Configure SSO for ITS to R/3 using SNC/Kerberos

Former Member

Our R/3 systems had been configured for SSO using SNC and Kerberos for a while now. We now have a requirement to configure SSO between ITS and R/3. Since our R/3 env. has been using the Kerberos library, we won't be able to use the SAP Cryptographic Library. I modified the registry, environment and services in itsadmin to point to the Kerberos library and principal names for the AGate and R/3 servers as described in the SNC User Guide; I also updated table SNCSYSACL with the AGate SNC name. That seems to work fine. From the trace file, it recognized the GSS-API library for Kerberos and the SNC name for AGate. However, when I tried to log on to R/3 from ITS, I am still being prompted with the logon screen to enter my SAP account/password.

I found several whitepapers and documents stating that ITS does support Kerberos for SSO, but I couldn't find any procedure on how to implement it. Following is the error I'm getting from the sapbasis.trc file, but I can't find any document on this error:

=====================================================
[Thr 5284] SncInit(): Initializing Secure Network Communication (SNC)
[Thr 5284] PC with Windows NT (mt,ascii,SAP_UC/size_t/void* = 8/32/32)
[Thr 5284] SncInit(): Trying environment variable SNC_LIB as a
gssapi library name: "C:\WINNT\system32\gsskrb5.dll".
[Thr 5284] File "C:\WINNT\system32\gsskrb5.dll" dynamically loaded as GSS-API v2 library.
[Thr 5284] The internal Adapter for the loaded GSS-API mechanism identifies as:
Internal SNC-Adapter (Rev 1.0) to Kerberos 5/GSS-API v2
[Thr 2888] Sun Jan 15 22:44:59 2006
[Thr 2888] <<- ERROR: SncSetParam()==SNCERR_PARAM_DENIED
[Thr 2888] *** WARNING => NO Domain! domain==NULL means: No domain at all within the cookie. [sapss1_loctr 333]
[Thr 2888] Sun Jan 15 22:45:29 2006
[Thr 2888] *** WARNING => NO Domain! domain==NULL means: No domain at all within the cookie. [sapss1_loctr 333]
=====================================================

Does anyone know what I am missing? Any help is greatly appreciated.

Thank you!

Diem

Accepted Solutions (0)

Answers (3)


Former Member

Hi Markus,

I also just installed/configured PAS for LDAP authentication using the "PAS for External Authentication Mechanisms" documentation. I think the domain problem is probably due to not having the external authentication mechanism installed (in this case, PAS). Does that sound right to you?

I tried both options for the ~extid_type parameter, "LD" and "UN". I added the DN information to table USREXTID when ~extid_type="LD", but both options gave me the error "LDAP authentication failed". I increased the trace level for sapextaut.trc, but I don't see enough detailed information. Following are the errors/data from the trace file. Can you please let me know how I can tell what string is being passed for authentication?

I'm quite sure the LDAP host and port data is correct since we've been using the same information for the SAP LDAP connector and we've been using our LDAP connector between MS AD and R/3 for a long time without any problem.

To log on to R/3 through ITS, I entered the AD account (CN attribute in AD) when I got the errors.

Thank you very much for all your help.

Diem Tran

Trace:

=====================================================
2006-01-18T01:39:30.734 p001688 t4992 s0158B4E8 [sapextauth, 437]: W sapextauth: PAS session begins...
2006-01-18T01:39:30.734 p001688 t4992 s0158B4E8 [sapextauth, 456]: sapextauth: SncNameR3 is: "p:na1adm/hpusir31.allergan.com@IRVINE.ALLERGAN.COM"
2006-01-18T01:39:30.734 p001688 t4992 s0158B4E8 [sapextauth, 462]: sapextauth: SncNameAGate is: "p:nb1adm@IRVINE.ALLERGAN.COM"
2006-01-18T01:39:30.750 p001688 t4992 s0158B4E8 [sapextauth, 468]: sapextauth: SNC_LIB is: "C:\WINNT\system32\gsskrb5.dll"
2006-01-18T01:39:30.750 p001688 t4992 s0158B4E8 [sapextauth, 568]: sapextauth: XGatConnectSession leaving....
2006-01-18T01:39:30.750 p001688 t4992 s0158B4E8 [sapextauth, 616]: sapextauth: XGatHandleLogin called....
2006-01-18T01:39:30.750 p001688 t4992 s0158B4E8 [sapextauth, 976]: sapextauth: Entering XGatHandleLogin with LDAP...
2006-01-18T01:39:30.750 p001688 t4992 s0158B4E8 [sapextauth, 993]: W Either ~login or ~password missing, returning XGDKRCloginrequired.
2006-01-18T01:39:50.281 p001688 t4992 s00000000 [sapextauth, 398]: sapextauth: XGatEventOpenSession called...
2006-01-18T01:39:50.281 p001688 t4992 s0158B4E8 [sapextauth, 616]: sapextauth: XGatHandleLogin called....
2006-01-18T01:39:50.281 p001688 t4992 s0158B4E8 [sapextauth, 976]: sapextauth: Entering XGatHandleLogin with LDAP...
2006-01-18T01:39:50.296 p001688 t4992 s0158B4E8 [sapextauth, 1059]: sapextauth: LDAP port ist 389
2006-01-18T01:39:50.296 p001688 t4992 s0158B4E8 [sapextauth, 1261]: E sapextauth: LDAP authentication failed.
2006-01-18T01:39:50.296 p001688 t4992 s0158B4E8 [sapextauth, 1277]: E sapextauth: Wrong try for user Tran_Diem
2006-01-18T01:39:59.140 p001688 t4992 s00000000 [sapextauth, 398]: sapextauth: XGatEventOpenSession called...
2006-01-18T01:39:59.156 p001688 t4992 s0158B4E8 [sapextauth, 616]: sapextauth: XGatHandleLogin called....
2006-01-18T01:39:59.156 p001688 t4992 s0158B4E8 [sapextauth, 976]: sapextauth: Entering XGatHandleLogin with LDAP...
2006-01-18T01:39:59.156 p001688 t4992 s0158B4E8 [sapextauth, 1059]: sapextauth: LDAP port ist 389
2006-01-18T01:39:59.156 p001688 t4992 s0158B4E8 [sapextauth, 1261]: E sapextauth: LDAP authentication failed.
2006-01-18T01:39:59.156 p001688 t4992 s0158B4E8 [sapextauth, 1277]: E sapextauth: Wrong try for user Tran_Diem
=======================================================

Strehle
Advisor

Hi,

forget this error:

<<- ERROR: SncSetParam()==SNCERR_PARAM_DENIED

Your problem is:

You access the ITS without a fully qualified domain.

e.g. http://yourserver.yourdomain.com/scripts/wgate/.../!

I guess you use localhost, an IP, or a simple hostname. For SSO you need a domain: a DNS domain, not a Windows domain. That's what the error:

WARNING => NO Domain! domain==NULL means: No domain at all within the cookie. [sapss1_loctr 333]

says.

regards,

-markus
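To make the point of this answer checkable, here is a small added example (not from the original thread and not ITS code) that derives the DNS domain an SSO cookie could be scoped to from the URL the browser used, returning the reason when no domain is available. It assumes, as a simplification, that a cookie domain needs at least two labels below the host (so "yourserver.yourdomain.com" yields ".yourdomain.com"); the URLs are constructed test values.

```python
import ipaddress
from typing import Optional, Tuple
from urllib.parse import urlsplit

# Conservative assumption for this example: the host must carry at least
# two labels beyond its own name before we treat the remainder as a domain.
MIN_LABELS = 3


def sso_cookie_domain(url: str) -> Tuple[Optional[str], str]:
    """Return (cookie_domain, reason) for the host in `url`.

    cookie_domain is None whenever the browser reached the server by a name
    that carries no DNS domain, which is the situation behind the ITS trace
    warning "NO Domain! domain==NULL means: No domain at all within the cookie".
    """
    host = (urlsplit(url).hostname or "").rstrip(".").lower()
    if not host:
        return None, "no host in URL"
    if host == "localhost":
        return None, "localhost carries no DNS domain"
    try:
        ipaddress.ip_address(host)           # handles IPv4 and bracketed IPv6
        return None, "IP literal carries no DNS domain"
    except ValueError:
        pass
    labels = host.split(".")
    if len(labels) < MIN_LABELS:
        return None, "hostname is not fully qualified"
    # Leading dot: the cookie is valid for the whole DNS domain, so the
    # ITS (WGate) host and the R/3 hosts under that domain can all see it.
    return "." + ".".join(labels[1:]), "ok"


def check_urls(urls) -> dict:
    """Map each URL to its derived cookie domain (or None); handy for a quick audit."""
    return {u: sso_cookie_domain(u)[0] for u in urls}


if __name__ == "__main__":
    # Constructed sample URLs mirroring the cases Markus lists in his answer.
    for u in ("http://yourserver.yourdomain.com/scripts/wgate/webgui/!",
              "http://yourserver/scripts/wgate/webgui/!",
              "http://localhost/scripts/wgate/webgui/!",
              "http://10.0.0.5/scripts/wgate/webgui/!"):
        print(u, "->", sso_cookie_domain(u))
```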

Former Member

Hi Markus,

Thanks for your quick response. Do you know where specifically I should change the server to include the DNS domain information?

I modified the WGate and AGate registry XML files and service files to include the domain information for the host server. I restarted the instance in IIS for WGate and the AGate service, but it still picked up only the server name without domain information.

Thanks very much!

Diem