on 12-02-2015 11:45 AM
Hi, I am trying to configure Single Sign-On based on Kerberos/SPNEGO. I have already successfully configured it on other servers; however, on this one I am not able to succeed.
The error I am getting in dev_w0 is the following:
N SncInit(): Initializing Secure Network Communication (SNC)
N PC with Windows NT (mt,ascii,SAP_UC/size_t/void* = 8/64/64)
N GetUserName()="SAPServiceSH1" NetWkstaUser="SAPServiceSH1"
N SncInit(): found snc/data_protection/max=3, using 3 (Privacy Level)
N SncInit(): found snc/data_protection/min=2, using 2 (Integrity Level)
N SncInit(): found snc/data_protection/use=3, using 3 (Privacy Level)
N SncInit(): found snc/gssapi_lib=F:\usr\sap\SH1\DVEBMGS01\SLL\sapcrypto.dll
N File "F:\usr\sap\SH1\DVEBMGS01\SLL\sapcrypto.dll" dynamically loaded as GSS-API v2 library.
N SECUDIR="C:\Users\sapservicesh1.SNL\AppData\Local\sec" (from APPDATA)
N The internal Adapter for the loaded GSS-API mechanism identifies as:
N Internal SNC-Adapter (Rev 1.1) to CommonCryptoLib
N Product Version = CommonCryptoLib (SAPCRYPTOLIB) Version 8.4.42 pl40 (Sep 24 2015) MT-safe
N SncInit(): found snc/identity/as=p:CN=SL-ABAP-SH1@<DOMAIN>
N *** ERROR => SncPAcquireCred()==SNCERR_GSSAPI [D:/depot/bas/74 1445]
N GSS-API(maj): No credentials were supplied
N Could't acquire ACCEPTING credentials for
N
N name="p:CN=SL-ABAP-SH1@<DOMAIN>"
N FATAL SNCERROR -- Accepting Credentials not available!
N (debug hint: default acceptor = "p:CN=DummyCredential")
N <<- SncInit()==SNCERR_GSSAPI
N sec_avail = "false"
M ***LOG R19=> ThSncInit, SncInitU ( SNC-000004) [thxxsnc.c 271]
M *** ERROR => ThSncInit: SncInitU (SNCERR_GSSAPI) [thxxsnc.c 273]
M in_ThErrHandle: 1
M *** ERROR => SncInitU (step TH_INIT, thRc ERROR-SNC-OTHER ERROR IN SNC LAYER, action STOP_WP, level 1) [thxxhead.c 2393]
Note: Where <DOMAIN> appears, I replaced it with the correct domain.
Possible solution:
How can I permanently set SECUDIR to F:\usr\sap\SH1\DVEBMGS01\sec instead of C:\Users\sapservicesh1.SNL\AppData\Local\sec?
I have executed the following commands:
1. set SECUDIR=F:\usr\sap\SH1\DVEBMGS01\sec
2. sapgenpse keytab -p SAPSNCSKERB.pse -a SL-ABAP-SH1@<DOMAIN>
3. sapgenpse seclogin -p SAPSNCSKERB.pse -O snl\SAPServiceSH1 -N
Profile Parameters:
snc/enable=1
snc/gssapi_lib=F:\usr\sap\SH1\DVEBMGS01\SLL\sapcrypto.dll
snc/identity/as= p:CN=SL-ABAP-SH1@<DOMAIN>
snc/data_protection/min=2
snc/data_protection/max=3
snc/data_protection/use=3
snc/accept_insecure_gui=1
snc/accept_insecure_rfc=1
snc/accept_insecure_cpic=1
snc/permit_insecure_start=1
snc/r3int_rfc_qop=8
snc/r3int_rfc_secure=0
snc/force_login_screen=0
spnego/enable=1
spnego/krbspnego_lib= F:\usr\sap\SH1\DVEBMGS01\SLL\sapcrypto.dll
SAPCRYPTOLIB= F:\usr\sap\SH1\DVEBMGS01\SLL\sapcrypto.dll
Information:
Command sapgenpse:
Command sapgenpse seclogin -l
Checked the RSBDCOS0 (t-code SE38) and executed the command sapgenpse seclogin -l 2>&1
Command setspn -L SL-ABAP-SH1
Command klist
Hello Andre,
Have your other servers where you have done it also been Windows servers?
Anyway, open a command window as sh1adm and run the "set" command. This will confirm if SECUDIR is set properly/permanently.
For Windows you do have to set it permanently in the Windows user environment.
Hope that helps.
KR,
Amerjit
Hi Andre,
It's a bit odd that it's not working as you expect on this machine if you have already set it up as per your other Windows systems.
When you ran SET from a cmd prompt, I guess you didn't find SECUDIR in the output?
Wherever you have defined user sh1adm you will set it there in the user environment.
I'm not in front of a Windows Server machine but this is how you'd go about it on Windows Desktop machines.
Logged on as sh1adm:
Open file explorer.
Right Click on Computer
Select properties
Advanced System Settings
Environment Variables
On the following screen you can set system wide or user specific environment variables. Set SECUDIR just for the user (you can use %variable% if you want).
Hope it helps.
KR,
Amerjit
I didn't understand your question of "When you ran SET from a cmd prompt, I guess you didn't find SECUDIR in the output ?"
The commands I ran are these:
1. set SECUDIR=F:\usr\sap\SH1\DVEBMGS01\sec
2. sapgenpse keytab -p SAPSNCSKERB.pse -a SL-ABAP-SH1@<DOMAIN>
3. sapgenpse seclogin -p SAPSNCSKERB.pse -O snl\SAPServiceSH1 -N
The output where we can see that the environmental variable is defined is below:
It could be confirmed also in RZ11 and SECUDIR parameter:
I have never defined the environment variable in the Windows environment, and I have also checked the configurations where I succeeded and there is nothing related to SECUDIR or SNC_LIB. However, I can try to do it. Which variable should I add in the Environment Variables?
One question:
I think my problem is with the user I am logging on to the server with. I have checked in the AD and the user sh1adm is not created there. Could that be the problem? For my successful configurations the users are created in AD, like dg1adm, qg1adm etc...
Hello André,
1. Have you cross checked as per the suggestion of
You must make sure that the SETENV_05 is unique (no other SETENV_05 entries) and that there are no other entries trying to set SECUDIR.
2. Please run the following commands from RSBDCOS0 when logged on to SH1 and check what is returned for SECUDIR. Please also do this in a system where you have SNC working properly and compare the results.
Run: SET
Run: sapcontrol -nr 01 -function GetEnvironment
3. Please see the following OSS notes that will help you with environment setting.
1827566 - How to set environment variables for SAP system?
31559 - Setting/changing environment variables
800240 - FAQ: SAP Cryptographic Library error analysis (App. Server)
Kind Regards,
Amerjit
Hi André
Does the ABAP system have the SETENV, SECUDIR parameter set within the instance profile?
i.e. SETENV_05 = SECUDIR=$(DIR_INSTANCE)/sec
Rgrds
Craig
Hi Craig,
I have those parameters already set, but it doesn't work.
In the trace file dev_w0, is it normal that this appears?
N File "F:\usr\sap\SH1\DVEBMGS01\SLL\sapcrypto.dll" dynamically loaded as GSS-API v2 library.
N SECUDIR="C:\Users\sapservicesh1.SNL\AppData\Local\sec" (from APPDATA)
Instead of "C:\Users\sapservicesh1.SNL\AppData\Local\sec", in my case should it not be "F:\usr\sap\SH1\DVEBMGS01\sec"?
Another question:
Which name should my SNC SAPCRYPTOLIB PSE generated in STRUST have when I create it?
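
The two checks discussed in this thread (that the SETENV_nn entry setting SECUDIR is unique in the instance profile, and which SECUDIR the work process actually reports in dev_w0) can be automated. The script below is an added example, not code from any poster or from SAP; the function names, the sample profile and the simple `$(DIR_INSTANCE)` substitution are assumptions made for illustration.

```python
import re
from collections import Counter

# Constructed sample inputs modelled on the thread; not copied from real files.
DIR_INSTANCE = r"F:\usr\sap\SH1\DVEBMGS01"
SAMPLE_PROFILE = """\
SETENV_04 = PATH=$(DIR_EXECUTABLE);%PATH%
SETENV_05 = SECUDIR=$(DIR_INSTANCE)/sec
SETENV_05 = NLSPATH=$(DIR_EXECUTABLE)
"""
SAMPLE_TRACE = r'N SECUDIR="C:\Users\sapservicesh1.SNL\AppData\Local\sec" (from APPDATA)'

# SETENV_nn = VAR=value lines in an instance profile
SETENV_RE = re.compile(r"^[ \t]*(SETENV_\d+)[ \t]*=[ \t]*(\w+)=(.*?)[ \t]*$", re.M)
# The SECUDIR line the SNC layer writes to dev_w0, with its stated source
TRACE_RE = re.compile(r'SECUDIR="([^"]+)"\s*\(from ([^)]+)\)')

def norm(path):
    # Windows paths: compare case-insensitively and ignore slash direction
    return path.replace("/", "\\").rstrip("\\").lower()

def audit(profile_text, trace_text, dir_instance):
    """Return a list of findings; an empty list means both checks passed."""
    findings = []
    entries = SETENV_RE.findall(profile_text)
    # Check 1: every SETENV_nn index must be unique (advice given in the thread)
    for key, count in Counter(k for k, _, _ in entries).items():
        if count > 1:
            findings.append(f"duplicate index {key} ({count} entries)")
    # Check 2: exactly one entry may set SECUDIR
    setters = [value for _, var, value in entries if var.upper() == "SECUDIR"]
    if len(setters) != 1:
        findings.append(f"expected exactly one SECUDIR setter, found {len(setters)}")
    expected = setters[-1].replace("$(DIR_INSTANCE)", dir_instance) if setters else None
    # Check 3: the directory reported in the trace must match the profile
    match = TRACE_RE.search(trace_text)
    if match is None:
        findings.append("no SECUDIR line in trace")
    elif expected and norm(match.group(1)) != norm(expected):
        findings.append(f"trace uses {match.group(1)} (from {match.group(2)}), "
                        f"profile expects {expected}")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_PROFILE, SAMPLE_TRACE, DIR_INSTANCE):
        print("FINDING:", finding)
```

Run against the real instance profile and dev_w0 on both the failing system and a working one; differing findings point at the environment setting to fix.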