Skip to Content
avatar image
Former Member

Could't acquire ACCEPTING credentials for name="p:CN=SLLServiceSM1"

Hi all,

I am trying to configure SAP NetWeaver Single Sign-On for SAP GUI for Windows with Kerberos integration.

As <SID>adm

I have downloaded the files and uncar'd them into my D:\usr\sap\SM1\SLL directory.

I set my environment variables: SUCDIR = D:\usr\sap\SM1\DVEBMGS02\sec, SNCLIB = D:\usr\sap\SM1\SLL\secgss.dll

I have maintained my Instance Profile with:

snc/enable = 1

snc/gssapi_lib = D:\usr\sap\SM1\SLL\secgss.dll

snc/identity/as = p:CN=SLLServiceSM1

snc/data_protection/max = 3

snc/data_protection/min = 2

snc/data_protection/use = 3

snc/r3int_rfc_secure = 0

snc/r3int_rfc_qop = 8

snc/accept_insecure_cpic = 1

snc/accept_insecure_gui = 1

snc/accept_insecure_rfc = 1

snc/permit_insecure_start = 1

snc/force_login_screen = 0

snc/accept_insecure_r3int_rfc = 1

snc/extid_login_diag = 1

snc/extid_login_rfc = 1

I have a user on the Active Directory: SLLServiceSM1

I ran through the steps:

D:\>set SECUDIR=D:\usr\sap\SM1\DVEBMGS02\sec

D:\>cd D:\usr\sap\SM1\SLL

D:\usr\sap\SM1\SLL>sapgenpse keytab -p SAPSNCSKERB.pse -a SLLServiceSM1@office.xxxxx.com (no errors)

D:\usr\sap\SM1\SLL>sapgenpse seclogin -p SAPSNCSKERB.pse -O SLLServiceSM1 (no errors)

D:\usr\sap\SM1\SLL>sapgenpse seclogin -l  

(gives:  running seclogin with USER="sm1adm" 0: CN=SLLServiceSM1@office.xxxxxx.com D:\usr\sap\SM1\DVEBMGS02\sec\SAPSNCSKERB.pse NOT readable for sm1adm NO readable SSO-Credentials available (total 1))

When I try to start SAP, it Stops and my trace reads:

SncInit(): Initializing Secure Network Communication (SNC)

N        PC with Windows NT (mt,ascii,SAP_UC/size_t/void* = 16/64/64)

N        GetUserName()="SAPServiceSM1"  NetWkstaUser="SAPServiceSM1"

N  SncInit():   found snc/data_protection/max=3, using 3 (Privacy Level)

N  SncInit():   found snc/data_protection/min=2, using 2 (Integrity Level)

N  SncInit():   found snc/data_protection/use=3, using 3 (Privacy Level)

N  SncInit(): found  snc/gssapi_lib=D:\usr\sap\SM1\SLL\secgss.dll

N    File "D:\usr\sap\SM1\SLL\secgss.dll" dynamically loaded as GSS-API v2 library.

N    The internal Adapter for the loaded GSS-API mechanism identifies as:

N    Internal SNC-Adapter (Rev 1.0) to SECUDE 5/GSS-API v2

N    FileVersionInfo: D:\usr\sap\SM1\SLL\secgss.dll, FileVersion= 8.4.1.32

N  SncInit():   found snc/identity/as=p:CN=SLLServiceSM1

N  *** ERROR => SncPAcquireCred()==SNCERR_GSSAPI  [sncxxall.c 1445]

N        GSS-API(maj): No credentials were supplied

N      Could't acquire ACCEPTING credentials for

N      name="p:CN=SLLServiceSM1"

N      FATAL SNCERROR -- Accepting Credentials not available!

N      (debug hint: default acceptor = "p:CN=DummyCredential")

N  <<- SncInit()==SNCERR_GSSAPI

N           sec_avail = "false"

Any input would be greatly appreciated.

Thanks,

Diana

Add comment
10|10000 characters needed characters exceeded

  • Get RSS Feed

2 Answers

  • Best Answer
    avatar image
    Former Member
    Apr 29, 2014 at 07:16 PM

    Turns out there was a conflict between me SAProuter SNC configuration on this server and the SNC for SSO. Once I set the SNC SSO environment variables as 'user' variables (left the SAProuter variables as 'system') everything was fine.

    Thanks,

    Diana

    Add comment
    10|10000 characters needed characters exceeded

  • avatar image
    Former Member
    Apr 28, 2014 at 04:21 PM

    Hello Diana,

    You did not tell if your SAP server is also running Windows.

    If yes, the credentials should be set for the SAPService<SID> user.

    In my company, I could successfully configure SNC Kerberos but it was not really easy for the first system... I have one difficulty because the SAP end users have windows users in a different windows domain than the SAP Servers.

    Here is briefly what I have done to generate a working keytab pse.

    I used the SAP Common Cryptolib instead of the NWSSO dll.

    Create empty PS:

    sapgenpse keytab –p SAPSNCSKERB.pse


    Create entries in the keytab

    sapgenpse keytab -x <kerberos user password> -nopsegen -a <kerberos user>@<SAP SERVER WINDOWS DOMAIN>

    Create credentials for the SAP Widows  Service user : SAPService<SID>

    sapgenpse seclogin -p D:\usr\sap\<SID>DVEBMGSxx\sec\SAPSNCSKERB.pse -O SAPService<SID>

    Verify credentials :

    sapgenpse seclogin -l -O SAPService<SID>

    When re-starting  the system I get :

    SncInit(): Initializing Secure Network Communication (SNC)

           PC with Windows NT (mt,ascii,SAP_UC/size_t/void* = 16/64/64)

           GetUserName()="SAPService<SID>"  NetWkstaUser="SAPService<SID>"

    SncInit():   found snc/data_protection/max=1, using 1 (Authentication Level)

    SncInit():   found snc/data_protection/min=1, using 1 (Authentication Level)

    SncInit():   found snc/data_protection/use=1, using 1 (Authentication Level)

    SncInit(): found  snc/gssapi_lib=D:\usr\sap\<SID>\DVEBMGS57\exe\sapcrypto.dll

       File "D:\usr\sap\<SID>\DVEBMGS57\exe\sapcrypto.dll" dynamically loaded as GSS-API v2 library.

       SECUDIR="D:\usr\sap\<SID>\DVEBMGS57\sec" (from $SECUDIR)

       The internal Adapter for the loaded GSS-API mechanism identifies as:

       Internal SNC-Adapter (Rev 1.0) to Secure Login Library

       Product Version = CommonCryptoLib (SAPCRYPTOLIB) Version 8.4.9 pl40 (2.0 SP1 Patch 4) (Sep 27 2013) MT-safe

    SncInit():   found snc/identity/as=p:CN=SAP/<kerberos user>@<SAP SERVER WINDOWS DOMAIN>

    SncInit(): Accepting  Credentials available, lifetime=Indefinite

    SncInit(): Initiating Credentials available, lifetime=Indefinite

    ***LOG R1Q=> p:CN=SAP/<kerberos user>@<SAP SERVER WINDOWS DOMAIN> [thxxsnc.c    267]

    SNC (Secure Network Communication) enabled

    There may be a simpler way, but it worked for me !

    Hope this helps...

    Best Regards,

    Olivier

    Add comment
    10|10000 characters needed characters exceeded