on 05-23-2014 8:00 PM
Hello,
I am currently configuring SAP SSO for ABAP in a Windows environment. (2012)
I downloaded all the latest files.
Created user SLLServiceSAP on the AD server.
I set my profile parameters:
### SSO
snc/enable = 1
snc/gssapi_lib = C:\usr\sap\DEV\SLL\secgss.dll
snc/identity/as = p:CN=SLLServiceSAP@bowieresources.com
snc/data_protection/max = 3
snc/data_protection/min = 2
snc/data_protection/use = 3
snc/r3int_rfc_secure = 0
snc/r3int_rfc_qop = 8
snc/accept_insecure_cpic = 1
snc/accept_insecure_gui = 1
snc/accept_insecure_rfc = 1
snc/permit_insecure_start = 1
snc/force_login_screen = 0
snc/accept_insecure_r3int_rfc = 1
snc/extid_login_diag = 1
snc/extid_login_rfc = 1
I set my environment variables:
SECUDIR C:\usr\sap\DEV\DVEBMGS00\sec
SNC_LIB C:\usr\sap\DEV\SLL\secgss.dll
I installed the Secure Library on my SAP server and ran all setup/config commands successfully with no errors.
/sec contains:
I ran the Secure Client install on my workstation:
My SAPLogon 'Network' Tab reads: p:CN=SLLServiceSAP@bowieresources.com
My 'SNC' Tab reads:
When I execute a logon, I receive:
Any insight/help would be much appreciated.
Thanks,
Diana
Hi Samuli Kaski ,
I have the same issue (GSS-API(maj): No credentials were supplied Unable to establish the security).
sapgenpse seclogin -l doesn't display the userPrincipal Name whereas I used the command below to generate pse :
sapgenpse keytab -p SAPSNCSKERB.pse -X <UPN password> -a <UPN>
#############################################################################
License Disclaimer SAP NetWeaver Single Sign-On
You are about to configure trust for single sign-on or SNC Client Encryption.
Please note that for single sign-on you require a license for
SAP NetWeaver Single Sign-On.
As exception, the usage of SNC Client Encryption only without SSO is free
as described in SAP Note 1643878.
#############################################################################
WARNING: it is recommended to use -y instead of -X
Please enter PSE PIN/Passphrase: **********
Please reenter PSE PIN/Passphrase: **********
!!! WARNING: For security reasons it is recommended to use a PIN/passphrase
!!! WARNING: which is at least 8 characters long and contains characters in
!!! WARNING: upper and lower case, numbers and non-alphanumeric symbols.
keytab: Created new keyTab entry.
keytab: KeyTab content stored:
Version Time stamp KeyType Kerberos name
1 Fri Mar 4 11:24:07 2016 DES <UPN>@domaine
1 Fri Mar 4 11:24:07 2016 AES128 <UPN>@domaine
1 Fri Mar 4 11:24:07 2016 AES256 <UPN>@domaine
1 Fri Mar 4 11:24:07 2016 RC4 <UPN>@domaine
keytab: Created PSE /usr/sap/<SID>/DVEBMGS00/sec/SAPSNCSKERB.pse.
sapgenpse seclogin -p SAPSNCSKERB.pse -O <sidadm>
sapgenpse seclogin -l
running seclogin with USER="<sidadm>"
0 (LPS:OFF):
(LPS:OFF): /usr/sap/<SID>/DVEBMGS00/sec/SAPSNCSKERB.pse
1 (LPS:OFF): CN=<UPN>@domaine
(LPS:OFF): /usr/sap/<SID>/DVEBMGS00/sec/SAPSNCS.pse
2 (LPS:OFF):
(LPS:OFF): /usr/sap/<SID/DVEBMGS00/sec/SAPSNCSKERB.pse
3 readable SSO-Credentials available
I don't have any CN for SAPSNCSKERB.pse
Could you help me?
Regards
GSS-API(maj): No credentials were supplied Unable to establish the security
Here is a trace file.
----------------------------------------------------------------------------
Trace file : "C:\usr\sap\DEV\SLL/../SLLTrace\sec-00616.trc"
Trace level : 4
Process id : 616
----------------------------------------------------------------------------
[YYYY.MM.DD HH:MM:SS.MIL][LEVEL][PROCESS ][MODULE ][THR_ID]
[2014.05.23 13:36:35.355][INFO ][disp+work.EXE ][Loader ][ 3272] CryptoLib 2.0 (8.4.1.32) (c) 2011-2013 SAP AG for
windows-x86-64
[2014.05.23 13:36:35.355][INFO ][disp+work.EXE ][Loader ][ 3272] SECUDIR=C:\usr\sap\DEV\DVEBMGS00/sec
[2014.05.23 13:36:35.355][INFO ][disp+work.EXE ][Loader ][ 3272] HOMEDRIVE=NULL
[2014.05.23 13:36:35.355][INFO ][disp+work.EXE ][Loader ][ 3272] HOMEPATH=NULL
[2014.05.23 13:36:35.699][INFO ][disp+work.EXE ][SDK loader ][ 3272] Secure Login Crypto Kernel features:
[2014.05.23 13:36:35.699][INFO ][disp+work.EXE ][SDK loader ][ 3272] FIPS 140-2 = NO
[2014.05.23 13:36:35.699][INFO ][disp+work.EXE ][SDK loader ][ 3272] API-VERSION = 1
[2014.05.23 13:36:35.699][INFO ][disp+work.EXE ][SDK loader ][ 3272] VERSION = 2.0.0.1.32
[2014.05.23 13:36:35.699][INFO ][disp+work.EXE ][SDK loader ][ 3272] FILE-VERSION = 8.4.1.32
[2014.05.23 13:36:35.699][INFO ][disp+work.EXE ][SDK loader ][ 3272] CPU-FEATURES-SUPPORTED = AES-NI
[2014.05.23 13:36:35.699][INFO ][disp+work.EXE ][SDK loader ][ 3272] CPU-FEATURES-ACTIVE = AES-NI
[2014.05.23 13:36:35.699][INFO ][disp+work.EXE ][SDK loader ][ 3272] HASH-ALGORITHMS =
MD2,MD4,MD5,SHA1,SHA224,SHA256,SHA384,SHA512,RIPEMD128,RIPEMD160,CRC32
[2014.05.23 13:36:35.699][INFO ][disp+work.EXE ][SDK loader ][ 3272] ENCRYPTION-ALGORITHMS =
RSA,ELGAMAL,AES128,AES192,AES256,DES,TDES2KEY,TDES2KEY,IDEA,RC2,RC4,RC5_32
[2014.05.23 13:36:35.699][INFO ][disp+work.EXE ][SDK loader ][ 3272] ENCRYPTION-MODES =
ECB,CBC,CFB*8,OFB*8,CTR,CTSECB,CTSCBC,GCM
[2014.05.23 13:36:35.699][INFO ][disp+work.EXE ][SDK loader ][ 3272] PADDING-MODES =
PKCS1BT01,PKCS1BT02,PKCS1PSS,PKCS1OAEP,X.923,PEM,B1,XML,SSL
[2014.05.23 13:36:35.699][INFO ][disp+work.EXE ][SDK loader ][ 3272] KEYEDHASH-ALGORITHMS = HMAC
[2014.05.23 13:36:35.699][INFO ][disp+work.EXE ][SDK loader ][ 3272] SIG-ALGORITHMS = RSA,DSA
[2014.05.23 13:36:35.699][INFO ][disp+work.EXE ][SDK loader ][ 3272] KEYEXCHANGE-ALGORITHMS = DH
[2014.05.23 13:36:35.699][INFO ][disp+work.EXE ][SDK loader ][ 3272] RANDOM-ALGORITHMS = CTR_DRBG
[2014.05.23 13:36:35.730][TRACE][disp+work.EXE ][LOADER ][ 3272] Loading config file 'C:\usr\sap\DEV\SLL\base.xml'
successful
[2014.05.23 13:36:35.730][TRACE][disp+work.EXE ][GSS ][ 3272] Initializing GSS library by call to
gss_indicate_mechs
[2014.05.23 13:36:35.746][TRACE][disp+work.EXE ][LOADER ][ 3272] Loading XML file 'C:\usr\sap\DEV\SLL\gss.xml'
successful
[2014.05.23 13:36:35.840][TRACE][disp+work.EXE ][LOADER ][ 3272] Loading config file 'C:\usr\sap\DEV\SLL\pkcs11.xml'
successful
[2014.05.23 13:36:35.840][INFO ][disp+work.EXE ][GSS ][ 3272] GSS configuration:
[2014.05.23 13:36:35.840][INFO ][disp+work.EXE ][GSS ][ 3272] Profile: FullClient
[2014.05.23 13:36:35.840][INFO ][disp+work.EXE ][GSS ][ 3272] NameCharSet: latin1
[2014.05.23 13:36:35.840][INFO ][disp+work.EXE ][GSS ][ 3272] NameAliases: 0
[2014.05.23 13:36:35.840][INFO ][disp+work.EXE ][GSS ][ 3272] Server:
[2014.05.23 13:36:35.840][INFO ][disp+work.EXE ][GSS ][ 3272] Protocol1993:
[2014.05.23 13:36:35.840][INFO ][disp+work.EXE ][GSS ][ 3272] Available : 1
[2014.05.23 13:36:35.840][INFO ][disp+work.EXE ][GSS ][ 3272] AcceptEncMode : 1
[2014.05.23 13:36:35.840][INFO ][disp+work.EXE ][GSS ][ 3272] AcceptSigMode : 1
[2014.05.23 13:36:35.840][INFO ][disp+work.EXE ][GSS ][ 3272] SigModeMaxTTL : 86400
[2014.05.23 13:36:35.840][INFO ][disp+work.EXE ][GSS ][ 3272] Encryption algs : aes256 aes192
aes128 des3
[2014.05.23 13:36:35.840][INFO ][disp+work.EXE ][GSS ][ 3272] Hash algs : sha512 sha384
sha256 sha1 ripemd160
[2014.05.23 13:36:35.840][INFO ][disp+work.EXE ][GSS ][ 3272] Protocol2010:
[2014.05.23 13:36:35.840][INFO ][disp+work.EXE ][GSS ][ 3272] Available : 1
[2014.05.23 13:36:35.840][INFO ][disp+work.EXE ][GSS ][ 3272] RulesAlgs : 1
[2014.05.23 13:36:35.840][INFO ][disp+work.EXE ][GSS ][ 3272] CacheSize : 0
[2014.05.23 13:36:35.840][INFO ][disp+work.EXE ][GSS ][ 3272] AcceptAnonClient : 0
[2014.05.23 13:36:35.840][INFO ][disp+work.EXE ][GSS ][ 3272] SigModeMaxTTL : 86400
[2014.05.23 13:36:35.840][INFO ][disp+work.EXE ][GSS ][ 3272] Handshake hash algs : SHA256 SHA512
[2014.05.23 13:36:35.840][INFO ][disp+work.EXE ][GSS ][ 3272] Data MAC algs : HMAC-SHA256
HMAC-SHA1
[2014.05.23 13:36:35.840][INFO ][disp+work.EXE ][GSS ][ 3272] Encryption algs : AES256 AES128
RC4
[2014.05.23 13:36:35.840][INFO ][disp+work.EXE ][GSS ][ 3272] Handshake PRFs : PHASH-SHA256
PHASH-SHA512
[2014.05.23 13:36:35.840][INFO ][disp+work.EXE ][GSS ][ 3272] Data encoding : DataHeaderV1
NoDataHeader
[2014.05.23 13:36:35.840][INFO ][disp+work.EXE ][GSS ][ 3272] Key exch. algs : cl-rsa kerberos
[2014.05.23 13:36:35.840][INFO ][disp+work.EXE ][GSS ][ 3272] Name source : Subject
[2014.05.23 13:36:35.840][INFO ][disp+work.EXE ][GSS ][ 3272] Client:
[2014.05.23 13:36:35.840][INFO ][disp+work.EXE ][GSS ][ 3272] Service : NULL
[2014.05.23 13:36:35.840][INFO ][disp+work.EXE ][GSS ][ 3272] Protocol1993:
[2014.05.23 13:36:35.840][INFO ][disp+work.EXE ][GSS ][ 3272] Available : 1
[2014.05.23 13:36:35.840][INFO ][disp+work.EXE ][GSS ][ 3272] AuthMode : auto
[2014.05.23 13:36:35.840][INFO ][disp+work.EXE ][GSS ][ 3272] Encryption algs : aes256 aes192
aes128 des3
[2014.05.23 13:36:35.840][INFO ][disp+work.EXE ][GSS ][ 3272] Hash algs : sha512 sha384
sha256 sha1 ripemd160
[2014.05.23 13:36:35.840][INFO ][disp+work.EXE ][GSS ][ 3272] Protocol2010:
[2014.05.23 13:36:35.840][INFO ][disp+work.EXE ][GSS ][ 3272] Available : 1
[2014.05.23 13:36:35.840][INFO ][disp+work.EXE ][GSS ][ 3272] ParallelSessions : 0
[2014.05.23 13:36:35.840][INFO ][disp+work.EXE ][GSS ][ 3272] CacheSize : 0
[2014.05.23 13:36:35.840][INFO ][disp+work.EXE ][GSS ][ 3272] Handshake hash algs : SHA256 SHA512
[2014.05.23 13:36:35.840][INFO ][disp+work.EXE ][GSS ][ 3272] Data MAC algs : HMAC-SHA256
HMAC-SHA1
[2014.05.23 13:36:35.840][INFO ][disp+work.EXE ][GSS ][ 3272] Encryption algs : AES256 AES128
RC4
[2014.05.23 13:36:35.840][INFO ][disp+work.EXE ][GSS ][ 3272] Handshake PRFs : PHASH-SHA256
PHASH-SHA512
[2014.05.23 13:36:35.840][INFO ][disp+work.EXE ][GSS ][ 3272] Data encoding : DataHeaderV1
NoDataHeader
[2014.05.23 13:36:35.840][INFO ][disp+work.EXE ][GSS ][ 3272] Key exch. algs : cl-rsa kerberos
[2014.05.23 13:36:35.840][INFO ][disp+work.EXE ][GSS ][ 3272]
---------------------------------------------------------------
[2014.05.23 13:36:35.840][TRACE][disp+work.EXE ][GSS ][ 3272] gss_import_name input buffer (35 bytes)
[2014.05.23 13:36:35.840][TRACE][disp+work.EXE ][GSS ][ 3272] CN=SLLServiceSAP@bowieresources.com
[2014.05.23 13:36:35.840][TRACE][disp+work.EXE ][GSS ][ 3272]
434E3D534C4C5365727669636553415040626F7769657265736F75726365732E636F6D
[2014.05.23 13:36:35.840][TRACE][disp+work.EXE ][GSS ][ 3272] gss_export_name output buffer (61 bytes)
[2014.05.23 13:36:35.840][TRACE][disp+work.EXE ][GSS ][ 3272] ??????+$??%????-0+1)0'??U???
SLLServiceSAP@bowieresources.com
[2014.05.23 13:36:35.840][TRACE][disp+work.EXE ][GSS ][ 3272]
0401000806062B24030125010000002D302B3129302706035504031420534C4C5365727669636553415040626F7769657265736F75726365732E636F6D
[2014.05.23 13:36:35.840][TRACE][disp+work.EXE ][GSS ][ 3272] gss_display_name output buffer (35 bytes)
[2014.05.23 13:36:35.840][TRACE][disp+work.EXE ][GSS ][ 3272] CN=SLLServiceSAP@bowieresources.com
[2014.05.23 13:36:35.840][TRACE][disp+work.EXE ][GSS ][ 3272]
434E3D534C4C5365727669636553415040626F7769657265736F75726365732E636F6D
[2014.05.23 13:36:35.840][TRACE][disp+work.EXE ][GSS ][ 3272] gss_import_name input buffer (61 bytes)
[2014.05.23 13:36:35.840][TRACE][disp+work.EXE ][GSS ][ 3272] ??????+$??%????-0+1)0'??U???
SLLServiceSAP@bowieresources.com
[2014.05.23 13:36:35.840][TRACE][disp+work.EXE ][GSS ][ 3272]
0401000806062B24030125010000002D302B3129302706035504031420534C4C5365727669636553415040626F7769657265736F75726365732E636F6D
[2014.05.23 13:36:35.855][TRACE][disp+work.EXE ][LOADER ][ 3272] Loading config file 'C:\usr\sap\DEV\SLL\base.xml'
successful
[2014.05.23 13:36:35.855][WARN ][disp+work.EXE ][SDK loader ][ 3272] Failed to load sbuspse
[2014.05.23 13:36:35.855][TRACE][disp+work.EXE ][SDK loader ][ 3272] Loading SEC_PSE_1 unsuccessful
[2014.05.23 13:36:35.855][TRACE][disp+work.EXE ][PSE ][ 3272] Trying to open credentials file C:\usr\sap\DEV
\DVEBMGS00\sec\cred_v2.
[2014.05.23 13:36:35.855][TRACE][disp+work.EXE ][PSE ][ 3272] Refreshing PSE content
[2014.05.23 13:36:35.855][TRACE][disp+work.EXE ][LOADER ][ 3272] Opened credentials file C:\usr\sap\DEV\DVEBMGS00\sec
\cred_v2
[2014.05.23 13:36:35.855][TRACE][disp+work.EXE ][PSE ][ 3272] Try open PSE for GSS with given name
(CN=SLLServiceSAP@bowieresources.com)
[2014.05.23 13:36:35.855][INFO ][disp+work.EXE ][Loader ][ 3272] USER=SAPServiceDEV
[2014.05.23 13:36:35.886][TRACE][disp+work.EXE ][PSE ][ 3272] Searching own certificate ...
[2014.05.23 13:36:35.886][TRACE][disp+work.EXE ][PSE ][ 3272] Found 0 suitable certificates
[2014.05.23 13:36:35.886][TRACE][disp+work.EXE ][PSE ][ 3272] Adding token 'tokpse:c:\usr\sap\DEV\DVEBMGS00\sec
\SAPSNCSKERB.pse' without provided password to PSE successful
[2014.05.23 13:36:35.886][TRACE][disp+work.EXE ][GSS ][ 3272] Searching credentials for desired name
'CN=SLLServiceSAP@bowieresources.com'
[2014.05.23 13:36:35.886][TRACE][disp+work.EXE ][PSE ][ 3272] Searching own certificate ...
[2014.05.23 13:36:35.886][TRACE][disp+work.EXE ][PSE ][ 3272] SUBJECTNAME=CN=SLLServiceSAP@bowieresources.com
[2014.05.23 13:36:35.886][TRACE][disp+work.EXE ][PSE ][ 3272] Found 0 suitable certificates
[2014.05.23 13:36:35.886][TRACE][disp+work.EXE ][GSS ][ 3272] Didn't found a certificate
[2014.05.23 13:36:35.933][TRACE][disp+work.EXE ][LOADER ][ 3272] Loading config file 'C:\usr\sap\DEV\SLL\base.xml'
successful
[2014.05.23 13:36:35.949][TRACE][disp+work.EXE ][GSS ][ 3272] Inquire creds (get cred info)
[2014.05.23 13:36:35.949][TRACE][disp+work.EXE ][GSS ][ 3272] gss_export_name output buffer (61 bytes)
[2014.05.23 13:36:35.949][TRACE][disp+work.EXE ][GSS ][ 3272] ??????+$??%????-0+1)0'??U???
SLLServiceSAP@bowieresources.com
[2014.05.23 13:36:35.949][TRACE][disp+work.EXE ][GSS ][ 3272]
0401000806062B24030125010000002D302B3129302706035504031420534C4C5365727669636553415040626F7769657265736F75726365732E636F6D
[2014.05.23 13:36:35.949][TRACE][disp+work.EXE ][GSS ][ 3272] gss_display_name output buffer (35 bytes)
[2014.05.23 13:36:35.949][TRACE][disp+work.EXE ][GSS ][ 3272] CN=SLLServiceSAP@bowieresources.com
[2014.05.23 13:36:35.949][TRACE][disp+work.EXE ][GSS ][ 3272]
434E3D534C4C5365727669636553415040626F7769657265736F75726365732E636F6D
[2014.05.23 13:36:35.949][TRACE][disp+work.EXE ][GSS ][ 3272] gss_import_name input buffer (61 bytes)
[2014.05.23 13:36:35.949][TRACE][disp+work.EXE ][GSS ][ 3272] ??????+$??%????-0+1)0'??U???
SLLServiceSAP@bowieresources.com
[2014.05.23 13:36:35.949][TRACE][disp+work.EXE ][GSS ][ 3272]
0401000806062B24030125010000002D302B3129302706035504031420534C4C5365727669636553415040626F7769657265736F75726365732E636F6D
[2014.05.23 13:36:35.980][TRACE][disp+work.EXE ][LOADER ][ 3272] Loading config file 'C:\usr\sap\DEV\SLL\base.xml'
successful
[2014.05.23 13:36:35.980][TRACE][disp+work.EXE ][PSE ][ 3272] Trying to open credentials file C:\usr\sap\DEV
\DVEBMGS00\sec\cred_v2.
[2014.05.23 13:36:35.980][TRACE][disp+work.EXE ][PSE ][ 3272] Refreshing PSE content
[2014.05.23 13:36:35.980][TRACE][disp+work.EXE ][LOADER ][ 3272] Opened credentials file C:\usr\sap\DEV\DVEBMGS00\sec
\cred_v2
[2014.05.23 13:36:35.980][TRACE][disp+work.EXE ][PSE ][ 3272] Try open PSE for GSS with given name
(CN=SLLServiceSAP@bowieresources.com)
[2014.05.23 13:36:35.996][TRACE][disp+work.EXE ][PSE ][ 3272] Searching own certificate ...
[2014.05.23 13:36:35.996][TRACE][disp+work.EXE ][PSE ][ 3272] Found 0 suitable certificates
[2014.05.23 13:36:35.996][TRACE][disp+work.EXE ][PSE ][ 3272] Adding token 'tokpse:c:\usr\sap\DEV\DVEBMGS00\sec
\SAPSNCSKERB.pse' without provided password to PSE successful
[2014.05.23 13:36:35.996][TRACE][disp+work.EXE ][GSS ][ 3272] Searching credentials for desired name
'CN=SLLServiceSAP@bowieresources.com'
[2014.05.23 13:36:35.996][TRACE][disp+work.EXE ][PSE ][ 3272] Searching own certificate ...
[2014.05.23 13:36:35.996][TRACE][disp+work.EXE ][PSE ][ 3272] SUBJECTNAME=CN=SLLServiceSAP@bowieresources.com
[2014.05.23 13:36:35.996][TRACE][disp+work.EXE ][PSE ][ 3272] Found 0 suitable certificates
[2014.05.23 13:36:35.996][TRACE][disp+work.EXE ][GSS ][ 3272] Didn't found a certificate (may be kerberos is used)
[2014.05.23 13:36:35.996][TRACE][disp+work.EXE ][GSS ][ 3272] Inquire creds (get cred info)
[2014.05.23 13:36:35.996][TRACE][disp+work.EXE ][GSS ][ 3272] gss_export_name output buffer (61 bytes)
[2014.05.23 13:36:35.996][TRACE][disp+work.EXE ][GSS ][ 3272] ??????+$??%????-0+1)0'??U???
SLLServiceSAP@bowieresources.com
[2014.05.23 13:36:35.996][TRACE][disp+work.EXE ][GSS ][ 3272]
0401000806062B24030125010000002D302B3129302706035504031420534C4C5365727669636553415040626F7769657265736F75726365732E636F6D
[2014.05.23 13:36:35.996][TRACE][disp+work.EXE ][GSS ][ 3272] gss_display_name output buffer (35 bytes)
[2014.05.23 13:36:35.996][TRACE][disp+work.EXE ][GSS ][ 3272] CN=SLLServiceSAP@bowieresources.com
[2014.05.23 13:36:35.996][TRACE][disp+work.EXE ][GSS ][ 3272]
434E3D534C4C5365727669636553415040626F7769657265736F75726365732E636F6D
It looks like you are trying to use certificates together with SNC for SSO but you are using the Kerberos format for the SNC name. If you really want to use certificates, the SNC name has to be in format CN=SLLServiceSAP, OU=BOWIERESOURCES and there needs to be a matching server certificate in STRUST.
Hi Samuli,
We do not use certificates together with SNC for SSO. We just want to configure SAP NetWeaver Single Sign-On for SAP GUI for Windows with Kerberos integration.
Thanks,
Diana
In that case you should use the correct format for SNC name, see SAP note 1696905 for details. I assume you watched the video tutorials and did all the required steps? If yes and it's still not working, I would just double check that you have in fact created the Kerberos keytab on the server and the service principal names in Active Directory.
Hi Samuli,
Yes, I did watch the videos and did the required steps. I checked the service principal names and my keytab is there.
I went through the steps again. Now when I try to log in, I receive this.
These were my commands:
C:\set SECUDIR=c:\usr\sap\DEV\DVEBMGS00\sec
sapgenpse keytab -p SAPSNCSKERB.pse -a SLLServiceSAP@BOWIERESOURCES.COM
sapgenpse seclogin -p SAPSNCSKERB.pse -O SAPServiceDEV
sapgenpse seclogin -l
Can you share your version of SAP_BASIS including SP level and the version of your kernel, including patch level? For Kerberos to work in AS ABAP, you will have to meet the requirements listed in SAP note 1798979. In order to troubleshoot Kerberos in AS ABAP, see SAP note 1732610.
I just noticed that you are using Secure Login Library, it doesn't have Kerberos authentication for SAP GUI. You will have to upgrade to CommonCryptolib, see SAP note 1848999 for details. CommonCryptolib requires 7.20 kernel pl 513 or higher.
Hi Samuli,
I want to mention that I got this working on a different system that was SAP_BASIS 702, kernel 720 patch 401.
Is this correct?
c:\usr\sap\DEV\SLL>sapgenpse cryptinfo
Properties of Secure Login Crypto Kernel:
FIPS 140-2 = NO
API-VERSION = 1
VERSION = 8.4.18
FILE-VERSION = 8.4.18.0
CPU-FEATURES-SUPPORTED = AES-NI
CPU-FEATURES-ACTIVE = AES-NI
HASH-ALGORITHMS = MD2,MD4,MD5,SHA1,SHA224,SHA256,SHA384,SHA512,RIPEMD1
28,RIPEMD160,CRC32
ENCRYPTION-ALGORITHMS = RSA,ELGAMAL,AES128,AES192,AES256,DES,TDES2KEY,TDES3K
EY,IDEA,RC2,RC4,RC5_32
ENCRYPTION-MODES = ECB,CBC,CFB*8,OFB*8,CTR,CTSECB,CTSCBC,GCM
PADDING-MODES = PKCS1BT01,PKCS1BT02,PKCS1PSS,PKCS1OAEP,X.923,PEM,B1,
XML,SSL
KEYEDHASH-ALGORITHMS = HMAC
SIG-ALGORITHMS = RSA,DSA
KEYEXCHANGE-ALGORITHMS = DH
RANDOM-ALGORITHMS = CTR_DRBG
Making progress! I changed to the CommonCryptolib. My trace files went from:
Found 0 suitable certificates
Adding token 'tokpse:C:\usr\sap\DEV\DVEBMGS00\sec
to:
Found 1 suitable certificates
Found a certificate
Inquire creds (get cred info)
But I still get:
Should I just do my SSO config over again since I have to correct CRYPTO now?
Thanks so much.
Diana
I don't think there is need to do the config over again. Try different cases for the SNC name or use the method described in SAP note 1819808, notice the kernel requirement for the instance profile parameter.
C:\usr\sap\DEV\DVEBMGS00\sec>sapgenpse seclogin -l
running seclogin with USER="devadm"
0:
c:\usr\sap\DEV\DVEBMGS00\sec\SAPSNCSKERB.pse
NOT readable for devadm
NO readable SSO-Credentials available (total 1)
But if I do this:
C:\usr\sap\DEV\DVEBMGS00\sec>sapgenpse seclogin -l -O SAPServiceDEV
running seclogin with USER="devadm"
listing credentials for user "BR\SAPServiceDEV" ...
0:
c:\usr\sap\DEV\DVEBMGS00\sec\SAPSNCSKERB.pse
Options: MSCryptProtect
1 readable SSO-Credentials available
I ran STRUST and regenerated my SNC SAPCryptolib PSE. Now I receive this:
C:\usr\sap\DEV\DVEBMGS00\sec>sapgenpse seclogin -l
running seclogin with USER="devadm"
0:
c:\usr\sap\DEV\DVEBMGS00\sec\SAPSNCSKERB.pse
NOT readable for devadm
1: CN=SLLServiceSAP
C:\usr\sap\DEV\DVEBMGS00\sec\SAPSNCS.pse
NOT readable for devadm
NO readable SSO-Credentials available (total 2)
That looks just weird, the keytab doesn't have a User Principal Name. See the 2nd Kerberos SSO video tutorial at the 6 minute mark for an example of how it should look.
I don't know, I haven't seen it before. Regardless, the User Principal Name is still missing in SAPSNCSKERB.pse. Try to recreate the Kerberos keytab. Notice that you should always use the same value for SECUDIR, the PSEs get stored and retrieved from there.
Edit: LPS seems to be some kind of encryption, I don't think it's related.
Hello,
I think you mixed up some things:
Hope this clarifies this a little bit.
BTW: the LPS:OFF indication by the seclogin command has nothing to do with the Kerberos SNC configuration and can be ignored.
best regards
Alexander Gimbel
Hi Diana,
I had the same problem and I resolved it with this SAP note 1878155 - A2210231 kerberos ticket no yet valid.
There may be a time synchronization problem between Active Directory and the server. Verify the NTP service (Network Time Protocol).
KR
Alejandro Dumont
Alexander,
It is my understanding that the AD Principal user can be anything you want to use. I chose SLLServiceSAP. I create the keytab, then add the actual SAP service ID... in my case SAPServiceDEV. My commands:
sapgenpse keytab -p SAPSNCSKERB.pse -a SLLServiceSAP@bowieresources.com
sapgenpse seclogin -p SAPSNCSKERB.pse -O SAPServiceDEV
That should be fine assuming you have also added the Service Principal Name SAP/SLLServiceSAP to SLLServiceSAP@bowieresources.com and HTTP/hostname if you plan to use SPNEGO. Your commands look fine, can you maybe share the output of those commands? There must be something wrong since sapgenpse seclogin -l doesn't display the User Principal Name SLLServiceSAP@bowieresources.com.
Hi Samuli,
This still has not been resolved. I've opened a message with SAP and they have not figured it out yet either. Per your request, here is the output of my commands. Also, we are not using SPNEGO.
C:\usr\sap\DEV\SLL>set
SECUDIR=c:\usr\sap\DEV\DVEBMGS00\sec
C:\usr\sap\DEV\SLL>sapgenpse keytab -p SAPSNCSKERB.pse -a
SLLServiceSAP@bowieres
#############################################################################
License Disclaimer SAP NetWeaver Single Sign-On
You are about to configure trust for single sign-on or SNC
Client Encryption.
Please note that for single sign-on you require a license
for
SAP NetWeaver Single Sign-On.
As exception, the usage of SNC Client Encryption only
without SSO is free
as described in SAP Note 1643878.
#############################################################################
Please enter PIN: **********
Please reenter PIN: **********
Please enter keyTab password: *********
Please reenter keyTab password: *********
keytab: Created new keyTab entry.
keytab: KeyTab content stored:
KeyTab:
Realm :bowieresources.com
Component :SLLServiceSAP
Name type
Time stamp :1401749390
Version :1
Key type :3
Key length :8
KeyTab:
Realm :bowieresources.com
Component :SLLServiceSAP
Name type
Time stamp :1401749390
Version :1
Key type :17
Key length :16
KeyTab:
Realm :bowieresources.com
Component :SLLServiceSAP
Name type
Time stamp :1401749390
Version :1
Key type :18
Key length :32
KeyTab:
Realm :bowieresources.com
Component :SLLServiceSAP
Name type
Time stamp :1401749390
Version :1
Key type :23
Key length :16
C:\usr\sap\DEV\SLL>sapgenpse seclogin -p SAPSNCSKERB.pse
-O SAPServiceDEV
#############################################################################
License Disclaimer SAP NetWeaver Single Sign-On
You are about to configure trust for single sign-on or SNC
Client Encryption.
Please note that for single sign-on you require a license
for
SAP NetWeaver Single Sign-On.
As exception, the usage of SNC Client Encryption only
without SSO is free
as described in SAP Note 1643878.
#############################################################################
running seclogin with
USER="devadm"
creating credentials
for user "BR\SAPServiceDEV" ...
Please enter PIN: **********
Adjusting credentials
and PSE ACLs to include "BR\SAPServiceDEV"...
c:\usr\sap\DEV\DVEBMGS00\sec\cred_v2
... ok.
C:\usr\sap\DEV\DVEBMGS00\sec\SAPSNCS.pse
...
c:\usr\sap\DEV\DVEBMGS00\sec\SAPSNCSKERB.pse ... ok.
Added SSO-credentials
for PSE "c:\usr\sap\DEV\DVEBMGS00\sec\SAPSNCSKERB.pse"
"CN=SLLServiceSAP@bowieresources.com"
C:\usr\sap\DEV\SLL>sapgenpse seclogin -l
#############################################################################
License Disclaimer SAP NetWeaver Single Sign-On
You are about to configure trust for single sign-on or SNC
Client Encryption.
Please note that for single sign-on you require a license
for
SAP NetWeaver Single Sign-On.
As exception, the usage of SNC Client Encryption only
without SSO is free
as described in SAP Note 1643878.
#############################################################################
running seclogin with
USER="devadm"
0:
CN=SLLServiceSAP@bowieresources.com
C:\usr\sap\DEV\DVEBMGS00\sec\SAPSNCS.pse
NOT readable for
devadm
1: CN=SLLServiceSAP@bowieresources.com
c:\usr\sap\DEV\DVEBMGS00\sec\SAPSNCSKERB.pse
NOT readable for
devadm
NO readable
SSO-Credentials available (total 2)
Now the User Principal Name is shown which is good. Since you got it working on another system, I would suggest you change the kernel to the latest 7.21 kernel which is pl 300 and retry. You can always return to the previous kernel if it doesn't help. Going forward please include logs/traces as attachments, not embedded in the body of the message since they are subject to all kinds of formatting.
Hi All,
I got my SSO working at my customer site. It turns out, the issue was, the network group were giving me a ‘domain’ name to use (bowieresources.com), that wasn’t a domain at all. It was a UPN name. Once I got that figured out and reconfigured everything (in the same domain) it worked. My customer actually had multiple domains, and I was afraid that would be an issue. But since the trust was set up properly between domains, all I had to do was enter the proper Kerberos ticket (from secure login client install) name in the SNC Tab in SU01 and everything worked fine.
Thanks all!
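Added example (not part of the original thread and not SAP's own tooling): a small Python check for the symptom the replies kept returning to, namely a `sapgenpse seclogin -l` listing in which the Kerberos PSE has no subject name, or a name that does not match `snc/identity/as`. The function names and sample text are constructed for illustration from the output shapes posted above; treating a case-only difference as a finding is an assumption based on the advice to try different cases for the SNC name.

```python
import re

# Entry header shapes seen in the thread: "0:", "1: CN=...", "1 (LPS:OFF): CN=..."
ENTRY_RE = re.compile(r"^(\d+)\s*(?:\(LPS:\w+\))?\s*:\s*(.*)$")
# PSE path line, optionally prefixed with "(LPS:OFF):"
PATH_RE = re.compile(r"^(?:\(LPS:\w+\)\s*:\s*)?(\S.*\.pse)$", re.IGNORECASE)

# Constructed samples, modelled on the profile and listings posted in the thread.
SAMPLE_PROFILE = r"""
snc/enable = 1
snc/identity/as = p:CN=SLLServiceSAP@bowieresources.com
"""
SAMPLE_LISTING = r"""
running seclogin with USER="devadm"
0:
c:\usr\sap\DEV\DVEBMGS00\sec\SAPSNCSKERB.pse
NOT readable for devadm
1: CN=SLLServiceSAP
C:\usr\sap\DEV\DVEBMGS00\sec\SAPSNCS.pse
NOT readable for devadm
NO readable SSO-Credentials available (total 2)
"""


def parse_seclogin_list(text):
    """Return one dict per credential entry: index, subject, pse, readable."""
    entries, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        header = ENTRY_RE.match(line)
        if header:
            current = {"index": int(header.group(1)),
                       "subject": header.group(2).strip() or None,
                       "pse": None, "readable": True}
            entries.append(current)
        elif current is None:
            continue  # banner lines before the first entry
        elif line.upper().startswith("NOT READABLE"):
            current["readable"] = False
        elif current["pse"] is None:
            if current["subject"] is None and line.upper().startswith("CN="):
                current["subject"] = line  # subject wrapped onto its own line
            else:
                path = PATH_RE.match(line)
                if path:
                    current["pse"] = path.group(1)
    return entries


def snc_name_from_profile(profile_text):
    """Return snc/identity/as without the 'p:' name-type prefix, or None."""
    for line in profile_text.splitlines():
        key, _, value = line.partition("=")
        if key.strip() == "snc/identity/as":
            value = value.strip()
            return value[2:] if value.lower().startswith("p:") else value
    return None


def diagnose(profile_text, seclogin_text, kerberos_pse="SAPSNCSKERB.pse"):
    """Compare the configured SNC name with the Kerberos PSE entries."""
    wanted = snc_name_from_profile(profile_text)
    kerb = [e for e in parse_seclogin_list(seclogin_text)
            if e["pse"] and e["pse"].lower().endswith(kerberos_pse.lower())]
    findings = [] if kerb else [f"no credential entry for {kerberos_pse}"]
    for e in kerb:
        tag = f"entry {e['index']}: {kerberos_pse}"
        if e["subject"] is None:
            findings.append(f"{tag} has no subject name (keytab entry "
                            "missing its User Principal Name)")
        elif wanted and e["subject"] != wanted:
            kind = ("differs only in case from"
                    if e["subject"].lower() == wanted.lower()
                    else "does not match")
            findings.append(f"{tag} subject {e['subject']} {kind} {wanted}")
        if not e["readable"]:
            findings.append(f"{tag} is not readable for the listing user; "
                            "list again with -O <service user>")
    return findings


if __name__ == "__main__":
    for finding in diagnose(SAMPLE_PROFILE, SAMPLE_LISTING):
        print(finding)
```
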