SSO Could not establish between SAPGUI and ECC Server

Former Member

Hello friends:

    We have 2 ECC systems: a small one that runs on Windows + Oracle, and another that runs on AIX + Oracle. Both are ECC 6 EHP4 with kernel version 721 401, and we also have AD (Windows 2008 R2). We have already implemented NetWeaver SSO 1.0 (only the SSO client and SSO library) on the small one running on Windows; after users log on to Windows AD they can log in to ECC without a password. Now we plan to implement the same thing on the ECC running on AIX, and we use SSO 2.0 (client and library), but it does not work at all.

    We have done the following configuration:

        1. Use the Windows DC as the DNS server for AIX:

R3DEV02:d02adm 168> more resolv.conf

nameserver      10.68.113.102

domain SAPSSO.com

        2. Create the user SAPServiceD02 in the Windows DC and set the SPN SAP/SAPServiceD02 for this user.

        3. Download SSO 2.0 and the patch (SP1 level 4).

        4. Use SAPCAR to extract the files to /usr/sap/<sid>/<instancename>/SLL, and set the SECUDIR and SNC_LIB environment variables.

        5. Use sapgenpse to create the PSE file:

             ./sapgenpse keytab -p SAPSNCSKERB.pse -x Init123! -y Init1234 -a SAPServiceD02@SAPSSO.COM -nopsegen

        6. Use sapgenpse to set seclogin for user d02adm:

              ./sapgenpse seclogin -p /usr/sap/D02/DVEBMGS00/sec/SAPSNCSKERB.pse -O d02adm

        7. Add the following parameters to the instance profile:

    snc/force_login_screen = 0

    snc/permit_insecure_start = 1

    snc/accept_insecure_rfc = 1

    snc/accept_insecure_gui = 1

    snc/accept_insecure_cpic = 1

    snc/identity/as = p:CN=SAP/SAPServiceD02@SAPSSO.COM

    snc/gssapi_lib = /usr/sap/D02/DVEBMGS00/SLL/libsapcrypto.so

    snc/enable = 1

             

    Then we restarted the application server, and we could find the following in the dev_w* trace:

SncInit(): Initializing Secure Network Communication (SNC)

      IBM RS/6000 with AIX (st,ascii,SAP_UC/size_t/void* = 16/64/64)

SncInit():   found snc/data_protection/max=3, using 3 (Privacy Level)

SncInit():   found snc/data_protection/min=2, using 2 (Integrity Level)

SncInit():   found snc/data_protection/use=9, using 3 (Privacy Level)

SncInit(): found  snc/gssapi_lib=/usr/sap/D02/DVEBMGS00/SLL/libsapcrypto.so

  File "/usr/sap/D02/DVEBMGS00/SLL/libsapcrypto.so" dynamically loaded as GSS-API v2 library.

  The internal Adapter for the loaded GSS-API mechanism identifies as:

  Internal SNC-Adapter (Rev 1.0) to SECUDE 5/GSS-API v2

SncInit():   found snc/identity/as=p:CN=SAP/SAPServiceD02@SAPSSO.COM

Tue Nov  5 12:59:22 2013

SncInit(): Accepting  Credentials available, lifetime=Indefinite

SncInit(): Initiating Credentials available, lifetime=Indefinite

***LOG R1Q=> 1& [thxxsnc.c    261]

SNC (Secure Network Communication) enabled

  So SNC was enabled on the application server, and we set the SNC Name "p:CN=SAP/SAPServiceD02@SAPSSO.COM" in SAPGUI, and confirmed that the SSO client got the correct Kerberos token and used it for the SAP application. Once I try to log on to the SAP system, the system response is:

    No credentials were supplied, unable to establish the security context, target = "p:CN=SAP/SAPServiceD02@SAPSSO.COM"

  We opened the trace for the SSO library on the ECC server, and the trace shows:

[2013.11.05 04:59:45.000][TRACE][                    ][GSS         ][     1] gss_import_name input buffer (57 bytes)

[2013.11.05 04:59:45.000][TRACE][                    ][GSS         ][     1]  ??????+$??%????)0'1%0#??U????SAP/SAPServiceD02@SAPSSO.COM

[2013.11.05 04:59:45.000][TRACE][                    ][GSS         ][     1]  0401000806062B24030125010000002930273125302306035504030C1C5341502F534150536572766963654430324053415053534F2E434F4D

[2013.11.05 04:59:45.000][TRACE][                    ][SAPCRYPTOLIB][     1] } gss_import_name

[2013.11.05 04:59:45.000][TRACE][                    ][SAPCRYPTOLIB][     1] { aux_free_error

[2013.11.05 04:59:45.000][TRACE][                    ][SAPCRYPTOLIB][     1] } aux_free_error

[2013.11.05 04:59:45.000][TRACE][                    ][SAPCRYPTOLIB][     1] { gss_acquire_cred

[2013.11.05 04:59:45.000][TRACE][                    ][LOADER      ][     1] Loading config file '/usr/sap/D02/DVEBMGS00/SLL/sll/base.xml' successful

[2013.11.05 04:59:45.000][TRACE][                    ][PSE         ][     1] Trying to open credentials file /usr/sap/D02/DVEBMGS00/sec/cred_v2.

[2013.11.05 04:59:45.000][TRACE][                    ][PSE         ][     1] Refreshing PSE content

[2013.11.05 04:59:45.000][TRACE][                    ][LOADER      ][     1] Opened credentials file /usr/sap/D02/DVEBMGS00/sec/cred_v2

[2013.11.05 04:59:45.000][TRACE][                    ][PSE         ][     1] Try open PSE for GSS with given name (CN=SAP/SAPServiceD02@SAPSSO.COM)

[2013.11.05 04:59:45.000][TRACE][                    ][PSE         ][     1] Searching own certificate ...

[2013.11.05 04:59:45.000][TRACE][                    ][PSE         ][     1]     Found 0 suitable certificates

[2013.11.05 04:59:45.000][TRACE][                    ][PSE         ][     1] Adding token 'tokpse:/usr/sap/D02/DVEBMGS00/sec/SAPSNCSKERB.pse' without provided password to PSE successful

[2013.11.05 04:59:45.000][TRACE][                    ][GSS         ][     1] Searching credentials for desired name 'CN=SAP/SAPServiceD02@SAPSSO.COM'

[2013.11.05 04:59:45.000][TRACE][                    ][PSE         ][     1] Searching own certificate ...

[2013.11.05 04:59:45.000][TRACE][                    ][PSE         ][     1]       SUBJECTNAME=CN=SAP/SAPServiceD02@SAPSSO.COM

[2013.11.05 04:59:45.000][TRACE][                    ][PSE         ][     1]     Found 0 suitable certificates

[2013.11.05 04:59:45.000][TRACE][                    ][GSS         ][     1] Didn't found a certificate (may be kerberos is used)

[2013.11.05 04:59:45.000][TRACE][                    ][SAPCRYPTOLIB][     1] } gss_acquire_cred

[2013.11.05 04:59:45.000][TRACE][                    ][SAPCRYPTOLIB][     1] { aux_free_error

[2013.11.05 04:59:45.000][TRACE][                    ][SAPCRYPTOLIB][     1] } aux_free_error

[2013.11.05 04:59:45.000][TRACE][                    ][SAPCRYPTOLIB][     1] { gss_release_name

[2013.11.05 04:59:45.000][TRACE][                    ][SAPCRYPTOLIB][     1] } gss_release_name

[2013.11.05 04:59:45.000][TRACE][                    ][SAPCRYPTOLIB][     1] { aux_free_error

[2013.11.05 04:59:45.000][TRACE][                    ][SAPCRYPTOLIB][     1] } aux_free_error

[2013.11.05 04:59:45.000][TRACE][                    ][SAPCRYPTOLIB][     1] { gss_inquire_cred

[2013.11.05 04:59:45.000][TRACE][                    ][GSS         ][     1] Inquire creds (get cred info)

[2013.11.05 04:59:45.000][TRACE][                    ][SAPCRYPTOLIB][     1] } gss_inquire_cred

[2013.11.05 04:59:45.000][TRACE][                    ][SAPCRYPTOLIB][     1] { aux_free_error

[2013.11.05 04:59:45.000][TRACE][                    ][SAPCRYPTOLIB][     1] } aux_free_error

[2013.11.05 04:59:45.000][TRACE][                    ][SAPCRYPTOLIB][     1] { gss_canonicalize_name

[2013.11.05 04:59:45.000][TRACE][                    ][SAPCRYPTOLIB][     1] } gss_canonicalize_name

[2013.11.05 04:59:45.000][TRACE][                    ][SAPCRYPTOLIB][     1] { aux_free_error

[2013.11.05 04:59:45.000][TRACE][                    ][SAPCRYPTOLIB][     1] } aux_free_error

[2013.11.05 04:59:45.000][TRACE][                    ][SAPCRYPTOLIB][     1] { gss_export_name

[2013.11.05 04:59:45.000][TRACE][                    ][GSS         ][     1] gss_export_name output buffer (57 bytes)

[2013.11.05 04:59:45.000][TRACE][                    ][GSS         ][     1]  ??????+$??%????)0'1%0#??U????SAP/SAPServiceD02@SAPSSO.COM

[2013.11.05 04:59:45.000][TRACE][                    ][GSS         ][     1]  0401000806062B24030125010000002930273125302306035504030C1C5341502F534150536572766963654430324053415053534F2E434F4D

[2013.11.05 04:59:45.000][TRACE][                    ][SAPCRYPTOLIB][     1] } gss_export_name

[2013.11.05 04:59:45.000][TRACE][                    ][SAPCRYPTOLIB][     1] { aux_free_error

[2013.11.05 04:59:45.000][TRACE][                    ][SAPCRYPTOLIB][     1] } aux_free_error

[2013.11.05 04:59:45.000][TRACE][                    ][SAPCRYPTOLIB][     1] { gss_display_name

[2013.11.05 04:59:45.000][TRACE][                    ][GSS         ][     1] gss_display_name output buffer (31 bytes)

[2013.11.05 04:59:45.000][TRACE][                    ][GSS         ][     1]  CN=SAP/SAPServiceD02@SAPSSO.COM

[2013.11.05 04:59:45.000][TRACE][                    ][GSS         ][     1]  434E3D5341502F534150536572766963654430324053415053534F2E434F4D

[2013.11.05 04:59:45.000][TRACE][                    ][SAPCRYPTOLIB][     1] } gss_display_name

[2013.11.05 04:59:45.000][TRACE][                    ][SAPCRYPTOLIB][     1] { aux_free_error

[2013.11.05 04:59:45.000][TRACE][                    ][SAPCRYPTOLIB][     1] } aux_free_error

[2013.11.05 04:59:45.000][TRACE][                    ][SAPCRYPTOLIB][     1] { gss_release_buffer

[2013.11.05 04:59:45.000][TRACE][                    ][SAPCRYPTOLIB][     1] } gss_release_buffer

[2013.11.05 04:59:45.000][TRACE][                    ][SAPCRYPTOLIB][     1] { aux_free_error

[2013.11.05 04:59:45.000][TRACE][                    ][SAPCRYPTOLIB][     1] } aux_free_error

[2013.11.05 04:59:45.000][TRACE][                    ][SAPCRYPTOLIB][     1] { gss_release_buffer

[2013.11.05 04:59:45.000][TRACE][                    ][SAPCRYPTOLIB][     1] } gss_release_buffer

[2013.11.05 04:59:45.000][TRACE][                    ][SAPCRYPTOLIB][     1] { aux_free_error

[2013.11.05 04:59:45.000][TRACE][                    ][SAPCRYPTOLIB][     1] } aux_free_error

[2013.11.05 04:59:45.000][TRACE][                    ][SAPCRYPTOLIB][     1] { gss_release_name

[2013.11.05 04:59:45.000][TRACE][                    ][SAPCRYPTOLIB][     1] } gss_release_name

[2013.11.05 04:59:45.000][TRACE][                    ][SAPCRYPTOLIB][     1] { aux_free_error

[2013.11.05 04:59:45.000][TRACE][                    ][SAPCRYPTOLIB][     1] } aux_free_error

[2013.11.05 04:59:45.000][TRACE][                    ][SAPCRYPTOLIB][     1] { gss_release_name

[2013.11.05 04:59:45.000][TRACE][                    ][SAPCRYPTOLIB][     1] } gss_release_name

[2013.11.05 04:59:45.000][TRACE][                    ][SAPCRYPTOLIB][     1] { aux_free_error

[2013.11.05 04:59:45.000][TRACE][                    ][SAPCRYPTOLIB][     1] } aux_free_error

[2013.11.05 04:59:45.000][TRACE][                    ][SAPCRYPTOLIB][     1] { gss_release_cred

[2013.11.05 04:59:45.000][TRACE][                    ][SAPCRYPTOLIB][     1] } gss_release_cred

We could not find any useful message in it, and we have checked the manual many times to make sure we haven't missed something. Any suggestion is appreciated.

(entire log attached)

Best Regards

Larry Zhu
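The gss_export_name buffer that the trace dumps in hex is not opaque: it is an RFC 2743 exported name token wrapping a DER-encoded X.500 name. The following Python decoder is an added example, not part of the original post or of SAP's tooling. It takes the 57 bytes copied from the trace above, splits off the mechanism OID (reported only as dotted digits; the trace identifies the adapter as SECUDE 5/GSS-API v2 and nothing here names the OID further), decodes the name inside, and compares it with the profile's snc/identity/as value. The comparison against a mistyped realm is a constructed negative case.

```python
"""Decode the GSS-API exported name (RFC 2743 s3.2) dumped by the CommonCryptoLib SNC trace.

Added example, not part of the original post. EXPORTED_NAME_HEX is copied from the two
gss_export_name hex lines in the trace above; everything else is assumption-free DER parsing.
"""
from __future__ import annotations

# 57-byte gss_export_name output buffer, copied from the trace (hex lines joined).
EXPORTED_NAME_HEX = (
    "0401000806062B2403012501000000293027312530230603550403"
    "0C1C5341502F534150536572766963654430324053415053534F2E434F4D"
)

# Attribute-type OIDs expected inside an SNC p-name; anything else stays in dotted form.
ATTR_NAMES = {"2.5.4.3": "CN", "2.5.4.10": "O", "2.5.4.11": "OU", "2.5.4.6": "C"}


def read_tlv(buf: bytes, pos: int) -> tuple[int, bytes, int]:
    """Read one DER TLV at buf[pos]; return (tag, contents, position after it)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long-form length: low bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("DER element runs past end of buffer")
    return tag, buf[pos:pos + length], pos + length


def decode_oid(contents: bytes) -> str:
    """Decode DER OID contents (without tag/length) to dotted notation."""
    arcs = [str(contents[0] // 40), str(contents[0] % 40)]
    value = 0
    for b in contents[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:  # last byte of a base-128 arc
            arcs.append(str(value))
            value = 0
    return ".".join(arcs)


def decode_x500_name(der: bytes) -> str:
    """SEQUENCE OF SET OF (OID, string) -> 'CN=...,O=...' in encoded order."""
    tag, rdn_sequence, _ = read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("X.500 name must start with a SEQUENCE")
    parts = []
    pos = 0
    while pos < len(rdn_sequence):
        tag, rdn_set, pos = read_tlv(rdn_sequence, pos)
        if tag != 0x31:
            raise ValueError("each RDN must be a SET")
        inner = 0
        while inner < len(rdn_set):
            _, atv, inner = read_tlv(rdn_set, inner)
            _, oid, after_oid = read_tlv(atv, 0)
            _, value, _ = read_tlv(atv, after_oid)
            dotted = decode_oid(oid)
            parts.append(f"{ATTR_NAMES.get(dotted, dotted)}={value.decode('utf-8')}")
    return ",".join(parts)


def parse_exported_name(token: bytes) -> dict[str, str]:
    """Split an exported name: 04 01 | mech OID length (2) | DER OID | name length (4) | name."""
    if token[:2] != b"\x04\x01":
        raise ValueError("not a GSS-API exported name token (missing 04 01 prefix)")
    oid_len = int.from_bytes(token[2:4], "big")
    oid_tag, oid_contents, pos = read_tlv(token, 4)
    if oid_tag != 0x06 or pos != 4 + oid_len:
        raise ValueError("mechanism OID is not a single DER OID of the announced length")
    name_len = int.from_bytes(token[pos:pos + 4], "big")
    name_der = token[pos + 4:pos + 4 + name_len]
    if len(name_der) != name_len or pos + 4 + name_len != len(token):
        raise ValueError("name length does not match token size")
    return {"mech_oid": decode_oid(oid_contents), "x500_name": decode_x500_name(name_der)}


def matches_snc_identity(token_hex: str, snc_identity_as: str) -> bool:
    """True when the decoded name equals the profile's snc/identity/as minus its 'p:' prefix."""
    expected = snc_identity_as[2:] if snc_identity_as.startswith("p:") else snc_identity_as
    return parse_exported_name(bytes.fromhex(token_hex))["x500_name"] == expected


if __name__ == "__main__":
    print(parse_exported_name(bytes.fromhex(EXPORTED_NAME_HEX)))
```

Run against the trace bytes this yields the same string the later gss_display_name line prints, which tells you the server side imported a well-formed name matching its own identity. The "Found 0 suitable certificates" lines that follow are what a keytab-only PSE looks like, as the trace's own remark "may be kerberos is used" hints; the failure is not in the name handling shown here.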

Accepted Solutions (1)

Christian_Cohrs
Product and Topic Expert

Sounds like the Secure Login Client is unable to map the SNC Name entry in SAP GUI to an SPN in Active Directory. Maybe you could run "setspn -Q ..." to check whether the SPN can be found as expected.

Best regards,

Christian

Former Member

    Thanks for your reply. The SPN is correct, and we found the problem: there is a time difference between the ECC server and the DC. By default, AD permits a 5 minute time difference between client and server during the Kerberos ticket exchange, but the actual difference was more than 10 minutes.
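As an added example that is not part of the thread, the Python below turns the three points raised above into a pre-flight check you can run before the first SNC logon attempt: the snc/identity/as value is reduced to the SPN that "setspn -Q" should find, the application server clock is compared with the DC clock against the 5 minute tolerance the reply mentions, and the snc/accept_insecure_* and snc/permit_insecure_start parameters from the question's profile are flagged because they keep password logons possible. The sample profile is copied from the question; the clock values and the 11 minute offset are constructed to reproduce the diagnosis. Nothing here talks to a DC; you supply the two clock readings.

```python
"""Pre-flight checks for SNC/Kerberos SSO on an ABAP application server.

Added example, not part of the thread. Inputs are the instance profile text and two
tz-aware clock readings (application server and DC); all data below is constructed.
"""
from __future__ import annotations

import re
from datetime import datetime, timedelta, timezone

# Active Directory's default maximum tolerance for computer clock synchronization.
KERBEROS_MAX_SKEW = timedelta(minutes=5)

# Profile parameters that keep non-SNC (password) access or an SNC-less start possible.
INSECURE_FALLBACK = (
    "snc/permit_insecure_start",
    "snc/accept_insecure_gui",
    "snc/accept_insecure_rfc",
    "snc/accept_insecure_cpic",
)

# Constructed sample: the SNC parameters from the question's instance profile.
SAMPLE_PROFILE = """\
snc/force_login_screen = 0
snc/permit_insecure_start = 1
snc/accept_insecure_rfc = 1
snc/accept_insecure_gui = 1
snc/accept_insecure_cpic = 1
snc/identity/as = p:CN=SAP/SAPServiceD02@SAPSSO.COM
snc/gssapi_lib = /usr/sap/D02/DVEBMGS00/SLL/libsapcrypto.so
snc/enable = 1
"""


def parse_profile(text: str) -> dict[str, str]:
    """Parse 'key = value' lines of an SAP instance profile; '#' lines are comments."""
    params: dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")  # split at the first '=' only
        if sep:
            params[key.strip()] = value.strip()
    return params


def snc_name_to_spn(snc_name: str) -> tuple[str, str]:
    """'p:CN=SAP/SAPServiceD02@SAPSSO.COM' -> ('SAP/SAPServiceD02', 'SAPSSO.COM')."""
    match = re.fullmatch(r"p:CN=([^@]+)@([^@]+)", snc_name)
    if not match:
        raise ValueError(f"SNC name is not of the form p:CN=<service>/<account>@<REALM>: {snc_name!r}")
    return match.group(1), match.group(2)


def check_clock_skew(server_time: datetime, dc_time: datetime) -> tuple[bool, float]:
    """Return (within Kerberos tolerance, absolute skew in seconds)."""
    skew = abs((server_time - dc_time).total_seconds())
    return skew <= KERBEROS_MAX_SKEW.total_seconds(), skew


def constructed_times(dc_offset_seconds: int) -> tuple[datetime, datetime]:
    """Constructed clocks: server at a fixed instant, DC shifted by the given offset."""
    server = datetime(2013, 11, 5, 12, 59, 22, tzinfo=timezone.utc)
    return server, server + timedelta(seconds=dc_offset_seconds)


def preflight(profile_text: str, server_time: datetime, dc_time: datetime) -> list[str]:
    """Run all checks and return findings as 'LEVEL: message' strings."""
    findings: list[str] = []
    params = parse_profile(profile_text)

    if params.get("snc/enable") != "1":
        findings.append("ERROR: snc/enable is not 1; SNC will not be initialised")

    try:
        spn, realm = snc_name_to_spn(params.get("snc/identity/as", ""))
    except ValueError as exc:
        findings.append(f"ERROR: {exc}")
    else:
        if realm != realm.upper():
            findings.append(f"WARN: realm {realm!r} is not upper case; Kerberos realm names are case-sensitive")
        findings.append(f"INFO: on a domain-joined Windows host run: setspn -Q {spn}")

    within, skew = check_clock_skew(server_time, dc_time)
    if not within:
        findings.append(
            f"ERROR: clock skew {skew:.0f}s between application server and DC exceeds the "
            f"{KERBEROS_MAX_SKEW.total_seconds():.0f}s Kerberos tolerance; ticket exchange will fail"
        )

    for key in INSECURE_FALLBACK:
        if params.get(key) == "1":
            findings.append(f"WARN: {key} = 1 keeps non-SNC access possible; set it to 0 once SSO is verified")
    return findings


if __name__ == "__main__":
    server, dc = constructed_times(11 * 60)  # DC 11 minutes ahead, as in the thread
    for finding in preflight(SAMPLE_PROFILE, server, dc):
        print(finding)
```

The skew check is the one that would have caught this thread's fault before any trace was opened; the SPN line only tells you what to query, since the query itself must run on a domain-joined Windows host. The WARN lines are the security caveat: with snc/accept_insecure_gui = 1 and friends left at 1, a working SSO rollout still accepts password logons from any GUI, so they belong at 0 once SNC logons are confirmed.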

Answers (0)