on 07-12-2016 5:38 PM
Hi experts,
I want to configure SSO with Kerberos and SAP GUI.
The server is an AS/400 and I cannot configure it correctly. My steps are:
- Configure NAS (Network Authentication Service)
- Execute the bat in Domain
- Try to register with kinit -k krbsvr400/<host>:<domain>@<DOMAIN>, but this error appears:
EUVF06014E Unable to obtain initial credentials.
Status 0x96c73adb - Security server is not defined for requested realm.
Any idea?
Thanks in advance,
Regards,
Looking at that message, the resolution is stated as
"Ensure the security server is defined in either the LDAP directory or the Kerberos configuration file and then retry the request."
Have you done that?
Hi Victor,
Yes, the parameter snc/gssapi_lib is usually set to the libsapcrypto.<ext> which is part of the SAP Cryptographic Library.
For example:
snc/gssapi_lib /usr/sap/BWD/SYS/exe/run/libsapcrypto.so
Please see this sample file:
Sample Profile Parameter Settings for SNC - Secure Network Communications (SNC) - SAP Library
Hope this helps.
_ _ _ _ _ _ _ __ _ _
Kind Regards,
Hemanth
OK, I executed the command correctly:
kinit -k krbsvr400/<host_with_domain>@<DOMAIN>
I added the library libsapcrypto.o
But when I try to start SAP, this error appears:
*** ERROR => SncPGSSImportName()==SNCERR_GSSAPI [sncxxall.c 2699]
GSS-API(maj): An invalid name was supplied
Import of a name failed
name="p:krbsvr400/<host_with_domain>@<DOMAIN>"
(debug hint: default acceptor = "p:CN=DummyCredential")
<<- SncInit()==SNCERR_GSSAPI
sec_avail = "false"
***LOG R19=> ThSncInit, SncInitU ( SNC-000004) [thxxsnc.c 238]
*** ERROR => ThSncInit: SncInitU (SNCERR_GSSAPI) [thxxsnc.c 240]
in_ThErrHandle: 1
*** ERROR => SncInitU (step 1, th_errno 44, action 3, level 1) [thxxhead.c 11560]
I checked with the command klist that krbsvr400/<host_with_domain>@<DOMAIN> appears in it.
Any idea?
Thanks in advance,
Regards,
Hi Victor,
Just to clarify, is your SNC now configured to use Kerberos or SAPCryptolib? What is the "snc/gssapi_lib" parameter set to now (Kerberos or SAPCRYPTOLIB)? If it is set to Kerberos, then the SNC PSE won't be created and you will get such an error.
A configuration will need more steps (just a parameter change is not enough). The best option is to choose the SNC product you want to configure in your system and configure it according to its guide. For example, for Kerberos SNC in AIX, the SAP solution (SAP Single Sign On 2.0) is available:
More info is available in SAP Note 150380 - Is Kerberos 5 supported for use with SNC?
Are you following any particular guide?
_ _ _ _ _ _ _ __ _ _
Kind Regards,
Hemanth
Hi Victor,
OK, then you do have a mismatch ;-((
Kerberos supports SNC & SSO, but is no longer officially supported (but works great) ...
the free version with the sapcryptolib does support SNC, but NO SSO, but is supported ...
So, depending on your needs, you have to use the correct setup ... either with kerberos or with sapcryptolib ... we did the kerberos setup pretty often. It is sometimes a bit tricky, but in the end it always works fine 😉
Regards,
Volker Gueldenpfennig, consolut international ag
Hi Victor,
if you do have the keytab from the domain, you should copy it to the iSeries and try the following with qsecofr:
1. Start the PASE shell interpreter
CALL QP2TERM
2. Check the contents of the new keytab before installation
/QOpenSys/usr/bin/klist -e -k /tmp/kerberos/xxxx_SAPService.keytab
3. Check the authentication of the new keytab
/QOpenSys/usr/bin/kinit -k -t /tmp/Kerberos/xxxx_SAPService.keytab SAPService/xxxx.domain.com
The question would be, what happens here ...
I never added any "special library" here ... this is "pure" Kerberos and not the connection to SAP ...
Regards,
Volker Gueldenpfennig, consolut international ag
Hi Victor,
in my eyes, both should work - at least QP2TERM as it is all AIX executables ...
Do you see the error during start of CALL QP2TERM already or when then starting klist or kinit?
If you cannot even start QP2TERM, the setup of your iSeries is wrong ;-((
Now, it sounds like becoming consulting ...
Regards,
Volker Gueldenpfennig, consolut international ag
Hi Volker,
A colleague told me that if anyone can solve it, it's you. I think you know the forums :) :)
However, I can execute CALL QP2TERM without a problem; the problem is inside QP2TERM...
I can execute ls, mkdir, or similar, but when I try to execute kinit or klist, this error appears:
/QOpenSys/usr/bin/-sh: klist: 0403-006 execute permission denied
Some checks...
- klist, kinit are not in /QOpenSys/usr/bin/klist,kinit
- klist, kinit are in /usr/bin/klist,kinit
Any idea?
Thanks in advance,
Regards,
Hi Victor,
I would hope, that I could solve this issue 😉
(at least it would be the first kerberos setup, that would fail ...)
But: Such stuff is not possible for free ;-((
A last idea from my side:
Do you have NAE & 5733SC1 installed?
V5R4: 5722NAE
V6R1: 5761NAE
V7R1: 5770NAE
V7R2: 5770NAE
5733SC1 - IBM Portable Utilities for i5/OS
I would guess, that 5733SC1 is missing ...
The stuff in QOpenSys is the AIX stuff, that you do need and the other stuff is the iSeries stuff.
At least it is clear now, that no permission is missing, just the files are not there and then the error shows up 😉
Regards,
Volker Gueldenpfennig, consolut international ag
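The checks discussed in the posts above, collected into one PASE shell preflight. This is an added example, not part of any post in the thread: the directory and the klist/kinit flags are the ones quoted above, while the function names, return codes and the caller-supplied keytab path and principal are assumptions of the example.

```shell
#!/bin/sh
# Added example: preflight for the PASE Kerberos tools and a keytab.
# Directory and klist/kinit flags are the ones quoted in the thread;
# the keytab path and principal are supplied by the caller.

PASE_BIN=/QOpenSys/usr/bin

# classify_tool DIR NAME: prints ok | missing | not-executable
classify_tool() {
    if [ ! -e "$1/$2" ]; then
        echo missing
    elif [ -f "$1/$2" ] && [ -x "$1/$2" ]; then
        echo ok
    else
        echo not-executable
    fi
}

# preflight KEYTAB PRINCIPAL [BINDIR]
# Returns 0 ok, 2 tool problem, 3 keytab unreadable, 4 klist failed, 5 kinit failed.
preflight() {
    pf_keytab=$1
    pf_principal=$2
    pf_bin=${3:-$PASE_BIN}
    pf_bad=0
    for pf_tool in klist kinit; do
        pf_state=$(classify_tool "$pf_bin" "$pf_tool")
        echo "$pf_bin/$pf_tool: $pf_state"
        [ "$pf_state" = ok ] || pf_bad=1
    done
    if [ "$pf_bad" -ne 0 ]; then
        # "missing" is an installation problem, "not-executable" a permission one;
        # the shell's own error message does not tell the two apart.
        echo "Kerberos tools not usable in $pf_bin" >&2
        return 2
    fi
    if [ ! -r "$pf_keytab" ]; then
        echo "keytab not readable: $pf_keytab" >&2
        return 3
    fi
    # List the keytab entries with encryption types, then authenticate from the keytab.
    "$pf_bin/klist" -e -k "$pf_keytab" || return 4
    "$pf_bin/kinit" -k -t "$pf_keytab" "$pf_principal" || return 5
    return 0
}
```

Source the file inside QP2TERM and call `preflight` with the keytab path and principal; a return code of 2 together with a "missing" line means the binaries are absent rather than blocked by permissions.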
Hi Victor,
Unfortunately this issue requires checking the documentation and analysis by the application provider. If you by any chance get an option to migrate to SAP Single Sign-On 3.0, we can push this internally and help you with the configuration. All the installation steps are mentioned here:
http://help.sap.com/download/sapsso30/sapsso_master_guide_en.pdf
_ _ _ _ _ _ _ __ _ _
Kind Regards,
Hemanth
SAP Product Support
_ _ _ _ _ _ _ _ _ _ _
Join me online: http://scn.sap.com/people/hemanth.kumar/content