Channel: SCN: Message List

SNC - GSS/API Kerberos related errors


Hello Experts,

 

I had initially raised another message for SSO, but that was with SAP Cryptolib, but after confirmation from SAP, we cannot go for a NW SSO2.0 license, thus we are looking at alternative methods like Kerberos.

 

I am trying to get SNC (SSO) on the SAPGUI working after migrating from Windows 2008 / Oracle to Linux RHEL 6.4 / Sybase.

Currently we are testing on the target Linux [RHEL 6.4] server, against a Windows AD domain.


I was following the realtech document and it was a very good starting point.

http://www.realtech.com/wInternational/sap-consulting/sap-technologie/sap-identity-managementW3DnavidW26173.php


The OS part of SSO still works, I get a TGT, klist shows me the correct credentials, etc., but the ABAP stack no longer authenticates via SSO.

Kinit works fine with the Linux server getting authenticated at the Windows AD [via root]


[root@orsapbisbx01 ~]# kinit -V -k SAPServiceSBQ/<hostname.mydomain.com>@<MYDOMAIN.COM>
Using default cache: /tmp/krb5cc_0
Using principal: SAPServiceSBQ/<hostname.mydomain.com>@<MYDOMAIN.COM>
Authenticated to Kerberos v5
[root@orsapbisbx01 ~]#

 

Kinit via sbqadm
--------------------------

orsapbisbx01:sbqadm 51> kinit -V -k SAPServiceSBQ/<hostname.mydomain.com>@<MYDOMAIN.COM>
Using default cache: /tmp/krb5cc_500
Using principal: SAPServiceSBQ/<hostname.mydomain.com>@<MYDOMAIN.COM>
Authenticated to Kerberos v5

Klist shows us the ticket [both via root / sbqadm]
--------------------------------------------------------------------------------

orsapbisbx01:sbqadm 54> klist
Ticket cache: FILE:/tmp/krb5cc_500
Default principal: SAPServiceSBQ/<hostname.mydomain.com>@<MYDOMAIN.COM>

Valid starting     Expires            Service principal
07/23/14 18:01:01  07/24/14 04:01:06  krbtgt/<MYDOMAIN.COM>@<MYDOMAIN.COM>
        renew until 07/30/14 18:01:01
orsapbisbx01:sbqadm 55

 

SNC is correctly initialized, as seen in the dev_w* traces

 

N  SncInit(): Initializing Secure Network Communication (SNC)
N        AMD/Intel x86_64 with Linux (st,ascii,SAP_UC/size_t/void* = 16/64/64)
N        UserId="sbqadm" (500), envvar USER="sbqadm"
N  SncInit():   found snc/data_protection/max=3, using 3 (Privacy Level)
N  SncInit():   found snc/data_protection/min=2, using 2 (Integrity Level)
N  SncInit():   found snc/data_protection/use=3, using 3 (Privacy Level)
N  SncInit(): found  snc/gssapi_lib=/usr/lib64/snckrb5.so
N    File "/usr/lib64/snckrb5.so" dynamically loaded as external SNC-Adapter.
N    The SNC-Adapter identifies as:
N    External SNC-Adapter (Rev 1.0) to Kerberos 5/GSS-API v2
N  SncInit():   found snc/identity/as=p/krb5:SAPServiceSBQ/<hostname.mydomain.com>@<MYDOMAIN.COM>
N  SncInit(): Accepting  Credentials available, lifetime=Indefinite
N  SncInit(): Initiating Credentials available, lifetime=09h 30m 53s
M  SNC (Secure Network Communication) enabled
A


On the Front end, I have done the below settings

 

In the SAPGUI

-----------------------

Under the SNC tab, the SNC name is as below

SNC Name: p/krb5:SAPServiceSBQ/<hostname.mydomain.com>@<MYDOMAIN.COM>

 

On the SAP server, the SNC name is typed as below under the SNC tab of user account properties?

p:pvijayda@MYDOMAIN.COM

 

On the front end system

-------------------------------------

 

I'm using the "gsskrb5.dll" library, which I moved into the directory %windir%\system32

After that I had to add the system variable SNC_LIB with the value "gsskrb5.dll".  I tried both manually as well as via the installer from SAP Note 595341 alternatively.

 

In spite of all these settings, the ABAP stack doesn't authenticate the users; all I get is a funny error popup "SAP System Message: S".

The corresponding errors are noticed in the ABAP stack dev_w* work process traces.


N  *** ERROR => SncPEstablishContext()==SNCERR_GSSAPI  [sncxxall.c 3364]
N        GSS-API(maj): Unspecified GSS failure.  Minor code may provide more information
N        GSS-API(min): No key table entry found for SAPServiceSBQ/<hostname.mydomain.com>@<MYDOMAIN.COM>
N      Unable to establish the security context
N  <<- SncProcessInput()==SNCERR_GSSAPI
M  *** ERROR => ThSncIn: SncProcessInput (SNCERR_GSSAPI) [thxxsnc.c    1035]
M  {root-id=00221982BAFF1EE484E27E91C40A025A}_{conn-id=00000000000000000000000000000000}_0

M  *** ERROR => ThSncIn: SncProcessInput [thxxsnc.c    1040]
M  {root-id=00221982BAFF1EE484E27E91C40A025A}_{conn-id=00000000000000000000000000000000}_0

 

 

Additionally, I have verified using Kerbtray.exe on the front end that the Kerberos ticket on the Linux server is also received at the front end.

 

Ticket

-->krbtgt/<MYDOMAIN.COM>
     |
     -->Service Principal  [krbtgt/<MYDOMAIN.COM>@MYDOMAIN.COM

Service Name          krbtgt/<MYDOMAIN.COM>@<MYDOMAIN.COM>
Target Name            krbtgt/<MYDOMAIN.COM>@<MYDOMAIN.COM>

 

 

Is there something wrong with my configuration? I feel the issue is at the front end. Do I need to change my snc/gssapi_lib library [as we are on RHEL 6.4], since we are using /usr/lib64/snckrb5.so, which was compiled for Linux from the SNC adapter downloaded from SCN?

 

Any help will be greatly appreciated, as we have started going in circles after nearly 2 weeks of configuration.

 

Regards

Prashant Vijaydas
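
The GSS-API minor status in the trace above names the principal the accepting side could not find in its keytab, so one useful check is to compare that exact string with the entries `klist -k` lists (MIT Kerberos compares principal names case-sensitively). The script below is an added example, not part of the original post or of any SAP tooling; its function names and the sample trace and keytab listing (host.example.com, EXAMPLE.COM, the case difference) are constructed for illustration.

```shell
#!/bin/sh
# Added example: compare the principal named in an SNC trace error with keytab entries.
# All sample data below is constructed (host.example.com / EXAMPLE.COM are placeholders).

# Print the principal from the first "No key table entry found for ..." line on stdin.
missing_principal() {
    awk '/GSS-API\(min\): No key table entry found for/ { print $NF; exit }'
}

# Read `klist -k` output on stdin and report how principal $1 appears in it:
#   exact <kvnos> | case-mismatch <entry> | missing
# Entry lines are those whose first field is a numeric KVNO (plain `klist -k`, no -t).
keytab_status() {
    awk -v want="$1" '
        $1 ~ /^[0-9]+$/ {
            if ($2 == want)                        kvnos = kvnos " " $1
            else if (tolower($2) == tolower(want)) near = $2
        }
        END {
            if (kvnos != "")     print "exact" kvnos
            else if (near != "") print "case-mismatch " near
            else                 print "missing"
        }'
}

# $1 = trace text, $2 = `klist -k` text
diagnose() {
    p=$(printf '%s\n' "$1" | missing_principal)
    if [ -z "$p" ]; then echo "no-keytab-error"; return 0; fi
    printf '%s\n' "$2" | keytab_status "$p"
}

SAMPLE_TRACE='N  *** ERROR => SncPEstablishContext()==SNCERR_GSSAPI  [sncxxall.c 3364]
N        GSS-API(min): No key table entry found for SAPServiceSBQ/host.example.com@EXAMPLE.COM
N      Unable to establish the security context'

SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------
   3 SAPServiceSBQ/HOST.example.com@EXAMPLE.COM'

diagnose "$SAMPLE_TRACE" "$SAMPLE_KLIST"
```

On a real host the two inputs would be the relevant dev_w* file and the output of `klist -k` for the keytab the SNC adapter reads; which keytab that is depends on the setup and is not stated in the post.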

