Hi Donka,

We are getting error : SNCWIZARD T-code does not exist.

Still we proceed further, We installed Secure login library, maintained SECUDIR parameter, maintained SNC  parameter's in RZ10 and restarted server. SNC is started in server, we generated Kerberos keytab with below command :

sapgenpse keytab -p SAPSNCKERB.pse -a SPN@DOMAIN

sapgenpse seclogin -p SAPSNCKERB.pse -O SAPServiceSID

We had deleted CRED_V2 FILE before generating keytab file.

While importing this pse in STRUST and save as for SNC SAPcryptolib.

Its showing below error:

Cannot determine public key algorithm of PSE.

Before this we had generated a user on AD server and defined SAP/SPN for this user in ADSI edit.

After login through above user and with SNC defined CN=SPN@DOMAIN, we are getting below error:

Miscellaneous failure.

A221021E: Server refuses kerberos key exchange.

Please help as we have very short time to implement SSO.

Please help, thanks in advance.

Regards

Hi Donka,

We have created the OSS ticket but not getting any solution.

Please help us.

We are still getting same error

Miscellaneous failure.

A221021E: Server refuses kerberos key exchange

Regards

Hi Donka,

SAP Ticket number:

200909 / 2016

Regards

Hi Ashu,

you did some strange things wherever. If you have time, try to proceed according to this checklist. Maybe it helps.

Service Account in Active Directory

☐Make sure, the account is not locked, has a known and never changing password

☐Make sure „Use DES encryption“ is not checked

☐Make sure the Service Principal Name in AD has the following Syntax: SAP/<sAMAccountName>

☐Check with CLI on a domain system: setspn -l SAPService<SID> if you get returned your SPN

☐Check with setspn -X -F to avoid duplicate SPNs

Example:

Your SAPs System ID is SA1

Your User Account in AD is SAPServiceSA1

Output of setspn -l <account>

Registered ServicePrincipalNames for CN=SAPServiceSA1,<YOUR OU STRUCTURE>,DC=<..>,D C=<..>: SAP/SAPServiceSA1

SAP System

SNC Library

☐Ensure by executing „sapgenpse“ you are using a up-to-date CommonCryptoLib 8.4.48+

☐Make sure the environment variable $SECUDIR is properly defined and points to /usr/sap/<SID>/DVEBMGS<..>/sec

Most important Profile parameters (according to the example above):

☐snc/identity/as = p:CN=SAPServiceSA1

☐snc/gssapi_lib = $(DIR_EXECUTABLE)$(DIR_SEP)$(FT_DLL_PREFIX)sapcrypto$(FT_DLL)

Clean up your SECUDIR

☐Delete credentials for SAPSNCSKERB.PSE: sapgenpse seclogin -p SAPSNCSKERB.pse -d

☐Delete SAPSNCKERB.PSE

Proceed according to the manuals (for Domain names always use UPPERCASE):

☐Re-Create SAPSNCSKERB.pse (in your post above I noticed you are missing the „S“ in the file name)

☐Re-Create Credentials for the new PSE and make sure your SAPServiceSID user and/or SIDadm is able to use that credentials

☐List the credentials for the SIDadm using: sapgenpse seclogin -l (optionally with -O <SAPServiceSID>)

☐List the keytab and make sure you have 4 entries: sapgenpse.exe get_my_name -p SAPSNCSKERB.pse

Clean up your STRUST

☐Do NOT import the SAPSNCSKERB.pse into STRUST. Move to STRUST select SNC SAPCryptoLib and right click + delete

You do not need this in STRUST as it would only be required for X.509 based SNC. As the SAPSNCSKERB.pse does not contain any X.509 key pairs and certificates, you receive that error message (unable to determine public key algorithm).

Restart your ABAP System and check dev_w0 to ensure SNC was initialized correctly

SAP GUI Client

On the enable SNC. On the SNC Name enter: p:CN=SAP/SAPServiceSA1 which reflects your SPN syntax.

Regards,

Carsten