE][disp+work.EXE       ][GSS         ][  4656] Srv-80000000:     client algs:

[2015.11.10 15:48:18.445000][TRACE][disp+work.EXE       ][GSS         ][  4656] Srv-80000000:       AES256

[2015.11.10 15:48:18.445000][TRACE][disp+work.EXE       ][GSS         ][  4656] Srv-80000000:       AES128

[2015.11.10 15:48:18.445000][TRACE][disp+work.EXE       ][GSS         ][  4656] Srv-80000000:       RC4

[2015.11.10 15:48:18.445000][TRACE][disp+work.EXE       ][GSS         ][  4656] Srv-80000000:     server alg: AES256

[2015.11.10 15:48:18.445000][TRACE][disp+work.EXE       ][GSS         ][  4656] Srv-80000000:     server alg: AES128

[2015.11.10 15:48:18.445000][TRACE][disp+work.EXE       ][GSS         ][  4656] Srv-80000000:     server alg: RC4

[2015.11.10 15:48:18.445000][TRACE][disp+work.EXE       ][GSS         ][  4656] Srv-80000000:     picked alg: AES256

[2015.11.10 15:48:18.445000][TRACE][disp+work.EXE       ][GSS         ][  4656] Srv-80000000:   Hashes for handshake MACs[2]:

[2015.11.10 15:48:18.445000][TRACE][disp+work.EXE       ][GSS         ][  4656] Srv-80000000:     client algs:

[2015.11.10 15:48:18.445000][TRACE][disp+work.EXE       ][GSS         ][  4656] Srv-80000000:       SHA256

[2015.11.10 15:48:18.445000][TRACE][disp+work.EXE       ][GSS         ][  4656] Srv-80000000:       SHA512

[2015.11.10 15:48:18.445000][TRACE][disp+work.EXE       ][GSS         ][  4656] Srv-80000000:     server alg: SHA256

[2015.11.10 15:48:18.445000][TRACE][disp+work.EXE       ][GSS         ][  4656] Srv-80000000:     server alg: SHA512

[2015.11.10 15:48:18.445000][TRACE][disp+work.EXE       ][GSS         ][  4656] Srv-80000000:     picked alg: SHA256

[2015.11.10 15:48:18.445000][TRACE][disp+work.EXE       ][GSS         ][  4656] Srv-80000000:   Pseudo random functions[2]:

[2015.11.10 15:48:18.445000][TRACE][disp+work.EXE       ][GSS         ][  4656] Srv-80000000:     client algs:

[2015.11.10 15:48:18.445000][TRACE][disp+work.EXE       ][GSS         ][  4656] Srv-80000000:       PHASH-SHA256

[2015.11.10 15:48:18.445000][TRACE][disp+work.EXE       ][GSS         ][  4656] Srv-80000000:       PHASH-SHA512

[2015.11.10 15:48:18.445000][TRACE][disp+work.EXE       ][GSS         ][  4656] Srv-80000000:     server alg: PHASH-SHA256

[2015.11.10 15:48:18.445000][TRACE][disp+work.EXE       ][GSS         ][  4656] Srv-80000000:     server alg: PHASH-SHA512

[2015.11.10 15:48:18.445000][TRACE][disp+work.EXE       ][GSS         ][  4656] Srv-80000000:     picked alg: PHASH-SHA256

[2015.11.10 15:48:18.445000][TRACE][disp+work.EXE       ][GSS         ][  4656] Srv-80000000:   Data encoding modes[2]:

[2015.11.10 15:48:18.445000][TRACE][disp+work.EXE       ][GSS         ][  4656] Srv-80000000:     client algs:

[2015.11.10 15:48:18.445000][TRACE][disp+work.EXE       ][GSS         ][  4656] Srv-80000000:       DataHeaderV1

[2015.11.10 15:48:18.445000][TRACE][disp+work.EXE       ][GSS         ][  4656] Srv-80000000:       NoDataHeader

[2015.11.10 15:48:18.445000][TRACE][disp+work.EXE       ][GSS         ][  4656] Srv-80000000:     server alg: DataHeaderV1

[2015.11.10 15:48:18.445000][TRACE][disp+work.EXE       ][GSS         ][  4656] Srv-80000000:     server alg: NoDataHeader

[2015.11.10 15:48:18.445000][TRACE][disp+work.EXE       ][GSS         ][  4656] Srv-80000000:     picked alg: DataHeaderV1

[2015.11.10 15:48:18.445000][TRACE][disp+work.EXE       ][GSS         ][  4656] Srv-80000000:   Key exchange modes[1]:

[2015.11.10 15:48:18.445000][TRACE][disp+work.EXE       ][GSS         ][  4656] Srv-80000000:     client algs:

[2015.11.10 15:48:18.445000][TRACE][disp+work.EXE       ][GSS         ][  4656] Srv-80000000:       kerberos

[2015.11.10 15:48:18.445000][TRACE][disp+work.EXE       ][GSS         ][  4656] Srv-80000000:     server algs:

[2015.11.10 15:48:18.445000][TRACE][disp+work.EXE       ][GSS         ][  4656] Srv-80000000:       kerberos

[2015.11.10 15:48:18.445000][TRACE][disp+work.EXE       ][GSS         ][  4656] Srv-80000000:     picked alg: kerberos

[2015.11.10 15:48:18.445000][INFO ][disp+work.EXE       ][GSS         ][  4656] Srv-80000000: <-- Msg ClientHello         process successful

[2015.11.10 15:48:18.445000][INFO ][disp+work.EXE       ][GSS         ][  4656] Srv-80000000: Verifying peer's Kerberos ticket

[2015.11.10 15:48:18.445000][ERROR][disp+work.EXE       ][Kerberos    ][  4656] ERROR(0xA2600204) in KERBEROS module. Function decryptTicket failed: Kerberos ticket decryption failed

[2015.11.10 15:48:18.445000][ERROR][disp+work.EXE       ][Kerberos    ][  4656] ERROR(0xA2600204) in KERBEROS module. Function sec_kerberos_serviceVerifyTicket failed: Kerberos ticket decryption failed

[2015.11.10 15:48:18.445000][ERROR][disp+work.EXE       ][Kerberos    ][  4656] Verifying ticket returned a2600204

[2015.11.10 15:48:18.445000][ERROR][disp+work.EXE       ][Kerberos    ][  4656] Ticket:

[2015.11.10 15:48:18.445000][ERROR][disp+work.EXE       ][Kerberos    ][  4656]   tkt_vno     :5

[2015.11.10 15:48:18.445000][ERROR][disp+work.EXE       ][Kerberos    ][  4656]   Realm       :<DOMAIN>

[2015.11.10 15:48:18.445000][ERROR][disp+work.EXE       ][Kerberos    ][  4656]   Principal name:

[2015.11.10 15:48:18.445000][ERROR][disp+work.EXE       ][Kerberos    ][  4656]     name_type   :2

[2015.11.10 15:48:18.445000][ERROR][disp+work.EXE       ][Kerberos    ][  4656]     Name:

[2015.11.10 15:48:18.445000][ERROR][disp+work.EXE       ][Kerberos    ][  4656]       element#no="1":SAP

[2015.11.10 15:48:18.445000][ERROR][disp+work.EXE       ][Kerberos    ][  4656]       element#no="2":SAPServicePG1

[2015.11.10 15:48:18.445000][ERROR][disp+work.EXE       ][Kerberos    ][  4656]   Encrypted part:

[2015.11.10 15:48:18.445000][ERROR][disp+work.EXE       ][Kerberos    ][  4656]     etype       :23

[2015.11.10 15:48:18.445000][ERROR][disp+work.EXE       ][Kerberos    ][  4656]     kvno        :3

[2015.11.10 15:48:18.445000][ERROR][disp+work.EXE       ][Kerberos    ][  4656]     Cipher       (size="1069" ):<Not displayed>

[2015.11.10 15:48:18.445000][ERROR][disp+work.EXE       ][Kerberos    ][  4656] global keyTab:

[2015.11.10 15:48:18.445000][ERROR][disp+work.EXE       ][Kerberos    ][  4656]   Realm       :<DOMAIN>

[2015.11.10 15:48:18.445000][ERROR][disp+work.EXE       ][Kerberos    ][  4656]   Component   :SAPServicePG1

[2015.11.10 15:48:18.445000][ERROR][disp+work.EXE       ][Kerberos    ][  4656]   Name type  

[2015.11.10 15:48:18.445000][ERROR][disp+work.EXE       ][Kerberos    ][  4656]   Time stamp  :1447160708

[2015.11.10 15:48:18.445000][ERROR][disp+work.EXE       ][Kerberos    ][  4656]   Version     :1

[2015.11.10 15:48:18.445000][ERROR][disp+work.EXE       ][Kerberos    ][  4656]   Key type    :1

[2015.11.10 15:48:18.445000][ERROR][disp+work.EXE       ][Kerberos    ][  4656]   Key length  :8

[2015.11.10 15:48:18.445000][ERROR][disp+work.EXE       ][Kerberos    ][  4656] global keyTab:

[2015.11.10 15:48:18.445000][ERROR][disp+work.EXE       ][Kerberos    ][  4656]   Realm       :<DOMAIN>

[2015.11.10 15:48:18.445000][ERROR][disp+work.EXE       ][Kerberos    ][  4656]   Component   :SAPServicePG1

[2015.11.10 15:48:18.445000][ERROR][disp+work.EXE       ][Kerberos    ][  4656]   Name type  

[2015.11.10 15:48:18.445000][ERROR][disp+work.EXE       ][Kerberos    ][  4656]   Time stamp  :1447160708

[2015.11.10 15:48:18.445000][ERROR][disp+work.EXE       ][Kerberos    ][  4656]   Version     :1

[2015.11.10 15:48:18.445000][ERROR][disp+work.EXE       ][Kerberos    ][  4656]   Key type    :3

[2015.11.10 15:48:18.445000][ERROR][disp+work.EXE       ][Kerberos    ][  4656]   Key length  :8

[2015.11.10 15:48:18.445000][ERROR][disp+work.EXE       ][Kerberos    ][  4656] global keyTab:

[2015.11.10 15:48:18.445000][ERROR][disp+work.EXE       ][Kerberos    ][  4656]   Realm       :<DOMAIN>

[2015.11.10 15:48:18.445000][ERROR][disp+work.EXE       ][Kerberos    ][  4656]   Component   :SAPServicePG1

[2015.11.10 15:48:18.445000][ERROR][disp+work.EXE       ][Kerberos    ][  4656]   Name type  

[2015.11.10 15:48:18.445000][ERROR][disp+work.EXE       ][Kerberos    ][  4656]   Time stamp  :1447160708

[2015.11.10 15:48:18.445000][ERROR][disp+work.EXE       ][Kerberos    ][  4656]   Version     :1

[2015.11.10 15:48:18.445000][ERROR][disp+work.EXE       ][Kerberos    ][  4656]   Key type    :17

[2015.11.10 15:48:18.445000][ERROR][disp+work.EXE       ][Kerberos    ][  4656]   Key length  :16

[2015.11.10 15:48:18.445000][ERROR][disp+work.EXE       ][Kerberos    ][  4656] global keyTab:

[2015.11.10 15:48:18.445000][ERROR][disp+work.EXE       ][Kerberos    ][  4656]   Realm       :<DOMAIN>

[2015.11.10 15:48:18.445000][ERROR][disp+work.EXE       ][Kerberos    ][  4656]   Component   :SAPServicePG1

[2015.11.10 15:48:18.445000][ERROR][disp+work.EXE       ][Kerberos    ][  4656]   Name type  

[2015.11.10 15:48:18.445000][ERROR][disp+work.EXE       ][Kerberos    ][  4656]   Time stamp  :1447160708

[2015.11.10 15:48:18.445000][ERROR][disp+work.EXE       ][Kerberos    ][  4656]   Version     :1

[2015.11.10 15:48:18.445000][ERROR][disp+work.EXE       ][Kerberos    ][  4656]   Key type    :18

[2015.11.10 15:48:18.445000][ERROR][disp+work.EXE       ][Kerberos    ][  4656]   Key length  :32

[2015.11.10 15:48:18.445000][ERROR][disp+work.EXE       ][Kerberos    ][  4656] global keyTab:

[2015.11.10 15:48:18.445000][ERROR][disp+work.EXE       ][Kerberos    ][  4656]   Realm       :<DOMAIN>

[2015.11.10 15:48:18.445000][ERROR][disp+work.EXE       ][Kerberos    ][  4656]   Component   :SAPServicePG1

[2015.11.10 15:48:18.445000][ERROR][disp+work.EXE       ][Kerberos    ][  4656]   Name type  

[2015.11.10 15:48:18.445000][ERROR][disp+work.EXE       ][Kerberos    ][  4656]   Time stamp  :1447160708

[2015.11.10 15:48:18.445000][ERROR][disp+work.EXE       ][Kerberos    ][  4656]   Version     :1

[2015.11.10 15:48:18.445000][ERROR][disp+work.EXE       ][Kerberos    ][  4656]   Key type    :23

[2015.11.10 15:48:18.445000][ERROR][disp+work.EXE       ][Kerberos    ][  4656]   Key length  :16

[2015.11.10 15:48:18.445000][ERROR][disp+work.EXE       ][Kerberos    ][  4656] global keyTab:

[2015.11.10 15:48:18.445000][ERROR][disp+work.EXE       ][Kerberos    ][  4656]   Realm       :<DOMAIN>

[2015.11.10 15:48:18.445000][ERROR][disp+work.EXE       ][Kerberos    ][  4656]   Component   :SAPServicePG1

[2015.11.10 15:48:18.445000][ERROR][disp+work.EXE       ][Kerberos    ][  4656]   Name type  

[2015.11.10 15:48:18.445000][ERROR][disp+work.EXE       ][Kerberos    ][  4656]   Time stamp  :1447160708

[2015.11.10 15:48:18.445000][ERROR][disp+work.EXE       ][Kerberos    ][  4656]   Version     :1

[2015.11.10 15:48:18.445000][ERROR][disp+work.EXE       ][Kerberos    ][  4656]   Key type    :24

[2015.11.10 15:48:18.445000][ERROR][disp+work.EXE       ][Kerberos    ][  4656]   Key length  :16

[2015.11.10 15:48:18.445000][ERROR][disp+work.EXE       ][Kerberos    ][  4656] ERROR(0xA2600204) in KERBEROS module. Function decryptTicket failed: Kerberos ticket decryption failed

[2015.11.10 15:48:18.445000][ERROR][disp+work.EXE       ][Kerberos    ][  4656] ERROR(0xA2600204) in KERBEROS module. Function sec_kerberos_serviceVerifyTicket failed: Kerberos ticket decryption failed

[2015.11.10 15:48:18.445000][ERROR][disp+work.EXE       ][Kerberos    ][  4656] Verifying ticket returned a2600204

[2015.11.10 15:48:18.445000][ERROR][disp+work.EXE       ][Kerberos    ][  4656] Ticket:

[2015.11.10 15:48:18.445000][ERROR][disp+work.EXE       ][Kerberos    ][  4656]   tkt_vno     :5

[2015.11.10 15:48:18.445000][ERROR][disp+work.EXE       ][Kerberos    ][  4656]   Realm       :<DOMAIN>

[2015.11.10 15:48:18.445000][ERROR][disp+work.EXE       ][Kerberos    ][  4656]   Principal name:

[2015.11.10 15:48:18.445000][ERROR][disp+work.EXE       ][Kerberos    ][  4656]     name_type   :2

[2015.11.10 15:48:18.445000][ERROR][disp+work.EXE       ][Kerberos    ][  4656]     Name:

[2015.11.10 15:48:18.445000][ERROR][disp+work.EXE       ][Kerberos    ][  4656]       element#no="1":SAP

[2015.11.10 15:48:18.445000][ERROR][disp+work.EXE       ][Kerberos    ][  4656]       element#no="2":SAPServicePG1

[2015.11.10 15:48:18.445000][ERROR][disp+work.EXE       ][Kerberos    ][  4656]   Encrypted part:

[2015.11.10 15:48:18.445000][ERROR][disp+work.EXE       ][Kerberos    ][  4656]     etype       :23

[2015.11.10 15:48:18.445000][ERROR][disp+work.EXE       ][Kerberos    ][  4656]     kvno        :3

[2015.11.10 15:48:18.445000][ERROR][disp+work.EXE       ][Kerberos    ][  4656]     Cipher       (size="1069" ):<Not displayed>

[2015.11.10 15:48:18.445000][ERROR][disp+work.EXE       ][Kerberos    ][  4656] supplied keyTab:

[2015.11.10 15:48:18.445000][ERROR][disp+work.EXE       ][Kerberos    ][  4656]   Realm       :<DOMAIN>

[2015.11.10 15:48:18.445000][ERROR][disp+work.EXE       ][Kerberos    ][  4656]   Component   :SAPServicePG1

[2015.11.10 15:48:18.445000][ERROR][disp+work.EXE       ][Kerberos    ][  4656]   Name type  

[2015.11.10 15:48:18.445000][ERROR][disp+work.EXE       ][Kerberos    ][  4656]   Time stamp  :1447160340

[2015.11.10 15:48:18.445000][ERROR][disp+work.EXE       ][Kerberos    ][  4656]   Version     :1

[2015.11.10 15:48:18.445000][ERROR][disp+work.EXE       ][Kerberos    ][  4656]   Key type    :3

[2015.11.10 15:48:18.445000][ERROR][disp+work.EXE       ][Kerberos    ][  4656]   Key length  :8

[2015.11.10 15:48:18.445000][ERROR][disp+work.EXE       ][Kerberos    ][  4656] supplied keyTab:

[2015.11.10 15:48:18.445000][ERROR][disp+work.EXE       ][Kerberos    ][  4656]   Realm       :<DOMAIN>

[2015.11.10 15:48:18.445000][ERROR][disp+work.EXE       ][Kerberos    ][  4656]   Component   :SAPServicePG1

[2015.11.10 15:48:18.445000][ERROR][disp+work.EXE       ][Kerberos    ][  4656]   Name type  

[2015.11.10 15:48:18.445000][ERROR][disp+work.EXE       ][Kerberos    ][  4656]   Time stamp  :1447160340

[2015.11.10 15:48:18.445000][ERROR][disp+work.EXE       ][Kerberos    ][  4656]   Version     :1

[2015.11.10 15:48:18.445000][ERROR][disp+work.EXE       ][Kerberos    ][  4656]   Key type    :17

[2015.11.10 15:48:18.445000][ERROR][disp+work.EXE       ][Kerberos    ][  4656]   Key length  :16

[2015.11.10 15:48:18.445000][ERROR][disp+work.EXE       ][Kerberos    ][  4656] supplied keyTab:

[2015.11.10 15:48:18.445000][ERROR][disp+work.EXE       ][Kerberos    ][  4656]   Realm       :<DOMAIN>

[2015.11.10 15:48:18.445000][ERROR][disp+work.EXE       ][Kerberos    ][  4656]   Component   :SAPServicePG1

[2015.11.10 15:48:18.445000][ERROR][disp+work.EXE       ][Kerberos    ][  4656]   Name type  

[2015.11.10 15:48:18.445000][ERROR][disp+work.EXE       ][Kerberos    ][  4656]   Time stamp  :1447160340

[2015.11.10 15:48:18.445000][ERROR][disp+work.EXE       ][Kerberos    ][  4656]   Version     :1

[2015.11.10 15:48:18.445000][ERROR][disp+work.EXE       ][Kerberos    ][  4656]   Key type    :18

[2015.11.10 15:48:18.445000][ERROR][disp+work.EXE       ][Kerberos    ][  4656]   Key length  :32

[2015.11.10 15:48:18.445000][ERROR][disp+work.EXE       ][Kerberos    ][  4656] supplied keyTab:

[2015.11.10 15:48:18.445000][ERROR][disp+work.EXE       ][Kerberos    ][  4656]   Realm       :<DOMAIN>

[2015.11.10 15:48:18.445000][ERROR][disp+work.EXE       ][Kerberos    ][  4656]   Component   :SAPServicePG1

[2015.11.10 15:48:18.445000][ERROR][disp+work.EXE       ][Kerberos    ][  4656]   Name type  

[2015.11.10 15:48:18.445000][ERROR][disp+work.EXE       ][Kerberos    ][  4656]   Time stamp  :1447160340

[2015.11.10 15:48:18.445000][ERROR][disp+work.EXE       ][Kerberos    ][  4656]   Version     :1

[2015.11.10 15:48:18.445000][ERROR][disp+work.EXE       ][Kerberos    ][  4656]   Key type    :23

[2015.11.10 15:48:18.445000][ERROR][disp+work.EXE       ][Kerberos    ][  4656]   Key length  :16

[2015.11.10 15:48:18.445000][ERROR][disp+work.EXE       ][GSS         ][  4656] Srv-80000000: Kerberos ticket verification failed with global keyTab configured in SPNEGO

[2015.11.10 15:48:18.445000][ERROR][disp+work.EXE       ][GSS         ][  4656] Srv-80000000: Error verifying kerberos ticket

[2015.11.10 15:48:18.445000][ERROR][disp+work.EXE       ][GSS         ][  4656] Srv-80000000: <-- Msg KeyExchangeKey      process failed : errval=d0000, minor_status=a2200217

[2015.11.10 15:48:18.445000][INFO ][disp+work.EXE       ][GSS         ][  4656] Srv-80000000: --> Msg Alert               create  successful

The klist command output:

Former Member
0 Kudos

Hi André,

The verification of the keytab you created using the transaction spnego failed. Please go to the transaction spnego, select the UPN, open the tab SPN and check if all SPNs are green. If not, delete the keytab and recreate it with the right password. If this issue still exists, please open a ticket; you will have the help you need faster.

KR

Valerie

Former Member
0 Kudos

I have checked it but nothing appears; however, I also checked in my successful Single Sign-On configuration and nothing appears there either. So I assume that this error has nothing to do with SPNEGO, because I deleted the UPN from the successful configuration and it still works.

One question:

If my Active Directory is a Windows 7 environment instead of a Windows Server, do I need to do some different configurations?

Former Member
0 Kudos

Hi André,

You should open a ticket.

KR

Valerie

Former Member
0 Kudos

Did you manage to resolve your problem?

0 Kudos

Hi André,

How did you configure the snc info of the server in your SAP Logon GUI? You should enter p:CN=<SPN>@<domain name> instead of the p:CN=<service user name>@<Domain name>. So in your case it should be p:CN=SAP/SAPServicePG1@<domain name>.

Please try.

Cheers

Xuan

Former Member
0 Kudos

Hi,

Please check if the cred_v2 is accessible for both users SIDADM and SAPServerSID.

sapgenpse seclogin -l -O <USERID>

The specific PSE must be readable for at least SAPServiceSID.

If this won't help then please post the dev_w1 trace together with

sapgenpse get_my_name -p SAPSNCSKERB.pse

and

setspn -L <USERID>

greetings

Oliver

Former Member
0 Kudos

I executed the command sapgenpse get_my_name -p SAPSNCSKERB.pse and the output was the following:

What could it be? Some inconsistency between the password used in the keytab and in AD? Some problem in the STRUST PSE?

The commands I executed to create the SAPSNCSKERB.pse and cred_v2 were the following:

set SECUDIR=E:\usr\sap\PG1\DEVBMGS00\sec

sapgenpse keytab -p SAPSNCSKERB.pse -a SAPServicePG1@<DOMAIN>

sapgenpse seclogin -p SAPSNCSKERB.pse -O SNL\SAPServicePG1 -N

(I checked to be sure that my service user is SNL\SAPServicePG1, since the last configuration I did I had a problem with that)

Former Member
0 Kudos

Hi you have to set the SECUDIR variable to ...\usr\sap\SID\DV..\sec

Former Member
0 Kudos

Sorry it was a typing error here.

I have checked through command sapgenpse and the Environment variable SECUDIR is defined to "E:\usr\sap\PG1\DVEBMGS00\sec"

Former Member
0 Kudos

ok when it is set then you should be able to execute the commands

sapgenpse get_my_name -p SAPSNCSKERB.pse

and

setspn -L SAPServicePG1

Former Member
0 Kudos

This is the output of the commands:

Former Member
0 Kudos

Hi, normally I would say that the SAPSNCSKERB.pse is located in the sec folder.

And due to setspn the parameter should look like

snc/identity/as = p:CN=SAP/SAPServicePG1

Former Member
0 Kudos

I have checked and SAPSNCSKERB.pse is located in sec folder.

In the instance profile my snc/identity/as is p:CN=SAPServicePG1@<DOMAIN>, I am going to try the p:CN=SAP/SAPServicePG1

Former Member
0 Kudos

Dear André,

Your snc/identity/as is correct. The error you get is related to the client ticket verification on server side.

There can be different reasons why:

- The password of the Service Account used to create the keytab is wrong.

- The UPN used to create the keytab must be like loginID@DOMAIN, where the logon ID is case sensitive and the domain is in upper case and there is an error on how you create the keytab.

- The Client sent a ticket encrypted with an alg. not available in the keytab like RC4 and the keytab has been created for AES.

- ..

Please create a ticket with the component BC-IAM-SL and attach the server and client traces, not only the client.

KR


Valerie
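The causes listed above can be narrowed down from the server trace posted earlier in the thread. The following is an added example, not part of the thread or of any SAP tool: it parses the "Ticket:" and "global/supplied keyTab:" dumps and checks whether the keytab holds a key of the ticket's etype. The function names (`parse_trace`, `diagnose`, `build_trace`) are hypothetical, and the sample trace is constructed from the field values shown in that trace.

```python
import re

# Kerberos encryption type numbers (RFC 3961, RFC 3962, RFC 4757).
ETYPES = {1: "des-cbc-crc", 3: "des-cbc-md5", 17: "aes128-cts-hmac-sha1-96",
          18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac", 24: "rc4-hmac-exp"}

PREFIX = re.compile(r"^(?:\[[^\]]*\])+\s*")    # [time][level][process][module][pid]
FIELD = re.compile(r"^([^:]+?)\s*:\s*(.*)$")   # e.g. "Key type    :23"
KEYTAB = re.compile(r"^(global|supplied) keyTab:$")


def parse_trace(text):
    """Return (ticket, keytabs, failed) from a server trace in the thread's layout."""
    ticket, keytabs, entry, section, failed = {"name": []}, {}, None, None, False
    for raw in text.splitlines():
        body = PREFIX.sub("", raw).strip()
        if "ticket decryption failed" in body:
            failed = True
        if body == "Ticket:":
            # The ticket is dumped once per verification attempt; keep the last dump.
            ticket, section = {"name": []}, "ticket"
            continue
        m = KEYTAB.match(body)
        if m:
            entry, section = {}, "keytab"
            keytabs.setdefault(m.group(1), []).append(entry)
            continue
        m = FIELD.match(body)
        if not m:
            continue
        key, val = m.group(1), m.group(2)
        if section == "ticket":
            if key in ("etype", "kvno"):
                ticket[key] = int(val)
            elif key.startswith("element#no"):
                ticket["name"].append(val)
        elif section == "keytab":
            if key == "Key type":
                entry["etype"] = int(val)
            elif key == "Version":
                entry["version"] = int(val)
    return ticket, keytabs, failed


def diagnose(text):
    """Compare the ticket's etype with the key types present in each keytab."""
    ticket, keytabs, failed = parse_trace(text)
    etype = ticket.get("etype")
    report = {
        "spn": "/".join(ticket["name"]),
        "ticket_etype": ETYPES.get(etype, str(etype)),
        "ticket_kvno": ticket.get("kvno"),   # reported only; not used for the finding
        "keytabs": {src: {"etypes": sorted(e["etype"] for e in ents if "etype" in e),
                          "versions": sorted({e["version"] for e in ents if "version" in e})}
                    for src, ents in keytabs.items()},
    }
    if not failed:
        report["finding"] = "no-decryption-failure"
    elif not keytabs:
        report["finding"] = "no-keytab-dumped"
    elif any(etype not in k["etypes"] for k in report["keytabs"].values()):
        # A keytab lacks the algorithm the KDC used for the service ticket.
        report["finding"] = "etype-missing"
    else:
        # A key of the right type exists but does not decrypt the ticket: the key
        # material (derived from password and principal name) differs from the KDC's.
        report["finding"] = "key-mismatch"
    return report


LINE = "[2015.11.10 15:48:18.445000][ERROR][disp+work.EXE       ][Kerberos    ][  4656] "


def build_trace(ticket_etype, kvno, keytabs):
    """Construct sample trace text in the layout posted in the thread (not a real log)."""
    body = ["ERROR(0xA2600204) in KERBEROS module. Function decryptTicket failed: "
            "Kerberos ticket decryption failed",
            "Ticket:", "  tkt_vno     :5", "  Realm       :<DOMAIN>", "  Principal name:",
            "    name_type   :2", "    Name:", '      element#no="1":SAP',
            '      element#no="2":SAPServicePG1', "  Encrypted part:",
            f"    etype       :{ticket_etype}", f"    kvno        :{kvno}"]
    for source, keys in keytabs.items():
        for etype, length in keys:
            body += [f"{source} keyTab:", "  Realm       :<DOMAIN>",
                     "  Component   :SAPServicePG1", "  Name type  ", "  Version     :1",
                     f"  Key type    :{etype}", f"  Key length  :{length}"]
    return "\n".join(LINE + b for b in body)


# Constructed sample using the etype, kvno and key types shown in the posted trace.
SAMPLE_TRACE = build_trace(23, 3, {
    "global": [(1, 8), (3, 8), (17, 16), (18, 32), (23, 16), (24, 16)],
    "supplied": [(3, 8), (17, 16), (18, 32), (23, 16)],
})

if __name__ == "__main__":
    for field, value in diagnose(SAMPLE_TRACE).items():
        print(f"{field}: {value}")
```

A `key-mismatch` finding corresponds to the first two causes in the list (password or UPN used when creating the keytab); `etype-missing` corresponds to the third.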

Former Member
0 Kudos

Which is the server trace I should see?

How can I confirm the ticket encrypt used, in order to correct it?

One question:

1. The User Principal Account (UPN) is the user I created in the Active Directory or is it the Service Account?

The user I defined in Active Directory is SAPServicePG1 and my System User is SNL\SAPServicePG1.



The commands I used to create Keytab are the following:

set SECUDIR=E:\usr\sap\PG1\DVEBMGS00\sec

sapgenpse keytab -p SAPSNCSKERB.pse -a SAPServicePG1@<DOMAIN>

(Here I used the password that was defined when I created the SAPServicePG1 user in the Active Directory. Also here, I defined the password for the SAPSNCSKERB.pse)

sapgenpse seclogin -p SAPSNCSKERB.pse -O SNL\SAPServicePG1 -N

Former Member
0 Kudos

Dear André,

Please open a ticket. Server traces can be configured as described in the SAP Note 1848999 in the troubleshooting part if you are using the CCL, or, if you are using SLL, in the Secure Login implementation guide chapter 4.6.1.

KR

Valerie

Former Member
0 Kudos

The traces in the Secure Login Client of the error I originally posted are the following:

[2015.11.06 12:41:41.899000][TRACE][saplogon.exe][SAPCRYPTOLIB][  6072] { gss_init_sec_context

[2015.11.06 12:41:41.899000][INFO][saplogon.exe][GSS][  6072] Cli-40000000: Received alert code A2210217

[2015.11.06 12:41:41.899000][ERROR][saplogon.exe][GSS][  6072] Cli-40000000: Alert

[2015.11.06 12:41:41.899000][ERROR][saplogon.exe][GSS][  6072] Cli-40000000: <-- Msg Alert process failed : errval=d0000, minor_status=a2210217

[2015.11.06 12:41:41.899000][TRACE][saplogon.exe][GSS][  6072] Sending finish to PSE('NULL','NULL')

I have tested with "PG1\DVEBMGS00\exe\sapcrypto.dll" however it gives me the same error. I have already configured it in the SAP development server environment and followed in this new configuration the exact same steps (obviously adapting the domain, SAPService..).

LutzR
Active Contributor
0 Kudos

Hi André,

this very much looks like something is wrong with your cred_v2 file content.

Did you already check troubleshooting note http://service.sap.com/sap/support/notes/1525059 ?

Regards, Lutz

Former Member
0 Kudos

Hi Lutz,

How can I verify the following steps?

  • the environment variable SECUDIR is correctly set for the active user

This step is confirmed from the output of sapgenpse which I posted above.

  • the container file for credentials (named 'cred_v2') is found in the directory indicated by SECUDIR

How can I confirm this step? (Just need to go to the directory of <path_location>\sec and confirm if there exists any cred_v2 file? If that is the case then I checked it and the file exists)

  • a readable credential exists for the active user for the PSE in question

Here I checked the RSBDCOS0 (t-code SE38) and executed the command sapgenpse seclogin -l 2>&1 the output was the following:

former_member200373
Participant
0 Kudos

André,

it's recommended to use CommonCryptoLib "PG1\DVEBMGS00\exe\sapcrypto.dll" as part of the ABAP Kernel instead of the legacy stand-alone Secure Login Library "\SLL\sapcrypto.dll".

So you should update your CCL version (current one is 8.4.44) and change your profile accordingly.

Then you may turn on CCL traces (see SAP Note 1848999 for details) and check the resulting output for your work process (i.e. in sec-dev_w*.trc).

Same on user side: In Secure Login Client (current version is 2.0 SP06), turn on traces in File > Options.

But please open a ticket to upload such trace information.

-- Stephan