on 09-20-2016 12:15 PM
Dear SAP/ SSO Experts,
I am configuring SSO with the below procedure defined in the SCN article:
http://scn.sap.com/docs/DOC-40178
I am getting a Token Check error in the Service Principal Names tab in the SNCWIZARD transaction:
The User mapping tab is also blank in the SNCWIZARD transaction:
However, I have followed the steps accordingly, and the user password test in Algorithm was also successful.
Due to the above issues I am unable to complete SSO as per the article.
SAP GUI SSO setting and login error due to incomplete configuration:
Please help me with a solution for successful SSO with this Kerberos method.
Best Regards,
Qazi Jamil
I have had a similar issue. You need to make sure that your user UPN (not SPN) matches the domain name.
I was logging in with DOMAIN\user.name while my service account default UPN was set to service.user@domain.com
After changing the UPN and doing the config from the beginning, the token was successfully verified.
Dear Alex,
Thanks for your reply.
I think my UPN is the same as you said.
I am attaching screenshots of all my steps for you. Please suggest whether it is the same or whether there is some other solution.
1)
2)
3)
4) In the below screenshot I have set the UPN the same as my AD service ID: K3D_SNC_SPNEGO@abc.com.pk. The password was also validated with the check button near the password.
SPN defined in the user attribute of MS AD 2008:
SAP/K3D
HTTP/SYSTENAME/IP both tried
Any further solution please.
Regards,
Qazi
It seems you would like to use K3D but not K3D_SNC_SPNEGO.
Then, could you please attach screenshot showing
1. the current SPN defined in Active Directory
2. the setting of snc/identity/as
We need to make sure the Token check is green, and then specify the value of snc/identity/as in the SAPGUI setting.
Best regards,
Ning
Could you please take the trace generated when reproducing the issue?
Best regards,
Ning
Dear Qazi,
First go through the video guide: http://scn.sap.com/docs/DOC-40178
Kind regards,
Adrian
Dear Qazi,
Sorry, did not spot the link.
Anyway, you may try to configure the Kerberos SSO solution in the "standard" way.
- you create a service user @ AD site, with SPN "SPN/YourServiceUserName"
SAP recommends to use AD service username "SAPService<SID>" with SPN "SPN/SAPService<SID>".
- create keytab with sapgenpse keytab -p SAPSNCSKERB.pse -x <password> -y <service_user_password> -a YourServiceUser@YOURDOMAIN
- create credential file with "sapgenpse seclogin -p <path_of_SAPSNCSKERB.pse> -x <pse_password> -O system_user"
note that system_user is <SID>adm and not the AD service user UPN.
- set SECUDIR environment variable, point where you store the PSE file SAPSNCSKERB
on AS ABAP side you need to adjust parameters as well (snc/gssapi_lib and snc/identity/as, etc)
snc/identity/as should be p:CN=<service_user_UPN>
check your SAPGUI's SNC name as well, should be p:CN=<ServiceUser@DOMAIN>
Check the implementation guide @ http://help.sap.com/download/sapsso30/secure_login_impl_guide_en.pdf
(chapter 3.4 for SNC Kerberos configuration)
Furthermore, check your Secure Login Client and your CommonCryptoLib version as well.
Regards,
Adrian
plus, the "standard" way implementation guide videos:
https://www.youtube.com/watch?v=JTPnUx6q3n4
https://www.youtube.com/watch?v=-zMcJ4_D5qc
Dear Qazi,
sapgenpse is located in your /usr/sap/SID/DVEBMGSxx/exe folder.
Commands and switches are the same; you need to use the <sid>adm user to create the PSE and your credential files (to avoid accessibility problems).
On Linux / Unix you need to set SECUDIR via set or setenv (depending on the shell you are using), but everything else is the same.
Regards,
Adrian
In fact, it would be very helpful if you could gather the Secure Login Client and CommonCryptoLib trace according to the SSO implementation guide http://help.sap.com/download/sapsso30/secure_login_impl_guide_en.pdf
Hello,
Ensure that the SPN is set correctly.
Additionally, check if the AES encryption is enabled.
That worked for me when my token check wasn't successful.
Regards,
Tanvi
Please refer to the following link to check if AES is enabled for the account property with the SPN.
Best regards,
Ning
Your service name doesn't look right; it should contain the domain name instead of just the SID. It should be something like p:CN=KerberosW3D@DOMAINNAME.
Has the SPN been set on the AD account?
Regards,
Jason
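The name checks raised in this thread (snc/identity/as in the form p:CN=<service user UPN>, and a UPN whose suffix matches the domain), as an added example that is not part of any post or of SAP's tooling: a shell check that reads snc/identity/as from a profile file and compares it with the AD service account UPN. The system ID ABC, the account SAPServiceABC, the domain example.com and the profile content are constructed, and ignoring case in the comparison is an assumption of this example.

```shell
#!/bin/sh
# Added example, not from the thread. Profile content, account names and
# domains are constructed sample values.

# Print the value of one parameter from a profile file ("name = value" lines).
profile_param() {  # $1 = profile file, $2 = parameter name
    sed -n "s|^[[:space:]]*$2[[:space:]]*=[[:space:]]*||p" "$1" |
        sed 's/[[:space:]]*$//' | tail -n 1
}

lower() { printf '%s' "$1" | tr '[:upper:]' '[:lower:]'; }

# Print one line per finding; return 0 if consistent, 1 otherwise.
# Case is ignored (assumption): realms are conventionally written in upper case.
check_snc_identity() {  # $1 = snc/identity/as, $2 = service UPN, $3 = AD domain
    snc=$1; upn=$2; domain=$3; rc=0
    case $snc in
        p:CN=?*@?*) name=${snc#p:CN=} ;;
        p:CN=*) echo "NO_REALM: '$snc' lacks the user@DOMAIN form"; return 1 ;;
        *) echo "BAD_PREFIX: '$snc' does not start with p:CN="; return 1 ;;
    esac
    if [ "$(lower "$name")" != "$(lower "$upn")" ]; then
        echo "UPN_MISMATCH: SNC name '$name' is not the service UPN '$upn'"
        rc=1
    fi
    if [ "$(lower "${upn#*@}")" != "$(lower "$domain")" ]; then
        echo "SUFFIX_MISMATCH: UPN suffix '${upn#*@}' is not domain '$domain'"
        rc=1
    fi
    return $rc
}

# Constructed instance profile for a hypothetical system ID "ABC".
profile=$(mktemp)
cat > "$profile" <<'EOF'
# snc/identity/as = p:CN=ABC
snc/enable = 1
snc/identity/as = p:CN=SAPServiceABC@EXAMPLE.COM
EOF

snc_name=$(profile_param "$profile" snc/identity/as)
rm -f "$profile"
check_snc_identity "$snc_name" "SAPServiceABC@example.com" "example.com" &&
    echo "OK: $snc_name matches the service account UPN"
```

A value holding only the SID, such as p:CN=ABC, is reported as NO_REALM, which is the case Jason describes above.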
Hi Qazi,
Could you please check the following?
1. if you are logging on to SAP with a domain user when running SNCWIZARD
2. if you have selected Kerberos token as the default application in Secure Login Client
Best regards,
Ning