Kerberos-Name difference SNC-Name

georg_haslinger · ‎2023 Oct 05

Hello Community,

i have the following question:
Currently we use X.509 certificates for SSO on our AS ABAP about SAP Gui and Webbrowser (EDGE).
Now, we will implement a kerberos-authentication parallel to X.509.
But we have the problem, the CN from the X.509 certificate and the SNC-Name from SU01 is different to the kerberos-token name!

For example:
X.509: CN=hasligeo
SNC-Name: p:CN=hasligeo
Kerberos-Token: HASLIGEO@<DOMAIN>.COM

The SSO-login about SAP Gui with X.509 and kerberos works fine with this parameters:
ccl/snc/server_partner_name_kerb = PrincipalOnly
ccl/snc/partner_case_upn = lower
spnego/construct_SNC_name = 122

But SSO-login with Kerberos about the Webbrowser (EDGE) don´t work:
SPNego Trace:
iSPNegoLogon: User mapping for SNC name="p:CN=hasligeo@<domain>.com" not found in client 001

Does anyone have an idea or an additional parameter to modify the SNC name from kerberos-token?

BR
Georg

Vladimir11 · ‎2023 Oct 05

Please refer to the SAP Note https://me.sap.com/notes/1696905

tim_alsop · ‎2023 Oct 05

You need to use a Kerberos SNC library that allows SNC names to be p:CN=<user principal name>. Or you need to change the SNC name for your users to p:<user principal name> and just use Kerberos.

Kerberos-Name difference SNC-Name

Know the answer?

Need more details?

Accepted Solutions (0)

Answers (2)

Answers (2)