
NW SSO 2.0 problem A221021E: Server refuses kerberos key exchange

Former Member
0 Kudos

Dear All,

There is a Kerberos-based Secure Login Library implementation on Windows 2008. Basis version 7.31 SP8, Kernel 7.21EXT 129.

sapgenpse keytab -p SAPSNCSKERB.pse -x password -y passwordofssoaccount -a SSOAccount

sapgenpse seclogin -p SAPSNCSKERB.pse -x password -O Serviceaccount

has been implemented

When I activate SNC on SAP Logon and I want to log in, I can see the following error:

In Workprocess trace file:

N  *** ERROR => SPNegoLib: ERROR(0xA0100207) in CRYPT->sec_crypt_cipher_all(): Decryption error, invalid padding decrypted

[BASE sec_crypt_cipher_all] [spnego.c     2447]

N  {root-id=0050568F033D1EE389EE03F8014C2948}_{conn-id=00000000000000000000000000000000}_0

N  *** ERROR => SPNegoLib: ERROR(0xA0100207) in CRYPT->credCipher(): Decryption error, invalid padding decrypted

[BASE credCipher] [spnego.c     2447]

N  {root-id=0050568F033D1EE389EE03F8014C2948}_{conn-id=00000000000000000000000000000000}_0

N  *** ERROR => SPNegoLib: ERROR(0xA0100207) in CRYPT->sec_oldpse_decryptCred(): Decryption error, invalid padding decrypted

[BASE sec_oldpse_decryptCred] [spnego.c     2447]

N  {root-id=0050568F033D1EE389EE03F8014C2948}_{conn-id=00000000000000000000000000000000}_0

N  *** ERROR => SPNegoLib: Srv-80000000: Client hello parameters: no key exchange algorithm fits server preferences. [GSS analyze_cl

N  {root-id=0050568F033D1EE389EE03F8014C2948}_{conn-id=00000000000000000000000000000000}_0

N  *** ERROR => SPNegoLib: Srv-80000000: <   Msg ClientHello         process failed : errval=d0000, minor_status=a220021e [GSS messa

N  {root-id=0050568F033D1EE389EE03F8014C2948}_{conn-id=00000000000000000000000000000000}_0

keytab is stored in SAPSNCSKERB.pse:

SPNEGO works for WebGUI.

PS. Exactly the same configuration works properly on the Prod environment (please do not send that SAP/SAPService<SID> is the mandatory format because SAP/KerberosSID also works on many systems with NW SSO 2.0).

Thanks in advance for your help.

Zsolt

Accepted Solutions (1)

frane_milicevic
Active Participant
0 Kudos

Hi Zsolt,

I would suggest creating a support ticket and providing all information. Please activate the Secure Login Library trace too and add it to the ticket.

The simplest solution is a wrong password?

Best regards,

Frane

Former Member
0 Kudos

Hi Frane,

Thanks for your help.

I opened a Customer message and the problem is solved:

Workaround on Windows 2008

I had to log in as Serviceaccount instead of my ID:

1. delete SAPSNCSKERB.pse and cred_v2 file

2. sapgenpse keytab -p SAPSNCSKERB.pse -x password -y passwordofssoaccount -a SSOAccount

3. sapgenpse seclogin -p SAPSNCSKERB.pse -x password -O Serviceaccount

There was a cred_v2 problem and a security problem with SECUDIR on Windows level.

Service Account is usually SAPServiceSID

Best regards

Zsolt
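A triage sketch for the trace pattern in this thread, added here as an example (not code from the posters or from SAP): it groups SPNegoLib errors by root-id and marks requests where a credential decryption error appears together with the key exchange refusal, the combination that in this thread was resolved by recreating the PSE and cred_v2 as the service account. The sample trace is constructed, and the function name and verdict labels are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample in the format of the work process trace quoted in the question.
SAMPLE_TRACE = """\
N  *** ERROR => SPNegoLib: ERROR(0xA0100207) in CRYPT->credCipher(): Decryption error, invalid padding decrypted
N  {root-id=11111111111111111111111111111111}_{conn-id=00000000000000000000000000000000}_0
N  *** ERROR => SPNegoLib: ERROR(0xA0100207) in CRYPT->sec_oldpse_decryptCred(): Decryption error, invalid padding decrypted
N  {root-id=11111111111111111111111111111111}_{conn-id=00000000000000000000000000000000}_0
N  *** ERROR => SPNegoLib: Srv-80000000: Client hello parameters: no key exchange algorithm fits server preferences.
N  {root-id=11111111111111111111111111111111}_{conn-id=00000000000000000000000000000000}_0
N  *** ERROR => SPNegoLib: Srv-80000000: Client hello parameters: no key exchange algorithm fits server preferences.
N  {root-id=22222222222222222222222222222222}_{conn-id=00000000000000000000000000000000}_0
"""

ERROR_RE = re.compile(r"\*\*\* ERROR => SPNegoLib: (.*)")
ROOT_RE = re.compile(r"\{root-id=([0-9A-Fa-f]+)\}")
CRED_RE = re.compile(r"CRYPT->(credCipher|sec_oldpse_decryptCred)\(\): Decryption error")
KEX_TEXT = "no key exchange algorithm fits server preferences"


def triage_trace(trace):
    """Return {root_id: verdict} for requests that logged SPNegoLib errors."""
    flags = defaultdict(lambda: {"cred": False, "kex": False})
    pending = []  # error messages seen since the last root-id line
    for line in trace.splitlines():
        err = ERROR_RE.search(line)
        if err:
            pending.append(err.group(1))
            continue
        root = ROOT_RE.search(line)
        if root and pending:
            # In this trace format the root-id line follows the error it belongs to.
            entry = flags[root.group(1)]
            for msg in pending:
                entry["cred"] = entry["cred"] or bool(CRED_RE.search(msg))
                entry["kex"] = entry["kex"] or KEX_TEXT in msg
            pending = []
    verdicts = {}
    for root_id, entry in flags.items():
        if entry["cred"] and entry["kex"]:
            # Hypothetical label: check cred_v2, SECUDIR permissions, seclogin user.
            verdicts[root_id] = "credential-store"
        elif entry["kex"]:
            verdicts[root_id] = "key-exchange-only"
        elif entry["cred"]:
            verdicts[root_id] = "credential-decrypt-only"
    return verdicts


if __name__ == "__main__":
    for root_id, verdict in triage_trace(SAMPLE_TRACE).items():
        print(root_id, verdict)
```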

Answers (0)