SNC Error: Key version number for principal in key table is incorrect

christian_gnther3
Participant

Hi folks,

This is another error I receive while trying to implement Windows integrated SSO for the SAPGui, based on Kerberos, between an SAP system on Solaris 10 and a Microsoft Active Directory server.

The major error message I see in my dev_w0 when a user tries to logon is:

Key version number for principal in key table is incorrect

On the SAPGui side this is accompanied by a very unspecific message about an error at the Security Network Connection.

This is what I did and have so far:

SNC and Kerberos are configured on a Solaris 10 server and connect against an MS Active Directory (native 2003 mode).

SAP profile parameters are set as follows:

snc/gssapi_lib /usr/local/kerberos/lib/libgssapi_krb5.so
snc/identity/as p/krb5:m00t1h@MYDOMAIN.DE
snc/enable 1

…and of course the others...

I have an SAP Service User in my AD named m00t1h with password never expires and DES encryption.

The Kerberos Key of this user was exported with:

ktpass /princ m00t1h@IVV-VERBUND.DE /pass * /kvno 1 /crypto des-cbc-md5 /desonly /out key.keytab

I imported this key into my krb5.keytab on the Solaris system like this:

ktutil
rkt /tmp/key.keytab
l
wkt /etc/krb5.keytab
q

I can do a successful authentication of ANY domain user on Solaris OS level with username/password, and the SAP service user m00t1h is automatically logged on using his key!

After a restart of the SAP system everything looks just fine:

N SncInit(): Initializing Secure Network Communication (SNC)
N Solaris on SPARCV9 CPU (st,ascii,SAP_UC/size_t/void* = 8/64/64)
N SncInit(): found snc/data_protection/max=3, using 3 (Privacy Level)
N SncInit(): found snc/data_protection/min=1, using 1 (Authentication Level)
N SncInit(): found snc/data_protection/use=1, using 1 (Authentication Level)
N SncInit(): found snc/gssapi_lib=/usr/local/kerberos/lib/libgssapi_krb5.so
N File "/usr/local/kerberos/lib/libgssapi_krb5.so" dynamically loaded as GSS-API v2 library.
N The internal Adapter for the loaded GSS-API mechanism identifies as:
N Internal SNC-Adapter (Rev 1.0) to Kerberos 5/GSS-API v2
N SncInit(): found snc/identity/as=p/krb5:m00t1h@MYDOMAIN.DE
N Wed Jan 23 22:24:31 2008
N SncInit(): Accepting Credentials available, lifetime=Indefinite
N SncInit(): Initiating Credentials available, lifetime=08h 42m 53s

As one can see, the SNC identity is correct and the exported and imported Kerberos key is used to successfully obtain a TGT for the SAP system (the SAP service user).

On the windows clients the SAP program SAPSSO.msi has been installed and the SAPGui is configured to use SNC with the snc name set to p/krb5:m00t1h@MYDOMAIN.DE.

Now, if a user tries to log on, I get the following error message immediately as a Windows popup:

SAP Systemnachricht: Fehler im Security Network Layer (SNC)

I can find a corresponding error message in the dev_w0 for each failed logon request:

N Mon Jan 28 10:44:34 2008
N *** ERROR => SncPEstablishContext()==SNCERR_GSSAPI [sncxxall.c 3352]
N GSS-API(maj): Unspecified GSS failure. Minor code may provide more information
N GSS-API(min): Key version number for principal in key table is incorrect
N Unable to establish the security context
M *** ERROR => ErrISetSys: error info too large [err.c 944]
M Mon Jan 28 10:44:34 2008
M LOCATION SAP-Server AT1A010_T1H_06 on host AT1A010 (wp 0)
M ERROR GSS-API(maj): Unspecified GSS failure. Minor code may provi
M GSS-API(min): Key version number for principal in key table is incorre
M Unable to establish the security context
M TIME Mon Jan 28 10:44:34 2008
M RELEASE 700
M COMPONENT SNC (Secure Network Communication)
M VERSION 5
M RC -4
M MODULE sncxxall.c
M LINE 3352
M DETAIL SncPEstablishContext
M SYSTEM CALL gss_accept_sec_context
M ERRNO
M ERRNO TEXT
M DESCR MSG NO
M DESCR VARGS GSS-API(maj): Unspecified GSS failure. Minor code may provi;;;;
M ;;;;GSS-API(min): Key version number for principal in key table is incorre;;;;
M ;;;;Unable to establish the security context
M DETAIL MSG N
M DETAIL VARGS
M COUNTER 22
N <<- ERROR: SncProcessInput()==SNCERR_GSSAPI
M *** ERROR => ThSncIn: SncProcessInput (SNCERR_GSSAPI) [thxxsnc.c 976]
M *** ERROR => ThSncIn: SncProcessInput [thxxsnc.c 981]
M in_ThErrHandle: 1
M *** ERROR => ThSncIn: SncProcessInput (step 4, th_errno 44, action 1, level 1) [thxxhead.c 10283]

Further down in the trace file there is more information about the logon attempt. The strange thing about these entries is that it looks like my username was not transferred to the SAP system. And for some strange reason client 000 is mentioned, despite the fact that I have set the profile parameter login/system_client to 200:

M Modeinfo for User T17/M0
M
M tm state = 2
M uid = 997
M term type = 0x4
M display = 0x8
M cpic_no = 0
M cpic_idx = -1
M usr = > <
M terminal = >r0014500 <
M client = >000<
M conversation_ID = > <
M appc_tm_conv_idx = -1
M its_plugin = NO
M allowCreateMode = YES
M blockSoftCanel = NO
M session_id = >479C10C17AE45198E10000000A010F7B<
M ext_session_id = >479C10C17AE45198E10000000A010F7B<
M imode = 0
M mode state = 0x12
M mode clean_state = 1
M task_type = 0
M lastThFc = THFCINIT

Even further down there is an entry about the logoff of an unnamed user (me again, I suspect, as I am the only person using this test system):

M ThCheckAbapDebugging: abap check returned FALSE
M ThCheckAbapDebugging: no debug for EOS, EOC, LOGOFF or CANCEL
M ThCheckAbapDebugging: debugging for TERM output ok
M DpDebuggingActive: check T17/M0
M ThCheckAbapDebugging: return 0
M ThJCheckJavaDebugging: return 0
M abap strategy ROLL / O.K.
M ThISend: set TH_LOGOFF for T17 (user= ) in state TM_NEND
M ThRqOutCheck: o.k.
M ThISend: allowed rq_type of T17/M0 = TH_ALL_RQ
M ThNewWpStat (type=0x10000011, task_switch=1, inline_hold=0, hand_shake=0, debug=0, ..)
M ThNewWpStat: new MODE_REC = 0x10
M ThNewWpStat: set mode wait
M ThNewWpStat: new state of T17/M0 = 0x11
M ThISend: new wp stat: 0x2
M Adresse Offset Data to Terminal

I know that Kerberos based on the MIT library is officially not supported by SAP, but it was decided to give it a try.

So if someone could post his/her thoughts about this - any hint or any straw is gratefully accepted and highly needed - I'm basically without any more ideas as to where to look further for the root of this issue.

Kind regards,

Christian

1 ACCEPTED SOLUTION

tim_alsop
Active Contributor

Christian,

Hello again!

Clearly, the key version number issued by Active Directory when the service ticket is requested is not the same as the key version in the key table file which you extracted from the user account using ktpass. From your ktpass command it looks like you specified that key version 1 should be used, but I suspect the password for your service user has since changed and the Active Directory domain then has kvno > 1 in its database.

There are many issues like this related to using a user account in AD to store service principal keys. For example, somebody can attempt to log on to AD using the m00t1h user account, and if they get the password wrong many times Active Directory will deactivate the account, and this will cause a denial of service the next time SAP is started.

The best approach is to use computer accounts in AD to store keys for services such as SAP. The ktutil utility does not support this very well. This is why commercially available solutions, such as the one I previously mentioned to you (CyberSafe TrustBroker), come included with a tool that is used instead of ktpass.

I hope this helps you understand why you are getting this error?

Thanks,

Tim
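As an added diagnostic example (not part of Tim's reply and not SAP's or CyberSafe's tooling): a small parser for the MIT keytab format that lists each entry's principal and kvno, so the value stored in /etc/krb5.keytab can be compared with the account's msDS-KeyVersionNumber attribute read from AD. The sample keytab bytes and the AD kvno values are constructed; only format 0x0502 (what ktutil and ktpass write) is handled.

```python
import struct

def parse_keytab(data):
    """Parse an MIT keytab (format 0x0502, big-endian); returns dicts with principal, kvno, enctype."""
    if data[:2] != b"\x05\x02":
        raise ValueError("only keytab format 0x0502 is supported")
    pos, entries = 2, []
    def take(fmt):                        # unpack big-endian fields and advance the cursor
        nonlocal pos
        vals = struct.unpack_from(fmt, data, pos)
        pos += struct.calcsize(fmt)
        return vals
    while pos + 4 <= len(data):
        (size,) = take(">i")
        if size < 0:                      # negative size marks a deleted/free slot
            pos += -size
            continue
        end = pos + size
        (ncomp,) = take(">H")
        parts = []                        # realm first, then the name components
        for _ in range(ncomp + 1):
            (ln,) = take(">H")
            parts.append(data[pos:pos + ln].decode())
            pos += ln
        _name_type, ts, vno8 = take(">IIB")
        enctype, klen = take(">HH")
        pos += klen                       # skip the key bytes themselves
        kvno = vno8
        if end - pos >= 4:                # optional 32-bit kvno; MIT uses it when non-zero
            kvno = take(">I")[0] or vno8
        entries.append({"principal": "/".join(parts[1:]) + "@" + parts[0],
                        "kvno": kvno, "enctype": enctype, "timestamp": ts})
        pos = end
    return entries

def kvno_mismatches(entries, ad_kvno):
    """ad_kvno maps principal -> the account's msDS-KeyVersionNumber from AD; returns mismatches."""
    return [(e["principal"], e["kvno"], ad_kvno[e["principal"]]) for e in entries
            if e["principal"] in ad_kvno and ad_kvno[e["principal"]] != e["kvno"]]

def _entry(realm, comps, kvno, enctype, key):
    """Build one 0x0502 entry (only used to construct the sample keytab below)."""
    body = struct.pack(">H", len(comps))
    for s in [realm] + comps:
        body += struct.pack(">H", len(s)) + s.encode()
    body += struct.pack(">IIB", 1, 0, kvno & 0xFF)          # KRB5_NT_PRINCIPAL, timestamp 0
    body += struct.pack(">HH", enctype, len(key)) + key + struct.pack(">I", kvno)
    return struct.pack(">i", len(body)) + body

# Constructed sample keytab: m00t1h@MYDOMAIN.DE, kvno 1, enctype 3 (des-cbc-md5), invented key bytes.
SAMPLE_KEYTAB = b"\x05\x02" + _entry("MYDOMAIN.DE", ["m00t1h"], 1, 3, b"\x13" * 8)
```

Running `kvno_mismatches(parse_keytab(open("/etc/krb5.keytab", "rb").read()), {...})` against the kvno read from AD shows exactly the mismatch that gss_accept_sec_context reports above; a password change on the service account bumps the AD value and the keytab must be re-exported.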

4 REPLIES


christian_gnther3
Participant

Hello all,

I found the solution to my problems and now have a working SSO with Windows Integrated Authentication.

The tools I used are:

MIT Kerberos Library,

SNC

MS Active Directory Server 2003

SAP System 4.7 and ECC 6 on Solaris 10

<removed_by_moderator>

Greetings,

Christian

Edited by: Julius Bussche on Feb 25, 2008 4:14 PM

christian_gnther3
Participant

Check my last reply


Please check your email.