Error configuring SSO with Kerberos

Former Member
0 Kudos

Dear SAP/ SSO Experts,

I am configuring SSO with the procedure below, defined in the SCN article:

http://scn.sap.com/docs/DOC-40178

I'm getting a Token Check error in the Service Principal Names tab of the SNCWIZARD transaction:

The User Mapping tab is also blank in the SNCWIZARD transaction:

However, I have followed the steps accordingly, and the user password test in Algorithm was also successful.

Due to the above issues I am unable to complete SSO as per the article.

SAP GUI SSO setting and login error due to incomplete configuration:

Please help me find a solution and achieve successful SSO with this Kerberos method.

Best Regards,

Qazi Jamil

Accepted Solutions (0)

Answers (8)

kaus19d
Active Contributor
0 Kudos

Hi,

How about we try using the full form, like

"CN=k3d, OU=Installation_No, OU=SAP, O=SAP, C=DE"

Thanks,

Kaushik

Former Member
0 Kudos

Hi,

Where to define your suggestion?

Regards

kaus19d
Active Contributor
0 Kudos

Instead of "p:CN=K3D".

Former Member
0 Kudos

Where? In SAP GUI?

0 Kudos

I tend to feel that this is a totally different way: certificate-based SSO, not Kerberos-based.

Please correct me if I am wrong.

Former Member
0 Kudos

I didn't get you. What?

Former Member
0 Kudos

I have had a similar issue. You need to make sure that your user UPN (not SPN) matches the domain name.

I was logging in with DOMAIN\user.name while my service account's default UPN was set to service.user@domain.com.

After changing the UPN and doing the config from the beginning, the token was successfully verified.

Former Member
0 Kudos

Dear Alex,

Thanks for your reply.

I think my UPN is the same as you said.

I am attaching screenshots of all my steps for you. Please suggest whether it is the same or some other solution.

1)

2)

3)

4) In the screenshot below I have set the UPN the same as my AD service ID: K3D_SNC_SPNEGO@abc.com.pk. The password was also validated with the check button near the password.

SPN defined in the user attributes of MS AD 2008:

SAP/K3D

HTTP/SYSTEMNAME and HTTP/IP, both tried.

Any further solution, please.

Regards,

Qazi

Former Member
0 Kudos

Did you define SNC in your SAP user profile?

Similar to this.

You need it in order to validate the Kerberos token.

Former Member
0 Kudos

Also, please make sure you set the SPN this way:

HTTP/<youserver FQDN>abc.com.pk

SAP/<you_service_user> K3D_SNC_SPNEGO

0 Kudos

Dear Qazi,


It seems that although the password is checked correctly, the Kerberos token could not be generated as expected.

Could you please also attach a screenshot showing how the account user and associated SPN are defined on the AD side?


Best regards,
Ning

Former Member
0 Kudos

Dear Alex,

Yes, I have defined the user SNC parameter in SU01.

But the problem is that, due to token generation, it's not giving the user@domain name automatically in the SNCWIZARD transaction's User Mapping tab.

Any further suggestion?

Former Member
0 Kudos

Dear Ning,

Now check the AD-side screenshots:

Anything else?

Regards

Former Member
0 Kudos

Yeah, defined in the same way in SU01.

Regards

Former Member
0 Kudos

Alex,

Defined in the same way.

No luck so far.

Any further help?

Regards

0 Kudos

Dear Qazi,


As you define the SPN as SAP/K3D_SNC_SPNEGO, please change snc/identity/as to P:CN=K3D_SNC_SPNEGO, and maintain the SNC name in SAPGUI as P:CN=K3D_SNC_SPNEGO.

In addition, please check if there are duplicate SPNs for SAP/K3D_SNC_SPNEGO:
setspn -T -* -X


Best regards,

0 Kudos

Instead of changing snc/identity/as and the SNC name in SAPGUI, you could change the SPN from SAP/K3D_SNC_SPNEGO to SAP/K3D.

No matter what you are going to change, please make sure the three of them are the same.

Former Member
0 Kudos

Hi Ning,

I have tried your last suggestion. But the token check fails in the SPNEGO transaction.
No idea what to do now:

Waiting for solution.

Regards

Former Member
0 Kudos

Check the latest SAP GUI error after your latest suggestion:

Regards

0 Kudos

It seems you would like to use K3D rather than K3D_SNC_SPNEGO.

Then, could you please attach screenshots showing

1. the current SPN defined in Active Directory

2. the setting of snc/identity/as


We need to make sure the Token check is green, and then specify the value of snc/identity/as in the SAPGUI setting.

Best regards,
Ning

Former Member
0 Kudos

RZ10

Regards

0 Kudos

Thanks, then have you restarted the system after doing this?

Best regards,
Ning

Former Member
0 Kudos

Why should I restart?

I didn't change anything in RZ10. I restarted the system the day I started the SNC wizard and the SNC identity was created.

I just changed this in AD as per your suggestion: SAP/K3D.

0 Kudos

Sorry, I overlooked this part.

Then could you please make sure you have rerun SPNego while logged on to the domain with a domain account?

Please double-click on the token check button, press the question mark, and attach the popup windows
and the user mapping tab page.

Best regards,
Ning

0 Kudos

Let's clarify another thing.

What account is set with SPN SAP/K3D on the AD side?

Is it the same user as you input in SPNego?

I see K3D_SNC_SPNEGO and KerberosK3D from past conversation.


Best regards,
Ning

Former Member
0 Kudos

Ning,

Obviously I am logged in with an AD account in the domain. Actually I'm logged in to the client PC with the same ID I am using for the Kerberos configuration: K3D_SNC_SPNEGO. This user.

Token information error on spnego screenshot:

Question Mark message screenshot:

Former Member
0 Kudos

Yes, the same account K3D_SNC_SPNEGO is set in the SPN on the AD side.

And I'm using the same domain account for running SPNEGO.

Regards

0 Kudos

Thanks for confirmation.


As the message shows, please check 1943266 to make sure SAPGUI and Secure Login Client are the same as or higher than requested.

Then take a Secure Login Client trace accordingly for further checking.


Best regards,
Ning

Former Member
0 Kudos

Dear,

I checked this 5 days ago. I updated Secure Login Client, and the GUI was already on the higher side.

Any other help?

Regards

0 Kudos

http://help.sap.com/saphelp_nwsso20/helpdata/en/f8/2380a135104ff3ba3d89a451b4a0f4/content.htm?frames...


Could you please take the trace generated when reproducing the issue?

Best regards,
Ning

0 Kudos

Dear Qazi,

Have you made sure the Kerberos token is set as the default profile for the SAP application in Secure Login Client?

Best regards,
Ning

Former Member
0 Kudos

Dear Qazi,

First go through the video guide: http://scn.sap.com/docs/DOC-40178

Kind regards,

Adrian

Former Member
0 Kudos

Dear Adrian,

At least you have to check the whole thread before replying.

Dear, I am following the same video, as its steps are defined in the video... See the first message of this thread.

If you can help, do it.

Regards

Former Member
0 Kudos

Dear Qazi,

Sorry, did not spot the link.

Anyway, you may try to configure the Kerberos SSO solution in the "standard" way.

- You create a service user on the AD side, with SPN "SPN/YourServiceUserName".
SAP recommends using the AD service username "SAPService<SID>" with SPN "SPN/SAPService<SID>".

- Create the keytab with: sapgenpse keytab -p SAPSNCSKERB.pse -x <password> -y <service_user_password> -a YourServiceUser@YOURDOMAIN

- Create the credential file with: "sapgenpse seclogin -p <path_of_SAPSNCSKERB.pse> -x <pse_password> -O system_user"

Note that system_user is <SID>adm and not the AD service user UPN.

- Set the SECUDIR environment variable to point to where you store the PSE file SAPSNCSKERB.

On the AS ABAP side you need to adjust parameters as well (snc/gssapi_lib and snc/identity/as, etc.).

snc/identity/as should be p:CN=<service_user_UPN>

Check your SAPGUI's SNC name as well; it should be p:CN=<ServiceUser@DOMAIN>

Check the implementation guide @ http://help.sap.com/download/sapsso30/secure_login_impl_guide_en.pdf

(chapter 3.4 for SNC Kerberos configuration)

Furthermore, check your Secure Login Client and CommonCryptoLib versions as well.

Regards,

Adrian

Former Member
0 Kudos

Dear Adrian,

I have seen these videos. Seems this is for Windows Server.

I have RHEL6 installed, on which the SAP system is installed. Does it work?

Regards

Former Member
0 Kudos

Dear Qazi,

sapgenpse is located in your /usr/sap/SID/DVEBMGSxx/exe folder.

Commands and switches are the same; you need to use the <sid>adm user to create the PSE and your credential files (to avoid accessibility problems).

On Linux/Unix you need to set SECUDIR via set or setenv (depending on the shell you are using), but everything else is the same.

Regards,

Adrian

0 Kudos

In fact, it would be very helpful if you could gather Secure Login Client and CommonCryptoLib traces according to the SSO implementation guide http://help.sap.com/download/sapsso30/secure_login_impl_guide_en.pdf

Former Member
0 Kudos

Hello,

Ensure that the SPN is set correctly.

Additionally, check if AES encryption is enabled.

That worked for me when my token check wasn't successful.

Regards,

Tanvi

Former Member
0 Kudos

Hi Tanvi,

The SPN is set as CN:K3D in the SNCWIZARD transaction, so I'm setting the SAP GUI SNC option to p:CN=K3D.

How can I check that AES encryption is enabled?

I hope you have seen all my error screenshots in the first message of this thread.

Regards

0 Kudos

Please refer to the following link to check if AES is enabled for the account property with the SPN.

Windows Configurations for Kerberos Supported Encryption Type – Microsoft Open Specificati...

Best regards,
Ning

Former Member
0 Kudos

Dear Ning,

With the help of the MSDN article you shared, our MS AD guy applied option 1 on AD and option 3 on my Windows 7 PC that's on the same domain.

The error has changed now...

Please help.

Regards.

Former Member
0 Kudos

Hello,

Yes, I checked the screenshots.

Your MS AD consultant will be able to check the user attributes for the user you have on your SPNego screen for the encryption. DES, if enabled, needs to be disabled, and AES 128-bit and AES 256-bit have to be enabled.

Regards,

Tanvi
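The three checks this thread keeps coming back to (Ning: the AD SPN, snc/identity/as and the SAP GUI SNC name must all be the same; Tanvi: DES off and AES on for the service account; Adrian: the sapgenpse keytab and seclogin steps run as <sid>adm with SECUDIR set) collected into one pre-flight script. This is an added example, not code from the thread or from SAP; the instance number DVEBMGS00, the SECUDIR path, the bitmask meaning of the AD attribute msDS-SupportedEncryptionTypes, and the sample names are assumptions.

```shell
#!/bin/sh
# Added pre-flight check (not from the thread or from SAP). Run as <sid>adm on the
# AS ABAP host before SNCWIZARD. Assumptions: instance DVEBMGS00, PSE file
# SAPSNCSKERB.pse, sapgenpse on PATH; sample names are constructed from the thread.

# Derive the SNC identity "p:CN=<name>" from an SPN of the form "SAP/<name>".
snc_name_from_spn() {
    case "$1" in
        SAP/*) printf 'p:CN=%s\n' "${1#SAP/}" ;;
        *)     return 1 ;;
    esac
}

# Lower-case only the "p:"/"P:" prefix; the CN value itself must match exactly.
norm_snc() {
    printf '%s\n' "$1" | sed 's/^[Pp]:/p:/'
}

# Return 0 when the AD SPN, the snc/identity/as profile value and the SAP GUI
# SNC name all refer to one identity (the thread's "three of them the same").
check_snc_names() {
    expected=$(snc_name_from_spn "$1") || return 1
    [ "$(norm_snc "$2")" = "$expected" ] && [ "$(norm_snc "$3")" = "$expected" ]
}

# Decode the AD attribute msDS-SupportedEncryptionTypes (a bitmask: 0x1 and 0x2
# DES, 0x4 RC4, 0x8 AES128, 0x10 AES256). Return 0 only if DES is off and AES is on.
check_enctypes() {
    [ $(( $1 & 3 )) -eq 0 ] && [ $(( $1 & 24 )) -ne 0 ]
}

# The keytab and credential steps as posted in the thread, guarded so that
# nothing touches the PSE while the names or the encryption types are wrong.
setup_keytab() {
    sid=$1; spn=$2; upn=$3; pse_pw=$4; svc_pw=$5; enc=$6
    check_snc_names "$spn" "$PROFILE_SNC_ID" "$GUI_SNC_NAME" || { echo "SNC names differ"; return 1; }
    check_enctypes "$enc" || { echo "account still allows DES or lacks AES"; return 1; }
    SECUDIR="/usr/sap/$sid/DVEBMGS00/sec"; export SECUDIR
    command -v sapgenpse >/dev/null || { echo "sapgenpse not on PATH"; return 2; }
    sapgenpse keytab -p SAPSNCSKERB.pse -x "$pse_pw" -y "$svc_pw" -a "$upn" &&
    sapgenpse seclogin -p "$SECUDIR/SAPSNCSKERB.pse" -x "$pse_pw" \
        -O "$(printf '%s' "$sid" | tr 'A-Z' 'a-z')adm"
}

# Constructed sample values using the thread's own names.
PROFILE_SNC_ID='p:CN=K3D_SNC_SPNEGO'   # RZ10 value of snc/identity/as
GUI_SNC_NAME='P:CN=K3D_SNC_SPNEGO'     # SNC name in the SAP GUI logon entry
```

The value for check_enctypes is the decimal msDS-SupportedEncryptionTypes attribute of the service account as read by the AD administrator; setup_keytab is only called once both checks pass.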

0 Kudos

Dear Qazi,

Would you please click on the question mark on the pop-up window for further checking?

Could you please navigate to the user mapping tab page to see if there is any change?

Best regards,
Ning

jmoors
Active Contributor
0 Kudos

Your service name doesn't look right; it should contain the domain name instead of just the SID. It should be something like p:CN=KerberosW3D@DOMAINNAME.

Has the SPN been set on the AD account?

Regards,

Jason

Former Member
0 Kudos

Hi Jason,

(Should be something like p:CN=KerberosW3D@DOMAINNAME.) You mean to say the SNC setting in SAPGUI should be like p:CN=K3D@DOMAINNAME?


(Has the SPN been set on the AD account?) Yes, the SPN has been set on the AD account; that's why the password was successfully validated.


Any further suggestions please?


Regards

jmoors
Active Contributor
0 Kudos

What service name did you specify in the SNCWIZARD? It should contain the actual domain; this should then be configured in SAPGUI, but should contain the domain name to resolve.

You can check in RZ11 for the snc/identity/as parameter, which needs to contain the domain.

Regards,

Jason

Former Member
0 Kudos

Dear Jason,

Yes, I set the SNC identity without the domain when I started SNCWIZARD.

But I followed the same as in the video of the article.

Now I'm trying your suggestion by changing the profile parameter snc/identity/as with the domain name.

Will let you know after change.

Regards,

Qazi

Former Member
0 Kudos

Jason,

I have tried your solution for the SNC identity parameter with the domain name... it caused a new problem, the dispatcher dying due to the domain name. I reverted the changes; now I have defined the SNC name the same as in the video, p:CN=K3D.

Any other solution or suggestion please.

Regards.

Former Member
0 Kudos

Can you check the link below: https://scn.sap.com/thread/3594416

Thanks,

Bharathi

Former Member
0 Kudos

Hi,

I didn't get the same error as in your suggested post, nor the solution.

Regards

0 Kudos

Hi Qazi,

Could you please check the following?
1. If you are logging on to SAP with a domain user when running SNCWIZARD
2. If you have selected Kerberos token as the default application in Secure Login Client


Best regards,
Ning