Skip to Content
avatar image
Former Member

SSO with MIT Kerberos 5 under Linux


Hi,

i´m trying to get this runnnig but it didn´t work.

Has anybody a solution or currently that running under this environment?

uname -a
Linux <SERVER> 3.0.93-0.5-default #1 SMP Tue Aug 27 08:17:02 UTC 2013 (925d406) x86_64 x86_64 x86_64 GNU/Linux

gcc -v
gcc version 4.3.4 [gcc-4_3-branch revision 152973] (SUSE Linux)

I use the documentation from Realtech.

We create the SPN and get a kerberos ticket at the linux server via kinit.

# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: SAPService/<SERVER>.<DOMAIN>.DE@<DOMAIN>.DE

Valid starting     Expires            Service principal
01/30/14 06:01:01  01/30/14 16:01:01  krbtgt/<DOMAIN>.DE@<DOMAIN>.DE
        renew until 01/31/14 06:01:01


Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached

After that i have activated the SNC Config for the ABAP system and i´m able to start the system with snc.

In the dev traces i can the snc entries.

snc/identity/as = SAPService/<SERVER>.<domain>.DE@<DOMAIN>.DE

snc/identity/as = SAPService/<SERVER>.<domain>.DE

works fine

But i´m not able to logon via GUI:

error message:

GSS-API(maj) failure

gss-api (min): SSPI::IniSctx#1()==specified target is unknown or unreac

target="p:SAPService/<SERVER>.<domain>@<DOMAIN>.DE

Error in SNC

SNC String into SAPGui:

p/krb5:SAPService/<SERVER>.<DOMAIN>@<DOMAIN>.DE

I have attached the output from gsstest

If anybody has information, ideas or solutions please answer.

Thankx.

Regards

Mirko 

Add comment
10|10000 characters needed characters exceeded

  • Get RSS Feed

1 Answer

  • avatar image
    Former Member
    Feb 17, 2014 at 11:00 AM

    Hello Mirco,

    please verify, that port numbers  in the  /etc/krb5.conf

    looks like <

    kdc=<SERVER>.<domain>@<DOMAIN>.DE:88

    admin_server=<SERVER>.<domain>@<DOMAIN>.DE:749

    >

    Add comment
    10|10000 characters needed characters exceeded