Setting up SSO with SNC/Kerberos

Former Member

I'm trying to set up SSO for SAPGui with backend ECC5 on Windows 2003. I have followed the section of the install guide called SAP WebAS 6.40 SR1 because I can't find an ECC5 version, so possibly what I am trying to do is not possible?

Steps that I did...

1. I've downloaded the gsskrb5.dll and put it in c:\windows\system32

2. Added the profile parameters:

snc/enable = 1
snc/identity/as = p:SAPServiceIDS{at symbol}sscit.com.au
snc/gssapi_lib = C:\WINDOWS\system32\gsskrb5.dll

3. I'm still using the local account at this stage because I'm not sure how to create a domain account that can start the SAP instance on this machine. I also have played with Service Principal but again I'm not sure really what I am doing.

So anyhow, after I made the parameter changes and restarted the sap instance the dispatcher soon failed with the following errors in all the wp logs...

rdisp/reinitialize_code_page -> 0
M icm/accept_remote_trace_level -> 0
M rdisp/no_hooks_for_sqlbreak -> 0
N SncInit(): Initializing Secure Network Communication (SNC)
N PC with Windows NT (mt,ascii,SAP_UC/size_t/void* = 8/32/32)
N SncInit(): found snc/data_protection/max=3, using 3 (Privacy Level)
N SncInit(): found snc/data_protection/min=2, using 2 (Integrity Level)
N SncInit(): found snc/data_protection/use=9, using 3 (Privacy Level)
N SncInit(): found snc/gssapi_lib=C:\WINDOWS\system32\gsskrb5.dll
N File "C:\WINDOWS\system32\gsskrb5.dll" dynamically loaded as GSS-API v2 library.
N *** ERROR => SncPDLInit(): gss_indicate_mechs() failed
N [sncxxdl.0457]*** ERROR => SncPDLInit(()==SNCERR_INIT [sncxxdl.c 452]
N GSS-API(maj): Miscellaneous Failure
N GSS-API(min): Kerberos SSPI not usable with this User account
N STOP! -- initial call to gss_indicate_mechs() failed
M *** ERROR => ErrISetSys: error info too large [err.c 931]
M Wed Oct 08 10:06:29 2008
M LOCATION SAP-Server redback_IDS_11 on host redback (wp 15)
M ERROR GSS-API(maj): Miscellaneous Failure
M GSS-API(min): Kerberos SSPI not usable with this User account
M STOP! -- initial call to gss_indicate_mechs() failed
M TIME Wed Oct 08 10:06:29 2008
M RELEASE 640
M COMPONENT SNC (Secure Network Communication)
M VERSION 5
M RC -1
M MODULE sncxxdl.c
M LINE 452
M DETAIL SncPDLInit(
M SYSTEM CALL gss_indicate_mechs
M ERRNO
M ERRNO TEXT
M DESCR MSG NO
M DESCR VARGS GSS-API(maj): Miscellaneous Failure;;;;
M ;;;;GSS-API(min): Kerberos SSPI not usable with this User account;;;;
M ;;;;STOP! -- initial call to gss_indicate_mechs() failed
M DETAIL MSG N
M DETAIL VARGS
M COUNTER 1
N *** ERROR => SncPDLInit()==SNCERR_INIT, Adapter (#0) C:\WINDOWS\system32\gsskrb5.dll not loaded
N [sncxxdl.0604]<<- ERROR: SncInit()==SNCERR_INIT
N sec_avail = "false"
M ***LOG R19=> ThSncInit, SncInitU ( SNC-000001) [thxxsnc.c 223]
M *** ERROR => ThSncInit: SncInitU (SNCERR_INIT) [thxxsnc.c 225]
M in_ThErrHandle: 1
M *** ERROR => SncInitU (step 1, th_errno 44, action 3, level 1) [thxxhead.c 9461]

I also tried the gsstest and got the following log file...

TEST: acquiring default initiating credentials (simple)
RESULT OK

TEST: acquiring default initiating credentials (query)
RESULT OK

TEST: acquiring initiating credentials (gss_name_t)
RESULT OK

TEST: acquiring initiating credentials (printable name)
RESULT OK

TEST: acquiring initiating credentials (can. printable name)
RESULT OK

TEST: acquiring accepting credentials for target (printable name)
for identity "SAPServiceIDS{at symbol}sscit.com.au"
Status: gss_acquire_cred Acc() == (GSS_S_NO_CRED)
gss_display_status(0x00070000,GSS_S_GSS_CODE) =
"No valid credentials provided (or available)"
gss_display_status(0x1360000d,GSS_S_MECH_CODE) =
"SSPI::AccSctx#1()==Logon attempt failed"
RESULT NOT ok (rc=1)
-

TEST: acquiring accepting credentials for target (can. printable name)
Status: gss_acquire_cred Acc() == (GSS_S_NO_CRED)
gss_display_status(0x00070000,GSS_S_GSS_CODE) =
"No valid credentials provided (or available)"
gss_display_status(0x1360000d,GSS_S_MECH_CODE) =
"SSPI::AccSctx#1()==Logon attempt failed"
RESULT NOT ok (rc=1)
-

Note: I've changed the @'s to {at symbol} to get message posted.

I hope somebody is able to help me progress past this.

Thank you.

1 REPLY 1

Former Member

Hello all,

I'm sorry if someone has invested time looking into this for me. I have resolved it. Basically, as per OSS Note 352295, "Kerberos authentication is only available for Domain Accounts that are managed by Microsoft Active Directory, NOT for local computer users". So I went through the exercise of changing the SAP services to start with a domain account instead of the local account; this also required setting up the new ops$ account in Oracle. Then it all seemed to work pretty much as the doco said it would.
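
A triage helper for the work-process trace and gsstest output posted in this thread, added here as an example; it is not part of either post or of SAP's tooling. The function names are hypothetical, the routine-error values are those of RFC 2744, and the link from the minor-status text to a local service account follows the resolution given in the reply above.

```python
import re

# Routine-error values from RFC 2744 (bits 16-23 of a GSS-API major status); subset.
ROUTINE_ERRORS = {1: "GSS_S_BAD_MECH", 2: "GSS_S_BAD_NAME", 7: "GSS_S_NO_CRED",
                  11: "GSS_S_CREDENTIALS_EXPIRED", 13: "GSS_S_FAILURE"}

# Excerpt of the trace posted in the question.
SAMPLE_TRACE = r"""
N SncInit(): found snc/gssapi_lib=C:\WINDOWS\system32\gsskrb5.dll
N File "C:\WINDOWS\system32\gsskrb5.dll" dynamically loaded as GSS-API v2 library.
N GSS-API(maj): Miscellaneous Failure
N GSS-API(min): Kerberos SSPI not usable with this User account
N STOP! -- initial call to gss_indicate_mechs() failed
N sec_avail = "false"
"""

def decode_major(status):
    """Split a major status into (calling error, routine error name, supplementary bits)."""
    routine = (status >> 16) & 0xFF
    return (status >> 24) & 0xFF, ROUTINE_ERRORS.get(routine, f"routine error {routine}"), status & 0xFFFF

def triage_snc_trace(text):
    """Collect the SNC initialisation facts from work-process trace lines."""
    facts = {"gssapi_lib": None, "lib_loaded": False, "maj": None, "min": None,
             "failed_call": None, "snc_available": None}
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.search(r"found snc/gssapi_lib=(\S+)", line):
            facts["gssapi_lib"] = m.group(1)
        elif "dynamically loaded as GSS-API" in line:
            facts["lib_loaded"] = True
        elif (m := re.search(r"GSS-API\((maj|min)\):\s*([^;]+)", line)) and facts[m.group(1)] is None:
            facts[m.group(1)] = m.group(2).strip()  # keep the first occurrence only
        elif m := re.search(r"initial call to (\w+)\(\) failed", line):
            facts["failed_call"] = m.group(1)
        elif m := re.search(r'sec_avail = "(true|false)"', line):
            facts["snc_available"] = m.group(1) == "true"
    # Per the thread's resolution, this minor text meant a local (non-domain) service account.
    facts["local_account_suspected"] = "not usable with this User account" in (facts["min"] or "")
    return facts

def gsstest_major_codes(text):
    """Decode each major status gsstest printed via gss_display_status(..., GSS_S_GSS_CODE)."""
    return [decode_major(int(h, 16))[1]
            for h in re.findall(r"gss_display_status\((0x[0-9a-fA-F]+),GSS_S_GSS_CODE\)", text)]

if __name__ == "__main__":
    print(triage_snc_trace(SAMPLE_TRACE))
    print(gsstest_major_codes("gss_display_status(0x00070000,GSS_S_GSS_CODE) ="))
```
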