SNCWIZARD without SPNego

jmoors
Active Contributor
0 Kudos

Hi,

I've used the SNCWIZARD to configure SNC SSO via the Secure logon client, and used SPNego to configure the keytab, however we don't want to enable SPNego via HTTP.

Does anyone know if it is possible to disable SPNego (via RZ10 parameter) but still use the SPNEGO transaction to maintain the keytab, or do we need to create a separate SAPSNCSKERB.pse file?

Many thanks,

Jason

Accepted Solutions (1)

donka_dimitrova
Contributor
0 Kudos

Hello Jason,

You will not be able to use the transaction to configure the keytab for SNC if SPNego is disabled.

Regards,

Donka Dimitrova

WolfgangJanzen
Product and Topic Expert
0 Kudos

Well, actually it's the other way round:
If you use t-code SPNEGO to create a keytab, then SPNego will be activated.
So, if you do not like SPNego to be activated, you must not use t-code SPNEGO to create a keytab.

That's actually independent of the SNC library - in order to be able to use SPNego you have to use a(ny) Kerberos-based SNC library, however (since SPNego and SNC are sharing the same mappings). The t-code SNCWIZARD, however, will only work when using the CommonCryptoLib as SNC library.

WolfgangJanzen
Product and Topic Expert
0 Kudos

This has changed (recently) - see SAP Note 2287976, providing a solution.

Former Member
0 Kudos

Donka,

In one of our systems SPNEGO is enabled and we are still unable to store the keytab values in the SPNEGO tcode; the values are lost after saving them in the SPNEGO transaction.

Thanks,

Bharathi

donka_dimitrova
Contributor
0 Kudos

Hello Bharathi,

Please, create a CSS ticket and describe the problem.

Regards,

Donka

Former Member
0 Kudos

Hi Donka,

Can you please help me with the discussion below? Error in SSO with Kerberos SNCWIZARD method.

http://scn.sap.com/thread/3958917

Regards,

Answers (1)

LutzR
Active Contributor
0 Kudos

Hi Jason, I had exactly the same request and received the same answer. Could we join to request a change?

Regards,

Lutz

WolfgangJanzen
Product and Topic Expert
0 Kudos

The solution described in the Help Portal is the official solution:
By using a file-based keytab storage (SAPSNCSKERB.pse) instead of the DB-based keytab storage (using ABAP t-code SPNEGO) you achieve what you intend: the file-based keytab will only be utilized for SNC but not for SPNego.

The SNCWIZARD was designed for enabling the full SSO offering: SNC and SPNego.
But you are free to choose the manual configuration approach, if you don't like to take the offering.

There's no need to wait for an (unlikely) change - since there's already a solution available.

How many other customers are desiring to disable SPNego when using the SNCWIZARD (and thus: using the CommonCryptoLib as SNC library)?
So far, I only count 2. Are there more?

jmoors
Active Contributor
0 Kudos

Hi Wolfgang,

I reverted to the file-based keytab approach; it's not critical. The wizard is great in that we can configure the profile parameters and create the SNC PSE file, and also the SPNego transaction provides the ability to validate the service account credentials.

We are using SAML2 for the web application, and SPNego bypasses SAML2 based on the Default Logon Procedure.

Many thanks,

Jason

WolfgangJanzen
Product and Topic Expert
0 Kudos

Jason Moors wrote:

We are using SAML2 for the web application, and SPNego bypasses SAML2 based on the Default Logon Procedure.

Oh, I understand.

Well, the rationale behind the default order of credential validation is the following:

1. Validate all credentials which have been provided with the request.
2. If none are provided, request those you get via an additional roundtrip:
   a) without user interaction (SPNego),
   b) potentially with user interaction (SAML).
3. If this also fails, prompt the user for credentials (FORM-based logon or Basic Authentication).

Whether SPNego or SAML are available (i.e. configured at the server side) will be checked at runtime. So, in your case you do want to use SAML but not SPNego. In that case you can either deactivate SPNego (as described above by removing the keytab information visible in t-code SPNEGO and using a keytab file for SNC) or you have to switch from "Default Logon Procedure" to "Alternative Logon Procedure" and either switch the ordering of SPNego and SAML or simply remove SPNego from the list. If you do this on the root node (in t-code SICF) this setting will be "inherited" along the ICF tree down to the "leaf" nodes. But be warned: "inheritance" can be stopped - there's an option called "Ignore inherited settings" (under tab "Service Data", section "Service Options"):

If you do not want to use SPNego at all, I recommend using the first approach (deleting the keytabs shown in t-code SPNEGO and using a keytab PSE for SNC). That's easier to achieve and more robust. And you can revert it more easily, if required.

Best regards,
Wolfgang
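
The following is an added example, not code from this thread or from SAP: a small Python model of the three-step credential order described above, including how a logon-procedure setting on a SICF root node is inherited by its children and how "Ignore inherited settings" stops that inheritance. The node names, the mechanism identifiers ("spnego", "saml", "form", "basic") and the dictionary that stands in for "configured at the server side" (a keytab present in t-code SPNEGO, a trusted SAML IdP) are constructed assumptions for illustration; the real ICF implementation is not reproduced here.

```python
"""Model of the ICF logon-procedure ordering described in the thread.

Added example (not SAP code). The mechanism names, node names and the
server-side configuration dictionary are assumptions used to show why
SPNego pre-empts SAML under the Default Logon Procedure and how the two
remedies from the thread (removing the keytab, or reordering/removing
SPNego on the root node) change the outcome.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Step 2a, 2b and 3 from the thread, in Default Logon Procedure order.
DEFAULT_ORDER: List[str] = ["spnego", "saml", "form"]


@dataclass
class IcfNode:
    """One node of the SICF service tree (assumed shape)."""
    name: str
    parent: Optional["IcfNode"] = None
    # None means "no own setting, inherit from the parent".
    logon_order: Optional[List[str]] = None
    # Models the "Ignore inherited settings" option on the Service Data tab.
    ignore_inherited: bool = False

    def effective_order(self) -> List[str]:
        """Walk up the tree until a node defines an order.

        A node with ignore_inherited=True stops the walk; with no own
        setting it falls back to the Default Logon Procedure (assumption).
        """
        node: Optional[IcfNode] = self
        while node is not None:
            if node.logon_order is not None:
                return list(node.logon_order)
            if node.ignore_inherited:
                return list(DEFAULT_ORDER)
            node = node.parent
        return list(DEFAULT_ORDER)


def select_mechanism(request_credentials: List[str],
                     server_configured: Dict[str, bool],
                     node: IcfNode) -> str:
    """Return the mechanism the server would use for a request to `node`.

    Step 1: credentials carried with the request are validated first
            (modelled as: the first one present wins).
    Step 2/3: otherwise the first mechanism in the node's effective order
            that is configured at the server side is used; FORM logon is
            the final fallback.
    """
    if request_credentials:
        return request_credentials[0]
    for mech in node.effective_order():
        if server_configured.get(mech, False):
            return mech
    return "form"


def scenarios() -> Dict[str, str]:
    """Constructed scenarios mirroring the thread's discussion."""
    # Keytab present in SPNEGO, SAML IdP trusted, FORM always available.
    full = {"spnego": True, "saml": True, "form": True}
    # Remedy 1: keytab removed from t-code SPNEGO (SNC uses a PSE file).
    no_keytab = {"spnego": False, "saml": True, "form": True}

    root = IcfNode("default_host")            # Default Logon Procedure
    leaf = IcfNode("sap/bc/webapp", parent=root)

    # Remedy 2: Alternative Logon Procedure on the root, SAML before SPNego.
    root_alt = IcfNode("default_host", logon_order=["saml", "spnego", "form"])
    leaf_alt = IcfNode("sap/bc/webapp", parent=root_alt)
    # The warning from the thread: a leaf that ignores inherited settings.
    leaf_ignoring = IcfNode("sap/bc/other", parent=root_alt,
                            ignore_inherited=True)

    return {
        "default": select_mechanism([], full, leaf),
        "keytab_removed": select_mechanism([], no_keytab, leaf),
        "reordered_root": select_mechanism([], full, leaf_alt),
        "reordered_root_leaf_ignores": select_mechanism([], full, leaf_ignoring),
        "basic_auth_in_request": select_mechanism(["basic"], full, leaf),
    }


if __name__ == "__main__":
    for name, mech in scenarios().items():
        print(f"{name}: {mech}")
```

With the default order and a keytab in place, the request to the web application is answered with SPNego before SAML is ever considered, which is exactly the bypass Jason observed; either remedy yields SAML, but the inheritance stop on a single leaf silently restores SPNego there, which is why the keytab-removal approach is the more robust of the two.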

WolfgangJanzen
Product and Topic Expert
0 Kudos

Jason Moors wrote:

The wizard is great in that we can configure the profile parameters and create the SNC PSE file, and also the SPNego transaction provides the ability to validate the service account credentials.

Thank you - I'll forward this positive feedback to the team.

Yes, you can still use SNCWIZARD for the basic configuration (creating the PSE file and setting the profile parameters in compliance - to ensure that the server starts up, afterwards...). You might simply not use t-code SPNEGO afterwards, but decide to use the "legacy" method (described in the Help Portal): file SAPSNCSKERB.pse (generated by using the command-line tool sapgenpse).

jmoors
Active Contributor
0 Kudos

Hi Wolfgang,

Thanks for your reply, that's what we have done. I did explore the option of changing the logon procedure but didn't feel it was a very clean or reliable approach.

We've used the SNCWIZARD to create the SNC PSE and set the SNC profile parameters, then removed the spnego/enabled parameter that the wizard adds. I've used sapgenpse to create the keytab file, which is working; it just doesn't provide the same level of validation of the service account as the SPNEGO transaction does, which is a nice feature.

As I say it's not a big deal, just would be nice to configure in one place.

Many thanks,

Jason

WolfgangJanzen
Product and Topic Expert

Jason Moors wrote:


As I say it's not a big deal, just would be nice to configure in one place.

We've decided to make this possible:
You'll be able to configure the Kerberos keytab using ABAP t-code SPNEGO, which can then be used for both SNC and SPNego (like it is the case right now) - provided that you are using the "CommonCryptoLib" as SNC library.

In the near future you'll be able to use a new customizing switch for "deactivating SPNego". That switch will also be visualized in ABAP t-code SPNEGO.

Stay tuned - as soon as the SAP Note is available, I'll update this posting.

--------------------------------------------------------------

Message was edited by: Wolfgang Janzen (2016-05-11)


Now that announced SAP Note is available:

See http://service.sap.com/sap/support/notes/2287976