Hello Experts,
I had initially raised another message for SSO , but that was with SAP Cryptolib, but after confirmation from SAP, we cannot go for a NW SSO2.0 license, thus we are looking at alternative methods like kerberos.
I am trying to get SNC (SSO) on the SAPGUI working after migrating from Windows 2008 / Oracle to the Linux RHEL 6.4 /Sybase .
Currently we are testing on the target LINUX [RHEL 6.4 ] server, against a Windows AD domain.
I was following the realtech document and it was a very good starting point.
The OS part of SSO still works, I get a TGT, klist shows me the correct credentials, etc., but the ABAP stack does no longer authenticate via SSO.
Kinit works fine with the Linux server getting authenticated at the Windows AD [via root]
[root@orsapbisbx01 ~]# kinit -V -k SAPServiceSBQ/<hostname.mydomain.com>@<MYDOMAIN.COM>
Using default cache: /tmp/krb5cc_0
Using principal: SAPServiceSBQ/<hostname.mydomain.com>@<MYDOMAIN.COM>
Authenticated to Kerberos v5
[root@orsapbisbx01 ~]#
Kinit via sbadm
--------------------------
orsapbisbx01:sbqadm 51> kinit -V -k SAPServiceSBQ/<hostname.mydomain.com>@<MYDOMAIN.COM>
Using default cache: /tmp/krb5cc_500
Using principal: SAPServiceSBQ/<hostname.mydomain.com>@<MYDOMAIN.COM>
Authenticated to Kerberos v5
Klist shows us the
Klist shows us the ticket [ both via root / sbqadm]
--------------------------------------------------------------------------------
orsapbisbx01:sbqadm 54> klist
Ticket cache: FILE:/tmp/krb5cc_500
Default principal: SAPServiceSBQ/<hostname.mydomain.com>@<MYDOMAIN.COM>
Valid starting Expires Service principal
07/23/14 18:01:01 07/24/14 04:01:06 krbtgt/<MYDOMAIN.COM>@<MYDOMAIN.COM>
renew until 07/30/14 18:01:01
orsapbisbx01:sbqadm 55
SNC Is correctly initialized ,as seen in the dev_w* traces
N SncInit(): Initializing Secure Network Communication (SNC)
N AMD/Intel x86_64 with Linux (st,ascii,SAP_UC/size_t/void* = 16/64/64)
N UserId="sbqadm" (500), envvar USER="sbqadm"
N SncInit(): found snc/data_protection/max=3, using 3 (Privacy Level)
N SncInit(): found snc/data_protection/min=2, using 2 (Integrity Level)
N SncInit(): found snc/data_protection/use=3, using 3 (Privacy Level)
N SncInit(): found snc/gssapi_lib=/usr/lib64/snckrb5.so
N File "/usr/lib64/snckrb5.so" dynamically loaded as external SNC-Adapter.
N The SNC-Adapter identifies as:
N External SNC-Adapter (Rev 1.0) to Kerberos 5/GSS-API v2
N SncInit(): found snc/identity/as=p/krb5:SAPServiceSBQ/<hostname.mydomain.com>@<MYDOMAIN.COM>
N SncInit(): Accepting Credentials available, lifetime=Indefinite
N SncInit(): Initiating Credentials available, lifetime=09h 30m 53s
M SNC (Secure Network Communication) enabled
A
On the Front end, I have done the below settings
In the SAPGUI
-----------------------
Under the SNC tab, the SNC name is as below
SNC Name: p/krb5:SAPServiceSBQ/<hostname.mydomain.com>@<MYDOMAIN.COM>
On the SAP server, the SNC name is typed as below under the SNC tab of user account properties?
On the front end system
-------------------------------------
I'm using the "gsskrb5.dll" library, which I moved into the directory %windir%\system32
After that I had to add the system variable SNC_LIB with the value "gsskrb5.dll". I tried both manually as well as via the installer from SAP Note 595341 alternatively.
Inspite of all these settings, the ABAP stack doesnt authenticate the users, the All I get is a funny error popup "SAP System Message: S".
The corresponding errors are noticed in the ABAP stack dev_w* work process traces.
N *** ERROR => SncPEstablishContext()==SNCERR_GSSAPI [sncxxall.c 3364]
N GSS-API(maj): Unspecified GSS failure. Minor code may provide more information
N GSS-API(min): No key table entry found for SAPServiceSBQ/<hostname.mydomain.com>@<MYDOMAIN.COM>
N Unable to establish the security context
N <<- SncProcessInput()==SNCERR_GSSAPI
M *** ERROR => ThSncIn: SncProcessInput (SNCERR_GSSAPI) [thxxsnc.c 1035]
M {root-id=00221982BAFF1EE484E27E91C40A025A}_{conn-id=00000000000000000000000000000000}_0
M *** ERROR => ThSncIn: SncProcessInput [thxxsnc.c 1040]
M {root-id=00221982BAFF1EE484E27E91C40A025A}_{conn-id=00000000000000000000000000000000}_0
Additionally I have verified using Kerbtray.exe on the frontend that the kerberos ticket on the Linux server is also received at the front end .
Ticket
-->krbtgt/<MYDOMAIN.COM>
|
-->Service Principal [krbtgt/<MYDOMAIN.COM>@MYDOMAIN.COM
Service Name krbtgt/<MYDOMAIN.COM>@<MYDOMAIN.COM>
Target Name krbtgt/<MYDOMAIN.COM>@<MYDOMAIN.COM>
Is there something wrong with my configuration , I feel the issue is at the front end, do I need to change my snc/gssapi_lib library [ as we are on RHEL 6.4 ] , since we are using /usr/lib64/snckrb5.so , which was compiled for linux from the snc adapter downloaded from SCN.
Any help will be greatly appreciated , as we have started going in circles after nearly 2 weeks of configuration.
Regards
Prashant Vijaydas