
SNC does not work on additional application servers

AK31
Participant
0 Kudos

Hi,

I have set quite a few servers to connect with SSO to ABAP Stacks. It is not a problem when it is a single instance system but I struggle with distributed systems. The central instance will start without a problem but the additional dialogue instances (on different servers) do not start and I have to disable snc on those servers. The error is always

SncInit(): Initializing Secure Network Communication (SNC)
N        PC with Windows NT (mt,ascii,SAP_UC/size_t/void* = 16/64/64)
N        GetUserName()="<SID>adm"  NetWkstaUser="<SID>ADM"
N  SncInit():  found snc/data_protection/max=3, using 3 (Privacy Level)
N  SncInit():  found snc/data_protection/min=2, using 2 (Integrity Level)
N  SncInit():  found snc/data_protection/use=3, using 3 (Privacy Level)
N  SncInit(): found  snc/gssapi_lib=\\sapprod\sapmnt\P01\sys\global\sll\secgss.dll
N    File "\\servername\sapmnt\SID\sys\global\sll\secgss.dll" dynamically loaded as GSS-API v2 library.
N    The internal Adapter for the loaded GSS-API mechanism identifies as:
N    Internal SNC-Adapter (Rev 1.0) to SAP Netweaver Single Sign-On v1.x
N    FileVersionInfo: InternalName= CryptoLib, FileVersion= 8.3.7.7
N  SncInit():  found snc/identity/as=p:CN=<…>
N  *** ERROR => SncPAcquireCred()==SNCERR_GSSAPI  [sncxxall.c 1445]
N        GSS-API(maj): No credentials were supplied
N      Could't acquire ACCEPTING credentials for
N      name="p:CN=<….>"
N      FATAL SNCERROR -- Accepting Credentials not available!
N      (debug hint: default acceptor = "p:CN=DummyCredential")
N  <<- SncInit()==SNCERR_GSSAPI
N          sec_avail = "false"
M  ***LOG R19=> ThSncInit, SncInitU ( SNC-000004) [thxxsnc.c    237]
M  *** ERROR => ThSncInit: SncInitU (SNCERR_GSSAPI) [thxxsnc.c    239]

We have several distributed systems and it is the same problem on all systems. Only the central instance can use SNC.

I have added screenshots of the snc.exe from the central instance and the app server to this post. Irrespective of using the (replicated) pse on the app server or using the one on the central instance (via SECUDIR variable), snc cannot log in to the pse.

Does anyone know what the problem might be?

Regards

Andreas

Accepted Solutions (0)

Answers (5)

Former Member
0 Kudos

The link below helped me resolve the issue. Basically, set all snc parameters and snc/enable=0. While creating SNC entries in STRUST, make sure all your application servers are up and running. After creating the certs, update snc/enable=1 and restart all servers.

http://scn.sap.com/community/erp/60-upgrade/blog/2013/07/03/fatal-sncerror--accepting-credentials-no...

Former Member
0 Kudos

you are right, after creating the certs update snc/enable=1. It worked.

Former Member
0 Kudos

For what it's worth, I resolved my problem:

http://scn.sap.com/thread/3419955

I hope this helps with your problem.

Former Member
0 Kudos

Did you ever resolve this?  I'm having a similar problem: http://scn.sap.com/thread/3419955

AK31
Participant
0 Kudos

Hello Philip,

no, I haven't solved it yet.

Regards

Andreas

AK31
Participant
0 Kudos

I still have one problem left:

This is a system with a central instance and one additional AppServer. I am logged on using the OS user that the SAP Service is running under. When I execute SNC, it shows me that I am logged in to the pse and the seclogin command displays that I have access. But SNC.exe does not show any Trusted certificates and the AppSrv will not start with SNC enabled. The error is the "credentials could not be acquired" in the log file.

Could anyone give me any pointers on what to check?

Regards

Andreas

Excerpt from trace file:

SncInit(): Initializing Secure Network Communication (SNC)
N        PC with Windows NT (mt,ascii,SAP_UC/size_t/void* = 16/64/64)
N        GetUserName()="SIDadm"  NetWkstaUser="SIDADM"
N  SncInit():   found snc/data_protection/max=3, using 3 (Privacy Level)
N  SncInit():   found snc/data_protection/min=2, using 2 (Integrity Level)
N  SncInit():   found snc/data_protection/use=3, using 3 (Privacy Level)
N  SncInit(): found  snc/gssapi_lib=\\<hostname>\sapmnt\SID\SYS\global\sll\secgss.dll
N    File "\\<hostname>\sapmnt\SID\SYS\global\sll\secgss.dll" dynamically loaded as GSS-API v2 library.
N    The internal Adapter for the loaded GSS-API mechanism identifies as:
N    Internal SNC-Adapter (Rev 1.0) to SAP Netweaver Single Sign-On v1.x
N    FileVersionInfo: InternalName= CryptoLib, FileVersion= 8.3.7.7
N  SncInit():   found snc/identity/as=p:CN=<identity name>
N  *** ERROR => SncPAcquireCred()==SNCERR_GSSAPI  [sncxxall.c 1445]
N        GSS-API(maj): No credentials were supplied
N      Could't acquire ACCEPTING credentials for
N      name="p:CN=<identity>"
N      FATAL SNCERROR -- Accepting Credentials not available!
N      (debug hint: default acceptor = "p:CN=DummyCredential")
N  <<- SncInit()==SNCERR_GSSAPI
N           sec_avail = "false"

Former Member
0 Kudos

Hi Andreas,

from what you posted, I would look for the pse file name. The first screen shows the seclogin searching for a pse file that does not exist.

regards,

Patrick

AK31
Participant
0 Kudos

Hi Patrick,

thanks for your input. I am not an expert, so please correct me if I am wrong:

The pse.zip file is only needed if you assigned a password to the pse file which I did not. On all other application servers that I operate, the file is missing as well but SNC works.

I assume that the cred_v2 is the credentials file to open the pse. Without it, I get access errors.

Regards

Andreas

Former Member
0 Kudos

You say that you logged on with SAPService<SID> but the trace says SIDADM which you obviously edited but still.

AK31
Participant
0 Kudos

Hi Samuli,

not all our systems use the SAPServiceSID user for the SAP Services. In this case, I was logged on with the user that is also used for the SAP Services but is not the default SAPServiceSID user.

I did make double sure that I was using the right user since I made that mistake before.

Regards

Andreas

Former Member
0 Kudos

Hi Andreas,

haven't searched the docs yet, but as far as I recall, the pse.zip is always there, as it is the container for the keys. This is also in line with the message you get from the app server about not being able to find the keys.

Regards,

Patrick

AK31
Participant
0 Kudos

Hi Patrick,

none of our SAP systems has a pse.zip file and SSO works on all of them, irrespective of single or multiple instance installations. Judging by that experience, I do not think that a pse.zip is mandatory.

Regards

Andreas

guilherme_deoliveira
Participant
0 Kudos

Hello Patrick and Andreas,

The pse.zip file is used when performing Kerberos authentication (it stores the Kerberos keytabs and credentials). If you're maintaining STRUST (SNC PSE) and authenticating via X.509 certificates, then the SNC PSE and cred_v2 file are the ones being taken into account.

Therefore, the existence of the pse.zip file is mandatory only when logging in via Kerberos token.

I hope this clarifies.

Best Regards,

Guilherme de Oliveira.

Former Member
0 Kudos

Right, this is also outlined in the installation and configuration guide. To my understanding, we are talking about Kerberos-based SSO; however, I may be wrong on this, in which case the pse.zip file is not required.

BTW: just saw the following message, when reviewing the thread again:

SncInit():   found snc/identity/as=p:CN=<identity name>

did you replace the string from the system or is this the real text? If yes, the profile parameter snc/identity/as is set incorrectly or not at all.

For X.509 it needs to be set to p:<X.509_Distinguished_Name>

for example p:CN=<somename>, OU=<some subgroup>, O=<org>

For Kerberos you need to specify p:CN=SAP/Kerberos<SID>@<YourADDomain>

Regards,

Patrick

AK31
Participant
0 Kudos

I have edited the string before posting it here since it is sensitive data. The correct identity has been set in the default.pfl and is therefore identical on the central instance as well as the dialogue instance.

Regards

Andreas

Former Member
0 Kudos

The attachments are missing. I see that you are using NWSSO 1.0 but what SP/patch level? See if SAP note 1782703 is relevant to you. Are the SAP servers in the same domain as the user accounts? Is there at least a one-way domain trust? Are the machine accounts of the application servers accessible from the user domain? Do the application servers have full access to SECUDIR? If SECUDIR is local (instead of central), are the files identical to the central instance? Is the environment variable set on the application servers for SAPServiceSID?


https://service.sap.com/sap/support/notes/1782703

AK31
Participant
0 Kudos

Hi Samuli,

when I created the post yesterday the portal refused to upload the jpgs. Here they are now:

Central instance

Additional App Server, accessing PSE on Central Instance

Additional Application Server, accessing local pse

To answer your questions:

I see that you are using NWSSO 1.0 but what SP/patch level? See if SAP note 1782703 is relevant to you.

--> We are using SP4 PL1

Are the SAP servers in the same domain as the user accounts? Is there at least a one-way domain trust? Are the machine accounts of the application servers accessible from the user domain?

--> Servers and User Accounts are in the same domain. (No need for domain trust)

Do the application servers have full access to SECUDIR? If SECUDIR is local (instead of central), are the files identical to the central instance? Is the environment variable set on the application servers for SAPServiceSID?

--> all answers: yes

I also tried redistributing via STRUST but it also did not have an effect.

When configuring snc on the additional application servers: Do I have anything else to do apart from setting Secudir and changing the RZ10 profile?

Regards

Andreas

Former Member
0 Kudos

I guess you have noticed that on the application servers, regardless whether SECUDIR is central/local, it says PSE logged in "no". That is probably the problem. When importing the PSE into STRUST, did you distribute it to all application servers?

AK31
Participant
0 Kudos

I created the PSEs in STRUST in every system so far. I suppose an import is not necessary then. The PSEs are always distributed during a system restart to all application servers.

I guess I just have to make them log into the pse. The question would be: how?

Former Member
0 Kudos

If you assign a password to the SNC PSE in STRUST, you can create credentials on the application servers which will allow them to use the PSE. See the attached link.

http://help.sap.com/saphelp_nw73ehp1/helpdata/en/32/ce2e3ad962a51ae10000000a11402f/frameset.htm

Former Member
0 Kudos

Furthermore see SAP note 1525059 in order to troubleshoot the problem. If you in fact have the problem of having multiple credentials and only the first one being used, the solution would be to have local SECUDIRs and local credentials.

http://service.sap.com/sap/support/notes/1525059

AK31
Participant
0 Kudos

Hi Samuli,

just wanted to give an update to my findings so far:

I managed to enable SNC on most application servers. One mistake on my side was to check snc.exe and sapgenpse seclogin -l using the wrong OS user (not the one the SAP Service was running under).

However, setting the SECUDIR on the additional instances to the sec folder on the central instance did not work, although there was only one user credential maintained. I switched the SECUDIR env. variable to the local pse and it worked.

BTW, there was no need to create an SNC password in STRUST to get it working.

Regards

Andreas
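Taken together, Patrick's note on the two valid forms of snc/identity/as, Samuli's checklist (SECUDIR, service user, files identical to the central instance) and Andreas's final findings (run snc.exe and sapgenpse seclogin -l as the OS user the SAP service runs under; use a local SECUDIR on the additional instance) amount to a pre-flight check for each additional application server. The Python script below is an added example written for this page, not code from SAP or from any poster in the thread. It parses a constructed DEFAULT.PFL excerpt, validates the snc/* parameters, checks a SECUDIR file listing and OS user that are passed in (so it runs offline without sapgenpse), and recognises the SncPAcquireCred()==SNCERR_GSSAPI signature from the traces quoted above. The SID P01, the host sapprod, the distinguished name, the paths and the user names are assumed sample values; the ordering check min <= use <= max on the data protection levels, with 9 read as "same as max", is the script's own assumption about those parameters.

```python
import re

# Real SAP profile parameter names; the thread's traces show SncInit() reading them.
REQUIRED_PARAMS = ("snc/enable", "snc/gssapi_lib", "snc/identity/as",
                   "snc/data_protection/min", "snc/data_protection/max", "snc/data_protection/use")
# Files the service user needs in SECUDIR for X.509 SNC: the PSE and the cred_v2
# credential that opens it without a password (per the posts above).
REQUIRED_SECUDIR_FILES = ("SAPSNCS.pse", "cred_v2")
# X.509 form p:<distinguished name>, Kerberos form p:CN=SAP/Kerberos<SID>@<ADDOMAIN>
X509_IDENTITY = re.compile(r"^p:CN=[^,]+(,\s*(OU|O|C|L|ST|DC)=[^,]+)*$", re.IGNORECASE)
KERBEROS_IDENTITY = re.compile(r"^p:CN=SAP/Kerberos[A-Z][A-Z0-9]{2}@[A-Z0-9.-]+$")
ACQUIRE_CRED_ERROR = "SncPAcquireCred()==SNCERR_GSSAPI"   # signature from the dev_* traces


def parse_profile(text):
    """Parse 'key = value' lines of an SAP profile; '#' lines are comments."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            params[key.strip()] = value.strip()
    return params


def identity_kind(identity):
    """Classify snc/identity/as as 'kerberos', 'x509' or 'invalid'."""
    if KERBEROS_IDENTITY.match(identity):   # checked first: it also looks like a DN
        return "kerberos"
    return "x509" if X509_IDENTITY.match(identity) else "invalid"


def check_profile(params):
    """Findings about the snc/* parameters of one instance profile."""
    findings = [f"missing profile parameter {n}" for n in REQUIRED_PARAMS if n not in params]
    identity = params.get("snc/identity/as", "")
    if identity and identity_kind(identity) == "invalid":
        findings.append(f"snc/identity/as={identity!r} is neither p:<X.509 DN> nor p:CN=SAP/Kerberos<SID>@<domain>")
    if params.get("snc/enable") == "1" and not params.get("snc/gssapi_lib"):
        findings.append("snc/enable=1 but snc/gssapi_lib is empty")
    try:  # assumed relation of the levels: min <= use <= max; use=9 means 'same as max'
        lo, use, hi = (int(params.get(f"snc/data_protection/{k}", 1)) for k in ("min", "use", "max"))
        use = hi if use == 9 else use
        if not lo <= use <= hi:
            findings.append(f"data protection levels inconsistent: min={lo} use={use} max={hi}")
    except ValueError:
        findings.append("snc/data_protection/* values must be integers")
    return findings


def check_secudir(secudir, listing, is_local):
    """'listing' is the file list of SECUDIR, passed in so the check runs offline."""
    if not secudir:
        return ["SECUDIR is not set in the service user's environment"]
    findings = [f"{n} not found in SECUDIR {secudir}" for n in REQUIRED_SECUDIR_FILES if n not in listing]
    if not is_local:
        findings.append("SECUDIR points at the central instance's sec directory; "
                        "use a local SECUDIR with local credentials (SAP note 1525059)")
    return findings


def check_os_user(current_user, service_user):
    """snc.exe and sapgenpse seclogin -l only mean something as the service's OS user."""
    if current_user.lower() != service_user.lower():
        return [f"checks ran as {current_user!r}, but the SAP service runs as {service_user!r}"]
    return []


def diagnose_trace(trace):
    """Recognise the thread's SncInit() failure signature and name the acceptor it failed for."""
    if ACQUIRE_CRED_ERROR not in trace:
        return []
    match = re.search(r'\bname="([^"]+)"', trace)
    acceptor = match.group(1) if match else "<unknown>"
    return [f"no accepting credentials for {acceptor}: verify cred_v2 in SECUDIR as the service user"]


def run_checks(profile_text, secudir, listing, is_local, current_user, service_user, trace):
    """All findings for one additional application server; an empty list means all checks passed."""
    return (check_profile(parse_profile(profile_text)) + check_secudir(secudir, listing, is_local)
            + check_os_user(current_user, service_user) + diagnose_trace(trace))


# Constructed sample data (hypothetical SID P01, host sapprod and DN; not from a real system).
SAMPLE_PROFILE = """\
snc/enable = 1
snc/gssapi_lib = \\\\sapprod\\sapmnt\\P01\\sys\\global\\sll\\secgss.dll
snc/identity/as = p:CN=P01, OU=SAP, O=Example
snc/data_protection/min = 2
snc/data_protection/max = 3
snc/data_protection/use = 3
"""
SAMPLE_TRACE = """\
N  SncInit():  found snc/identity/as=p:CN=P01, OU=SAP, O=Example
N  *** ERROR => SncPAcquireCred()==SNCERR_GSSAPI  [sncxxall.c 1445]
N      Could't acquire ACCEPTING credentials for
N      name="p:CN=P01, OU=SAP, O=Example"
N      FATAL SNCERROR -- Accepting Credentials not available!
"""

if __name__ == "__main__":   # the failing setup from the thread: central SECUDIR, wrong OS user
    for finding in run_checks(SAMPLE_PROFILE, r"\\sapprod\sapmnt\P01\sys\sec", ["SAPSNCS.pse"],
                              False, "sapadmin", "SAPServiceP01", SAMPLE_TRACE):
        print("-", finding)
```

Run as a script it prints the four findings for the failing setup (no cred_v2, central SECUDIR, wrong OS user, and the trace signature); the same call with a local SECUDIR containing SAPSNCS.pse and cred_v2, the service user, and a clean trace returns an empty list. The directory listing and user name are parameters rather than read from the machine so the checks can be run from a dev_w0 excerpt and a dir listing pasted from the affected host.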