on 06-13-2013 3:33 PM
Hi,
I have set quite a few servers to connect with SSO to ABAP stacks. It is not a problem when it is a single-instance system, but I struggle with distributed systems. The central instance will start without a problem, but the additional dialog instances (on different servers) do not start and I have to disable SNC on those servers. The error is always
SncInit(): Initializing Secure Network Communication (SNC)
N PC with Windows NT (mt,ascii,SAP_UC/size_t/void* = 16/64/64)
N GetUserName()="<SID>adm" NetWkstaUser="<SID>ADM"
N SncInit(): found snc/data_protection/max=3, using 3 (Privacy Level)
N SncInit(): found snc/data_protection/min=2, using 2 (Integrity Level)
N SncInit(): found snc/data_protection/use=3, using 3 (Privacy Level)
N SncInit(): found snc/gssapi_lib=\\sapprod\sapmnt\P01\sys\global\sll\secgss.dll
N File "\\servername\sapmnt\SID\sys\global\sll\secgss.dll" dynamically loaded as GSS-API v2 library.
N The internal Adapter for the loaded GSS-API mechanism identifies as:
N Internal SNC-Adapter (Rev 1.0) to SAP Netweaver Single Sign-On v1.x
N FileVersionInfo: InternalName= CryptoLib, FileVersion= 8.3.7.7
N SncInit(): found snc/identity/as=p:CN=<…>
N *** ERROR => SncPAcquireCred()==SNCERR_GSSAPI [sncxxall.c 1445]
N GSS-API(maj): No credentials were supplied
N Could't acquire ACCEPTING credentials for
N
N name="p:CN=<….>"
N FATAL SNCERROR -- Accepting Credentials not available!
N (debug hint: default acceptor = "p:CN=DummyCredential")
N <<- SncInit()==SNCERR_GSSAPI
N sec_avail = "false"
M ***LOG R19=> ThSncInit, SncInitU ( SNC-000004) [thxxsnc.c 237]
M *** ERROR => ThSncInit: SncInitU (SNCERR_GSSAPI) [thxxsnc.c 239]
We have several distributed systems and it is the same problem on all systems. Only the central instance can use SNC.
I have added screenshots of snc.exe from the central instance and the app server to this post. Irrespective of using the (replicated) PSE on the app server or using the one on the central instance (via the SECUDIR variable), SNC cannot log in to the PSE.
Does anyone know what the problem might be?
Regards
Andreas
The link below helped me resolve the issue. Basically, set all SNC parameters and snc/enable=0. While creating the SNC entries in STRUST, make sure all your application servers are up and running. After creating the certs, set snc/enable=1 and restart all servers.
For what it's worth, I resolved my problem:
http://scn.sap.com/thread/3419955
I hope this helps with your problem.
Did you ever resolve this? I'm having a similar problem: http://scn.sap.com/thread/3419955
I still have one problem left:
This is a system with a central instance and one additional app server. I am logged on using the OS user that the SAP service is running under. When I execute snc.exe, it shows me that I am logged in to the PSE, and the seclogin command displays that I have access. But snc.exe does not show any trusted certificates, and the app server will not start with SNC enabled. The error is the "credentials could not be acquired" in the log file.
Could anyone give me any pointers on what to check?
Regards
Andreas
Excerpt from trace file:
SncInit(): Initializing Secure Network Communication (SNC)
N PC with Windows NT (mt,ascii,SAP_UC/size_t/void* = 16/64/64)
N GetUserName()="SIDadm" NetWkstaUser="SIDADM"
N SncInit(): found snc/data_protection/max=3, using 3 (Privacy Level)
N SncInit(): found snc/data_protection/min=2, using 2 (Integrity Level)
N SncInit(): found snc/data_protection/use=3, using 3 (Privacy Level)
N SncInit(): found snc/gssapi_lib=\\<hostname>\sapmnt\SID\SYS\global\sll\secgss.dll
N File "\\<hostname>\sapmnt\SID\SYS\global\sll\secgss.dll" dynamically loaded as GSS-API v2 library.
N The internal Adapter for the loaded GSS-API mechanism identifies as:
N Internal SNC-Adapter (Rev 1.0) to SAP Netweaver Single Sign-On v1.x
N FileVersionInfo: InternalName= CryptoLib, FileVersion= 8.3.7.7
N SncInit(): found snc/identity/as=p:CN=<identity name>
N *** ERROR => SncPAcquireCred()==SNCERR_GSSAPI [sncxxall.c 1445]
N GSS-API(maj): No credentials were supplied
N Could't acquire ACCEPTING credentials for
N
N name="p:CN=<identity>"
N FATAL SNCERROR -- Accepting Credentials not available!
N (debug hint: default acceptor = "p:CN=DummyCredential")
N <<- SncInit()==SNCERR_GSSAPI
N sec_avail = "false"
Hi Patrick,
thanks for your input. I am not an expert, so please correct me if I am wrong:
The pse.zip file is only needed if you assigned a password to the PSE file, which I did not. On all other application servers that I operate, the file is missing as well, but SNC works.
I assume that cred_v2 is the credentials file used to open the PSE. Without it, I get access errors.
Regards
Andreas
Hi Samuli,
not all our systems use the SAPServiceSID user for the SAP services. In this case I was logged on with the user that is also used for the SAP services, but it is not the default SAPServiceSID user.
I did make double sure that I was using the right user since I made that mistake before.
Regards
Andreas
Hello Patrick and Andreas,
The pse.zip file is used when performing Kerberos authentication (it stores the Kerberos keytabs and credentials). If you're maintaining STRUST (SNC PSE) and authenticating via X.509 certificates, then the SNC PSE and the cred_v2 file are the ones being taken into account.
Therefore, the existence of the pse.zip file is mandatory only when logging in via a Kerberos token.
I hope this clarifies.
Best Regards,
Guilherme de Oliveira.
Right, this is also outlined in the installation and configuration guide. To my understanding, we are talking about Kerberos-based SSO; however, I may be wrong on this, in which case the pse.zip file is not required.
BTW: just saw the following message, when reviewing the thread again:
SncInit(): found snc/identity/as=p:CN=<identity name>
Did you replace the string from the system, or is this the real text? If it is the real text, the profile parameter
snc/identity/as is set incorrectly or not at all.
For X.509 it needs to be set to p:<X.509_Distinguished_Name>
for example p:CN=<somename>, OU=<some subgroup>, O=<org>
For Kerberos you need to specify p:CN=SAP/Kerberos<SID>@<YourADDomain>
Regards,
Patrick
The attachments are missing. I see that you are using NWSSO 1.0 but what SP/patch level? See if SAP note 1782703 is relevant to you. Are the SAP servers in the same domain as the user accounts? Is there at least a one-way domain trust? Are the machine accounts of the application servers accessible from the user domain? Do the application servers have full access to SECUDIR? If SECUDIR is local (instead of central), are the files identical to the central instance? Is the environment variable set on the application servers for SAPServiceSID?
Hi Samuli,
when I created the post yesterday the portal refused to upload the JPGs. Here they are now:
[Screenshot: Central instance]
[Screenshot: Additional app server, accessing the PSE on the central instance]
[Screenshot: Additional application server, accessing the local PSE]
To answer your questions:
I see that you are using NWSSO 1.0 but what SP/patch level? See if SAP note 1782703 is relevant to you.
--> We are using SP4 PL1
Are the SAP servers in the same domain as the user accounts? Is there at least a one-way domain trust? Are the machine accounts of the application servers accessible from the user domain?
--> Servers and User Accounts are in the same domain. (No need for domain trust)
Do the application servers have full access to SECUDIR? If SECUDIR is local (instead of central), are the files identical to the central instance? Is the environment variable set on the application servers for SAPServiceSID?
--> all answers: yes
I also tried redistributing via STRUST, but it did not have an effect either.
When configuring SNC on the additional application servers: do I have anything else to do apart from setting SECUDIR and changing the profile in RZ10?
Regards
Andreas
If you assign a password to the SNC PSE in STRUST, you can create credentials on the application servers which will allow them to use the PSE. See the linked page.
http://help.sap.com/saphelp_nw73ehp1/helpdata/en/32/ce2e3ad962a51ae10000000a11402f/frameset.htm
Furthermore see SAP note 1525059 in order to troubleshoot the problem. If you in fact have the problem of having multiple credentials and only the first one being used, the solution would be to have local SECUDIRs and local credentials.
Hi Samuli,
just wanted to give an update to my findings so far:
I managed to enable SNC on most application servers. One mistake on my side was to check snc.exe and sapgenpse seclogin -l using the wrong OS user (not the one the SAP service was running under).
However, setting SECUDIR on the additional instances to the sec folder on the central instance did not work, although there was only one user credential maintained. I switched the SECUDIR environment variable to the local PSE and it worked.
BTW, there was no need to create an SNC password in STRUST to get it working.
Regards
Andreas
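As an added example (not code from this thread and not an SAP tool), the following PowerShell script runs through the checks the replies above converge on, on an additional application server: the snc/* parameters in the instance profile, the snc/identity/as format Patrick described, whether the shell is running as the SAP service user (the mistake Andreas found), whether SECUDIR is set and holds the PSE plus its cred_v2 credential file, and finally `sapgenpse seclogin -l`, the command used in the thread. Assumptions that are not on the page: the SNC PSE file is named SAPSNCS.pse, sapgenpse.exe is on PATH (override with -SapGenPse), the instance profile is the plain key = value text file maintained through RZ10, and the SAP instance services are named SAP<SID>_<nr>.

```powershell
# SNC pre-flight check for an additional SAP application server on Windows.
# Added example, not code from the forum thread or from SAP. Assumptions (not from the thread):
#  - the SNC PSE is SAPSNCS.pse and lives in SECUDIR next to cred_v2;
#  - sapgenpse.exe is reachable via -SapGenPse (default: found on PATH);
#  - the instance profile is a plain-text "key = value" file; the instance services are SAP<SID>_<nr>.
# Run it under the OS user the SAP service runs as; SECUDIR and "seclogin -l" are per-user.
param(
    [Parameter(Mandatory = $true)][string]$InstanceProfile,   # e.g. \\host\sapmnt\SID\SYS\profile\SID_D01_host
    [string]$SapGenPse = 'sapgenpse.exe'
)

function Get-SncProfileParameters {
    # Returns every snc/* parameter from the profile as a hashtable (keys compare case-insensitively).
    param([string]$Path)
    $params = @{}
    foreach ($line in Get-Content -Path $Path) {
        $trimmed = $line.Trim()
        if ($trimmed -eq '' -or $trimmed.StartsWith('#')) { continue }
        $idx = $trimmed.IndexOf('=')
        if ($idx -lt 1) { continue }
        $key = $trimmed.Substring(0, $idx).Trim()
        if ($key -like 'snc/*') { $params[$key] = $trimmed.Substring($idx + 1).Trim() }
    }
    return $params
}

function New-Finding {
    param([string]$Check, [bool]$Ok, [string]$Detail)
    [pscustomobject]@{ Check = $Check; Status = $(if ($Ok) { 'OK' } else { 'FAIL' }); Detail = $Detail }
}

$findings = @()
$snc = Get-SncProfileParameters -Path $InstanceProfile

# 1. The parameters SncInit() prints in the trace must all be present.
foreach ($k in 'snc/enable', 'snc/gssapi_lib', 'snc/identity/as') {
    $findings += New-Finding "profile: $k" $snc.ContainsKey($k) ([string]$snc[$k])
}

# 2. An X.509 identity is p:<Distinguished Name>, e.g. p:CN=..., OU=..., O=... ;
#    angle brackets mean a "<placeholder>" was never replaced with the real DN.
$id = [string]$snc['snc/identity/as']
$findings += New-Finding 'snc/identity/as looks like p:<DN>' (($id -match '^p:CN=') -and ($id -notmatch '[<>]')) $id

# 3. The GSS-API library path from the profile must resolve from this host (it is usually a UNC path).
if ($snc.ContainsKey('snc/gssapi_lib')) {
    $findings += New-Finding 'snc/gssapi_lib reachable' (Test-Path -LiteralPath $snc['snc/gssapi_lib']) $snc['snc/gssapi_lib']
}

# 4. Everything below is only meaningful under the account the SAP<SID>_<nr> service logs on as.
$me = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name.Split('\')[-1]
$svcUsers = Get-CimInstance Win32_Service |
    Where-Object { $_.Name -match '^SAP[A-Z0-9]{3}_\d{2}$' -and $_.StartName } |
    ForEach-Object { $_.StartName.Split('\')[-1] } | Select-Object -Unique
$findings += New-Finding 'running as SAP service user' ($svcUsers -contains $me) "current=$me services=$($svcUsers -join ',')"

# 5. SECUDIR for this user, and the two files sapgenpse needs: the PSE and the cred_v2 credential file.
$secudir = $env:SECUDIR
$findings += New-Finding 'SECUDIR set' (-not [string]::IsNullOrEmpty($secudir)) ([string]$secudir)
if ($secudir) {
    foreach ($f in 'SAPSNCS.pse', 'cred_v2') {
        $p = Join-Path -Path $secudir -ChildPath $f
        $findings += New-Finding "SECUDIR\$f present" (Test-Path -LiteralPath $p) $p
    }
}

# 6. Ask sapgenpse whether this user holds a credential for the PSE (the command used in the thread).
try {
    $out = & $SapGenPse seclogin -l 2>&1
    $findings += New-Finding 'sapgenpse seclogin -l' ($LASTEXITCODE -eq 0) (($out | Out-String).Trim())
} catch {
    $findings += New-Finding 'sapgenpse seclogin -l' $false $_.Exception.Message
}

$findings | Format-Table -AutoSize -Wrap
```

Run it in a shell opened as the service account (for instance with runas), once with SECUDIR pointing at the local sec folder and once pointing at the central instance's folder, and compare the two result tables: a FAIL on "SECUDIR\cred_v2 present" or on "sapgenpse seclogin -l" under the service user corresponds to the SncPAcquireCred() error in the trace, while the snc/identity/as check catches the unreplaced-placeholder case Patrick asked about.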