10-04-2016 2:58 PM
Hi experts,
I am configuring SSO with Kerberos, in a AS/400.
It seems all works fine; the SAP system starts without problems, but when I try to log in with a user that has SSO activated in SAPGui, a popup appears with the error:
"Error in Security Network Layer (SNC)"
and, if I check the trace for the wp, it shows:
N Tue Oct 4 15:54:03 2016
N *** ERROR => SncPEstablishContext()==SNCERR_GSSAPI [sncxxall.c 3563]
N GSS-API(maj): Miscellaneous failure
N GSS-API(min): Key version number for principal in key table is incorrect
N Unable to establish the security context
N <<- SncProcessInput()==SNCERR_GSSAPI
M *** ERROR => ThSncIn: SncProcessInput (SNCERR_GSSAPI) [thxxsnc.c 1035]
M {root-id=57F3154F6D5F2DEBE1008003C0A800DA}_{conn-id=00000000000000000000000000000000}_0
M *** ERROR => ThSncIn: SncProcessInput [thxxsnc.c 1040]
M {root-id=57F3154F6D5F2DEBE1008003C0A800DA}_{conn-id=00000000000000000000000000000000}_0
M in_ThErrHandle: 1
M *** ERROR => ThSncIn: SncProcessInput (step 4, th_errno 44, action 1, level 1) [thxxhead.c 11560]
M {root-id=57F3154F6D5F2DEBE1008003C0A800DA}_{conn-id=00000000000000000000000000000000}_0
M DpVmcGetVmByTmAdm: no VM found for T22/M0/I0 (locked VMs ignored)
How can it be solved? During the startup all is OK:
SncInit(): Initializing Secure Network Communication (SNC)
IBM i with OS400 (st,ascii,SAP_UC/size_t/void* = 8/64/64)
UserId="deb00" (121), envvar USER="DEB00"
SncInit(): found snc/data_protection/max=1, using 1 (Authentication Level)
SncInit(): found snc/data_protection/min=1, using 1 (Authentication Level)
SncInit(): found snc/data_protection/use=1, using 1 (Authentication Level)
SncInit(): found snc/gssapi_lib=/lib/libgssapi_krb5.a(libgssapi_krb5.a.so)
File "/lib/libgssapi_krb5.a(libgssapi_krb5.a.so)" dynamically loaded as GSS-API v2 library.
The internal Adapter for the loaded GSS-API mechanism identifies as:
Internal SNC-Adapter (Rev 1.0) to Kerberos 5/GSS-API v2
SncInit(): found: snc/identity/as=p:krbsvr400/sap.domain.com.es@DOMAIN.COM.ES
SncInit(): Accepting Cred: "krb5" (0x0002) ok, lifetime=Indefinite
SncInit(): Initiating Cred: "krb5" (0x0002) ok, lifetime=Expired
SNC (Secure Network Communication) enabled
Thanks in advance,
Regards,
10-06-2016 9:01 AM
Hi Victor,
the password of your service user krbsvr400 seems to have been changed in the Key Distribution Center (Active Directory?) since you generated the keytab file. Since the encryption key is derived from the password, the information encrypted by the KDC for the service provider (SAP) can no longer be decrypted by the service provider.
The bottom line is: each password change of the service user in KDC requires that you regenerate the keytab file and redistribute it to the service provider (SAP system). Personally, I think that service user passwords should be initialized in a secure way and afterwards be changed rarely or not at all, to avoid issues like these. A secure, open source password generator that is available for most Linux/Unix flavours and also Windows with Cygwin is pwgen.
Best regards,
Lambert
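The check Lambert's answer implies, as an added example that is not part of the original thread: parse the keytab directly to read each entry's key version number (kvno), then compare it with the kvno the KDC currently reports for the same principal. A mismatch is exactly the "Key version number for principal in key table is incorrect" condition in the trace above. The keytab bytes, the `kvno` tool output and the principal names below are constructed for the example (the enctype numbers 18 and 17 are the IANA values for aes256-cts and aes128-cts); the keytab layout assumed is the common MIT/Heimdal format version 0x0502.

```python
"""
Added example: compare kvno values in a keytab against the kvno the KDC issues.
Not code from the original thread. Assumes keytab format version 0x0502 and
the text output of the MIT `kvno` tool ("principal: kvno = N").
"""
import struct


def _cos(b: bytes) -> bytes:
    """counted_octet_string: uint16 big-endian length followed by the bytes."""
    return struct.pack(">H", len(b)) + b


def build_keytab_entry(principal: str, kvno: int, enctype: int, key: bytes,
                       timestamp: int = 0) -> bytes:
    """Encode one keytab entry (format 0x0502); used here to build sample data."""
    name, realm = principal.split("@", 1)
    comps = name.split("/")
    body = struct.pack(">H", len(comps)) + _cos(realm.encode())
    for c in comps:
        body += _cos(c.encode())
    # name_type (KRB5_NT_PRINCIPAL = 1), timestamp, 8-bit vno
    body += struct.pack(">IIB", 1, timestamp, kvno & 0xFF)
    body += struct.pack(">H", enctype) + _cos(key)
    body += struct.pack(">I", kvno)          # optional 32-bit vno (written by modern tools)
    return struct.pack(">i", len(body)) + body


def parse_keytab(data: bytes):
    """Return [(principal, kvno, enctype), ...] for every live entry in the keytab."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %r" % data[:2])
    pos, entries = 2, []
    while pos < len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:                         # negative size marks a deleted entry
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos); pos += 2
        (rlen,) = struct.unpack_from(">H", data, pos); pos += 2
        realm = data[pos:pos + rlen].decode(); pos += rlen
        comps = []
        for _ in range(ncomp):
            (clen,) = struct.unpack_from(">H", data, pos); pos += 2
            comps.append(data[pos:pos + clen].decode()); pos += clen
        pos += 4 + 4                         # skip name_type and timestamp
        vno8 = data[pos]; pos += 1
        (enctype, klen) = struct.unpack_from(">HH", data, pos); pos += 4 + klen
        kvno = vno8
        if end - pos >= 4:                   # 32-bit vno overrides vno8 when non-zero
            (vno32,) = struct.unpack_from(">I", data, pos)
            if vno32:
                kvno = vno32
        pos = end
        entries.append(("/".join(comps) + "@" + realm, kvno, enctype))
    return entries


def parse_kvno_output(text: str) -> dict:
    """Parse MIT `kvno` output lines of the form 'principal: kvno = N'."""
    result = {}
    for line in text.splitlines():
        if ": kvno = " in line:
            princ, _, num = line.partition(": kvno = ")
            result[princ.strip()] = int(num.strip())
    return result


def check_keytab(keytab: bytes, kdc_kvnos: dict) -> list:
    """Return (principal, keytab_kvno, kdc_kvno) for every entry whose kvno no
    longer matches the KDC; an empty list means the keytab is current."""
    mismatches = []
    for princ, kvno, _ in parse_keytab(keytab):
        kdc = kdc_kvnos.get(princ)
        if kdc is not None and kdc != kvno:
            mismatches.append((princ, kvno, kdc))
    return mismatches


# Constructed sample data: the keytab still holds kvno 3, but the service
# account password was changed once since, so the KDC now issues kvno 4.
SAP_PRINC = "krbsvr400/sap.domain.com.es@DOMAIN.COM.ES"
SAMPLE_KEYTAB = b"\x05\x02" + build_keytab_entry(SAP_PRINC, 3, 18, bytes(32))  # key zeroed for the example
SAMPLE_KVNO_OUTPUT = SAP_PRINC + ": kvno = 4\n"

if __name__ == "__main__":
    for princ, kt, kdc in check_keytab(SAMPLE_KEYTAB, parse_kvno_output(SAMPLE_KVNO_OUTPUT)):
        print(f"{princ}: keytab kvno {kt} != KDC kvno {kdc}; regenerate and redistribute the keytab")
```

On a real system, feed `parse_keytab` the bytes of the SAP keytab and `parse_kvno_output` the output of `kvno <principal>` run with a valid user TGT; a non-empty result from `check_keytab` means the keytab must be regenerated before SNC logons will work again.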