
SNC on a standalone server on DMZ

0 Kudos

Dear All,

We are implementing SAP SLC 2.0. One of the requirements is to have the Sell Side system (SRM 7.0 EHP3, based on NW7.4) in the DMZ. We now want to secure SAP GUI connections from client PCs in the domain to this server, which is standalone, in the DMZ and not joined to the domain. Initially, we tried to achieve this using Secure Login Library, but that did not work. SAP recommended that we use SAP Cryptolib. We have therefore now switched to SAP Cryptolib. We used the SNCWIZARD. We have created a technical user SAPServiceXXX.CORP.XXX.COM, a domain user. As of now, snc/identity/as is set to p:CN=SAPServiceXXX@CORP.XXX.COM. The SPN for the service user is set to SAP/SAPServiceSR1.

Now when we try to connect to the server from a client PC using the SNC name p:CN=p:CN=SAPServiceXXX@CORP.XXX.COM, we see the message:

Any help, ideas will be highly appreciated.

Regards

Accepted Solutions (1)


LutzR
Active Contributor
0 Kudos

Hi Joyee, from what you are telling, the AD user's SPN is wrong. The SPN has to reflect the SNC name (snc/identity/as).

Just to make it clearer I will tell you the naming conventions we applied to our systems:

snc/identity/as=p:CN=SAPSNC-<SID>-<Installation#>

So system ABC with installation number will have

snc/identity/as=p:CN=SAPSNC-ABC-0012345678

The name of the corresponding AD account is completely arbitrary. In my case it is SAPSNC001@XYZ.COM, but this only matters on the sapgenpse command line while creating the keytab.

We set this AD account's servicePrincipalName attribute to SAP/SAPSNC-ABC-0012345678. This is essential for the Kerberos handshake.

I am not sure if your error message reflects this issue. So there might be some other errors.

Regards,

Lutz
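The SPN rule from the reply above, as an added example that is not part of the original thread: a small Python check that derives `SAP/<CN>` from `snc/identity/as` and compares it with the SPNs registered on the AD account. The function names and the profile excerpt are constructed for illustration; only the simple `p:CN=<name>` form used in this thread is handled, and treating SPN comparison as case-insensitive is an assumption.

```python
import re

# Constructed sample: profile excerpt and SPN built from the values quoted in the question.
SAMPLE_PROFILE = """\
# constructed instance profile excerpt
snc/enable = 1
snc/identity/as = p:CN=SAPServiceXXX@CORP.XXX.COM
"""
SAMPLE_SPNS = ["SAP/SAPServiceSR1"]


def read_snc_identity(profile_text):
    """Return the value of snc/identity/as from profile text, or None if absent."""
    for line in profile_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")  # split on the first '=' only
        if sep and key.strip() == "snc/identity/as":
            return value.strip()
    return None


def expected_spn(snc_name):
    """Derive SAP/<CN> from an SNC name of the form p:CN=<name>.

    Anything else (for example a doubled 'p:CN=p:CN=' prefix) raises ValueError.
    """
    m = re.fullmatch(r"p:CN=([^,=\s]+)", snc_name.strip())
    if m is None:
        raise ValueError(f"unsupported or malformed SNC name: {snc_name!r}")
    return "SAP/" + m.group(1)


def check_spn(profile_text, account_spns):
    """Return (ok, expected): ok is True when the expected SPN is registered."""
    snc_name = read_snc_identity(profile_text)
    if snc_name is None:
        return (False, None)
    want = expected_spn(snc_name)
    have = {spn.lower() for spn in account_spns}  # assumption: case-insensitive match
    return (want.lower() in have, want)


if __name__ == "__main__":
    ok, want = check_spn(SAMPLE_PROFILE, SAMPLE_SPNS)
    print("SPN matches" if ok else f"SPN mismatch, expected {want}")
```

The list of SPNs would come from the AD account's servicePrincipalName attribute; here it is passed in as a plain list.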

0 Kudos

Hi Lutz,

In our investigation we found that the environment variable SNC_LIB is set to gsskrb5.dll. Temporarily we changed it to C:\Program Files (x86)\SAP\FrontEnd\SAPGUI\Encryption\secgss.dll

Now we can access our SRM system logon page with lock sign, which describes that we have SNC now over my connection.

But now apart from SRM system, we are not able to access the other systems through SAP GUI.

I believe this is due to the switchover from gsskrb5.dll to secgss.dll.

Could you please guide us on how we can keep the environment variable SNC_LIB as gsskrb5.dll and access all systems as well as SRM?

Regards,

LutzR
Active Contributor
0 Kudos

Oops. I misunderstood your situation.

Moving from one SNC_LIB to another or mixing SNC_LIBs in a landscape is no easy task. I have never done that. Perhaps you will find something useful in note 2025528 - (Limited Support for) more than one concurrent SNC_LIB.

Regards,

Lutz

Former Member
0 Kudos

Hi Joyee,

You can also use the following blog for more information on how to migrate on the client side:

KR

Valerie

Answers (1)


yakcinar
Active Contributor
0 Kudos

Hello Joyee,

Can you check the blog

This may help you.

Regards,

Yuksel AKCINAR

0 Kudos

Hi Yuksel,

The reference was very helpful. The guide in OSS Note 2185235 was also very helpful. We have cross-checked our settings and they look correct. We are not sure why we get the message "Specified target is unknown or unreachable". Any help would be highly appreciated.

Regards