Skip to Content
author's profile photo Pierre Fey
1
Pierre Fey
Feb 22, 2017 at 11:17 AM

SNC - How to setup without SSO

4914 Views Last edit Feb 22, 2017 at 03:26 PM 4 rev

I wanted to setup SNC in my test network. But at least, I got some errors. Maybe someone can help me. I already found hundreds of posts here, but nothing helped.

Pre-Information

As I have read here https://archive.sap.com/discussions/thread/3922733 I have to use a specific szenario with snc, active directory, kerberos to use snc without any extra license.

My Issues

  1. If I set snc/enable = 1 i got this Error on SAP start: "Basis System: Initialization SNC failed, return code -000004"
  2. On TA SNCWIZARD I got the Message "SAPCRYPTOLIB is to old". I already downloaded Version SAPCRYPTOLIBP_8509-20011729. I think it´s the newest?!
  3. If I set snc/enable = 0 i can login. I want to use TA SPNEGO to set Kerberos UserPrincipals and got this one:
  4. EDIT: I solved this one by downloading the Secure Login Client from https://launchpad.support.sap.com/#/softwarecenter/search/sapsetupslc06 and install it on my client where SAP Logon is installed

My szenario

I want to use SNC with a tool we build. In the szenario i have to use SNC Client Encryption without Single Sign On. I have a Win2K12 Domain Controller with Active Directory and a Win2K12 with SAP ERP EHP8 (hyperion.snc.local). Domain named snc.local.

On the Domain Controller I created a user KerberbosE68 and set the user Attribute userPrincipalName to KerberosE6@SNC.LOCAL (is it case senitive?!)

I go to ASDI Edit and set the follow values:

On SAP I set the following Parameters:

  • snc/enable = 1
  • snc/gssapi_lib = C:\usr\sap\E68\ASC01\sec\sapcrypto.dll
  • snc/identity/as = p:CN=KerberosE68@SNC.LOCAL
  • spnego/enable = 1
  • snc/data_protection/use = 3
  • snc/data_protection/min = 2
  • snc/data_protection/max = 3
  • snc/accept_insecure_rfc = 1
  • snc/accept_insecure_gui = 1
  • snc/accept_insecure_cpic = 1
  • snc/accept_insecure_r3int_rfc = 1

As mentioned above, i try to use SPNEGO for Kerberos User Principal. I don´t know if it´s right way an i always got that message of missing SNCAX.dll. I entered this values and saved it. I got the Message "Keytab saved":

EDIT: In SU01 I choosed my user and entered p:CN=SAP/KerberosE68@SNC.LOCAL on SNC Tab.

I downloaded and installed Package 51042493 (SNC Client Encryption) on my client (where sap gui is installed)

I set the enviroment variable :

SNC_LIB = C:\Program Files (x86)\SAP\FrontEnd\SAPgui\Encryption\secgss.dll

On SAP GUI I set:

So can anyone tell how to setup a SNC szenario with Client encryption and without SSO. I read so much tutorials, forum posts etc. It won´t work. I really thank you

Kind Regards

Pierre

Attachments
2017-02-22-11-23-34-19216826-remotedesktopverbindu.png (14.3 kB)
2017-02-22-11-36-45-19216826-remotedesktopverbindu.png (37.3 kB)
2017-02-22-11-44-20-eigenschaften-fur-systemeintra.png (11.6 kB)
2017-02-22-11-44-20-eigenschaften-fur-systemeintra.png (11.6 kB)
2017-02-22-11-50-58-spnego-konfiguration-andern.png (31.6 kB)
2017-02-22-11-55-27-spnego-konfiguration-andern.png (29.7 kB)