Skip to Content
author's profile photo Former Member
Former Member

SNC without SSO - Multiple domains(Untrusted)

Hi Friends,


I have configured SNC without SSO by following Configuring SAP SNC without Single Sign-On on UNIX/Solaris/Linux

i am not using SSO here , using SAP Username and password to login to the SAP system.

SPN for the primary domain is "p:SAP/KerberosSC2@DOMAIN1"

Now we have secondary domain DOMAIN2 and followed Kerberos/SPNEGO for SAP AS ABAP in a Multi Domain Environment.

tried with Option 2 by creating another Service account and added SPN (same as primary domain SPN) in secondary domain (DOMAIN2)and generated keytab file.a

SPN for the secondary domain is "p: SAP/KerberosSC2@DOMAIN2"

In RZ10 parameter snc/identity/as defined as "p:SAP/KerberosSC2@DOMAIN1"

since snc/identity/as parameter is unique how can i set SNC name for the seconday domain?

with the configuration above we are facing below error when we are using secondary domain SNC name.

"GSS-API(min) : A2210223: server does not trust the certificate path target = "p:CN=SAP/KerberosSC2@DOMAIN2"

Please help me find the solution.

Thanks,

Krishna

Add a comment
10|10000 characters needed characters exceeded

Assigned Tags

Related questions

2 Answers

  • Best Answer
    author's profile photo Former Member
    Former Member
    Posted on Jul 07, 2016 at 06:30 AM

    Hi

    The guide you use is ok.

    But you should read Notes too.

    Service principal name must be the same in domains without trust.

    Regards

    Przemek

    Add a comment
    10|10000 characters needed characters exceeded

    • Former Member Former Member

      Hi Przemyslaw,

      It worked. I have reconfigured all the steps in SAP application server with snc/identity/as = p:CN=SAP/KerberosSC2 parameter and created the same service account with the SPN in both the domains.

      Thanks for your help..

      Regards,

      Krishna

  • Posted on Jul 06, 2016 at 03:03 PM

    Hi Krishna, unfortunately dependencies between snc/identity/as, SPN and CN/DN/Subject are far from intuitive and some guides are misleading because they simplify one way or the other.

    To clarify I tell you the naming conventions we have been using for a few years now to combine SNC based on both X.509 and Kerberos, using multiple domains, sometimes activating SSO sometimes not (some kind of full blown (or maximum blown 😉) SNC configuration):


    We build the snc/identity/as like this: p:CN=SAPSNC-<SID>-<Installation Number>. This is just a naming convention to make sure the ID is unique in a large system landscape and all admins (SAP, CA, AD) know what they are dealing with.

    So lets use this example: SID = ABC and Installation Number = 12345678

    So

    snc/identity/as = p:CN=SAPSNC-ABC-12345678

    In STRUST when creating the SNC PSE for X.509 this leads to the following Subject (=DN) for the certificate:

    Subject= CN=SAPSNC-ABC-12345678

    When creating AD service user accounts they will get the following SPN:

    SPN= SAP/SAPSNC-ABC-12345678

    This convention has been applied to a really huge system landscape with great success.

    I have given up to understand other naming conventions. So please don't ask me to comment on yours 🤣. But perhaps you understand what I mean and you draw your own conclusions.


    Please be aware that a lot of guides are also outdated when it comes to Secure Login Library. Typically there is no need for Secure Login Library anymore because functionality is included in CommonCryptolib 8.4.30 and newer which is installed with most current kernels.

    Regards,

    Lutz

    Add a comment
    10|10000 characters needed characters exceeded

Before answering

You should only submit an answer when you are proposing a solution to the poster's problem. If you want the poster to clarify the question or provide more information, please leave a comment instead, requesting additional details. When answering, please include specifics, such as step-by-step instructions, context for the solution, and links to useful resources. Also, please make sure that you answer complies with our Rules of Engagement.
You must be Logged in to submit an answer.

Up to 10 attachments (including images) can be used with a maximum of 1.0 MB each and 10.5 MB total.