Showing results for 
Search instead for 
Did you mean: 

SAPOSS connection error

0 Kudos

Hi Experts,

I have troubleshoot the test connection for SAPOSS in SM59 few days and still yet to find any solution.

I have ensure that the user id and password is correct in SAPOSS and saprouttab is maintained correctly.

also, the port 3299 is open and able to ping

i also try to reapply the cert in saprouter and ensure that the saprouter is running on correct user.

Please advise if you have any idea.

Thank you.

The error as below:

Connection Error

Error when opening an RFC connection

ERROR: SNC processing failed: SncSessionInitiatorAK

LOCATION: SAProuter 40.4 on 'Ehbsol'

DETAIL: NiSncIInitHdlSecurity: sncrc=-4;000000000253FA80

COMPONENT: NI (network interface)


MODULE: nisnc.c

LINE: 1182




TIME: Mon Dec 16 23:41:46 2013


From dev_rout

trc file: "dev_rout", trc level: 1, release: "720"

Mon Dec 16 23:41:10 2013
SAP Network Interface Router, Version 40.4

command line arg 0: D:\usr\sap\saprouter\saprouter.exe
command line arg 1: -r
command line arg 2: -W
command line arg 3: 60000
command line arg 4: -R
command line arg 5: D:\usr\sap\saprouter\saprouttab
command line arg 6: -G
command line arg 7: D:\usr\sap\saprouter\saprouter_log.txt
command line arg 8: -K
command line arg 9: p:CN=Ehbsol, OU=0001155667, OU=SAProuter, O=SAP, C=DE
SncInit(): Initializing Secure Network Communication (SNC)
      PC with Windows NT (mt,ascii,SAP_UC/size_t/void* = 8/64/64)
      GetUserName()="saprouter"  NetWkstaUser="saprouter"
SncInit(): Trying environment variable SNC_LIB as a
      gssapi library name: "D:\usr\sap\saprouter\sapcrypto.dll".
  File "D:\usr\sap\saprouter\sapcrypto.dll" dynamically loaded as GSS-API v2 library.
  SECUDIR="D:\usr\sap\saprouter" (from $SECUDIR)
  The internal Adapter for the loaded GSS-API mechanism identifies as:
  Internal SNC-Adapter (Rev 1.0) to SAPCRYPTOLIB
  Product Version = SAPCRYPTOLIB  5.5.5C pl36  (Jul  3 2013) MT,[aesni],NB
main: pid = 1572, ppid = 0, port = 3299, parent port = 0 (0 = parent is not a saprouter)
reading routtab: 'D:\usr\sap\saprouter\saprouttab'

Mon Dec 16 23:41:46 2013
*** ERROR => SncPAcquireCred()==SNCERR_GSSAPI  [sncxxall.c 1445]
      GSS-API(maj): No credentials were supplied
      GSS-API(min): No credentials found for this name (not logged on) (USER=saprouter)
    Could't acquire INITIATING credentials for

    name="p:CN=Ehbsol, OU=0001155667, OU=SAProuter, O=SAP, C=DE"
<<- SncSessionInitiatorAK()==SNCERR_GSSAPI
  'target_acl_key' (addr=000000000CA9C9F4, len=86) full hexdump
  0x00000  00030401 00080606 2b240301 25010000  ........ +$..%...
  0x00010  00443042 310b3009 06035504 06130244  .D0B1.0. ..U....D
  0x00020  45310c30 0a060355 040a1303 53415031  E1.0...U ....SAP1
  0x00030  12301006 0355040b 13095341 50726f75  .0...U.. ..SAProu
  0x00040  74657231 11300f06 03550403 13087361  ter1.0..
  0x00050  70736572 7639                        pserv9          
*** ERROR => NiSncIInitHdlSecurity: SncSessionInitiatorAK failed (sncrc=-4;000000000253FA80) [nisnc.c      1185]
*** ERROR => NiSncHandleForAddr C25/-1, (rc=-17) [nirout.cpp   3275]
*** ERROR => NiRClientHandle: NiRExRouteCon for C25/-1 'EHBAPPS' failed (rc=-17) [nirout.cpp   2653]

from dev_rfc0

**** Trace file opened at 20131213 105117 Malay Peninsula Standard Time, SAP-REL 701,0,137 RFC-VER U 3 1238848 MT-SL

Error RFCIO_ERROR_SYSERROR in abrfcpic.c : 2517

LB: Hostname or service of the message server unknown





ABAP Programm: RSRFCPIN (Transaction: SM59)

User: BT_PP (Client: 100)

Destination: SAPOSS (handle: 2, , )

Best regards,


Accepted Solutions (1)

Accepted Solutions (1)

Former Member
0 Kudos

Hi ,

try saprouter -r -V 2 -K "p:CN=saprouter, OU=0001059133, OU=SAProuter, O=SAP, C=DE" -W 120000

same command to start the router not change the CN also ......CN will be saprouter .....and try ...else try sapgenpse seclogin -p local.pse -O <sidadm>,,,,,,


0 Kudos

Hi Rebleen,

I still try no luck. any idea?

Thank you.



Former Member
0 Kudos


As suggested please provide the output of the below command.

sapgenpse seclogin –l

sapgenpse get_my_name -v -n Issuer

Was this working before or this is the first time you are trying.

Have yo maintained the below entry in your host file .

# for customers in Asia     sapserv9

Below is the Doc that you should follow for the configuration.


RishI Abrol

0 Kudos

Hi Rishi,

This is new installation for the server.

I have maintained the host file in saprouter server. but, still the same.

D:\usr\sap\saprouter>sapgenpse seclogin -l
running seclogin with USER="saprouter"

0: CN=Ehbsol, OU=0001155664, OU=SAProuter, O=SAP, C=DE
      Options:  LIFETIME= Tue, 16 Dec 2014 05:47:20 (GMT)

1: CN=Ehbsol, OU=0001155664, OU=SAProuter, O=SAP, C=DE
      NOT readable for saprouter

1 readable SSO-Credentials available (total 2)

D:\usr\sap\saprouter>sapgenpse get_my_name -v -n Issuer
Opening PSE "D:\usr\sap\saprouter\local.pse"...
PSE (v2) open ok.
Retrieving my certificate... ok.
Getting requested information... ok.
SSO for USER "saprouter"
  with PSE file "D:\usr\sap\saprouter\local.pse"

Issuer  : CN=SAProuter CA, OU=SAProuter, O=SAP, C=DE



Former Member
0 Kudos


As this is a new Router please create message with sap to register your router with the below details.

XX-SER-NET-NEW to SAP. You have to attach "Remote Connection Data Sheet" to this oss-message (note 28976).

Please provide the details of the routertab file .

Can you please also go to the link as provided earlier and check if you have done all the steps.

One more thing in the start command you gave the below details

CN=Ehbsol, OU=0001155667, OU=SAProuter, O=SAP, C=DE

But your router certs are relating to

CN=Ehbsol, OU=0001155664, OU=SAProuter, O=SAP, C=DE

So the OU is different in both used the same OU in the command.


RishI Abrol

0 Kudos

Hi Rishl,

Thanks a lot.

It 's working now.

due to my careless mistake.



Former Member
0 Kudos

No Probs mate we all ways do this  but if it fixed then it's good.


Rishi Abrol

Answers (2)

Answers (2)

Active Contributor
0 Kudos

Hello Soon Joo Por,

Check that SAP Note 1178684  No service connection SNC processing failed, or follow that steps:

Secure Network Communications:

1. Register SAProuter at service marketplace. Send an oss-message with component XX-SER-NET-NEW to SAP. You have to attach "Remote Connection Data Sheet" to this oss-message (note 28976).

2. Download SAPSECULIB and SAPCRYPTO from service marketplace.

You'll find SAPSECULIB underDownload - SAP support Packages - Entry by application group - SAP Technology Components.

3. Download SAPROUTER from service marketplace.

You'll find it under Download - SAP support Packages - Entry by application group - SAP Technology Components.

4. Create directory "saprouter" at your saprouter-host. In this example I created \usr\sap\saprouter.

5. Uncar your saprouter-file and copy saprouter.exe andniping.exeinto your saprouter-folder (\usr\sap\saprouter).

6. Check if you can findntscmgr.exe in thewindows\system32-folder. If it's not there - find it and copy.

7. Create saprouter as an service.

Example: ntscmgr install SAProuter -b E:\usr\sap\saprouter\saprouter.exe -p "service -r -R E:\usr\sap\saprouter\saprouttab -S 3299"

8. Set saprouter-service to "Automatic" and user "adm".

9. Create key "saprouter" under

HKEY_LOCAL_MACHINE ? SYSTEM ? CurrentControlSet ? Services ? Event Log ? Application

Then this values:

EventMessageFile (REG_SZ): ....\saprouter\saprouter.exe

TypesSupported (REG_DWORD): 0x7

10. Check if you can find MSVCR71.DLL and MSVCP71.dll in yoursystem32-folder.

11. Download MS Runtime DLL attached to note 684106 ( Unzip and run R3DLLINS.EXE from \NTPATCH - restart if necessary.

12. Uncar SECULIB and copy files from nt-i386 (if 32-bit windows) into \usr\sap\saprouter folder.

Uncar SAPCRYPTOLIB and copy files from \ntintel into\usr\sap\saprouter. You also have to copy files directly from the uncared SAPCRYPTOLIB-folder (files as ticket) into\usr\sap\saprouter.

13. Create environment variables for user:

SECUDIR = E:\usr\sap\saprouter

PATH = E:\usr\sap\saprouter

SNC_LIB = E:\sap\saprouter\sapcrypto.dll

export SECUDIR=/home/luis/saprouter/

export PATH=/home/luis/saprouter/   

export SNC_LIB=/home/luis/saprouter/

export LD_LIBRARY_PATH=/home/luis/saprouter

14. Go to service marketplace:

Press Apply Now!

You'll receive some data. Save it and copy the Distinguished Name.

Press Continue.

15. Open dos-command at your saprouter-host and type:

sapgenpse get_pse -v -r certreq -p local.pse "CN=SAPSUPPORTDES, OU=0000225382, OU=SAProuter, O=SAP, C=DE"

Just press "Enter" twice if you have to enter PIN.

16. check files, Files local.pse and certreq is now created in saprouter-folder.

Open file certreq in notepad and copy the content.

17. edit files, Go back to service marketplace (window from nr. 14) and paste the content from certreq there. Press Request Certificate.

You will then receive your certificate.

18. Copy your certificate into notepad at your saprouter-host. Save this notepad-file as srcert in your saprouter-folder.

19. Open dos-command and import the certificate:

sapgenpse import_own_cert -c srcert -p local.pse

20. Create credentials. Open dos-command and type:

sapgenpse seclogin -p local.pse

21. Verify the import of the certificate. Open dos-command and type:

sapgenpse get_my_name -v -n Issuersaprouter

Everything should be ok.

22. Create a file called saprouttab in your saprouter-folder and enter thise entries:

KT "p:CN=sapsystemsOSS, OU=0000225382, OU=SAProuter, O=SAP, C=DE" * *

KP "p:CN=sapsystemsOSS, OU=0000225382, OU=SAProuter, O=SAP, C=DE" *

P * * *

23. Go into registry at your saprouter-host.

HKEY_LOCAL_MACHINE - SYSTEM - ControlSet001 - Services - SAProuter

Modify string ImagePath.

It should look like this:

G:\saprouter\saprouter.exe service -r -R G:\saprouter\saprouttab -S 3299 -K "CN=SAPSUPPORTDES, OU=0000225382, OU=SAProuter, O=SAP, C=DE"

saprouter.exe -r -R G:\saprouter\saprouttab -S 3299 -K "CN=SAPSUPPORTDES, OU=0000225382, OU=SAProuter, O=SAP, C=DE"

24. Start saprouter-service

25. Open port 3299, 3200 between SAP and your saprouter.


Former Member
0 Kudos

Hi Buddy,

Kindly follow as per the Lluis Salvador Suarez's setps.

He is given step by step.

Thank you


Active Contributor
0 Kudos


It seems that your sap router is not configured properly. 

Run following command to resolve your problem.

for running this command you have to login with SIDADM user and scroll to the saprouter folder

sapgenpse seclogin -p local.pse -O <sidadm>




0 Kudos

Hi Nimal,

Thanks for your i reply.

i have try this before. It s not working as well.