
GSS-API(maj): No credentials were supplied Unable to establish the security

Former Member
0 Kudos

Hello,

I am currently configuring SAP SSO for ABAP in a Windows environment. (2012)

I downloaded all the latest files.

Created user SLLServiceSAP on the AD server.

I set my profile parameters:

### SSO

snc/enable = 1

snc/gssapi_lib = C:\usr\sap\DEV\SLL\secgss.dll

snc/identity/as = p:CN=SLLServiceSAP@bowieresources.com

snc/data_protection/max = 3

snc/data_protection/min = 2

snc/data_protection/use = 3

snc/r3int_rfc_secure = 0

snc/r3int_rfc_qop = 8

snc/accept_insecure_cpic = 1

snc/accept_insecure_gui = 1

snc/accept_insecure_rfc = 1

snc/permit_insecure_start = 1

snc/force_login_screen = 0

snc/accept_insecure_r3int_rfc = 1

snc/extid_login_diag = 1

snc/extid_login_rfc = 1

I set my environment variables:

SECUDIR C:\usr\sap\DEV\DVEBMGS00\sec

SNC_LIB C:\usr\sap\DEV\SLL\secgss.dll

I installed the Secure Library on my SAP server and ran all setup/config commands successfully with no errors.

/sec contains:

I ran the Secure Client install on my workstation:

My SAPLogon 'Network' Tab reads: p:CN=SLLServiceSAP@bowieresources.com

My 'SNC' Tab reads:

When I execute a logon, I receive:

Any insight/help would be much appreciated.

Thanks,

Diana


Accepted Solutions (0)

Answers (2)


Former Member
0 Kudos

Hi Samuli Kaski,


I have the same issue (GSS-API(maj): No credentials were supplied Unable to establish the security).


sapgenpse seclogin -l doesn't display the userPrincipal Name, whereas I used the command below to generate the PSE:


sapgenpse keytab -p SAPSNCSKERB.pse -X <UPN password> -a <UPN>
#############################################################################
License Disclaimer SAP NetWeaver Single Sign-On
You are about to configure trust for single sign-on or SNC Client Encryption.
Please note that for single sign-on you require a license for
SAP NetWeaver Single Sign-On.
As exception, the usage of SNC Client Encryption only without SSO is free
as described in SAP Note 1643878.
#############################################################################

WARNING: it is recommended to use -y instead of -X
Please enter PSE PIN/Passphrase: **********
Please reenter PSE PIN/Passphrase: **********

!!! WARNING: For security reasons it is recommended to use a PIN/passphrase
!!! WARNING: which is at least 8 characters long and contains characters in
!!! WARNING: upper and lower case, numbers and non-alphanumeric symbols.

keytab: Created new keyTab entry.
keytab: KeyTab content stored:

    Version  Time stamp                 KeyType   Kerberos name

          1  Fri Mar  4 11:24:07 2016   DES       <UPN>@domaine
          1  Fri Mar  4 11:24:07 2016   AES128    <UPN>@domaine
          1  Fri Mar  4 11:24:07 2016   AES256    <UPN>@domaine
          1  Fri Mar  4 11:24:07 2016   RC4       <UPN>@domaine
keytab: Created PSE /usr/sap/<SID>/DVEBMGS00/sec/SAPSNCSKERB.pse.


sapgenpse seclogin -p SAPSNCSKERB.pse -O <sidadm>


sapgenpse seclogin -l
running seclogin with USER="<sidadm>"

0 (LPS:OFF):
         (LPS:OFF): /usr/sap/<SID>/DVEBMGS00/sec/SAPSNCSKERB.pse

1 (LPS:OFF): CN=<UPN>@domaine
         (LPS:OFF): /usr/sap/<SID>/DVEBMGS00/sec/SAPSNCS.pse

2 (LPS:OFF):
         (LPS:OFF): /usr/sap/<SID/DVEBMGS00/sec/SAPSNCSKERB.pse


3 readable SSO-Credentials available

I don't have any CN for SAPSNCSKERB.pse

Could you help me?

Regards


Former Member
0 Kudos

Here is a trace file.

----------------------------------------------------------------------------
Trace file   : "C:\usr\sap\DEV\SLL/../SLLTrace\sec-00616.trc"
Trace level  : 4
Process id   : 616
----------------------------------------------------------------------------
[YYYY.MM.DD HH:MM:SS.MIL][LEVEL][PROCESS             ][MODULE      ][THR_ID]
[2014.05.23 13:36:35.355][INFO ][disp+work.EXE       ][Loader      ][  3272] CryptoLib 2.0 (8.4.1.32) (c) 2011-2013 SAP AG for

windows-x86-64
[2014.05.23 13:36:35.355][INFO ][disp+work.EXE       ][Loader      ][  3272] SECUDIR=C:\usr\sap\DEV\DVEBMGS00/sec
[2014.05.23 13:36:35.355][INFO ][disp+work.EXE       ][Loader      ][  3272] HOMEDRIVE=NULL
[2014.05.23 13:36:35.355][INFO ][disp+work.EXE       ][Loader      ][  3272] HOMEPATH=NULL
[2014.05.23 13:36:35.699][INFO ][disp+work.EXE       ][SDK loader  ][  3272] Secure Login Crypto Kernel features:
[2014.05.23 13:36:35.699][INFO ][disp+work.EXE       ][SDK loader  ][  3272]   FIPS 140-2                = NO
[2014.05.23 13:36:35.699][INFO ][disp+work.EXE       ][SDK loader  ][  3272]   API-VERSION               = 1
[2014.05.23 13:36:35.699][INFO ][disp+work.EXE       ][SDK loader  ][  3272]   VERSION                   = 2.0.0.1.32
[2014.05.23 13:36:35.699][INFO ][disp+work.EXE       ][SDK loader  ][  3272]   FILE-VERSION              = 8.4.1.32
[2014.05.23 13:36:35.699][INFO ][disp+work.EXE       ][SDK loader  ][  3272]   CPU-FEATURES-SUPPORTED    = AES-NI
[2014.05.23 13:36:35.699][INFO ][disp+work.EXE       ][SDK loader  ][  3272]   CPU-FEATURES-ACTIVE       = AES-NI
[2014.05.23 13:36:35.699][INFO ][disp+work.EXE       ][SDK loader  ][  3272]   HASH-ALGORITHMS           =

MD2,MD4,MD5,SHA1,SHA224,SHA256,SHA384,SHA512,RIPEMD128,RIPEMD160,CRC32
[2014.05.23 13:36:35.699][INFO ][disp+work.EXE       ][SDK loader  ][  3272]   ENCRYPTION-ALGORITHMS     =

RSA,ELGAMAL,AES128,AES192,AES256,DES,TDES2KEY,TDES2KEY,IDEA,RC2,RC4,RC5_32
[2014.05.23 13:36:35.699][INFO ][disp+work.EXE       ][SDK loader  ][  3272]   ENCRYPTION-MODES          =

ECB,CBC,CFB*8,OFB*8,CTR,CTSECB,CTSCBC,GCM
[2014.05.23 13:36:35.699][INFO ][disp+work.EXE       ][SDK loader  ][  3272]   PADDING-MODES             =

PKCS1BT01,PKCS1BT02,PKCS1PSS,PKCS1OAEP,X.923,PEM,B1,XML,SSL
[2014.05.23 13:36:35.699][INFO ][disp+work.EXE       ][SDK loader  ][  3272]   KEYEDHASH-ALGORITHMS      = HMAC
[2014.05.23 13:36:35.699][INFO ][disp+work.EXE       ][SDK loader  ][  3272]   SIG-ALGORITHMS            = RSA,DSA
[2014.05.23 13:36:35.699][INFO ][disp+work.EXE       ][SDK loader  ][  3272]   KEYEXCHANGE-ALGORITHMS    = DH
[2014.05.23 13:36:35.699][INFO ][disp+work.EXE       ][SDK loader  ][  3272]   RANDOM-ALGORITHMS         = CTR_DRBG
[2014.05.23 13:36:35.730][TRACE][disp+work.EXE       ][LOADER      ][  3272] Loading config file 'C:\usr\sap\DEV\SLL\base.xml'

successful
[2014.05.23 13:36:35.730][TRACE][disp+work.EXE       ][GSS         ][  3272] Initializing GSS library by call to

gss_indicate_mechs
[2014.05.23 13:36:35.746][TRACE][disp+work.EXE       ][LOADER      ][  3272] Loading XML file 'C:\usr\sap\DEV\SLL\gss.xml'

successful
[2014.05.23 13:36:35.840][TRACE][disp+work.EXE       ][LOADER      ][  3272] Loading config file 'C:\usr\sap\DEV\SLL\pkcs11.xml'

successful
[2014.05.23 13:36:35.840][INFO ][disp+work.EXE       ][GSS         ][  3272] GSS configuration:
[2014.05.23 13:36:35.840][INFO ][disp+work.EXE       ][GSS         ][  3272]     Profile: FullClient
[2014.05.23 13:36:35.840][INFO ][disp+work.EXE       ][GSS         ][  3272]     NameCharSet: latin1
[2014.05.23 13:36:35.840][INFO ][disp+work.EXE       ][GSS         ][  3272]     NameAliases: 0
[2014.05.23 13:36:35.840][INFO ][disp+work.EXE       ][GSS         ][  3272]     Server:
[2014.05.23 13:36:35.840][INFO ][disp+work.EXE       ][GSS         ][  3272]         Protocol1993:
[2014.05.23 13:36:35.840][INFO ][disp+work.EXE       ][GSS         ][  3272]             Available           : 1
[2014.05.23 13:36:35.840][INFO ][disp+work.EXE       ][GSS         ][  3272]             AcceptEncMode       : 1
[2014.05.23 13:36:35.840][INFO ][disp+work.EXE       ][GSS         ][  3272]             AcceptSigMode       : 1
[2014.05.23 13:36:35.840][INFO ][disp+work.EXE       ][GSS         ][  3272]             SigModeMaxTTL       : 86400
[2014.05.23 13:36:35.840][INFO ][disp+work.EXE       ][GSS         ][  3272]             Encryption algs     : aes256   aes192  

aes128   des3 
[2014.05.23 13:36:35.840][INFO ][disp+work.EXE       ][GSS         ][  3272]             Hash algs           : sha512   sha384  

sha256   sha1   ripemd160 
[2014.05.23 13:36:35.840][INFO ][disp+work.EXE       ][GSS         ][  3272]         Protocol2010:
[2014.05.23 13:36:35.840][INFO ][disp+work.EXE       ][GSS         ][  3272]             Available           : 1
[2014.05.23 13:36:35.840][INFO ][disp+work.EXE       ][GSS         ][  3272]             RulesAlgs           : 1
[2014.05.23 13:36:35.840][INFO ][disp+work.EXE       ][GSS         ][  3272]             CacheSize           : 0
[2014.05.23 13:36:35.840][INFO ][disp+work.EXE       ][GSS         ][  3272]             AcceptAnonClient    : 0
[2014.05.23 13:36:35.840][INFO ][disp+work.EXE       ][GSS         ][  3272]             SigModeMaxTTL       : 86400
[2014.05.23 13:36:35.840][INFO ][disp+work.EXE       ][GSS         ][  3272]             Handshake hash algs : SHA256   SHA512 
[2014.05.23 13:36:35.840][INFO ][disp+work.EXE       ][GSS         ][  3272]             Data MAC algs       : HMAC-SHA256  

HMAC-SHA1 
[2014.05.23 13:36:35.840][INFO ][disp+work.EXE       ][GSS         ][  3272]             Encryption algs     : AES256   AES128  

RC4 
[2014.05.23 13:36:35.840][INFO ][disp+work.EXE       ][GSS         ][  3272]             Handshake PRFs      : PHASH-SHA256  

PHASH-SHA512 
[2014.05.23 13:36:35.840][INFO ][disp+work.EXE       ][GSS         ][  3272]             Data encoding       : DataHeaderV1  

NoDataHeader 
[2014.05.23 13:36:35.840][INFO ][disp+work.EXE       ][GSS         ][  3272]             Key exch. algs      : cl-rsa   kerberos 
[2014.05.23 13:36:35.840][INFO ][disp+work.EXE       ][GSS         ][  3272]             Name source         : Subject 
[2014.05.23 13:36:35.840][INFO ][disp+work.EXE       ][GSS         ][  3272]     Client:
[2014.05.23 13:36:35.840][INFO ][disp+work.EXE       ][GSS         ][  3272]         Service                 : NULL
[2014.05.23 13:36:35.840][INFO ][disp+work.EXE       ][GSS         ][  3272]         Protocol1993:
[2014.05.23 13:36:35.840][INFO ][disp+work.EXE       ][GSS         ][  3272]             Available           : 1
[2014.05.23 13:36:35.840][INFO ][disp+work.EXE       ][GSS         ][  3272]             AuthMode            : auto
[2014.05.23 13:36:35.840][INFO ][disp+work.EXE       ][GSS         ][  3272]             Encryption algs     : aes256   aes192  

aes128   des3 
[2014.05.23 13:36:35.840][INFO ][disp+work.EXE       ][GSS         ][  3272]             Hash algs           : sha512   sha384  

sha256   sha1   ripemd160 
[2014.05.23 13:36:35.840][INFO ][disp+work.EXE       ][GSS         ][  3272]         Protocol2010:
[2014.05.23 13:36:35.840][INFO ][disp+work.EXE       ][GSS         ][  3272]             Available           : 1
[2014.05.23 13:36:35.840][INFO ][disp+work.EXE       ][GSS         ][  3272]             ParallelSessions    : 0
[2014.05.23 13:36:35.840][INFO ][disp+work.EXE       ][GSS         ][  3272]             CacheSize           : 0
[2014.05.23 13:36:35.840][INFO ][disp+work.EXE       ][GSS         ][  3272]             Handshake hash algs : SHA256   SHA512 
[2014.05.23 13:36:35.840][INFO ][disp+work.EXE       ][GSS         ][  3272]             Data MAC algs       : HMAC-SHA256  

HMAC-SHA1 
[2014.05.23 13:36:35.840][INFO ][disp+work.EXE       ][GSS         ][  3272]             Encryption algs     : AES256   AES128  

RC4 
[2014.05.23 13:36:35.840][INFO ][disp+work.EXE       ][GSS         ][  3272]             Handshake PRFs      : PHASH-SHA256  

PHASH-SHA512 
[2014.05.23 13:36:35.840][INFO ][disp+work.EXE       ][GSS         ][  3272]             Data encoding       : DataHeaderV1  

NoDataHeader 
[2014.05.23 13:36:35.840][INFO ][disp+work.EXE       ][GSS         ][  3272]             Key exch. algs      : cl-rsa   kerberos 
[2014.05.23 13:36:35.840][INFO ][disp+work.EXE       ][GSS         ][  3272]

---------------------------------------------------------------
[2014.05.23 13:36:35.840][TRACE][disp+work.EXE       ][GSS         ][  3272] gss_import_name input buffer (35 bytes)
[2014.05.23 13:36:35.840][TRACE][disp+work.EXE       ][GSS         ][  3272]  CN=SLLServiceSAP@bowieresources.com
[2014.05.23 13:36:35.840][TRACE][disp+work.EXE       ][GSS         ][  3272] 

434E3D534C4C5365727669636553415040626F7769657265736F75726365732E636F6D
[2014.05.23 13:36:35.840][TRACE][disp+work.EXE       ][GSS         ][  3272] gss_export_name output buffer (61 bytes)
[2014.05.23 13:36:35.840][TRACE][disp+work.EXE       ][GSS         ][  3272]  ??????+$??%????-0+1)0'??U???

SLLServiceSAP@bowieresources.com
[2014.05.23 13:36:35.840][TRACE][disp+work.EXE       ][GSS         ][  3272] 

0401000806062B24030125010000002D302B3129302706035504031420534C4C5365727669636553415040626F7769657265736F75726365732E636F6D
[2014.05.23 13:36:35.840][TRACE][disp+work.EXE       ][GSS         ][  3272] gss_display_name output buffer (35 bytes)
[2014.05.23 13:36:35.840][TRACE][disp+work.EXE       ][GSS         ][  3272]  CN=SLLServiceSAP@bowieresources.com
[2014.05.23 13:36:35.840][TRACE][disp+work.EXE       ][GSS         ][  3272] 

434E3D534C4C5365727669636553415040626F7769657265736F75726365732E636F6D
[2014.05.23 13:36:35.840][TRACE][disp+work.EXE       ][GSS         ][  3272] gss_import_name input buffer (61 bytes)
[2014.05.23 13:36:35.840][TRACE][disp+work.EXE       ][GSS         ][  3272]  ??????+$??%????-0+1)0'??U???

SLLServiceSAP@bowieresources.com
[2014.05.23 13:36:35.840][TRACE][disp+work.EXE       ][GSS         ][  3272] 

0401000806062B24030125010000002D302B3129302706035504031420534C4C5365727669636553415040626F7769657265736F75726365732E636F6D
[2014.05.23 13:36:35.855][TRACE][disp+work.EXE       ][LOADER      ][  3272] Loading config file 'C:\usr\sap\DEV\SLL\base.xml'

successful
[2014.05.23 13:36:35.855][WARN ][disp+work.EXE       ][SDK loader  ][  3272] Failed to load sbuspse
[2014.05.23 13:36:35.855][TRACE][disp+work.EXE       ][SDK loader  ][  3272] Loading              SEC_PSE_1 unsuccessful
[2014.05.23 13:36:35.855][TRACE][disp+work.EXE       ][PSE         ][  3272] Trying to open credentials file C:\usr\sap\DEV

\DVEBMGS00\sec\cred_v2.
[2014.05.23 13:36:35.855][TRACE][disp+work.EXE       ][PSE         ][  3272] Refreshing PSE content
[2014.05.23 13:36:35.855][TRACE][disp+work.EXE       ][LOADER      ][  3272] Opened credentials file C:\usr\sap\DEV\DVEBMGS00\sec

\cred_v2
[2014.05.23 13:36:35.855][TRACE][disp+work.EXE       ][PSE         ][  3272] Try open PSE for GSS with given name

(CN=SLLServiceSAP@bowieresources.com)
[2014.05.23 13:36:35.855][INFO ][disp+work.EXE       ][Loader      ][  3272] USER=SAPServiceDEV
[2014.05.23 13:36:35.886][TRACE][disp+work.EXE       ][PSE         ][  3272] Searching own certificate ...
[2014.05.23 13:36:35.886][TRACE][disp+work.EXE       ][PSE         ][  3272]     Found 0 suitable certificates
[2014.05.23 13:36:35.886][TRACE][disp+work.EXE       ][PSE         ][  3272] Adding token 'tokpse:c:\usr\sap\DEV\DVEBMGS00\sec

\SAPSNCSKERB.pse' without provided password to PSE successful
[2014.05.23 13:36:35.886][TRACE][disp+work.EXE       ][GSS         ][  3272] Searching credentials for desired name

'CN=SLLServiceSAP@bowieresources.com'
[2014.05.23 13:36:35.886][TRACE][disp+work.EXE       ][PSE         ][  3272] Searching own certificate ...
[2014.05.23 13:36:35.886][TRACE][disp+work.EXE       ][PSE         ][  3272]       SUBJECTNAME=CN=SLLServiceSAP@bowieresources.com
[2014.05.23 13:36:35.886][TRACE][disp+work.EXE       ][PSE         ][  3272]     Found 0 suitable certificates
[2014.05.23 13:36:35.886][TRACE][disp+work.EXE       ][GSS         ][  3272] Didn't found a certificate
[2014.05.23 13:36:35.933][TRACE][disp+work.EXE       ][LOADER      ][  3272] Loading config file 'C:\usr\sap\DEV\SLL\base.xml'

successful
[2014.05.23 13:36:35.949][TRACE][disp+work.EXE       ][GSS         ][  3272] Inquire creds (get cred info)
[2014.05.23 13:36:35.949][TRACE][disp+work.EXE       ][GSS         ][  3272] gss_export_name output buffer (61 bytes)
[2014.05.23 13:36:35.949][TRACE][disp+work.EXE       ][GSS         ][  3272]  ??????+$??%????-0+1)0'??U???

SLLServiceSAP@bowieresources.com
[2014.05.23 13:36:35.949][TRACE][disp+work.EXE       ][GSS         ][  3272] 

0401000806062B24030125010000002D302B3129302706035504031420534C4C5365727669636553415040626F7769657265736F75726365732E636F6D
[2014.05.23 13:36:35.949][TRACE][disp+work.EXE       ][GSS         ][  3272] gss_display_name output buffer (35 bytes)
[2014.05.23 13:36:35.949][TRACE][disp+work.EXE       ][GSS         ][  3272]  CN=SLLServiceSAP@bowieresources.com
[2014.05.23 13:36:35.949][TRACE][disp+work.EXE       ][GSS         ][  3272] 

434E3D534C4C5365727669636553415040626F7769657265736F75726365732E636F6D
[2014.05.23 13:36:35.949][TRACE][disp+work.EXE       ][GSS         ][  3272] gss_import_name input buffer (61 bytes)
[2014.05.23 13:36:35.949][TRACE][disp+work.EXE       ][GSS         ][  3272]  ??????+$??%????-0+1)0'??U???

SLLServiceSAP@bowieresources.com
[2014.05.23 13:36:35.949][TRACE][disp+work.EXE       ][GSS         ][  3272] 

0401000806062B24030125010000002D302B3129302706035504031420534C4C5365727669636553415040626F7769657265736F75726365732E636F6D
[2014.05.23 13:36:35.980][TRACE][disp+work.EXE       ][LOADER      ][  3272] Loading config file 'C:\usr\sap\DEV\SLL\base.xml'

successful
[2014.05.23 13:36:35.980][TRACE][disp+work.EXE       ][PSE         ][  3272] Trying to open credentials file C:\usr\sap\DEV

\DVEBMGS00\sec\cred_v2.
[2014.05.23 13:36:35.980][TRACE][disp+work.EXE       ][PSE         ][  3272] Refreshing PSE content
[2014.05.23 13:36:35.980][TRACE][disp+work.EXE       ][LOADER      ][  3272] Opened credentials file C:\usr\sap\DEV\DVEBMGS00\sec

\cred_v2
[2014.05.23 13:36:35.980][TRACE][disp+work.EXE       ][PSE         ][  3272] Try open PSE for GSS with given name

(CN=SLLServiceSAP@bowieresources.com)
[2014.05.23 13:36:35.996][TRACE][disp+work.EXE       ][PSE         ][  3272] Searching own certificate ...
[2014.05.23 13:36:35.996][TRACE][disp+work.EXE       ][PSE         ][  3272]     Found 0 suitable certificates
[2014.05.23 13:36:35.996][TRACE][disp+work.EXE       ][PSE         ][  3272] Adding token 'tokpse:c:\usr\sap\DEV\DVEBMGS00\sec

\SAPSNCSKERB.pse' without provided password to PSE successful
[2014.05.23 13:36:35.996][TRACE][disp+work.EXE       ][GSS         ][  3272] Searching credentials for desired name

'CN=SLLServiceSAP@bowieresources.com'
[2014.05.23 13:36:35.996][TRACE][disp+work.EXE       ][PSE         ][  3272] Searching own certificate ...
[2014.05.23 13:36:35.996][TRACE][disp+work.EXE       ][PSE         ][  3272]       SUBJECTNAME=CN=SLLServiceSAP@bowieresources.com
[2014.05.23 13:36:35.996][TRACE][disp+work.EXE       ][PSE         ][  3272]     Found 0 suitable certificates
[2014.05.23 13:36:35.996][TRACE][disp+work.EXE       ][GSS         ][  3272] Didn't found a certificate (may be kerberos is used)
[2014.05.23 13:36:35.996][TRACE][disp+work.EXE       ][GSS         ][  3272] Inquire creds (get cred info)
[2014.05.23 13:36:35.996][TRACE][disp+work.EXE       ][GSS         ][  3272] gss_export_name output buffer (61 bytes)
[2014.05.23 13:36:35.996][TRACE][disp+work.EXE       ][GSS         ][  3272]  ??????+$??%????-0+1)0'??U???

SLLServiceSAP@bowieresources.com
[2014.05.23 13:36:35.996][TRACE][disp+work.EXE       ][GSS         ][  3272] 

0401000806062B24030125010000002D302B3129302706035504031420534C4C5365727669636553415040626F7769657265736F75726365732E636F6D
[2014.05.23 13:36:35.996][TRACE][disp+work.EXE       ][GSS         ][  3272] gss_display_name output buffer (35 bytes)
[2014.05.23 13:36:35.996][TRACE][disp+work.EXE       ][GSS         ][  3272]  CN=SLLServiceSAP@bowieresources.com
[2014.05.23 13:36:35.996][TRACE][disp+work.EXE       ][GSS         ][  3272] 

434E3D534C4C5365727669636553415040626F7769657265736F75726365732E636F6D

Former Member
0 Kudos

It looks like you are trying to use certificates together with SNC for SSO but you are using the Kerberos format for the SNC name. If you really want to use certificates, the SNC name has to be in the format CN=SLLServiceSAP, OU=BOWIERESOURCES and there needs to be a matching server certificate in STRUST.

Sriram2009
Active Contributor
0 Kudos

Hi Diana

Could you refer to SAP Note 1501792?

BR

SS

Former Member
0 Kudos

Hi Samuli,

We do not use certificates together with SNC for SSO. We just want to configure SAP NetWeaver Single Sign-On for SAP GUI for Windows with Kerberos integration.

http://scn.sap.com/community/netweaver-sso/blog/2012/08/17/how-to-configure-sap-netweaver-single-sig...

Thanks,

Diana

Former Member
0 Kudos

In that case you should use the correct format for SNC name, see SAP note 1696905 for details. I assume you watched the video tutorials and did all the required steps? If yes and it's still not working, I would just double check that you have in fact created the Kerberos keytab on the server and the service principal names in Active Directory.

Former Member
0 Kudos


Hi Samuli,

Yes, I did watch the videos and did the required steps. I checked the service principal names and my keytab is there.

I went through the steps again. Now when I try to log in, I receive this.

These were my commands:

C:\set SECUDIR=c:\usr\sap\DEV\DVEBMGS00\sec


sapgenpse keytab -p SAPSNCSKERB.pse -a SLLServiceSAP@BOWIERESOURCES.COM

sapgenpse seclogin -p SAPSNCSKERB.pse -O SAPServiceDEV

sapgenpse seclogin -l

Former Member
0 Kudos

Sorry, my Network Tab was incorrect. Back to square one with the original error.

Former Member
0 Kudos

Can you share your version of SAP_BASIS including SP level and the version of your kernel, including patch level? For Kerberos to work in AS ABAP, you will have to meet the requirements listed in SAP note 1798979. In order to troubleshoot Kerberos in AS ABAP, see SAP note 1732610.

Former Member
0 Kudos

Hi Samuli,

SAP_BASIS = 731 SP8

Kernel = 720_EXT_REL; Patch Number 500

Thanks,

Diana

Former Member
0 Kudos

Hi Samuli,

We aren't using browser based SSO, we are using client based.

Thanks,

Diana

Former Member
0 Kudos

I just noticed that you are using Secure Login Library, it doesn't have Kerberos authentication for SAP GUI. You will have to upgrade to CommonCryptolib, see SAP note 1848999 for details. CommonCryptolib requires 7.20 kernel pl 513 or higher.

Former Member
0 Kudos

Hi Samuli,

I want to mention that I got this working on a different system that was SAP_BASIS 702, kernel 720 patch 401.

Is this correct?

c:\usr\sap\DEV\SLL>sapgenpse cryptinfo
Properties of Secure Login Crypto Kernel:

FIPS 140-2                = NO
API-VERSION               = 1
VERSION                   = 8.4.18
FILE-VERSION              = 8.4.18.0
CPU-FEATURES-SUPPORTED    = AES-NI
CPU-FEATURES-ACTIVE       = AES-NI
HASH-ALGORITHMS           = MD2,MD4,MD5,SHA1,SHA224,SHA256,SHA384,SHA512,RIPEMD128,RIPEMD160,CRC32
ENCRYPTION-ALGORITHMS     = RSA,ELGAMAL,AES128,AES192,AES256,DES,TDES2KEY,TDES3KEY,IDEA,RC2,RC4,RC5_32
ENCRYPTION-MODES          = ECB,CBC,CFB*8,OFB*8,CTR,CTSECB,CTSCBC,GCM
PADDING-MODES             = PKCS1BT01,PKCS1BT02,PKCS1PSS,PKCS1OAEP,X.923,PEM,B1,XML,SSL
KEYEDHASH-ALGORITHMS      = HMAC
SIG-ALGORITHMS            = RSA,DSA
KEYEXCHANGE-ALGORITHMS    = DH
RANDOM-ALGORITHMS         = CTR_DRBG

Former Member
0 Kudos

Yes, that is the CommonCryptolib (8.4.18), whereas the other system has Secure Login Library (8.4.1.32).

Former Member
0 Kudos

Making progress! I changed to the CommonCryptolib. My trace files went from:

Found 0 suitable certificates

Adding token 'tokpse:C:\usr\sap\DEV\DVEBMGS00\sec

to:

Found 1 suitable certificates

Found a certificate

Inquire creds (get cred info)

But I still get:

Should I just do my SSO config over again since I have to correct CRYPTO now?

Thanks so much.

Diana

Former Member
0 Kudos

I don't think there is need to do the config over again. Try different cases for the SNC name or use the method described in SAP note 1819808, notice the kernel requirement for the instance profile parameter.

Former Member
0 Kudos

The instance profile parameter might be relevant for the user SNC name only, I'm not sure. Anyway, make sure the SNC name in SAP Logon matches the one in the Kerberos keytab and in the instance profile and that it is found in the Active Directory. I believe it is case sensitive.

Former Member
0 Kudos

SAPLogon -> Network:

Profile Parameter:

Active Directory:

Former Member
0 Kudos

And the Kerberos keytab on the server?

Former Member
0 Kudos


I'm not sure what you mean by 'Kerberos keytab on the server'.  This?

Former Member
0 Kudos

Yes, use sapgenpse seclogin -l to display existing entries.

Former Member
0 Kudos

C:\usr\sap\DEV\DVEBMGS00\sec>sapgenpse seclogin -l
running seclogin with USER="devadm"

0:
         c:\usr\sap\DEV\DVEBMGS00\sec\SAPSNCSKERB.pse
      NOT readable for devadm


NO readable SSO-Credentials available (total 1)

But if I do this:

C:\usr\sap\DEV\DVEBMGS00\sec>sapgenpse seclogin -l -O SAPServiceDEV
running seclogin with USER="devadm"
listing credentials for user "BR\SAPServiceDEV" ...

0:
         c:\usr\sap\DEV\DVEBMGS00\sec\SAPSNCSKERB.pse
      Options:  MSCryptProtect


1 readable SSO-Credentials available

Former Member
0 Kudos

I ran STRUST and regenerated my SNC SAPCryptolib PSE. Now I receive this:

C:\usr\sap\DEV\DVEBMGS00\sec>sapgenpse seclogin -l
running seclogin with USER="devadm"

0:
         c:\usr\sap\DEV\DVEBMGS00\sec\SAPSNCSKERB.pse
      NOT readable for devadm

1: CN=SLLServiceSAP
         C:\usr\sap\DEV\DVEBMGS00\sec\SAPSNCS.pse
      NOT readable for devadm


NO readable SSO-Credentials available (total 2)

Former Member
0 Kudos

That looks just weird, the keytab doesn't have a User Principal Name. See the 2nd Kerberos SSO video tutorial at the 6 minute mark for an example of how it should look.

Former Member
0 Kudos

The Kerberos SNC PSE (SAPSNCSKERB.pse) still looks wrong, it is missing the User Principal Name. Maybe you should follow the instructions in the video tutorial to properly create it.

Former Member
0 Kudos

SLLServiceSAP is my principal name:

1: CN=SLLServiceSAP

         C:\usr\sap\DEV\DVEBMGS00\sec\SAPSNCS.pse

Former Member
0 Kudos

SAPSNCS.pse is the PSE for certificate based SSO. The Kerberos based SSO PSE is SAPSNCSKERB.pse and according to the output it doesn't have a User Principal Name.
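
The check the replies above keep making by eye (does the Kerberos PSE in the `sapgenpse seclogin -l` listing carry a name, and does that name match the SNC name in the instance profile), as an added example that is not part of the original thread and is not SAP code. The function names are hypothetical, the two sample listings are constructed from the layouts pasted in this thread, and the case-sensitive comparison follows the belief stated in the thread.

```python
import re

# Constructed samples in the two listing layouts pasted in this thread.
SAMPLE_NO_UPN = r"""running seclogin with USER="devadm"

0:
         c:\usr\sap\DEV\DVEBMGS00\sec\SAPSNCSKERB.pse
      NOT readable for devadm

1: CN=SLLServiceSAP
         C:\usr\sap\DEV\DVEBMGS00\sec\SAPSNCS.pse
      NOT readable for devadm

NO readable SSO-Credentials available (total 2)
"""

SAMPLE_LPS = r"""running seclogin with USER="devadm"

0 (LPS:OFF): CN=SLLServiceSAP@bowieresources.com
         (LPS:OFF): /usr/sap/DEV/DVEBMGS00/sec/SAPSNCSKERB.pse

1 readable SSO-Credentials available
"""

# "0:", "1: CN=...", "0 (LPS:OFF): CN=..." start an entry; the summary line
# ("1 readable SSO-Credentials available") has no colon after the number.
HEADER = re.compile(r"^\s*(\d+)\s*(?:\([^)]*\))?\s*:\s*(.*)$")
# The PSE path line, optionally prefixed with "(LPS:OFF): ".
PSE_PATH = re.compile(r"^\s*(?:\([^)]*\)\s*:\s*)?(\S.*\.pse)\s*$", re.IGNORECASE)


def parse_seclogin_list(text):
    """Turn a 'sapgenpse seclogin -l' listing into a list of entry dicts."""
    entries, current = [], None
    for line in text.splitlines():
        header = HEADER.match(line)
        if header:
            current = {"index": int(header.group(1)),
                       "subject": header.group(2).strip(),
                       "pse": None,
                       "readable": True}
            entries.append(current)
            continue
        if current is None:
            continue
        path = PSE_PATH.match(line)
        if path and current["pse"] is None:
            current["pse"] = path.group(1)
        elif "NOT readable" in line:
            # Readability is relative to the OS user that ran the listing.
            current["readable"] = False
    return entries


def check_kerberos_pse(entries, snc_identity, pse_name="SAPSNCSKERB.pse"):
    """Compare the Kerberos PSE entry with the snc/identity/as value."""
    wanted = snc_identity[2:] if snc_identity.lower().startswith("p:") else snc_identity
    matches = [e for e in entries
               if e["pse"] and re.split(r"[\\/]", e["pse"])[-1].lower() == pse_name.lower()]
    if not matches:
        return [("NO_KERBEROS_PSE", pse_name + " is not in the credential listing")]
    findings = []
    for e in matches:
        if not e["subject"]:
            findings.append(("NO_SUBJECT", "entry %d has no name" % e["index"]))
        elif e["subject"] != wanted:
            same_ignoring_case = e["subject"].lower() == wanted.lower()
            code = "CASE_MISMATCH" if same_ignoring_case else "NAME_MISMATCH"
            findings.append((code, "%s vs %s" % (e["subject"], wanted)))
        if not e["readable"]:
            findings.append(("NOT_READABLE", "entry %d not readable for the listing user" % e["index"]))
    return findings


def finding_codes(findings):
    return [code for code, _ in findings]


if __name__ == "__main__":
    identity = "p:CN=SLLServiceSAP@bowieresources.com"
    for name, sample in (("no UPN", SAMPLE_NO_UPN), ("LPS layout", SAMPLE_LPS)):
        print(name, check_kerberos_pse(parse_seclogin_list(sample), identity))
```

A `NOT_READABLE` finding only means the listing was produced as a user without a credential entry; the thread shows the same PSE readable when listed with `-O SAPServiceDEV`.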

Former Member
0 Kudos

Can you tell me what 'LPS:OFF' means?

Former Member
0 Kudos

I don't know, I haven't seen it before. Regardless, the User Principal Name is still missing in SAPSNCSKERB.pse. Try to recreate the Kerberos keytab. Notice that you should always use the same value for SECUDIR, the PSEs get stored and retrieved from there.

Edit: LPS seems to be some kind of encryption, I don't think it's related.

Former Member
0 Kudos

Hello,

I think you mixed up some things:

  1. The Service User in the AD (in your case SLLServiceSAP@bowieresources.com) must be added.
  2. The Service User contains the Service Principal Name (SPN), something like SAP/SAPServiceDEV. It must be configured in the AD Attribute Editor (search for the servicePrincipalName attribute).
  3. This Service User will be used to create a keytab entry with the Service User's password via the sapgenpse keytab command.
  4. This SPN builds the SNC Name, which you configure in SAP GUI (here in the example p:CN=SAPServiceDEV). The @bowieresources.com can be omitted, it will be added by default by the client.


Hope this clarifies things a little bit.

BTW: the LPS:OFF indication by the seclogin command has nothing to do with the Kerberos SNC configuration and can be ignored.

best regards

Alexander Gimbel

Former Member
0 Kudos

Hi Diana,

I had the same problem and I resolved it with this SAP note 1878155 - A2210231 kerberos ticket no yet valid.

There may be a time synchronization problem between Active Directory and the server. Verify the NTP service (Network Time Protocol).

KR

Alejandro Dumont



Former Member
0 Kudos

Alexander,

It is my understanding that the AD Principal user can be anything you want to use. I choose SLLServiceSAP. I create the keytab, then add the actual SAP service ID... in my case SAPServiceDEV. My commands:

sapgenpse keytab -p SAPSNCSKERB.pse -a SLLServiceSAP@bowieresources.com

sapgenpse seclogin -p SAPSNCSKERB.pse -O SAPServiceDEV

Former Member
0 Kudos

That should be fine assuming you have also added the Service Principal Name SAP/SLLServiceSAP to SLLServiceSAP@bowieresources.com and HTTP/hostname if you plan to use SPNEGO. Your commands look fine, can you maybe share the output of those commands? There must be something wrong since sapgenpse seclogin -l doesn't display the User Principal Name SLLServiceSAP@bowieresources.com.

Former Member
0 Kudos

Hi Samuli,

This still has not been resolved. I've opened a message with SAP and they have not figured it out yet either. Per your request, here is the output of my commands. Also, we are not using SPNEGO.

C:\usr\sap\DEV\SLL>set SECUDIR=c:\usr\sap\DEV\DVEBMGS00\sec

C:\usr\sap\DEV\SLL>sapgenpse keytab -p SAPSNCSKERB.pse -a SLLServiceSAP@bowieresources.com
#############################################################################
License Disclaimer SAP NetWeaver Single Sign-On
You are about to configure trust for single sign-on or SNC Client Encryption.
Please note that for single sign-on you require a license for
SAP NetWeaver Single Sign-On.
As exception, the usage of SNC Client Encryption only without SSO is free
as described in SAP Note 1643878.
#############################################################################

Please enter PIN: **********
Please reenter PIN: **********
Please enter keyTab password: *********
Please reenter keyTab password: *********

keytab: Created new keyTab entry.
keytab: KeyTab content stored:

KeyTab:
  Realm       :bowieresources.com
  Component   :SLLServiceSAP
  Name type
  Time stamp  :1401749390
  Version     :1
  Key type    :3
  Key length  :8

KeyTab:
  Realm       :bowieresources.com
  Component   :SLLServiceSAP
  Name type
  Time stamp  :1401749390
  Version     :1
  Key type    :17
  Key length  :16

KeyTab:
  Realm       :bowieresources.com
  Component   :SLLServiceSAP
  Name type
  Time stamp  :1401749390
  Version     :1
  Key type    :18
  Key length  :32

KeyTab:
  Realm       :bowieresources.com
  Component   :SLLServiceSAP
  Name type
  Time stamp  :1401749390
  Version     :1
  Key type    :23
  Key length  :16

C:\usr\sap\DEV\SLL>sapgenpse seclogin -p SAPSNCSKERB.pse -O SAPServiceDEV
#############################################################################
License Disclaimer SAP NetWeaver Single Sign-On
You are about to configure trust for single sign-on or SNC Client Encryption.
Please note that for single sign-on you require a license for
SAP NetWeaver Single Sign-On.
As exception, the usage of SNC Client Encryption only without SSO is free
as described in SAP Note 1643878.
#############################################################################

running seclogin with USER="devadm"
creating credentials for user "BR\SAPServiceDEV" ...
Please enter PIN: **********
Adjusting credentials and PSE ACLs to include "BR\SAPServiceDEV"...
   c:\usr\sap\DEV\DVEBMGS00\sec\cred_v2 ... ok.
   C:\usr\sap\DEV\DVEBMGS00\sec\SAPSNCS.pse ...
   c:\usr\sap\DEV\DVEBMGS00\sec\SAPSNCSKERB.pse  ... ok.
Added SSO-credentials for PSE "c:\usr\sap\DEV\DVEBMGS00\sec\SAPSNCSKERB.pse"
   "CN=SLLServiceSAP@bowieresources.com"

C:\usr\sap\DEV\SLL>sapgenpse seclogin -l
#############################################################################
License Disclaimer SAP NetWeaver Single Sign-On
You are about to configure trust for single sign-on or SNC Client Encryption.
Please note that for single sign-on you require a license for
SAP NetWeaver Single Sign-On.
As exception, the usage of SNC Client Encryption only without SSO is free
as described in SAP Note 1643878.
#############################################################################

running seclogin with USER="devadm"

0: CN=SLLServiceSAP@bowieresources.com
         C:\usr\sap\DEV\DVEBMGS00\sec\SAPSNCS.pse
      NOT readable for devadm

1: CN=SLLServiceSAP@bowieresources.com
         c:\usr\sap\DEV\DVEBMGS00\sec\SAPSNCSKERB.pse
      NOT readable for devadm

NO readable SSO-Credentials available (total 2)

Former Member
0 Kudos

Now the User Principal Name is shown which is good. Since you got it working on another system, I would suggest you change the kernel to the latest 7.21 kernel which is pl 300 and retry. You can always return to the previous kernel if it doesn't help. Going forward please include logs/traces as attachments, not embedded in the body of the message since they are subject to all kinds of formatting.

Former Member
0 Kudos

Hi All,

I got my SSO working at my customer site. It turns out, the issue was, the network group were giving me a ‘domain’ name to use (bowieresources.com), that wasn’t a domain at all. It was a UPN name. Once I got that figured out and reconfigured everything (in the same domain) it worked. My customer actually had multiple domains, and I was afraid that would be an issue. But since the trust was setup properly between domains, all I had to do was enter the proper Kerberos ticket (from secure login client install) name in the SNC Tab in SU01 and everything worked fine.

Thanks all!

Former Member
0 Kudos

Hi Diana

So in the end, it does not matter if you don't get the display of the CN of the SAPSNCSKERB.pse when you run the command sapgenpse seclogin -l?

Regards

Former Member
0 Kudos

Hi Diana,

I have the same problem with multiple domains, I think!

BR and bowieresources are UPN? Is the domain that to needed different?

best regards,

Yorleni