
SNC connection does not work

Former Member
0 Kudos

Hi All,

We have a .Net application which runs a BAPI while the user running it connects through SNC.

The application is a WEB application which impersonates the authenticated user who runs it. It succeeds only when the same user is logged in to the WEB server that runs this WEB application; otherwise - even when sending the user name hard coded - it fails logging into SAP.

Steps to Recreate Problem:

1. Create a .Net WEB application that runs a BAPI (WEB service is better). Use SAP.Connector.

2. Use the SNC connection method.

3. Run the application when logged in to the WEB server.

4. Run the same application from another workstation (or run the Web service from another application).

We got the exception after step 4.

Error message:

Connect to SAP gateway failed Connect_PM GWHOST=mrrimt00.DEV.MERKAVA.GOV.IL, GWSERV=sapgw40, ASHOST=mrrimt00.DEV.MERKAVA.GOV.IL , SYSNR=40 LOCATION CPIC (TCP/IP) on local host ERROR SNCERR_GSSAPI An operation failed at the GSS-API level sec_avail="false" TIME Mon Dec 12 17:30:06 2005 RELEASE 640 COMPONENT SNC (Secure Network Communication) VERSION 5 RC -4 MODULE sncxx.c DETAIL SncInit COUNTER 4

This message was taken from the exception thrown by the .Net application that consumes a Web service which logs in to SAP and consumes the BAPI.

The web service is working only from its test page (i.e. locally only); otherwise it gives the message above.

Does anyone know if my SNC connection string is wrong? Or do I have to use ITS and/or PAS? which I don't

Hope you could help me, I'm desperate,

Yours,

Yoav Toussia Cohen

P.S. My connection string is:

SAPProxy1 proxy = new SAPProxy1();
// connection string with SNC parameters and debug
// (the partner name is wrapped in escaped double quotes inside the string)
string connStr = "ASHOST=mrrimt00 CLIENT=140 SNC_MODE=1 SYSNR=40 " + "TYPE=3 " + "snc_partnername=\"p:SAPServiceDGL@DEV.MERKAVA.GOV.IL\"";
BAPIRET2Table bapiTbl = new BAPIRET2Table();
ILG_NUMERATOR_FOR_PERIODSTable bapiEnum = new ILG_NUMERATOR_FOR_PERIODSTable();
SAP.Connector.SAPConnection SAPc = new SAP.Connector.SAPConnection(connStr);

Accepted Solutions (1)


reiner_hille-doering
Active Contributor
0 Kudos

Dear Customer,

Unfortunately this behaviour is by design - or to say it differently - a problem of Windows in general. The reason is that the impersonation token - even if username and password are entered - is not a full token. It doesn't have the same "power" as the token that you have with a full logon.

Therefore we recommend this version of SNC only for Smart Client Applications.

For Web Applications there are two other alternatives:

1. Use MYSAPSSO2 ticket SSO.

2. Use SNC with External User ID and trusted connection.

For both options I have an article available in SDN:

1.: https://www.sdn.sap.com/irj/servlet/prt/portal/prtroot/docs/library/uuid/edb8a190-0201-0010-d398-c23...

2.: I can't find the link at the moment, but anyway it was only an excerpt from NCo documentation, so you have it anyway. The idea is to establish a so-called "trusted connection" between IIS and SAP server over an SNC connection. The user on IIS side stays constant (no impersonation - just a fixed domain user). The "real" user is passed in to SAP as "external user id" - which is an extra parameter in the connection string. The user is mapped on SAP server side to a SAP user id.

I recommend the first approach if you have a MYSAPSSO2 ticket - which usually means that the users are authenticated by a portal.

Else option 2 is a good choice.

Hope the information helps. I'm currently on vacation and just dial in from home, so it may take some time for a "roundtrip".

Regards,

Reiner.

Former Member
0 Kudos

Hi Reiner,

(To avoid confusion - I'm a different Yoav).

I saw your first suggestion and was wondering if it can solve my problem in:

Please answer there in order not to "Hijack" this thread from its original issue.

To be more specific, does this authentication method require special code on the .Net side (in which case it won't solve my problem), or just general configuration of the server, which makes the authentication process transparent?

Thanks,

Yoav.

Former Member
0 Kudos

Hi Reiner Hille-Doering ,

Hope you're having fun on your vacation.

The main issue now is we are not sure about the parameters we need to enter in the Access Control List (ACL) for systems:

1. What is my system ID? Is it my domain? Or SID?

2. What is my SNC Name? It is supposed to be ASPNetUsrn in IIS 5 but I'm using IIS 6, so how do I retrieve the user there?

3. Should I use the default application pool? And which identity should run that?

I'm not using a portal so your first suggestion isn't relevant.

Thanks Ahead,

Yoav (the First One)

reiner_hille-doering
Active Contributor
0 Kudos

As I don't have access to NCo documentation from home, it's a little bit difficult to write you the answers in detail.

1. I assume it's the SID.

2. First you need to make sure that your .NET Web Service is running as a Domain User. You may configure it in IIS, but I always used an entry in web.config (or machine.config), where I specified the user and password of the trusted user that should run the Web Service.

I don't remember the exact name of section and element, but I'm sure you will quickly find it if you search in the area system.web - authentication.

The name of this account will be the client side SNC name of the trusted connection. The syntax will be either <user>@<NTDOMAIN> or <NTDOMAIN>\<user>, depending on which SNC lib you are using (Kerberos or NTLM). E.g. it could be "iisuser@NT5.SAP.CORP" or "NT5\iisuser". The server side SNC name is the account that runs SAP - usually SAPService<SID>. Again the format depends on the SNC lib, e.g. "SAPServicePRD@NT5.SAP.CORP" or "NT5\SAPServicePRD".

3. This should be irrelevant, as long as the .NET app is running as correct user.

I always create a small Web Application that shows System.Environment.UserName and System.Environment.UserDomainName, so that I'm sure that everything is correctly configured.

Regards,

Reiner.
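
Added example, not code from the thread or from SAP's documentation: a sketch of the identity check and the trusted-connection string that the replies above describe. The `EXTIDTYPE`/`EXTIDDATA` parameters with type `NT` are assumptions to confirm against the NCo documentation, and the accounts `DEV\iisuser` and `DEV\jdoe` are constructed sample values.

```csharp
using System;
using System.Security.Principal;

public static class SncTrustedConnection
{
    // "DOMAIN\user" -> the two client SNC name syntaxes from the reply above.
    // The "p:" prefix follows the connection string in the original question.
    public static string[] SncNames(string ntAccount, string kerberosRealm)
    {
        string[] parts = ntAccount.Split('\\');
        if (parts.Length != 2)
            throw new ArgumentException("Expected DOMAIN\\user, got: " + ntAccount);
        // Built-in or machine-local accounts are not domain users.
        if (parts[0].Equals("NT AUTHORITY", StringComparison.OrdinalIgnoreCase) ||
            parts[0].Equals(Environment.MachineName, StringComparison.OrdinalIgnoreCase))
            throw new InvalidOperationException(ntAccount + " is not a domain user");
        return new string[] {
            "p:" + parts[1] + "@" + kerberosRealm, // Kerberos SNC library
            "p:" + parts[0] + "\\" + parts[1]      // NTLM SNC library
        };
    }

    // The fixed service account authenticates over SNC; the real caller is passed
    // as external user ID. Assumption: EXTIDTYPE=NT with DOMAIN\user as data;
    // use whatever type the user mapping on the SAP server is maintained for.
    public static string ConnectionString(string myName, string partner, string caller)
    {
        // The caller name comes from the request, so refuse anything that
        // could start a second KEY=VALUE pair inside the connection string.
        if (caller.IndexOfAny(new char[] { ' ', '\t', '"', '=' }) >= 0)
            throw new ArgumentException("Unexpected character in caller name");
        return "ASHOST=mrrimt00 CLIENT=140 SYSNR=40 TYPE=3 SNC_MODE=1 " +
               "SNC_MYNAME=\"" + myName + "\" SNC_PARTNERNAME=\"" + partner + "\" " +
               "EXTIDTYPE=NT EXTIDDATA=" + caller;
    }

    public static void Main()
    {
        // The check Reiner describes: which account does the code really run as?
        Console.WriteLine("Process token: " + WindowsIdentity.GetCurrent().Name);
        Console.WriteLine("Environment:   " + Environment.UserDomainName + "\\" + Environment.UserName);

        // Constructed sample values; host and partner name are taken from the question.
        string[] my = SncNames("DEV\\iisuser", "DEV.MERKAVA.GOV.IL");
        Console.WriteLine(ConnectionString(my[0], "p:SAPServiceDGL@DEV.MERKAVA.GOV.IL", "DEV\\jdoe"));
    }
}
```

Called from inside the web service, the first two lines show whether the worker process runs under the intended domain account or under a built-in identity, which `SncNames` rejects.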

Answers (0)