05-30-2008 9:31 PM
Hi Folks,
we are currently implementing SSO using SNC and Kerberos authentication on a Windows 2003 32-bit environment (SOLMAN4), but facing the following issue. When we change the profile of that central instance to include the following parameters and restart the instance:
snc/enable = 1
snc/gssapi_lib =<DRIVE>:\%windir%\system32\<kerberos_file>.dll
snc/identity/as =p:SAPService<SAPSID>@<UPPERCASE_DNS_DOMAIN_NAME>
The disp+work.exe process stops working (it starts, then the Java processes stop, and it stops afterwards).
Any idea what is going on?
Thanks for your help,
Marco
05-30-2008 9:34 PM
Just one thing: we actually replace the values from the installation manual with actual values from our landscape so it should read:
snc/enable = 1
snc/gssapi_lib =c:\windows\system32\gsskrb5.dll.dll
snc/identity/as =p:SAPServiceERS@<ACUTAL DOMAIN IS HERE>
Thanks,
Marco
05-30-2008 10:38 PM
Hi,
Can you check dev_w0 trace file (found in work directory). This file will show you if there are any snc initialisation errors which will stop your work processes from starting. If you can show me what Snc message you see in this file I can help you fix it.
Thanks,
Tim
06-02-2008 3:39 PM
Hi Tim,
here's what I got from dev_W0 regarding SNC. I couldn't find anywhere describing how to set up credentials for this service.
Thanks for your help,
Marco
SncInit(): Initializing Secure Network Communication (SNC)
N PC with Windows NT (mt,ascii,SAP_UC/size_t/void* = 16/32/32)
N SncInit(): found snc/data_protection/max=3, using 3 (Privacy Level)
N SncInit(): found snc/data_protection/min=2, using 2 (Integrity Level)
N SncInit(): found snc/data_protection/use=9, using 3 (Privacy Level)
N SncInit(): found snc/gssapi_lib=C:\WINDOWS\system32\gsskrb5.dll
N File "C:\WINDOWS\system32\gsskrb5.dll" dynamically loaded as GSS-API v2 library.
N The internal Adapter for the loaded GSS-API mechanism identifies as:
N Internal SNC-Adapter (Rev 1.0) to Kerberos 5/GSS-API v2
N SncInit(): found snc/identity/as=p:SAPServiceERS@<DOMAIN>
N *** ERROR => SncPAcquireCred()==SNCERR_GSSAPI [sncxxall.c 1432]
N GSS-API(maj): No valid credentials provided (or available)
N GSS-API(min): SSPI u2u-problem: please add Service principal for own account
N Could't acquire ACCEPTING credentials for
N
N name="p:SAPServiceERS@<DOMAIN>"
M *** ERROR => ErrISetSys: error info too large [err.c 944]
M Mon Jun 02 10:30:34 2008
M LOCATION SAP-Server SAPSMSVR_ERS_00 on host SAPSMSVR (wp 0)
M ERROR GSS-API(maj): No valid credentials provided (or available)
M GSS-API(min): SSPI u2u-problem: please add Service principal for own a
M name="p:SAPServiceERS@<DOMAIN>"
M TIME Mon Jun 02 10:30:34 2008
M RELEASE 700
M COMPONENT SNC (Secure Network Communication)
M VERSION 5
M RC -4
M MODULE sncxxall.c
M LINE 1432
M DETAIL SncPAcquireCred
M SYSTEM CALL gss_acquire_cred
M ERRNO
M ERRNO TEXT
M DESCR MSG NO
M DESCR VARGS GSS-API(maj): No valid credentials provided (or available);;;;
M ;;;;GSS-API(min): SSPI u2u-problem: please add Service principal for own a;;;;
M ;;;;name="p:SAPServiceERS@<DOMAIN>"
M DETAIL MSG N
M DETAIL VARGS
M COUNTER 1
N SncInit(): Fatal -- Accepting Credentials not available!
N <<- ERROR: SncInit()==SNCERR_GSSAPI
N sec_avail = "false"
M ***LOG R19=> ThSncInit, SncInitU ( SNC-000004) [thxxsnc.c 230]
M *** ERROR => ThSncInit: SncInitU (SNCERR_GSSAPI) [thxxsnc.c 232]
M in_ThErrHandle: 1
M *** ERROR => SncInitU (step 1, th_errno 44, action 3, level 1) [thxxhead.c 10380]
06-02-2008 3:44 PM
Hi,
The Windows server needs to be a domain member for this solution to work. If it is not a domain member, then you need to use an SNC solution available from an SAP partner instead of using the library provided by SAP for SNC.
The output you showed has p:SAPServiceERS@ as the SNC name, but this is not a valid name. The domain name in upper case needs to be added to the end of this. For example, if your AD domain is company.com, the SNC name needs to have COMPANY.COM added after the @.
I hope this helps.
Tim
06-02-2008 3:46 PM
I forgot to mention, the user you start SAP under needs to be a domain account and have the SPN mapped to it that you are using in the snc/identity/as parameter.
06-02-2008 3:51 PM
Hi Tim,
thanks for your prompt reply. The domain name is there in capital letters, but I had to take it out from the message because the FORUM was complaining about the e-mail address in the message (user@DOMAIN).
You said: the user you start SAP under needs to be a domain account and have the SPN mapped to it that you are using in the snc/identity/as parameter. Could you explain to me what you mean by it? What is an SPN?
Thanks again for your help,
Marco
06-02-2008 4:12 PM
Marco,
SPN = Service Principal Name. In this case it is the same as the SNC name, but without the p: prefix.
You need to use an MS supplied tool to add the SPN to the computer account for the server. The SAP documentation explains this. Just search in help.sap.com for details.
Thanks,
Tim
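A small consistency check of the profile values Tim describes, added here as an example and not code from the thread or from SAP: it parses the snc/* profile lines, requires the p: prefix and an upper-case domain after the @, derives the SPN (the SNC name without p:), and compares it with the SPNs registered on the service account. The profile text and the SPN list are constructed samples; in practice the SPN list comes from the Microsoft tool Tim refers to (setspn -L <account>).

```python
# Constructed sample instance profile, modelled on the snc/* lines in this thread
SAMPLE_PROFILE = """
snc/enable = 1
snc/gssapi_lib = C:\\WINDOWS\\system32\\gsskrb5.dll
snc/identity/as = p:SAPServiceERS@COMPANY.COM
"""

# Constructed sample: SPNs registered on the SAPServiceERS domain account
SAMPLE_SPNS = ["SAPServiceERS@COMPANY.COM"]


def parse_profile(text):
    """Return a dict of profile parameter -> value from simple 'key = value' lines."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            params[key.strip()] = value.strip()
    return params


def check_snc_identity(params, registered_spns):
    """Return a list of findings; an empty list means the SNC identity looks consistent."""
    findings = []
    if params.get("snc/enable") != "1":
        findings.append("snc/enable is not 1, SNC is disabled")
    ident = params.get("snc/identity/as", "")
    if not ident.startswith("p:"):
        findings.append("snc/identity/as must start with the p: prefix")
        return findings
    spn = ident[2:]                     # SPN = SNC name without the p: prefix
    account, at, realm = spn.partition("@")
    if not at or not realm:
        # This is the shape of the failing name in the dev_w0 trace above
        findings.append("no @DOMAIN after the account name in snc/identity/as")
        return findings
    if realm != realm.upper():
        findings.append("domain '%s' must be written in upper case" % realm)
    if spn not in registered_spns:
        findings.append("SPN '%s' is not registered on the service account" % spn)
    return findings


if __name__ == "__main__":
    for finding in check_snc_identity(parse_profile(SAMPLE_PROFILE), SAMPLE_SPNS):
        print("SNC check:", finding)
```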
05-12-2009 7:55 PM
Hi Tim,
We are having similar issues. In our case, the SAP server is not in the user domain (it's in a different one). Does that mean we can't use the SAP libraries? We are using 2003 and the SAP server domain trusts the account domain.
Also:
Our Kerberos Realm has the form: CORP.AD.COMP.ORG
The service user UPN is SAPServiceSID @ COMP.ORG
When I use SAPServiceSID @ CORP.AD.COMP.ORG in the snc/identity/as parameter, I get error "Caller is not the owner of the request".
When I use SAPServiceSID @ COMP.ORG, I don't get any error with the credentials. In this case I get "Specified target is unknown or unreac;;;"
Any help will be greatly appreciated.
Thanks.
Carlos
PS I put spaces around @ in order to be able to post this message
05-12-2009 8:46 PM
Carlos,
The question described in this thread has already been marked as answered by the original author (Marco). I suggest that if you need help with your particular problem you open a new thread, and then you will get better responses from the SDNers, including myself. Of course, if you want to reference this thread in your new thread you can do that by posting the URL in the thread description.
Thanks,
Tim