02-22-2017 11:17 AM
I wanted to set up SNC in my test network. But at least, I got some errors. Maybe someone can help me. I already found hundreds of posts here, but nothing helped.
Pre-Information
As I have read here https://archive.sap.com/discussions/thread/3922733 I have to use a specific scenario with SNC, Active Directory and Kerberos to use SNC without any extra license.
My Issues
My scenario
I want to use SNC with a tool we build. In the scenario I have to use SNC Client Encryption without Single Sign-On. I have a Win2K12 Domain Controller with Active Directory and a Win2K12 with SAP ERP EHP8 (hyperion.snc.local). The domain is named snc.local.
On the Domain Controller I created a user KerberosE68 and set the user attribute userPrincipalName to KerberosE6@SNC.LOCAL (is it case sensitive?!)
I go to ADSI Edit and set the following values:
On SAP I set the following Parameters:
As mentioned above, I try to use SPNEGO for the Kerberos User Principal. I don't know if it's the right way, and I always got that message about the missing SNCAX.dll. I entered these values and saved them. I got the message "Keytab saved":
EDIT: In SU01 I chose my user and entered p:CN=SAP/KerberosE68@SNC.LOCAL on the SNC tab.
I downloaded and installed Package 51042493 (SNC Client Encryption) on my client (where sap gui is installed)
I set the environment variable:
SNC_LIB = C:\Program Files (x86)\SAP\FrontEnd\SAPgui\Encryption\secgss.dll
On SAP GUI I set:
So can anyone tell me how to set up an SNC scenario with Client Encryption and without SSO? I read so many tutorials, forum posts etc. It won't work. I really thank you.
Kind Regards
Pierre
02-25-2017 4:30 PM
Hi Pierre,
OK, let’s start from the very beginning. You want to encrypt your DIAG/RFC communication using SNC, you require SNC Client encryption. As of release 7.30 SAP GUI comes with the SNC Client Encryption embedded, so you normally just enable it in the installer.
On the backend E68 make sure your CommonCryptoLib (latest 8.5.9) is correctly installed, $SECUDIR is set to /usr/sap/<SID>/<Instance>/sec … more information you’ll find here https://launchpad.support.sap.com/#/notes/1848999/E
Don’t set the UserPrincipalName attribute for your KerberosE68 user, you don’t require it. A UPN can be implicitly or explicitly defined. An implicit UPN is of the form UserName@DNSDomainName. The implicit UPN is always associated with the user's account, even if an explicit UPN is not defined. It is the default ID information which is always included in the Kerberos tickets of a user. An explicit UPN is of the form Name@Suffix, where both the name and suffix strings are explicitly defined by the administrator. Source: https://msdn.microsoft.com/de-de/library/windows/desktop/aa380525.aspx --> please remove the UPN.
Now to the ServicePrincipalName (SPN) attribute. Please remove the HTTP/…. SPN, you don’t need it for SNC. The other SPN SAP/KerberosE68 looks good. Make sure, there are no duplicate SPNs registered in AD. Check with setspn -X -F to avoid duplicate SPNs.
Now the profile parameters: use the following (and remove spnego/enable or set it to "0"):
snc/enable = 1
snc/gssapi_lib = $(DIR_EXECUTABLE)$(DIR_SEP)$(FT_DLL_PREFIX)sapcrypto$(FT_DLL)
snc/identity/as = p:CN=KerberosE68@SNC.LOCAL
snc/data_protection/use = 3
snc/data_protection/min = 2
snc/data_protection/max = 3
snc/accept_insecure_rfc = 1
snc/accept_insecure_gui = 1
snc/accept_insecure_cpic = 1
snc/accept_insecure_r3int_rfc = 1
snc/r3int_rfc_secure = 0
snc/r3int_rfc_qop = 8
snc/permit_insecure_start = 1
snc/force_login_screen = 0
Note: you may not necessarily set the domain with the snc/identity/as parameter. Just p:CN=KerberosE68 would also do it. You can also make use of snc/only_encrypted_gui and snc/only_encrypted_rfc parameters. In that case, review SAP Note 1690662
Create the SAPSNCSKERB.pse incl. the Kerberos keytab via CLI:
1. Clean up your $SECUDIR and remove any old SAPSNCSKERB.pse or cred_v2.
2. Navigate to $DIR_EXECUTABLE if required and not in $PATH.
3. Execute sapgenpse and make sure $SECUDIR correctly points to the ../sec directory of your AS ABAP.
4. Execute:
   sapgenpse keytab -p SAPSNCSKERB.pse -x <PSE password> -a KerberosE68@SNC.LOCAL
   ...when prompted, enter and confirm the password for the domain service account; this way you avoid typos.
5. Create credentials:
   sapgenpse seclogin -p SAPSNCSKERB.pse -x <PSE password> -O SAPServiceE68 -N
6. Check the credentials for user SAPServiceE68; this must show valid credentials:
   sapgenpse seclogin -l -O SAPServiceE68
7. ...then restart your SAP system; now it should start and correctly initialize SNC (I hope so ;))
Your SAP GUI configuration seems to look OK, it should work now...
Hope that helps, have fun!
Cheers,
Carsten
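An added example, not code from the thread: a small POSIX shell check that reads a plain "key = value" instance profile and verifies the snc/* parameters Carsten lists before the restart (snc/enable on, spnego/enable absent or 0, a CommonCryptoLib gssapi_lib, a p:CN= identity, and min <= use <= max with use = 3 so DIAG/RFC traffic is really encrypted). The profile path and the sample profile at the bottom are assumptions constructed here.

```shell
#!/bin/sh
# Added example (not from the thread): sanity-check the snc/* profile parameters.
# Assumes a plain "key = value" profile file whose path is passed to check_snc_profile;
# the sample profile at the bottom is constructed here.
# get_param FILE KEY: print the value of KEY (last occurrence wins, as in SAP profiles)
get_param() {
    awk -v key="$2" '
        /^[[:space:]]*#/ || !/=/ { next }
        { k = $0; sub(/[[:space:]]*=.*$/, "", k); sub(/^[[:space:]]+/, "", k) }
        k == key { v = $0; sub(/^[^=]*=[[:space:]]*/, "", v); sub(/[[:space:]]+$/, "", v); val = v }
        END { print val }' "$1"
}
# check_snc_profile FILE: returns 0 when the profile matches the recipe above, 1 otherwise
check_snc_profile() {
    f="$1"; rc=0
    [ "$(get_param "$f" snc/enable)" = "1" ] || { echo "snc/enable must be 1"; rc=1; }
    sp="$(get_param "$f" spnego/enable)"
    [ -z "$sp" ] || [ "$sp" = "0" ] || { echo "spnego/enable must be removed or 0"; rc=1; }
    case "$(get_param "$f" snc/gssapi_lib)" in
        *sapcrypto*) ;;
        *) echo "snc/gssapi_lib must point at CommonCryptoLib (sapcrypto)"; rc=1 ;;
    esac
    case "$(get_param "$f" snc/identity/as)" in
        p:CN=*) ;;
        *) echo "snc/identity/as must be a p:CN=... name"; rc=1 ;;
    esac
    # levels: 1 = authentication only, 2 = integrity, 3 = privacy; require min <= use <= max, use = 3
    use=$(get_param "$f" snc/data_protection/use)
    min=$(get_param "$f" snc/data_protection/min)
    max=$(get_param "$f" snc/data_protection/max)
    if [ "${min:-0}" -le "${use:-0}" ] 2>/dev/null && [ "${use:-0}" -le "${max:-0}" ] 2>/dev/null \
       && [ "${use:-0}" -eq 3 ] 2>/dev/null; then :; else
        echo "snc/data_protection/{min,use,max}: need integers with min <= use <= max and use = 3"; rc=1
    fi
    return $rc
}
# Constructed sample profile following the recipe above
PROFILE="$(mktemp)"
cat > "$PROFILE" <<'EOF'
snc/enable = 1
snc/gssapi_lib = $(DIR_EXECUTABLE)$(DIR_SEP)$(FT_DLL_PREFIX)sapcrypto$(FT_DLL)
snc/identity/as = p:CN=KerberosE68@SNC.LOCAL
snc/data_protection/use = 3
snc/data_protection/min = 2
snc/data_protection/max = 3
spnego/enable = 0
EOF
check_snc_profile "$PROFILE" && echo "profile OK"
```

Run it against a copy of the real instance profile instead of the constructed one to see which parameter the check complains about.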
02-27-2017 3:21 PM
Hello Carsten,
I really, really thank you. You helped me a lot, it finally works. After I know what to do, it looks so easy!
Kind Regards!
02-28-2017 11:51 AM
Hello Carsten
maybe you can help me.
I had to restart the client where SAP Logon is installed. After that restart I got the message:
This is a screenshot from my logs:
This is my process:
When I restart the client PC and open Secure Login Client I get this:
Then I right-click on Kerberos Token -> Login and log in as KerberosE68. The result is:
Is that necessary?
Well, then I open the SAP Logon client and double-click my SAP system. The Secure Login Client pops up and I have to choose a token. I choose the KerberosE68 token.
Then I get the error message.
I can't find the right solution on the net.
Kind regards
Pierre
03-01-2017 10:28 AM
Ok the issue was the SPN.
In Windows I was logged in with the user Administrator. The SPN "SAP/KerberosE68" was bound to user KerberosE68. I used the command setspn -A SAP/KerberosE68 Administrator. After that I can log in again.