2008 Oct 08 2:26 AM
I'm trying to set up SSO for SAPGui with backend ECC5 on Windows 2003. I have followed the section of the install guide called SAP WebAS 6.40 SR1 because I can't find an ECC5 version, so possibly what I am trying to do is not possible?
Steps that I did...
1. I've downloaded the gsskrb5.dll and put it in c:\windows\system32
2. Added the profile parameters:
snc/enable = 1
snc/identity/as = p:SAPServiceIDS{at symbol}sscit.com.au
snc/gssapi_lib = C:\WINDOWS\system32\gsskrb5.dll
3. I'm still using the local account at this stage because I'm not sure how to create a domain account that can start the sap instance on this machine. I also have played with Service Principal but again I'm not sure really what I am doing.
So anyhow, after I made the parameter changes and restarted the sap instance the dispatcher soon failed with the following errors in all the wp logs...
rdisp/reinitialize_code_page -> 0
M icm/accept_remote_trace_level -> 0
M rdisp/no_hooks_for_sqlbreak -> 0
N SncInit(): Initializing Secure Network Communication (SNC)
N PC with Windows NT (mt,ascii,SAP_UC/size_t/void* = 8/32/32)
N SncInit(): found snc/data_protection/max=3, using 3 (Privacy Level)
N SncInit(): found snc/data_protection/min=2, using 2 (Integrity Level)
N SncInit(): found snc/data_protection/use=9, using 3 (Privacy Level)
N SncInit(): found snc/gssapi_lib=C:\WINDOWS\system32\gsskrb5.dll
N File "C:\WINDOWS\system32\gsskrb5.dll" dynamically loaded as GSS-API v2 library.
N *** ERROR => SncPDLInit(): gss_indicate_mechs() failed
N [sncxxdl.0457]*** ERROR => SncPDLInit(()==SNCERR_INIT [sncxxdl.c 452]
N GSS-API(maj): Miscellaneous Failure
N GSS-API(min): Kerberos SSPI not usable with this User account
N STOP! -- initial call to gss_indicate_mechs() failed
M *** ERROR => ErrISetSys: error info too large [err.c 931]
M Wed Oct 08 10:06:29 2008
M LOCATION SAP-Server redback_IDS_11 on host redback (wp 15)
M ERROR GSS-API(maj): Miscellaneous Failure
M GSS-API(min): Kerberos SSPI not usable with this User account
M STOP! -- initial call to gss_indicate_mechs() failed
M TIME Wed Oct 08 10:06:29 2008
M RELEASE 640
M COMPONENT SNC (Secure Network Communication)
M VERSION 5
M RC -1
M MODULE sncxxdl.c
M LINE 452
M DETAIL SncPDLInit(
M SYSTEM CALL gss_indicate_mechs
M ERRNO
M ERRNO TEXT
M DESCR MSG NO
M DESCR VARGS GSS-API(maj): Miscellaneous Failure;;;;
M ;;;;GSS-API(min): Kerberos SSPI not usable with this User account;;;;
M ;;;;STOP! -- initial call to gss_indicate_mechs() failed
M DETAIL MSG N
M DETAIL VARGS
M COUNTER 1
N *** ERROR => SncPDLInit()==SNCERR_INIT, Adapter (#0) C:\WINDOWS\system32\gsskrb5.dll not loaded
N [sncxxdl.0604]<<- ERROR: SncInit()==SNCERR_INIT
N sec_avail = "false"
M ***LOG R19=> ThSncInit, SncInitU ( SNC-000001) [thxxsnc.c 223]
M *** ERROR => ThSncInit: SncInitU (SNCERR_INIT) [thxxsnc.c 225]
M in_ThErrHandle: 1
M *** ERROR => SncInitU (step 1, th_errno 44, action 3, level 1) [thxxhead.c 9461]
I also tried the gsstest and got the following log file...
TEST: acquiring default initiating credentials (simple)
RESULT OK
TEST: acquiring default initiating credentials (query)
RESULT OK
TEST: acquiring initiating credentials (gss_name_t)
RESULT OK
TEST: acquiring initiating credentials (printable name)
RESULT OK
TEST: acquiring initiating credentials (can. printable name)
RESULT OK
TEST: acquiring accepting credentials for target (printable name)
for identity "SAPServiceIDS{at symbol}sscit.com.au"
Status: gss_acquire_cred Acc() == (GSS_S_NO_CRED)
gss_display_status(0x00070000,GSS_S_GSS_CODE) =
"No valid credentials provided (or available)"
gss_display_status(0x1360000d,GSS_S_MECH_CODE) =
"SSPI::AccSctx#1()==Logon attempt failed"
RESULT NOT ok (rc=1)
-
TEST: acquiring accepting credentials for target (can. printable name)
Status: gss_acquire_cred Acc() == (GSS_S_NO_CRED)
gss_display_status(0x00070000,GSS_S_GSS_CODE) =
"No valid credentials provided (or available)"
gss_display_status(0x1360000d,GSS_S_MECH_CODE) =
"SSPI::AccSctx#1()==Logon attempt failed"
RESULT NOT ok (rc=1)
-
Note: I've changed the @'s to {at symbol} to get message posted.
I hope somebody is able to help me progress past this.
Thank you.
2008 Oct 08 7:29 AM
Hello all,
I'm sorry if someone has invested time looking into this for me. I have resolved it. Basically, as per OSS Note 352295, "Kerberos authentication is only available for Domain Accounts that are managed by Microsoft Active Directory, NOT for local computer users". So I went through the exercise of changing the sap services to start with a domain account instead of the local account; this also required setting up the new ops$ account in oracle, then it all seemed to work pretty much as the doco said it would.
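An added example, not part of the original posts and not SAP code: a small triage script that reads work-process trace text in the format quoted in this thread and reports which GSS-API call failed during SNC initialisation, with the cause given in the resolution above. The function name `triage_snc_trace`, the `KNOWN_CAUSES` table and the sample lines are constructed for illustration.

```python
import re

# Constructed sample in the format of the work-process trace quoted in the thread.
SAMPLE_TRACE = r"""
N SncInit(): Initializing Secure Network Communication (SNC)
N SncInit(): found snc/gssapi_lib=C:\WINDOWS\system32\gsskrb5.dll
N File "C:\WINDOWS\system32\gsskrb5.dll" dynamically loaded as GSS-API v2 library.
N *** ERROR => SncPDLInit(): gss_indicate_mechs() failed
N GSS-API(maj): Miscellaneous Failure
N GSS-API(min): Kerberos SSPI not usable with this User account
N STOP! -- initial call to gss_indicate_mechs() failed
N [sncxxdl.0604]<<- ERROR: SncInit()==SNCERR_INIT
N sec_avail = "false"
"""

# Minor-status text -> likely cause. Only the mapping stated in the thread is included.
KNOWN_CAUSES = {
    "Kerberos SSPI not usable with this User account":
        "process runs as a local account; Kerberos needs an Active Directory "
        "domain account (OSS Note 352295)",
}

LIB_RE = re.compile(r"found snc/gssapi_lib=(.+)$")
CALL_RE = re.compile(r"ERROR => SncPDLInit\(\): (\w+)\(\) failed")
STATUS_RE = re.compile(r"GSS-API\((maj|min)\): (.+)$")

def triage_snc_trace(text):
    """Summarise an SNC initialisation failure from dev_w* style trace text."""
    result = {"lib": None, "failed_call": None, "maj": None, "min": None,
              "snc_failed": False, "cause": None}
    for raw in text.splitlines():
        # Drop the one-letter component prefix ("N ", "M ") used by the trace.
        line = re.sub(r"^[A-Z] ", "", raw.strip())
        if m := LIB_RE.search(line):
            result["lib"] = m.group(1).strip()
        elif m := CALL_RE.search(line):
            result["failed_call"] = m.group(1)
        elif m := STATUS_RE.search(line):
            # Keep the first occurrence; the error block repeats the same status.
            key = m.group(1)
            result[key] = result[key] or m.group(2).strip().rstrip(";")
        elif "SncInit()==SNCERR_INIT" in line:
            result["snc_failed"] = True
    result["cause"] = KNOWN_CAUSES.get(result["min"])
    return result

if __name__ == "__main__":
    for key, value in triage_snc_trace(SAMPLE_TRACE).items():
        print(f"{key}: {value}")
```

A minor status that is not in `KNOWN_CAUSES` leaves `cause` as `None`, so an unrecognised failure is reported with its raw GSS-API text rather than a guessed explanation.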