Skip to Content
author's profile photo Former Member
Former Member

SNC name for AD sub domain users

Hi Experts,

We'd like to use SAPGUI SSO with Kerberos.

ERP is installed under AD root domain (ROOT.COM) in the forest.

Users are belongs to AD sub domain (SUBDOM.COM) in the same forest.

ERP is installed under ROOT.COM, service user is SAPService @ ROOT.COM.

SNC name in user profile (SU01) is p:testuser@SUBDOM.COM

SAP Logon entry for SSO has SNC name, p:SAPService @ ROOT.COM.

Then user tries to log on via the entry for SSO, the error message "No user exists with SNC name "p:testuser@SUBDOM.COM""

I guess user's SNC name should be changed but I couldn't find what should be changed.

Kindly advise what setting is missing in our environment.

best regards,

Megumi

Add a comment
10|10000 characters needed characters exceeded

Related questions

3 Answers

  • Best Answer
    Posted on Jun 20, 2013 at 10:03 PM

    To the best of my knowledge this is also case sensitive. You might need to put in p:Testuser@SUBDOM.COM instead of p:testuser@SUBDOM.com. The user ID should match with AD's pre-windows 2000 logon name. Atleast that this the way it works in our environment.

    Add a comment
    10|10000 characters needed characters exceeded

    • Former Member

      Salim,

      To determine what case is used for user ID and domain, I used environment variable with "set" command.

      And set ID and domain name as USERDNSDOMAIN and USERNAME.

      But still doesn't work.

      How do you determine what case is used for id and domain name in AD?

      Megumi

  • Posted on Jun 20, 2013 at 06:19 AM

    Please edit the user using su01 and change the SNC name in SNC tab to something like p:dummy@SUBDOM.COM. Then save this change. Next, change the SNC name to p:testuser@SUBDOM.COM and save this change. Then try to logon and see what happens ?

    Add a comment
    10|10000 characters needed characters exceeded

    • The case and full name of the authenticated user as defined in AD is shown in the message "No user exists with SNC name". This message shows that the user has been authenticated and their SNC name is shown in this message. The SAP user is then determined by the entry in USRACL table and there needs to be an exact match.

      I asked you to change, save, change again and save because there is a field in USRACL for each entry (like a checksum) which is generated when you save the entry, and I have seen an issue before where the checksum is not valid anymore so saving the entry again causes the new checksum to be generated. As you have tried this, it looks like the issue is something else.

      If you have checked the name is correct and the case is correct, then I cannot think of anything else which might be wrong. Maybe you can share the screen capture showing the message you see when you try to login and also showing a screen of what the SNC tab looks like in SU01 for the user.

  • author's profile photo Former Member
    Former Member
    Posted on Jun 27, 2013 at 09:00 AM

    Tim, Salim,

    Thanks to your advice, I re-set SNC name of user specifying the character of Windows logon.

    Finally solved the issue!

    Thank you very much.

    Megumi

    Add a comment
    10|10000 characters needed characters exceeded

Before answering

You should only submit an answer when you are proposing a solution to the poster's problem. If you want the poster to clarify the question or provide more information, please leave a comment instead, requesting additional details. When answering, please include specifics, such as step-by-step instructions, context for the solution, and links to useful resources. Also, please make sure that you answer complies with our Rules of Engagement.
You must be Logged in to submit an answer.

Up to 10 attachments (including images) can be used with a maximum of 1.0 MB each and 10.5 MB total.