
SSO issue: No Kerberos SSPI credentials available for requested name

christian_gnther3
Participant
0 Kudos

Hello all,

I have set up an SSO scenario for my SAPGui environment with Windows Integrated Authentication against my Solaris based SAP Systems.

This is my scenario:

- SAP Servers are installed on Solaris 10

- Domain Controller is a Windows 2003 with the forest in native 2003 mode

- Clients are Windows XP SP2

- SAPGui is version 7.10

- SAP Service User in AD: m00t1h

- SNC Identity (as in profile parameter snc/identity/as): p/krb5:m00t1h@IVV-VERBUND.DE

- SNC Library (as in profile parameter snc/gssapi_lib): /usr/local/kerberos/lib/64/libgssapi_krb5.so

Now my problem:

Whenever I try to connect to the SAP System with SSO from the SAPGui, I receive the following error:

GSS-API (maj): No valid credentials provided

GSS-API (min): No Kerberos SSPI credentials available for requested name

name="p:2031217@IVV-VERBUND.DE"

Where 2031217 is my SAP and my Windows Domain Username.

These are the steps I took to set up the SSO scenario:

- installed the MIT library 1.6.7 on the Solaris servers.

- created technical users for my SAP Systems in Active Directory.

- exported the Kerberos key on the Windows server

- imported the key in my keytable on the Solaris side

- tested ability to authenticate a domain user from Solaris command line to the Windows AD - SUCCESS

kinit -V -k m00t1h

Authenticated to Kerberos v5

- configured a cronjob to renew the Kerberos ticket

(* 0,3,6,9,12,15,18,21 * * * /usr/bin/kinit -k m00t1h)

- set the profile parameters in my SAP Systems according to given environment

- installed the SAP GSSAPI Kerberos Wrapper library on the Windows Clients

- set the SNC identity of the SAP Server (p/krb5:m00t1h@IVV-VERBUND.DE) in the SAPLOGON.ini

- created the SNC mapping for my user in SU01 (p:2031217@IVV-VERBUND.DE)

- activated SNC in the SAP System

- restarted the SAP System - SUCCESS. SAP system comes up and obtains a valid Kerberos ticket (lifetime 10h)

- Try to authenticate via SAPGui - BANG

I have found a similar question in this thread but nobody answered it so far - so I thought to try my luck.

I'm in desperate need for help here, as I could not find valid information on this error in Google or SAP help.

Kind regards (points promised),

Christian

Edited by: Christian Guenther on Jan 23, 2008 9:35 AM
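
A consistency check over the names configured in the setup steps of the post above, as an added example that is not part of the original post. It assumes a single-realm setup, takes its SNC name grammar from the two names quoted in the post, and reads principals from plain `klist -k` output; the function names and the sample keytab listing are constructed. It validates configuration strings only and does not test whether the Windows client actually holds Kerberos credentials.

```python
import re

# Grammar inferred from the two SNC names quoted in the post:
#   p/krb5:m00t1h@IVV-VERBUND.DE  and  p:2031217@IVV-VERBUND.DE
SNC_NAME = re.compile(r"^p(?:/(?P<mech>\w+))?:(?P<principal>[^@\s]+)@(?P<realm>[^@\s]+)$")

def parse_snc_name(name):
    """Split an SNC name into (mechanism or None, principal, realm)."""
    m = SNC_NAME.match(name.strip())
    if not m:
        raise ValueError(f"not a Kerberos-style SNC name: {name!r}")
    return m.group("mech"), m.group("principal"), m.group("realm")

def keytab_principals(klist_output):
    """Extract principals from `klist -k` output (lines of '<kvno> <principal>')."""
    found = set()
    for line in klist_output.splitlines():
        m = re.match(r"^\s*\d+\s+(\S+@\S+)\s*$", line)
        if m:
            found.add(m.group(1))
    return found

def check_sso_config(profile_identity, saplogon_partner, su01_mapping, klist_output):
    """Return a list of findings; an empty list means the names are consistent."""
    findings = []
    _, srv_princ, srv_realm = parse_snc_name(profile_identity)
    _, _, usr_realm = parse_snc_name(su01_mapping)
    # The client must address the server by the exact name the server runs under.
    if saplogon_partner.strip() != profile_identity.strip():
        findings.append("SAPLOGON.ini partner name differs from snc/identity/as")
    # MIT Kerberos compares realm names case-sensitively; AD realms are upper case.
    for label, realm in (("server", srv_realm), ("user", usr_realm)):
        if realm != realm.upper():
            findings.append(f"{label} realm {realm!r} is not upper case")
    # Assumption: users and service account live in the same realm (no cross-realm trust).
    if usr_realm != srv_realm:
        findings.append("user mapping and server identity use different realms")
    if f"{srv_princ}@{srv_realm}" not in keytab_principals(klist_output):
        findings.append("service principal has no key in the keytab")
    return findings

# Constructed sample of `klist -k` output; only the principal comes from the post.
SAMPLE_KLIST = """Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- ----------------------------------------
   3 m00t1h@IVV-VERBUND.DE
"""

if __name__ == "__main__":
    print(check_sso_config("p/krb5:m00t1h@IVV-VERBUND.DE", "p/krb5:m00t1h@IVV-VERBUND.DE",
                           "p:2031217@IVV-VERBUND.DE", SAMPLE_KLIST))
```
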

1 ACCEPTED SOLUTION

Former Member
0 Kudos

Christian,

I agree with Tim on the risks of using unsupported software, specifically on SAP servers, but his proposed solution is only one of many.

Your requirement can be addressed by many vendors with a SAP-certified solution (you can look in the SAP Software Solution partner catalog: http://sspcatalog.sap.com/catalog/index.jsp).

Specifically, there is a solution from my company (SECUDE, http://www.secude.com) how to use SAPCRYPTOLIB (which is delivered and officially supported by SAP on Solaris) for a Kerberos-based SSO, so that you don't have to use 3rd-party software on your SAP server.

Peter

Edited by: Peter Adams on Jan 23, 2008 1:02 PM

Edited by: Peter Adams on Jan 24, 2008 2:10 PM

12 REPLIES 12

tim_alsop
Active Contributor
0 Kudos

Christian,

As I mentioned in the other message, you are clearly using Kerberos libraries on UNIX which is not supported by SAP, so this is likely why you have not had much of a response. I suggest you try to imagine what would happen if you had this working, and your users were using the solution to logon to SAP in your production environment, then you had an issue which stopped users from logging on - who would you contact to get support ?

So, in this scenario you are very much on your own, and is why many companies "learn about" or "experiment" with Kerberos using open source libraries and then they realise the difficulties and contact a vendor such as CyberSafe, and purchase the TrustBroker products for SAP SNC/Kerberos.

Thanks,

Tim


0 Kudos

Peter,

As you know, SDN should not be used to discuss which vendor's product is better, so using words like "not the best one from my perspective" should be avoided. Instead, you might want to think about using words such as "product <x> might meet your needs better because <y>"

It is obvious that since you work for Secude you will think your product is the best, but this customer has a specific set of needs and has clearly decided to use Kerberos libraries to meet their needs, and so mentioning your product, which DOES NOT use Kerberos for session security and authentication, but uses x.509 certificates instead is not very helpful to the customer in my opinion.

You also mentioned "SAPCRYPTOLIB for a Kerberos-based SSO" - this is NOT TRUE, since SAPCRYPTOLIB does not use Kerberos - it uses x.509 certificates for authentication. I need to correct you on this so that others reading this thread in future do not get wrong idea about this library.

Once again, let's NOT use SDN for vendor product comparisons. Instead, let's use SDN to help the customer by answering their questions and providing useful information related to their stated requirements.

Thanks again,

Tim

0 Kudos

Tim,

I think your reply here is hypocritical.

You are completely omitting options to address the customer's requirement - isn't that even more biased?

I want to make sure that Christian knows his options - therefore I listed the SAP Software Solution Partner Catalog.

Unfortunately, we both haven't been able to help with the specific problem Christian has about the MIT Kerberos library. And we both suggest options how to address the requirements stated in the scenario. Christian's scenario is to leverage Kerberos on the Windows clients to authenticate the user and implement a secure SSO to an SAP server on Solaris. Our solution is able to do that, based on SAPCRYPTOLIB. So, I stick with my statement that we can do "Kerberos-based SSO with SAPCRYPTOLIB."

Peter

0 Kudos

Peter,

If you want to discuss this further, let's make contact via email outside of SDN. As I mentioned in my last post, SDN is not appropriate for these vendor product related discussions.

To be 100% clear, the SAPCRYPTOLIB library does not implement Kerberos-SSO. If it did, then it would include Kerberos protocol support, and it doesn't - it only includes support for the x.509 gss-api mechanism, not Kerberos gss-api mechanism. Any customer who wants Kerberos for SNC-based SAP SSO needs to use a library that implements that protocol, NOT SAPCRYPTOLIB.

Thanks,

Tim

WolfgangJanzen
Product and Topic Expert
0 Kudos

> Peter,

>

> As you know, SDN should not be used to discuss which vendor's product is better, so using words like "not the best one from my perspective" should be avoided. Instead, you might want to think about using words such as "product <x> might meet your needs better because <y>"

That's absolutely correct:

Please refrain from advertising your products - and never judge on (other vendors') products (although this is now legal, even in Germany, since a few years).

I myself have to remain neutral (due to SAP's Code of Business Conduct: http://www.sap.com/about/governance/statutes/codeofconduct.epx). And I'd appreciate it if you'd do the same.

0 Kudos

Hi all,

thanks for all your replies and the interesting discussion. As was already mentioned, in my specific case the decision was made to go and give Kerberos with the freely available MIT Kerberos implementation on Solaris a try and that is what I'm doing right now.

I am sure there are a lot of good products out there to accomplish a single sign on solution between SAP Servers on Unix and Windows Active Directory. If we come to the point, after this pilot, that it is not working at all, or not working reliably, we will need to investigate the options mentioned in this thread and others available.

But until then, I have good news: The error was solved by logging in and out of the Windows workstation!!! Bit strange, but who knows.

I will close this thread (after giving points for your efforts) and will need to open a new one, as I now have an even more bizarre error. This one seems to be related to Kerberos protocol violations within Microsoft's Windows 2003 Server - sigh.

Again thanks to all of you,

Christian

WolfgangJanzen
Product and Topic Expert
0 Kudos

> ... decision was made to go and give Kerberos with the freely available MIT Kerberos implementation on Solaris a try and that is what I'm doing right now.

Good luck!

> ... I now have an even more bizarre error ...

Well, hopefully this is not going to continue.

Otherwise: you can always decide to steer towards one of the "safe harbors" that have been advertised ...

0 Kudos

Dear Tim and Peter,

This is not my field of expertise to remove comparative-advertising statements on, so I would appreciate it if you could self-moderate your posts (preferably before hitting the "post message" button - as indicated by Wolfgang).

Thanks,

Julius

christian_gnther3
Participant
0 Kudos

The problem did not occur anymore after the user logged out and back in on his Windows workstation. The scenario, however, is still not up and running, but now a new error occurs that has nothing to do with this thread.

christian_gnther3
Participant
0 Kudos

Hello all,

I found the solution to my problems and now have a working SSO with Windows Integrated Authentication.

The tools I used are:

MIT Kerberos Library,

SNC

MS Active Directory Server 2003

SAP System 4.7 and ECC 6 on Solaris 10

<removed_by_moderator>

Greetings,

Christian

Edited by: Julius Bussche on Feb 25, 2008 4:06 PM

Sorry, these are the rules. Besides, your real email address is visible in your SDN profile...

0 Kudos

Hello Christian,

In addition to the option of linking a URL to your document, I have discovered that from the moderator's tools I can add attachments to individual posts - which can then be displayed / downloaded / printed by anyone who wants to when reading the post.

If you are interested, you can send the document to me and I will attach it for you.

Regards,

Julius