Application Development Discussions
Join the discussions or start your own on all things application development, including tools and APIs, programming models, and keeping your skills sharp.
cancel
Showing results for 
Search instead for 
Did you mean: 

Error while connecting via SSO using SNC parameters of SAP .NET Connector

former_member197445
Contributor
0 Kudos
890

Our SAP systems at my company are not SSO.  But we have recently developed quite a few ASP.NET web applications that use the SAP .NET Connector to read and write data into and out of SAP.  We would really like to have these transactions be executed by each user using their own SAP login.  I know we need to use RfcCustomDestniation, but we'd rather not force users to login.

Tried doing a unit test setting these parameters:

Dim newDest As RfcCustomDestination = ECCConnection.CreateCustomDestination()

newDest.SncMode = "1"

newDest.SncPartnerName = "p:CN=SAPServiceS71"

newDest.Client = "001"

newDest.SncMyName = "p:CN=USERXYZ@AD.COMPANY.COM"

Couldn’t find the sap crypto library since it was looking in Program Files (x86) instead of plain Program files.  So I added this:

newDest.SncLibraryPath = "C:\Program Files\SAP\FrontEnd\SecureLogin\lib\sapcrypto.dll"

Now I hit a new road block.  Error during SncPDInit.  No specific error message is given other than --

STOP! -- initial call to gss_indicate_mechs()

Any insights?  Is my 64-bit machine a problem?  I'm only guessing that because the SncLibraryPath was pointed at the 32-bit library in my Environment Variables, but my web app is 64-bit using 64-bit connector.

10 REPLIES 10

former_member197445
Contributor
0 Kudos
320

Full error below:

LOCATION    CPIC (TCP/IP) on local host with Unicode

ERROR       GSS-API(maj):

            STOP! -- initial call to gss_indicate_mechs() failed

TIME        Tue Mar 10 10:41:22 2015

RELEASE     720

COMPONENT   SNC (Secure Network Communication)

VERSION     6

RC          -1

MODULE      sncxxdl.c

LINE        578

DETAIL      SncPDLInit

SYSTEM CALL gss_indicate_mechs

COUNTER     2

0 Kudos
320

Hello,

Just to confirm, is your SAP system configured for SNC SSO  or not?

Thanks

Shaik

0 Kudos
320

I have a single instance in our non-production environment that has SSO set up.  We are trying to develop a proof of concept before moving forward with SSO.

0 Kudos
320

Hello,

I am trying to achieve the same thing and have the exact same error as you do. Could you please indicate if you solved your problem ?

I am trying to login with SSO to our SAP server. We already have a working SSO configuration using SAP GUI. I am using the v3 of the .Net connector in 64bits. My app is only made for x64 architecture (desktop app, not ASP). Logging manually works fine. My parameters are correct (SncMode,SncPartnerName,Client,SncMyName and SncLibraryPath)

Hint : Architecture doesn't seem to be a problem, I am pointing to the same directory as you, and it is indeed the 64bit version of sapcrypto.dll. If I change the path to the x86 Program Files dir, I get an error saying "Error 193 = "C:\Program Files (x86)\SAP\FrontEnd\SecureLogin\lib\sapcrypto.dll is not a valid Win32 application".

One other thing, on the SAP server side, tech tells me that we are indeed using Kerberos for SSO.

0 Kudos
320

Please check my comment below, dated Mar 16, 2015 2:58 PM. I suspect this is the reason for your problem.

Thanks

Tim

0 Kudos
320

Frederic Wojnarowski wrote:

One other thing, on the SAP server side, tech tells me that we are indeed using Kerberos for SSO.

The SAP Cryptolib which is free for use only supports x.509 certificates. The SAP Cryotlib that is included with the licensed SAP SSO product only supports using Kerberos for Client -> Server (e.g. SAP GUI --> SAP ABAP) and not for applications like .net Servers. This is why you are getting the error in gss_indicate_mechs()

0 Kudos
320

Thanks for your help, but I am not trying to create a .net server app. I am coding a .net SAP client app...

0 Kudos
320

ok. Anyway, I have used SNC with many .net applications on desktops and on servers, using Kerberos and not had any issues - works well.

0 Kudos
320

Frederic,

SNC is designed to be independent of concrete credentials. Each SNC provider product comes with one or a set of supported credential types; in case of SAP Single Sign-On Secure Login Client (the frontend part) and SAP CommonCryptoLib (the backend part which is installed with the NetWeaver Kernel) you have the choice of using Kerberos and/or X.509 certificates.

The same SAP CommonCryptoLib instance on NetWeaver can handle both peer credential types, Kerberos and X.509, in parallel.

A server to server SNC connection with SAP CommonCryptoLib must use X.509 certificates. Unlike end user clients, the adminstrative efforts to configure X.509 on both sides are quite low, and is completely independent of Microsoft domain services.

If your .NET client app uses SAP NCO for RFC and SNC, then you have the choice of using Kerberos or X.509 on end user side once you run SAP SSO SLC on such client. The backend component is already in place.

Any SNC product should work if configured properly. The question is what you need (not just today, but also in future), and what effort you like to invest in rollout, configuration and operation.

-- Stephan

tim_alsop
Active Contributor
0 Kudos
320

It looks like you are trying to use the SAP Cryptolib as the SNC library, which only supports Kerberos protocol (with proprietary SNC name format) and x.509 certificates for incoming SNC connections, and x.509 certificates for outbound connections.

So, you need to use an SNC library on the .net server that supports Kerberos protocol for outbound connections, and an SNC library on the server running SAP NetWeaver that supports Kerberos for incoming connections.