Hi community, I have a problem adding and using a secondary (trusted) domain for SSO with Kerberos. (The configuration for the first domain is working fine.)
See my attachment for all the steps that I tried.
I also followed "Kerberos/SPNEGO for SAP AS ABAP in a Multi Domain Environment".
Option 1 & Option 2: Irrespective of the trust existence between the domains, when we have more than one Microsoft Domain to integrate into our Kerberos/SPNego implementation, it is necessary to create a Keytab for every one of these domains. Such configuration is required because the SAP AS ABAP server has to be configured to trust every one of these domains.
But how can I generate this keytab?
Some info: principal domain (working fine SEAT.IT)
Secondary domain (ITALIAONLINE.LOCAL)
In RZ10, the instance profile contains this configuration:
snc/enable = 1
snc/data_protection/min = 1
snc/data_protection/max = 3
snc/data_protection/use = 3
snc/accept_insecure_gui = 1
snc/accept_insecure_cpic = 1
snc/accept_insecure_rfc = 1
snc/accept_insecure_r3int_rfc = 1
snc/r3int_rfc_insecure = 0
snc/r3int_rfc_qop = 3
snc/permit_insecure_start = 1
snc/identity/as = p:sr3qa1p1-SAP@SEAT.IT // my first domain that is working fine
snc/gssapi_lib = /opt/quest/lib/libvas-gssapi64.so
In SAP I have set the user to log on with SNC using SU01: the user is D9992
When I try to log on (to SAP system S09) with a user that is in a second trusted domain, I receive:
To check the Kerberos ticket I launched the executable Kerbtray.exe on the machine, and the info is:
I have read a forum thread (https://scn.sap.com/thread/955731) that is similar to my problem.
From it, I tried to execute via SE38 some check reports, which I report below (I think everything is OK).
The question is:
Considering that the row snc/identity/as = p:sr3qa1p1-SAP@SEAT.IT is unique and I cannot have 2 rows… (one per domain), but the secondary domain is trusted, are there some additional commands that I must run?