12-11-2007 12:03 PM
Hi,
I want to deploy a Single Sign On Solution with MIT Kerberos, Active Directory and SNC. For this solution, I have compiled MIT Kerberos 1.3.4 on a Solaris 10 server and have built a SNC Adapter.
I have edited the profile parameters
snc/enable = 1
snc/identity/as = p:SAPServiceSID/mydomain@MYDOMAIN
snc/gssapi_lib = /usr/local/lib/snckrb5.so
got an Kerberos Service Ticket
kinit SAPServiceSID/mydomain@MYDOMAIN
But when I try to startsap I got the following errors
N SncInit(): found snc/gssapi_lib=/usr/local/lib/snckrb5.so
N File "/usr/local/lib/snckrb5.so" dynamically loaded as SNC-Adapter.
N The Adapter identifies as:
N External SNC-Adapter (Rev 1.0) to Kerberos 5/GSS-API v2
N SncInit(): found snc/identity/as=p/krb5:SAPServiceSID/mydomain@MYDOMAIN
N *** ERROR => SncPAcquireCred()==SNCERR_GSSAPI [sncxxall.c 1432]
N GSS-API(maj): Miscellaneous failure
N GSS-API(min): No such file or directory
N Could't acquire ACCEPTING credentials for
N
N name="p:SAPServiceSID/mydomain@MYDOMAIN"
N SncInit(): Fatal -- Accepting Credentials not available!
N <<- SncInit()==SNCERR_GSSAPI
N sec_avail = "false"
M ***LOG R19=> ThSncInit, SncInitU ( SNC-000004) [thxxsnc.c 230]
M *** ERROR => ThSncInit: SncInitU (SNCERR_GSSAPI) [thxxsnc.c 232]
M in_ThErrHandle: 1
M *** ERROR => SncInitU (step 1, th_errno 44, action 3, level 1) [thxxhead.c 10283]
Is there a problem with my Kerberos configuration or with the SNC adapter?
I've read note 150380. But I'm sure, that SAP SNC with MIT Kerberos works fine on other systems.
Christian
12-11-2007 2:27 PM
Did you have checked the Kerberos implementation using GSSTEST?
Download and more information about the BC-SNC certification (moved from sap.com to new location):
SAP GSS Test Suite 1.26 (ZIP, 381 KB)
Kind regards
Frank Buchholz
12-11-2007 2:27 PM
Did you have checked the Kerberos implementation using GSSTEST?
Download and more information about the BC-SNC certification (moved from sap.com to new location):
SAP GSS Test Suite 1.26 (ZIP, 381 KB)
Kind regards
Frank Buchholz
12-11-2007 2:55 PM
I checked it, but I got the nearly the same error. The first part of the test is ok but then I got some errors:
TEST: acquiring accepting credentials for target (printable name)
for identity "SAPServiceSID@MYDOMAIN"
Status: gss_acquire_cred Acc() == (GSS_S_FAILURE)
gss_display_status(0x000d0000,GSS_S_GSS_CODE) =
"Unspecified GSS failure. Minor code may provide more information"
gss_display_status(0x00000002,GSS_S_MECH_CODE) =
"No such file or directory"
RESULT NOT ok (rc=1)
-------
TEST: acquiring accepting credentials for target (can. printable name)
Status: gss_acquire_cred Acc() == (GSS_S_FAILURE)
gss_display_status(0x000d0000,GSS_S_GSS_CODE) =
"Unspecified GSS failure. Minor code may provide more information"
gss_display_status(0x00000002,GSS_S_MECH_CODE) =
"No such file or directory"
RESULT NOT ok (rc=1)
-------
TEST: acquiring *default* accepting credentials (simple)
Status: gss_inquire_cred Acc() == (GSS_S_DEFECTIVE_CREDENTIAL)
gss_display_status(0x000a0000,GSS_S_GSS_CODE) =
"Invalid credential was supplied"
RESULT NOT ok (rc=1)
-------
TEST: acquiring *default* accepting credentials (query)
Status: gss_inquire_cred Acc() == (GSS_S_DEFECTIVE_CREDENTIAL)
gss_display_status(0x000a0000,GSS_S_GSS_CODE) =
"Invalid credential was supplied"
RESULT NOT ok (rc=1)
So I don't know if this is a kerberos configuration error or maybe it doesn't work with this version of MIT kerberos.
btw: Is there a version of MIT Kerberos which is proofed to work with SAP SNC?
Christian.
12-11-2007 4:31 PM
> Is there a version of MIT Kerberos which is proofed to work with SAP SNC?
Yes, there are certified partner products.
Well, and MIT is, of course, using their Kerberos in conjunction with SAP ABAP systems, as well (but they do not offer any support services, as far as I know).