Skip to Content
0
Former Member
Sep 30, 2013 at 11:16 AM

Single Sign On

112 Views

Hi folks,

I am implementing SSO for a customer on six partitions. Five partitions run without problems. The work processes of the sixth partition fail to start.

Part of ST11 DEV_W0:

.........

SncInit(): Initializing Secure Network Communication (SNC)

IBM i with OS400 (st,ascii,SAP_UC/size_t/void* = 16/64/64)

UserId="p0110" (4294770762), envvar USER="P0110"

SncInit(): found snc/data_protection/max=3, using 3 (Privacy Level)

SncInit(): found snc/data_protection/min=2, using 2 (Integrity Level)

SncInit(): found snc/data_protection/use=9, using 3 (Privacy Level)

SncInit(): found snc/gssapi_lib=/lib/libgssapi_krb5.a(libgssapi_krb5.a.so)

File "/lib/libgssapi_krb5.a(libgssapi_krb5.a.so)" dynamically loaded as GSS-API v2 library.

The internal Adapter for the loaded GSS-API mechanism identifies as:

Internal SNC-Adapter (Rev 1.0) to Kerberos 5/GSS-API v2

SncInit(): found snc/identity/as=p:SAPService/server11.kunde.ent@KUNDE.ENT

SncInit(): Accepting Credentials available, lifetime=Indefinite

*** ERROR => SncPAcquireCred()==SNCERR_GSSAPI [sncxxall.c 1445]

GSS-API(maj): Miscellaneous failure

GSS-API(min): No credentials cache found

Could't acquire INITIATING credentials for

name="p:SAPService/server11.kunde.ent@KUNDE.ENT"

SncInit(): Fatal Initiating Credentials not available!

<<- SncInit()==SNCERR_GSSAPI

sec_avail = "false"

***LOG R19=> ThSncInit, SncInitU ( SNC-000004) [thxxsnc.c 238]

*** ERROR => ThSncInit: SncInitU (SNCERR_GSSAPI) [thxxsnc.c 240]

in_ThErrHandle: 1

*** ERROR => SncInitU (step 1, th_errno 44, action 3, level 1) [thxxhead.c 11370]

...............

When I run kinit and klist with the SAP p0110 user everything looks fine

$

> kinit -k SAPService/server11.kunde.ent@KUNDE.ENT

$

> klist

Ticket cache: FILE:/var/krb5/security/creds/krb5cc_-196541

Default principal: SAPService/server11.kunde.ent@KUNDE.ENT

Valid starting Expires Service principal

09/30/13 15:01:00 09/04/13 01:01:00 krbtgt/KUNDE.ENT@KUNDE.ENT

Renew until 10/01/13 15:01:00

$

The differences on this partition are the strange name of the credentials cache krb5cc_-196541 and the unusually high uid of user p0110.

SAP refuses support as the support Kerberos only on Windows.

Any hints ?

Thanks Fredi