on 09-27-2013 2:32 PM
Dear All,
There is a Kerberos-based Secure Login Library implementation on Windows 2008. Basis version 7.31 SP8, Kernel 7.21EXT 129
sapgenpse keytab -p SAPSNCSKERB.pse -x password -y passwordofssoaccount -a SSOAccount
sapgenpse seclogin -p SAPSNCSKERB.pse -x password -O Serviceaccount
has been implemented
When I activate SNC on SAP Logon and I want to log in, I can see the following error:
In Workprocess trace file:
N *** ERROR => SPNegoLib: ERROR(0xA0100207) in CRYPT->sec_crypt_cipher_all(): Decryption error, invalid padding decrypted
[BASE sec_crypt_cipher_all] [spnego.c 2447]
N {root-id=0050568F033D1EE389EE03F8014C2948}_{conn-id=00000000000000000000000000000000}_0
N *** ERROR => SPNegoLib: ERROR(0xA0100207) in CRYPT->credCipher(): Decryption error, invalid padding decrypted
[BASE credCipher] [spnego.c 2447]
N {root-id=0050568F033D1EE389EE03F8014C2948}_{conn-id=00000000000000000000000000000000}_0
N *** ERROR => SPNegoLib: ERROR(0xA0100207) in CRYPT->sec_oldpse_decryptCred(): Decryption error, invalid padding decrypted
[BASE sec_oldpse_decryptCred] [spnego.c 2447]
N {root-id=0050568F033D1EE389EE03F8014C2948}_{conn-id=00000000000000000000000000000000}_0
N *** ERROR => SPNegoLib: Srv-80000000: Client hello parameters: no key exchange algorithm fits server preferences. [GSS analyze_cl
N {root-id=0050568F033D1EE389EE03F8014C2948}_{conn-id=00000000000000000000000000000000}_0
N *** ERROR => SPNegoLib: Srv-80000000: < Msg ClientHello process failed : errval=d0000, minor_status=a220021e [GSS messa
N {root-id=0050568F033D1EE389EE03F8014C2948}_{conn-id=00000000000000000000000000000000}_0
keytab is stored in SAPSNCSKERB.pse:
SPNEGO works for WebGUI.
PS. Exactly the same configuration works properly on the Prod environment (please do not send that SAP/SAPService<SID> is the mandatory format, because SAP/KerberosSID also works on many systems with NW SSO 2.0).
Thanks in advance for your help.
Zsolt
Hi Zsolt,
I would suggest creating a support ticket and providing all information. Please activate the Secure Login Library trace too and add it to the ticket.
The simplest solution is a wrong password?
Best regards,
Frane
Hi Frane,
Thanks for your help.
I opened a Customer message and the problem is solved:
Workaround on Windows 2008
I had to log in as Serviceaccount instead of my ID:
1. delete SAPSNCSKERB.pse and cred_v2 file
2. sapgenpse keytab -p SAPSNCSKERB.pse -x password -y passwordofssoaccount -a SSOAccount
3. sapgenpse seclogin -p SAPSNCSKERB.pse -x password -O Serviceaccount
There was a cred_v2 problem and a security problem with SECUDIR at the Windows level.
Service Account is usually SAPServiceSID.
Best regards
Zsolt
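A triage sketch for the work process trace quoted in this thread, added here as an example and not part of any poster's message or of SAP's tooling: it groups SPNegoLib errors by root-id and flags requests where `sec_oldpse_decryptCred` failed, the pattern this thread resolved by recreating the PSE and cred_v2 as the service account. The function names `parse_trace` and `diagnose` are hypothetical, and the sample input is built from the trace lines posted above.

```python
import re
from collections import defaultdict

# Constructed sample: trace lines copied from this thread, shortened to one request.
SAMPLE_TRACE = """\
N *** ERROR => SPNegoLib: ERROR(0xA0100207) in CRYPT->sec_crypt_cipher_all(): Decryption error, invalid padding decrypted
[BASE sec_crypt_cipher_all] [spnego.c 2447]
N {root-id=0050568F033D1EE389EE03F8014C2948}_{conn-id=00000000000000000000000000000000}_0
N *** ERROR => SPNegoLib: ERROR(0xA0100207) in CRYPT->sec_oldpse_decryptCred(): Decryption error, invalid padding decrypted
[BASE sec_oldpse_decryptCred] [spnego.c 2447]
N {root-id=0050568F033D1EE389EE03F8014C2948}_{conn-id=00000000000000000000000000000000}_0
N *** ERROR => SPNegoLib: Srv-80000000: Client hello parameters: no key exchange algorithm fits server preferences. [GSS analyze_cl
N {root-id=0050568F033D1EE389EE03F8014C2948}_{conn-id=00000000000000000000000000000000}_0
"""

ERROR_RE = re.compile(r"\*\*\* ERROR => SPNegoLib: (.*)")
CRYPT_RE = re.compile(r"ERROR\((0x[0-9A-Fa-f]+)\) in CRYPT->(\w+)\(\): (.*)")
ROOT_RE = re.compile(r"\{root-id=([0-9A-Fa-f]+)\}")

def parse_trace(text):
    """Group SPNegoLib error messages by the root-id line that follows each one."""
    by_root, pending = defaultdict(list), []
    for line in text.splitlines():
        err = ERROR_RE.search(line)
        if err:
            pending.append(err.group(1).strip())
            continue
        root = ROOT_RE.search(line)
        if root and pending:
            by_root[root.group(1)].extend(pending)
            pending = []
    return dict(by_root)

def diagnose(errors):
    """Classify one request's errors; the hint text restates this thread's fix."""
    crypt_chain = [m.group(2) for e in errors if (m := CRYPT_RE.match(e))]
    cred_failed = "sec_oldpse_decryptCred" in crypt_chain
    handshake_failed = any("no key exchange algorithm" in e for e in errors)
    if cred_failed:
        hint = ("PSE credential could not be decrypted: recreate SAPSNCSKERB.pse and "
                "cred_v2 while logged in as the service account, check SECUDIR access")
    elif handshake_failed:
        hint = "handshake failed with no credential error logged for this request"
    else:
        hint = "no known pattern"
    return {"crypt_chain": crypt_chain, "cred_failed": cred_failed,
            "handshake_failed": handshake_failed, "hint": hint}

if __name__ == "__main__":
    for root_id, errors in parse_trace(SAMPLE_TRACE).items():
        print(root_id, diagnose(errors))
```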