on 2021 Mar 05 11:36 AM
Dear SAP-Expert,
I am trying to do the SAP-SSO-Configuration for GUI.
To explain my configuration here I am using symbolic names:
My SID is ABC
I have an AD User aduser@mydomain.xyz
My SAP Server is myserver@mydomain.xyz
My SAP-User is: mysapuser
My Windows User is: mysapuser@mydomain.xyz
my SAP Services are running with SAPServiceABC
(I tried also SAPServiceABC@mydomain.xyz)
SAP-GUI 760 Build 1902768
I set the SPNS for the AD-User:
SAP/ABC
HTTP/myserver@mydomain.xyz
I have:
Windows Server 2016 Standard 10.0.14393, VM Ware , x64
Frontend is Windows 10
SAP: NW 7.5-13
SAP_Basis 750-0013
CommonCryptolib 8.5.22
Kernel: 753 300
In SNCWizard I set the profile parameters:
snc/accept_insecure_cpic 1
snc/accept_insecure_gui 1
snc/accept_insecure_r3int_rfc
snc/accept_insecure_rfc 1
snc/data_protection/max
snc/data_protection/min
snc/data_protection/use
snc/enable 1
snc/extid_login_diag 1
snc/extid_login_rfc 1
snc/force_login_screen
snc/gssapi_lib S:\usr\sap\ABC\D00\exe\sapcrypto.dll
snc/identity/as p:CN=ABC
snc/log_unencrypted_rfc
snc/only_encrypted_gui
snc/only_encrypted_rfc
snc/permit_insecure_start 1
snc/r3int_rfc_qop
snc/r3int_rfc_secure
spnego/construct_SNC_name 111
spnego/enable 1
spnego/krbspnego_lib S:\usr\sap\ABC\D00\exe\sapcrypto.dll
In strust the SNC-Cryptolib has been created with:
CN=ABC
In SAPLogon-Entry for system ABC I set the SNC-Entry :
p:CN=ABC
I also set the snc for my sap-User:
p:CN=mysapuser@mydomain.xyz
I set my Kerberos Token to be used with SAP-SSO in SAP Secure Client:
p:CN=mysapuser@mydomain.xyz
Wenn I try to logon to system ABC I get this Error:
GSS-API(maj): Miscellaneus Failure
GSS-API(min): SSP::IniSctx#10==Specified target is unknown or unreac
target=”p:CN=ABC@mydomain.xyz”
Time ...
Component SNC(Secure Network Communication)
Release 753
Version 6
Module
D:/depot/bas/753_REL/src/krn/snc/sncxxall.c
Line 3604
Method SncPEstablishContext
Return Code -4
System Call gss_init_sec_context
Counter 25
It seems to me that It is adding my domain @mydomain.xyz to my p:CN=ABC - Entry and so it cannot find the target!
Does anybody have an Idea about this error? Why is the domain being added to my CN here at Logon time?
Thanks and Best Regards
Armin
Dear Christopher,
Thank you very much for your help:
Can I send you the Traces in a more private way ? Maybe directly toyour email,... ?
Best Regards
Armin
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
User | Count |
---|---|
68 | |
9 | |
8 | |
7 | |
7 | |
6 | |
6 | |
6 | |
5 | |
5 |
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.