
SNC with SSO does not allow to login

Hi everyone,

we are trying to configure Single Sign-On for the users with SAP GUI for Windows.

The ABAP application server has been configured, and I think the config is OK, since in the log file I see:

N  SncInit(): Initializing Secure Network Communication (SNC)

N        AMD/Intel x86_64 with Linux (st,ascii,SAP_UC/size_t/void* = 16/64/64)

N        UserId="sidadm" (1002), envvar USER="sidadm"

N  SncInit():   found snc/data_protection/max=3, using 3 (Privacy Level)

N  SncInit():   found snc/data_protection/min=1, using 1 (Authentication Level)

N  SncInit():   found snc/data_protection/use=3, using 3 (Privacy Level)

N  SncInit(): found  snc/gssapi_lib=/usr/lib64/snckrb5.so

N    File "/usr/lib64/snckrb5.so" dynamically loaded as external SNC-Adapter.

N    The SNC-Adapter identifies as:

N    External SNC-Adapter (Rev 1.0) to Kerberos 5/GSS-API v2

N  SncInit():   found snc/identity/as=p/krb5:SAPServiceSID/sapsid.intranet.ufz.de@INTRANET.UFZ.DE

N  SncInit(): Accepting  Credentials available, lifetime=Indefinite

N  SncInit(): Initiating Credentials available, lifetime=07h 37m 16s

So, I think there is no error on the server side. But whenever a user tries to log in, he/she gets an error in SAP GUI:

---snip---

GSS-API(maj): Miscellaneous Failure

GSS-API(min): SSPI u2u-problem: please add Service principal for targe

target="p:myuser@INTRANET.UFZ.DE"

Error in SNC

---pins---

What's wrong here? Do I have to execute the "setspn" command for each user? And what would this look like? On the command line, the output of "setspn -l myuser" is empty, and "setspn -l myuser@INTRANET.UFZ.DE" results in an error.

The entry in the Network tab in the SAP GUI reads either "p/krb5:myuser@INTRANET.UFZ.DE" or "p:myuser@INTRANET.UFZ.DE" or simply "P:myuser", the error remains always the same.


Can someone please help me?


Werner

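An added example, not part of the thread: a small Python check that compares the SNC name a user types into SAP GUI with the snc/identity/as value the application server logged in dev_w0. The trace excerpt below is constructed after the one quoted in the question; the GSS-API error above arises when the GUI entry names the user's own principal instead of the server's.

```python
import re

# Constructed dev_w0 excerpt, modelled on the trace quoted in the question.
DEV_W0 = (
    "N  SncInit(): Initializing Secure Network Communication (SNC)\n"
    "N  SncInit():   found snc/identity/as="
    "p/krb5:SAPServiceSID/sapsid.intranet.ufz.de@INTRANET.UFZ.DE\n"
    "N  SncInit(): Accepting  Credentials available, lifetime=Indefinite\n"
)

# Both prefixes select the Kerberos mechanism; "p/krb5:" is just the explicit form.
MECHANISM_PREFIXES = ("p/krb5:", "p:")


def server_identity(trace):
    """Return the snc/identity/as value the server logged at start-up, or None."""
    match = re.search(r"snc/identity/as=(\S+)", trace)
    return match.group(1) if match else None


def split_snc_name(name):
    """Split 'p:principal' / 'p/krb5:principal' into (prefix, principal)."""
    lowered = name.lower()
    for prefix in MECHANISM_PREFIXES:
        if lowered.startswith(prefix):
            return prefix, name[len(prefix):]
    return None, name


def check_gui_name(gui_name, trace):
    """Return a list of findings; an empty list means the GUI entry matches the server."""
    findings = []
    prefix, gui_principal = split_snc_name(gui_name)
    if prefix is None:
        findings.append("missing Kerberos mechanism prefix ('p:' or 'p/krb5:')")
    identity = server_identity(trace)
    if identity is None:
        findings.append("trace has no snc/identity/as line: SNC did not initialize")
        return findings
    _, server_principal = split_snc_name(identity)
    if gui_principal != server_principal:
        # The situation in the question: the GUI named the user's own principal,
        # so SSPI found no service principal for the target (the "u2u-problem").
        findings.append(
            f"GUI names '{gui_principal}' but the server identifies itself as "
            f"'{server_principal}'; the SNC name must be the server's, not the user's"
        )
    return findings
```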

6 Answers

  • Mar 16, 2015 at 02:50 PM

    setspn is executed once for SAPService<SID>. To me snc/identity/as looks incorrect, that is probably the source of your problems.


    • Werner Flamme wrote:

      In what way does snc/identity/as look incorrect?

      The correct format of SPN is SAP/XXX@DOMAIN, there are several possible values for XXX including host name but the one you have used isn't correct. Reading your other replies, you are on the right track meaning you can't use SSO with the SNC Client Encryption library since it is free and provided only for SNC encryption purposes. The only library allowing client SSO that SAP provides, especially in a heterogeneous SAP environment, is the one in SAP Single Sign-On which is a separately licensed product.

  • Former Member
    Mar 16, 2015 at 08:27 PM

    Hello Werner,

    Can you provide us with five things please.

    Q1) As user <sid>adm, please run "snv" and post the output.

    A)

    Q2) Please tell us the values set for:

    snc/gssapi_lib

    snc/identity/as

    A)

    Q3) The Windows AD Account that has been setup along with the SPN

    A)

    Q4) Did you generate the Kerberos Keytab (PSE) on the Backend ?

    A)

    Q5) What version of SAP SSO are you using  (SSO1 or SSO2) ?

    A)

    For me, I'm of the same opinion as @Samuli Kaski.


    Kindest Regards,

    Amerjit


    • Hi Amerjit,

      I am not allowed to use SECURELOGINLIB.SAR because we do not have a license for "SAP NetWeaver Single Sign-On". If this were the case, I'd rather open a service call with SAP instead of starting a discussion here 😉 - even if this discussion might be a lot more helpful than the support call, not to speak of the months of retention time until the first supporter picks the call 😈.

      You are right that the document I used was written by Matthias Schlarb.

      When I look at the docu you mentioned, I see that I need "SNC Client Encryption/Libraries". When I try to download these, I read on the page before I reach the download links "Note: The SNC Client Encryption package must not be used in Single Sign-On scenarios. If Single Sign-On or other value added scenarios (e.g. SSF at the client) are required customers need to acquire the SAP NetWeaver Single Sign-On product".

      So I think I really should not use those 😔

      Looking at my dev_w0 content, I think that I reached the end of point 4) of that docu successfully by following the steps Mr Schlarb wrote.

      Regards,

      Werner

  • Former Member
    Mar 17, 2015 at 03:49 AM

    Hi Werner,

    Correct value for the parameter snc/identity/as should be like "p:<DOMAIN_NAME>\SAPService<SID>"

    Also, you can follow the steps below to check whether SNC and SSO are configured correctly or not.

    • Is SSO working?

    To check: execute function module (SE37) create_rfc_reentrance_ticket and confirm that a long alphanumerical string is returned without any exception.
    Example of ticket: AjExMDABAAxTSEFIREVFICAgICACAAMwMDADAAhROTkgICAgIAQADD...... (Length 255 char)

    • Is SNC active?

    To check: execute function module (SE37) SNC_GET_MY_INFO and confirm it is active.

    Let us know if you observe any issue in the checks.

    Regards,

    Prithviraj.


    • Hi,

      I don't see the point. The AD admin created an account named ad_sapuft and used the command "setspn -A SAPServiceUFT/sapuft.intranet.ufz.de INTRANET\ad_sapuft". The key was exported and imported into the keytab on the SAP host. For the SAP system user uftadm, kinit works and is executed via cron job every 4 hours.

      I read the thread you mentioned, and especially the last reply, many times before I posted here, but I do not see the point where it would help me 😔

      Using Active Directory Explorer (by sysinternals.com), I see that the user with sAMAccountName "ad_sapuft" got the userPrincipalName "SAPServiceUFT/sapuft.intranet.ufz.de@INTRANET.UFZ.DE". I do not know what should be changed, since that is exactly the value I use for snc/identity/as in the system's profile.

      Regards,

      Werner

  • Mar 17, 2015 at 12:05 PM

    Hi Werner:

      Maybe what I am going to ask is crazy, but sometimes we forget the small details. If everything is set up, did you install the SAPOSS.MSI software on the SAP GUI PC?

    If everything is correct on your server side, in the GUI you only need the software and, in the configuration:

       p:SAPService/<SAP full domain host>@<your domain in CAPS>

    I hope that you can solve your problem quickly.

    Best Regards;

    Ricardo Nolasco


    • Former Member Werner Flamme

      Hi Werner,

      Totally forgot to reply to you.

      I'll repeat I understand your end goal is SSO with SNC and that your constraint is licensing. The licensing only comes into play for the SSO part and NOT the SNC part.

      Now where you are right now is that you have this 0x80090342 error that is taking years away from your life 😔

      1. You've installed the SNC libs from the SAPGUI 740 media.

      2. You're still running with native libraries on the SUSE side.

      If you really would indulge me and install the SAP package on the server side and configure as per the various posts/blogs.

      All I'm interested in at this stage is to get a known working combination working. Once that's done it should help in the process of elimination of your current problem with your current config.

      Willing to join in ?

      Amerjit

  • Former Member
    Apr 01, 2015 at 09:34 AM

    Very long thread but just checking, have you assigned the SNC name to the user?

    As in the following blog

    http://scn.sap.com/community/sso/blog/2012/08/17/how-to-configure-sap-netweaver-single-sign-on-for-sap-gui-for-windows-with-kerberos-integration



    • Hi Ralf,

      I am sorry I was not able to solve it. I still have problems with the encryption between my Linux SAP hosts and the Windows Domain Controllers.

      Unfortunately, we had several severe problems in the meantime, so I was not able to investigate here further. I remember a multi-hour phone call to the Domain admin, but it left no usable results.

      But I still have to try the last proposal from Amerjit Chahal, just no time. The SAP basis admin team for our 12 systems consists only of me ...

      Regards,

      Werner

  • Jul 09, 2015 at 11:03 AM

    Hi,

    I believe the steps below would be necessary for you.

    1) Set SNC Parameters

    snc/enable = 1

    snc/gssapi_lib = <Drive>\Windows\SysWOW64\gx64krb5.dll

    snc/identity/as = p:SAPService @ DOMAIN.COM

    snc/accept_insecure_cpic = 1

    snc/accept_insecure_rfc = 1

    snc/permit_insecure_start = 1

    snc/accept_insecure_gui = 1

    2) Perform setspn for User SAPService<SID>

    Setspn -A http/FQDN HOSTNAME SAPService<SID>

    3) Activate SNC at SAPGUI

    4) Handover to Security Team for their steps (Activate SNC at User level)

    Hope above information helps.

    Thanks,

    Mofizur



    • Mofizur,

      thank you for point 4), YMMD 😊. Unfortunately, there is no security team to hand the problems over to, I have to work it out all alone. That's why I asked here.

      Steps 1-3 I did weeks ago, as you can see in the previous posts.

      Regards,

      Werner