
SNC SAPGUI -> ECC 6.0

Former Member
0 Kudos

Hi.

I'm trying to establish SSO between SAP GUI and the server. I was going through http://help.sap.com/saphelp_nw70/helpdata/EN/44/0ebf6c9b2b0d1ae10000000a114a6b/frameset.htm.

Here are the log entries which I get from the server:

Wed Apr 16 16:09:53 2008

N *** ERROR => SncPEstablishContext()==SNCERR_GSSAPI sncxxall.c 3352

N GSS-API(maj): Miscellaneous Failure

N GSS-API(min): The logon attempt failed

N Unable to establish the security context

N <<- SncProcessInput()==SNCERR_GSSAPI

M *** ERROR => ThSncIn: SncProcessInput (SNCERR_GSSAPI) thxxsnc.c 976

M *** ERROR => ThSncIn: SncProcessInput thxxsnc.c 981

M in_ThErrHandle: 1

M *** ERROR => ThSncIn: SncProcessInput (step 4, th_errno 44, action 1, level 1) thxxhead.c 10205

and from other file:

SncInit(): Initializing Secure Network Communication (SNC)

N PC with Windows NT (mt,ascii,SAP_UC/size_t/void* = 8/32/32)

N SncInit(): found snc/data_protection/max=1, using 1 (Authentication Level)

N SncInit(): found snc/data_protection/min=1, using 1 (Authentication Level)

N SncInit(): found snc/data_protection/use=3, using 1 (Authentication Level)

N SncInit(): found snc/gssapi_lib=F:\usr\sap\TEM\sys\exe\run\gssntlm.dll

N File "F:\usr\sap\<SID>\sys\exe\run\gssntlm.dll" dynamically loaded as GSS-API v2 library.

N The internal Adapter for the loaded GSS-API mechanism identifies as:

N Internal SNC-Adapter (Rev 1.0) to SAP's GSS-API v2 over NTLM(SSPI) Adapter

N SncInit(): found snc/identity/as=p:DOMAIN\SAPService<SID>

N SncInit(): Accepting Credentials available, lifetime=Indefinite

N SncInit(): Initiating Credentials available, lifetime=Indefinite

M SNC (Secure Network Communication) enabled

On the client I have:

SNC_LIB = C:\Program Files\SAP\FrontEnd\SAPgui\gssntlm.dll and sncgss32.dll in ...\system32.

Also in SAP GUI I have p:DOMAIN\SAPService<SID>. I get the error:

SAP system message:

'Error in the Security Network Layer'

I'm using a client with Win XP SP2 which is in an AD domain, and ECC 6.0 is in a workgroup. Is it possible to make SNC work between these two? If yes, what am I doing wrong? Wrong DLLs or... I don't know...

Help me please, thx in advance.

(I'm also in digging mode and looking for a solution)

1 ACCEPTED SOLUTION

tim_alsop
Active Contributor
0 Kudos

Jakub,

I am wondering why you are using gssntlm.dll - is there a reason why you are unable to use the Kerberos SNC libraries? I think you will have more success if you change the protocol to Kerberos and use the same dll on both server and client.

I am also not clear why you have configured SNC_LIB to point to location of gssntlm.dll and you have also mentioned the sncgss32.dll. If you specify the gssntlm.dll location in this environment variable, then sncgss32.dll will not be used. If you remove the environment variable, then SAP GUI will default to the sncgss32.dll which it will find in system32 directory without the environment variable being required.

Thanks,

Tim

8 REPLIES 8

Former Member
0 Kudos

Thx for reply.

I'll try with Kerberos then.

Why did I do those steps with the DLLs? Well, this is what you can find in the link at the top of my post.

Former Member
0 Kudos

Hi again,

Now I have this message... I can't find any description on the SAP forum or even Google...

*** ERROR => SncPAcquireCred()==SNCERR_GSSAPI sncxxall.c 1432

N GSS-API(maj): No valid credentials provided (or available)

N GSS-API(min): No Kerberos SSPI credentials available for requested name

N Could't acquire ACCEPTING credentials for

N

N name="p:SAPService<SID>@xxxxx01"

M *** ERROR => ErrISetSys: error info too large err.c 931

and few lines below...

DESCR VARGS GSS-API(maj): No valid credentials provided (or available);;;;

M ;;;;GSS-API(min): No Kerberos SSPI credentials available for requested nam;;;;

M ;;;;name="p:SAPService<SID>@xxxxx01"

M DETAIL MSG N

M DETAIL VARGS

M COUNTER 1

N SncInit(): Fatal -- Accepting Credentials not available!

N <<- ERROR: SncInit()==SNCERR_GSSAPI

N sec_avail = "false"

M ***LOG R19=> ThSncInit, SncInitU ( SNC-000004) thxxsnc.c 230

M *** ERROR => ThSncInit: SncInitU (SNCERR_GSSAPI) thxxsnc.c 232

M in_ThErrHandle: 1

M *** ERROR => SncInitU (step 1, th_errno 44, action 3, level 1) thxxhead.c 10205

Does that mean that the SAP gss library was unable to find any Kerberos ticket in the Microsoft credentials cache for the given user principal name? If so, what can I do to fix this...?

thx in advance again.

tim_alsop
Active Contributor
0 Kudos

Jakub,

Is the actual name you are using instead of xxxxx01 in upper case?

Also, did you map this service principal name to your server's computer account?

Thanks,

Tim

Former Member
0 Kudos

Hi

Well, I know now that I can't use Kerberos, because the server isn't an AD domain controller (it is not even in any domain) and the Kerberos service is disabled and I can't turn it on.

So is there any way I can turn on SNC on this server?

tim_alsop
Active Contributor
0 Kudos

Jakub,

OK, I know that the SAP snc library DOES require the server to be a member of a domain for Kerberos to work, since it uses the SSPI interface to the Kerberos functionality included in Windows. There are other Kerberos libraries available from SAP partners however, so maybe if you are interested you can check here (www.sap.com/eapcatalog) and look for Kerberos and Active Directory using the search box - then contact one of the vendors, asking for help.

I am not familiar enough with the NTLM protocol to know if this also requires online access to a domain controller on the network. My expertise is with Kerberos, which is the preferred protocol with Active Directory. The NTLM protocol was used on Windows NT networks and was also implemented in Windows 2000 when Kerberos support was added to Active Directory, but some Active Directory domains are running with the NTLM protocol turned off - maybe that is why your use of the NTLM library failed?

I hope this helps?

Thanks,

Tim

Former Member
0 Kudos

Thx again for your participation.

The NTLM service is running on the server and clients, so I think it is OK with NTLM. Well, I think the only way is that I must now read some Microsoft NTLM specification and see how it works.

Thx again for help

Former Member
0 Kudos

OK, I've done it!

The problem was the wrong SNC name I was applying at ECC 6.0. SSO is working now.

btw SAP note 121178 was very helpful

Edited by: Jakub Zakrzewski on Apr 18, 2008 8:52 AM

Edited by: Jakub Zakrzewski on Apr 18, 2008 9:41 AM
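
Added example, not part of the thread and not SAP tooling: a small Python parser that reads SNC lines from a server trace and reports the data protection level actually in effect, the loaded GSS-API adapter, and each GSS-API failure with its major/minor status. The sample lines are copied from the posts above; the function name `analyze` is hypothetical, and the level names (1 authentication only, 2 integrity, 3 privacy) are the standard meaning of the snc/data_protection values.

```python
import re

# Constructed sample: trace lines copied from the posts in this thread.
SAMPLE_TRACE = r"""
N SncInit(): found snc/data_protection/max=1, using 1 (Authentication Level)
N SncInit(): found snc/data_protection/use=3, using 1 (Authentication Level)
N SncInit(): found snc/gssapi_lib=F:\usr\sap\TEM\sys\exe\run\gssntlm.dll
N SncInit(): found snc/identity/as=p:DOMAIN\SAPService<SID>
N *** ERROR => SncPEstablishContext()==SNCERR_GSSAPI sncxxall.c 3352
N GSS-API(maj): Miscellaneous Failure
N GSS-API(min): The logon attempt failed
M *** ERROR => ThSncIn: SncProcessInput (SNCERR_GSSAPI) thxxsnc.c 976
"""

PARAM = re.compile(r"found (snc/[\w/]+)=(.+?)(?:, using (\d+) \(.+\))?$")
ERROR = re.compile(r"\*\*\* ERROR => (\w+)\(\)==(\w+)")
GSS = re.compile(r"GSS-API\((maj|min)\): (.+)$")
LEVELS = {1: "authentication only", 2: "integrity", 3: "privacy"}


def analyze(trace):
    """Summarise SNC settings and GSS-API failures found in an SNC trace."""
    params, effective, errors, findings = {}, {}, [], []
    for line in trace.splitlines():
        line = line.strip()
        if m := PARAM.search(line):
            params[m[1]] = m[2]
            if m[3]:
                effective[m[1]] = int(m[3])  # value SncInit reports as "using"
        elif m := ERROR.search(line):
            errors.append({"call": m[1], "code": m[2], "maj": None, "min": None})
        elif (m := GSS.search(line)) and errors:
            errors[-1][m[1]] = m[2]  # attach status text to the preceding error
    use = "snc/data_protection/use"
    if use in effective and int(params[use]) > effective[use]:
        findings.append(f"{use}={params[use]} requested, level {effective[use]} "
                        f"({LEVELS.get(effective[use], 'unknown')}) in effect")
    lib = params.get("snc/gssapi_lib", "")
    if lib.lower().endswith("gssntlm.dll"):
        findings.append("NTLM adapter loaded: gssntlm.dll")
    for e in errors:
        findings.append(f"{e['call']} -> {e['code']}: {e['maj']} / {e['min']}")
    return {"params": params, "errors": errors, "findings": findings}


if __name__ == "__main__":
    for finding in analyze(SAMPLE_TRACE)["findings"]:
        print(finding)
```

On the quoted trace this reports that snc/data_protection/use=3 was configured while level 1 was in effect, which is worth checking whenever the trace shows a "found X, using Y" mismatch.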