Issue configuring Kerberos SSO for ABAP

sap_cdg
Explorer

I am facing an issue with configuring SSO Kerberos for ABAP. We have maintained all the prerequisites and it started earlier and was working successfully.

But now it started giving the below error. I'm sharing error logs received in the dev trace.

***************************************************************************************************

"N *** ERROR => SncPEstablishContext()==SNCERR_GSSAPI [sncxxall.c 3563]

N GSS-API(maj): Miscellaneous Failure

N GSS-API(min): SSPI::AccSctx#1()==(internal error) The LSA cannot be contacted

N Unable to establish the security context

N <<- SncProcessInput()==SNCERR_GSSAPI

M *** ERROR => ThSncIn: SncProcessInput (SNCERR_GSSAPI) [thxxsnc.c 1033]

M {root-id=00155D01557C1EDDB79E4794C5E6943A}_{conn-id=00000000000000000000000000000000}_0

M *** ERROR => ThSncIn: SncProcessInput [thxxsnc.c 1038]

M {root-id=00155D01557C1EDDB79E4794C5E6943A}_{conn-id=00000000000000000000000000000000}_0

M in_ThErrHandle: 1

M *** ERROR => ThSncIn: SncProcessInput (step 4, th_errno 44, action 1, level 1) [thxxhead.c 11447]

M {root-id=00155D01557C1EDDB79E4794C5E6943A}_{conn-id=00000000000000000000000000000000}_0

M DpVmcGetVmByTmAdm: no VM found for T33/M0/I0 (locked VMs ignored)

******************************************************************************************

Can anyone please suggest the root cause?

Thanks,

Anuj jain

2 REPLIES

Amin_Omidy
Active Participant

Hi Anuj,

The error message suggests that there is an issue with the communication between the Kerberos client and the Kerberos server.

The specific error "The LSA cannot be contacted" suggests that the Local Security Authority (LSA) on the client machine cannot communicate with the Kerberos server.

Here are some possible causes and solutions for the error:

1. Check the Kerberos configuration on the client machine. Make sure that the Kerberos configuration is correct and up-to-date. Verify that the keytab file and the krb5.conf file are in the correct location and that they contain the correct information.

2. Verify that the client machine can communicate with the Kerberos server. Check the network connectivity between the client machine and the Kerberos server (like ping or nslookup). Ensure that the client machine can resolve the Kerberos server's hostname.

3. Check the status of the Local Security Authority (LSA) service on the client machine. Verify that the LSA service is running and that it is not disabled.

4. Check the Kerberos ticket cache on the client machine. Ensure that the ticket cache is valid and contains the correct ticket information. You can clear the ticket cache and obtain a new ticket by running the kinit command too.

5. Check the permissions on the keytab file. Ensure that the keytab file is readable by the user running the ABAP application server.

6. Ensure that the clocks on the client machine and the Kerberos server are synchronized. Kerberos requires that the clocks on both the client and server machines are within a certain time difference.

If none of the above works, you may need to troubleshoot further by examining the Kerberos logs on both the client and server machines. You can also consider contacting the SAP support team or the vendor of the Kerberos implementation you are using for further assistance.

Thanks,

marco_hammel2
Participant

Hi sap_cdg, on top of what amin_omidy mentioned, I see his remarks on point 2 as the most applicable according to your description. Specifically "The LSA cannot be contacted" got my attention. This means the security authority doesn't provide an authentication verification at all or not in time. On top of checking DNS with nslookup, I suggest to:

- check for IP and DNS address conflicts too (for example different DNS responses over time, or wrong IP failover configuration)

- check if the alternate DNS provides the same response as the primary DNS

- check network performance for the Kerberos service. If the response is provided too slowly, this can run into a timeout for the verification. You can run a traceroute to get an idea of how many hops are being taken and what the network performance is for the hops.

- check Kerberos service availability, for example by checking the port (default is 88) with PowerShell. Maybe a firewall at the service, or on the affected client, blocks something.

Test-NetConnection kerberoshostname -Port 88
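
The checks suggested in the replies above (the same DNS answer from every configured resolver, reachability of port 88, clock offset against the Kerberos server), gathered into one PowerShell script as an added example that is not part of the original thread. The realm `corp.example.com` is a placeholder, and locating the Kerberos servers through the `_kerberos._tcp` SRV record assumes an Active Directory domain.

```powershell
# Added example: run on the Windows host whose trace shows the SNC/GSS-API error.
param(
    [string]$Realm = 'corp.example.com'   # assumption: placeholder realm / AD domain name
)

# 1. Ask every DNS server configured on this host for the KDC SRV record,
#    so a primary/alternate mismatch becomes visible.
$dnsServers = Get-DnsClientServerAddress -AddressFamily IPv4 |
    Select-Object -ExpandProperty ServerAddresses | Sort-Object -Unique

$answers = foreach ($dns in $dnsServers) {
    $srv = Resolve-DnsName -Name "_kerberos._tcp.$Realm" -Type SRV -Server $dns `
               -ErrorAction SilentlyContinue |
           Where-Object { $_.NameTarget }          # keep only the SRV answer records
    [pscustomobject]@{
        DnsServer = $dns
        Kdcs      = (($srv.NameTarget | Sort-Object -Unique) -join ',')
    }
}
$answers | Format-Table -AutoSize

if (@($answers.Kdcs | Sort-Object -Unique).Count -gt 1) {
    Write-Warning 'Configured DNS servers return different KDC lists (or one returns none).'
}

# 2. For each KDC found: is TCP 88 reachable, and how far is its clock from ours?
$kdcs = $answers.Kdcs -split ',' | Where-Object { $_ } | Sort-Object -Unique

$results = foreach ($kdc in $kdcs) {
    $tcp = Test-NetConnection -ComputerName $kdc -Port 88 -WarningAction SilentlyContinue
    # w32tm prints one line per sample, e.g. "12:00:00, +00.0123456s"; keep the last line.
    $sample = w32tm /stripchart /computer:$kdc /samples:1 /dataonly | Select-Object -Last 1
    [pscustomobject]@{
        Kdc         = $kdc
        Address     = $tcp.RemoteAddress
        Port88Open  = $tcp.TcpTestSucceeded
        ClockSample = $sample
    }
}
$results | Format-Table -AutoSize

# 3. Show the tickets currently cached for this logon session.
klist
```

Running it several times over a few minutes shows whether the DNS answers or the port check change over time, which is the intermittent case described in the reply.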