SNC Error: Key version number for principal in key table is incorrect

Former Member

Hi experts,

I am configuring SSO with Kerberos on an AS/400.

It seems everything works fine and the SAP system starts without problems, but when I try to log in with a user with SSO activated in SAPGui, a popup appears with the error:

"Error en Security Network Layer (SNC)"

and if I check the trace for the wp, this appears:

N Tue Oct  4 15:54:03 2016

N  *** ERROR => SncPEstablishContext()==SNCERR_GSSAPI  [sncxxall.c 3563]

N        GSS-API(maj): Miscellaneous failure

N        GSS-API(min): Key version number for principal in key table is incorrect

N      Unable to establish the security context

N  <<- SncProcessInput()==SNCERR_GSSAPI

M  *** ERROR => ThSncIn: SncProcessInput (SNCERR_GSSAPI) [thxxsnc.c    1035]

M  {root-id=57F3154F6D5F2DEBE1008003C0A800DA}_{conn-id=00000000000000000000000000000000}_0

M  *** ERROR => ThSncIn: SncProcessInput [thxxsnc.c    1040]

M  {root-id=57F3154F6D5F2DEBE1008003C0A800DA}_{conn-id=00000000000000000000000000000000}_0

M  in_ThErrHandle: 1

M  *** ERROR => ThSncIn: SncProcessInput (step 4, th_errno 44, action 1, level 1) [thxxhead.c   11560]

M  {root-id=57F3154F6D5F2DEBE1008003C0A800DA}_{conn-id=00000000000000000000000000000000}_0

M  DpVmcGetVmByTmAdm: no VM found for T22/M0/I0 (locked VMs ignored)

How can this be solved? During the startup everything is OK:

SncInit(): Initializing Secure Network Communication (SNC)

      IBM i with OS400 (st,ascii,SAP_UC/size_t/void* = 8/64/64)

      UserId="deb00" (121), envvar USER="DEB00"

SncInit():   found snc/data_protection/max=1, using 1 (Authentication Level)

SncInit():   found snc/data_protection/min=1, using 1 (Authentication Level)

SncInit():   found snc/data_protection/use=1, using 1 (Authentication Level)

SncInit(): found  snc/gssapi_lib=/lib/libgssapi_krb5.a(libgssapi_krb5.a.so)

  File "/lib/libgssapi_krb5.a(libgssapi_krb5.a.so)" dynamically loaded as GSS-API v2 library.

  The internal Adapter for the loaded GSS-API mechanism identifies as:

  Internal SNC-Adapter (Rev 1.0) to Kerberos 5/GSS-API v2

SncInit():   found:    snc/identity/as=p:krbsvr400/sap.domain.com.es@DOMAIN.COM.ES

SncInit(): Accepting  Cred:    "krb5"    (0x0002) ok, lifetime=Indefinite

SncInit(): Initiating Cred:    "krb5"    (0x0002) ok, lifetime=Expired

SNC (Secure Network Communication) enabled

Thanks in advance,

Regards,


lambert-giese

Hi Victor,

The password of your service user krbsvr400 seems to have been changed in the Key Distribution Center (Active Directory?) since you generated the keytab file. Since the encryption key is derived from the password, the information encrypted by the KDC for the service provider (SAP) can no longer be decrypted by the service provider.

See apache 2.2 - Apache2 + mod_auth_kerb: Key version number for principal in key table is incorrect - S...

The bottom line is: each password change of the service user in the KDC requires that you regenerate the keytab file and redistribute it to the service provider (SAP system). Personally, I think that service user passwords should be initialized in a secure way and afterwards be changed rarely or not at all, to avoid issues like these. A secure, open source password generator that is available for most Linux/Unix flavours and also Windows with Cygwin is pwgen.

Best regards,

Lambert