SNC without SSO - Multiple domains(Untrusted)

Former Member
0 Kudos

Hi Friends,


I have configured SNC without SSO by following

I am not using SSO here; I am using an SAP username and password to log in to the SAP system.

SPN for the primary domain is "p:SAP/KerberosSC2@DOMAIN1"

Now we have secondary domain DOMAIN2 and followed

I tried Option 2 by creating another service account, adding the SPN (same as the primary domain SPN) in the secondary domain (DOMAIN2), and generating a keytab file.

SPN for the secondary domain is "p: SAP/KerberosSC2@DOMAIN2"

In RZ10 parameter snc/identity/as defined as "p:SAP/KerberosSC2@DOMAIN1"

Since the snc/identity/as parameter is unique, how can I set the SNC name for the secondary domain?

With the configuration above we are facing the error below when we use the secondary domain SNC name.

"GSS-API(min) : A2210223: server does not trust the certificate path target = "p:CN=SAP/KerberosSC2@DOMAIN2"

Please help me find the solution.

Thanks,

Krishna

1 ACCEPTED SOLUTION

Private_Member_69416
Active Participant
0 Kudos

Hi

The guide you use is ok.

But you should read Notes too.

Service principal name must be the same in domains without trust.

Regards

Przemek

12 REPLIES

LutzR
Active Contributor
0 Kudos

Hi Krishna, unfortunately dependencies between snc/identity/as, SPN and CN/DN/Subject are far from intuitive and some guides are misleading because they simplify one way or the other.

To clarify, I will tell you the naming conventions we have been using for a few years now to combine SNC based on both X.509 and Kerberos, using multiple domains, sometimes activating SSO and sometimes not (some kind of full-blown (or maximum-blown) SNC configuration):


We build the snc/identity/as like this: p:CN=SAPSNC-<SID>-<Installation Number>. This is just a naming convention to make sure the ID is unique in a large system landscape and all admins (SAP, CA, AD) know what they are dealing with.

So let's use this example: SID = ABC and Installation Number = 12345678

So

snc/identity/as = p:CN=SAPSNC-ABC-12345678

In STRUST when creating the SNC PSE for X.509 this leads to the following Subject (=DN) for the certificate:

Subject= CN=SAPSNC-ABC-12345678

When creating AD service user accounts they will get the following SPN:

SPN= SAP/SAPSNC-ABC-12345678

This convention has been applied to a really huge system landscape with great success.

I have given up trying to understand other naming conventions, so please don't ask me to comment on yours. But perhaps you understand what I mean and can draw your own conclusions.


Please be aware that a lot of guides are also outdated when it comes to Secure Login Library. Typically there is no need for Secure Login Library anymore because functionality is included in CommonCryptolib 8.4.30 and newer which is installed with most current kernels.

Regards,

Lutz

Former Member
0 Kudos

Hi Lutz,

Thanks for the prompt response. My issue is with how to configure SNC in an untrusted domain using the Kerberos protocol. Could you please let me know the procedure or any step-by-step guide that would be helpful?

Thanks,

Krishna

LutzR
Active Contributor
0 Kudos

Hi Krishna,

  • Just create another AD service account in the second domain
  • Set the SPN attribute to the identical value as in the first domain
  • Create a keytab on the SAP server for the second account the way you did it for the first domain

Keep in mind: The SPN will always be the same even if you access the SAP system from 10 AD domains, because it is derived from the snc/identity/as parameter.

Or in other words: The SPN is not AD specific but only system specific.

There are some implicit rules on how the snc/identity/as parameter translates into the SPN (e.g. in my naming conventions above the CN= is stripped automatically). This makes the possible transformations a little non-transparent. You will find some explanations in this note: http://service.sap.com/sap/support/notes/1696905

Regards,

Lutz
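The rule Lutz describes (one SPN, derived from snc/identity/as, that must exist on a service account in every AD domain) can be checked from a domain-joined admin workstation. The script below is an added example, not code from the thread or from SAP; it assumes the RSAT ActiveDirectory module, that each domain's DNS name resolves to a reachable domain controller, and that the "p:" and "CN=" prefixes are the only transformation applied (the note Lutz cites describes the full rules).

```powershell
# Added example (not from the thread): verify that the SPN derived from snc/identity/as
# is held by exactly one account in each AD domain that will log on to the SAP system.
Import-Module ActiveDirectory

# Assumed values; replace with your own landscape.
$SncIdentityAs = 'p:CN=SAP/KerberosSC2'
$Domains       = @('ABC.COM', 'XYZ.COM')   # the two untrusted domains from the thread

function Get-ExpectedSpn {
    param([string]$SncIdentity)
    # Strip the "p:" marker and the leading "CN=" RDN; an "@REALM" suffix, if present,
    # is a Kerberos realm and not part of the servicePrincipalName attribute in AD.
    $name = $SncIdentity -replace '^p:', '' -replace '^CN=', ''
    return ($name -split '@')[0]          # e.g. SAP/KerberosSC2
}

function Test-SpnInDomain {
    param([string]$Domain, [string]$Spn)
    # Zero hits reproduces the "SPN doesn't exist in domain" case; more than one hit is a
    # duplicate SPN, which the KDC will also refuse to issue tickets for.
    $accounts = @(Get-ADObject -Server $Domain -LDAPFilter "(servicePrincipalName=$Spn)" `
                   -Properties servicePrincipalName)
    [pscustomobject]@{
        Domain   = $Domain
        Spn      = $Spn
        Accounts = $accounts | ForEach-Object { $_.Name }
        Ok       = ($accounts.Count -eq 1)
    }
}

$spn = Get-ExpectedSpn $SncIdentityAs
foreach ($d in $Domains) { Test-SpnInDomain -Domain $d -Spn $spn }
```

Any row with Ok = False points at the domain whose service account still needs the SPN (or has it twice) before the keytab for that domain is worth regenerating.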

Former Member
0 Kudos

Thanks Lutz for the steps you provided. I have configured all the steps mentioned but am still getting the error below while trying to access the SAP system from DOMAIN2.

Thanks.

Krishna

0 Kudos

Hi Przemek,

We are using the same service principal name, as below, for the two domains.

SNC name as

1) SAP/KerberosSC2@ABC.COM (primary domain)

2) SAP/KerberosSC2@XYZ.COM (secondary domain)

In the SAP application server, which is in the primary domain, snc/identity/as is defined as p:CN=SAP/KerberosSC2@ABC.COM

My question is how we can set the snc/identity/as parameter for the secondary domain. Is it required to configure it or not?

How does SNC work for a user in the secondary domain if snc/identity/as points to the service principal name in the primary domain?

Thanks,

Krishna

0 Kudos

snc/identity/as = p:CN=SAP/KerberosSC2

0 Kudos

Hi Przemek,

As you mentioned, I have maintained snc/identity/as = p:CN=SAP/KerberosSC2

With the first domain it is working fine, but with DOMAIN2 it is failing.

From DOMAIN2 I tried to connect to the SAP system with the SNC name p:CN=SAP/KerberosSC2, but it is failing with the error "No credentials were supplied to target "p:CN=SAP/KerberosSC2""

I have already generated the keytab for the secondary domain (snc crtkeytab -s SAP/KerberosSC2@DOMAIN2.COM)

I have attached a screenshot.

Thanks,

Krishna

0 Kudos

Do you have an account with this principal name in the second domain?

0 Kudos

Yes, it was created as below:

1) Primary domain:

account name: svc-SAPSNC

SPN: SAP/KerberosSC2

2) Secondary domain:

account name: SAPSNC

SPN: SAP/KerberosSC2

Should the account name also match in both domains, or does only the SPN matter?

Thanks,

Krishna

0 Kudos

Looks like this error is displayed when you have the wrong SNC name in the SAPGui config or the SPN doesn't exist in the domain.

0 Kudos

Hi Przemyslaw,

It worked. I have reconfigured all the steps in the SAP application server with the snc/identity/as = p:CN=SAP/KerberosSC2 parameter and created the same service account with the SPN in both domains.

Thanks for your help.

Regards,

Krishna