
SNC - How to setup without SSO

I wanted to set up SNC in my test network. But at least, I got some errors. Maybe someone can help me. I already found hundreds of posts here, but nothing helped.

Pre-Information

As I have read here https://archive.sap.com/discussions/thread/3922733 I have to use a specific scenario with SNC, Active Directory and Kerberos to use SNC without any extra license.

My Issues

  1. If I set snc/enable = 1 I got this error on SAP start: "Basis System: Initialization SNC failed, return code -000004"
  2. On TA SNCWIZARD I got the message "SAPCRYPTOLIB is to old". I already downloaded version SAPCRYPTOLIBP_8509-20011729. I think it's the newest?!
  3. If I set snc/enable = 0 I can log in. I want to use TA SPNEGO to set Kerberos UserPrincipals and got this one:
  4. EDIT: I solved this one by downloading the Secure Login Client from https://launchpad.support.sap.com/#/softwarecenter/search/sapsetupslc06 and installing it on my client where SAP Logon is installed

My scenario

I want to use SNC with a tool we build. In the scenario I have to use SNC Client Encryption without Single Sign On. I have a Win2K12 Domain Controller with Active Directory and a Win2K12 with SAP ERP EHP8 (hyperion.snc.local). Domain named snc.local.

On the Domain Controller I created a user KerberbosE68 and set the user attribute userPrincipalName to KerberosE6@SNC.LOCAL (is it case sensitive?!)

I go to ADSI Edit and set the following values:

On SAP I set the following Parameters:

  • snc/enable = 1
  • snc/gssapi_lib = C:\usr\sap\E68\ASC01\sec\sapcrypto.dll
  • snc/identity/as = p:CN=KerberosE68@SNC.LOCAL
  • spnego/enable = 1
  • snc/data_protection/use = 3
  • snc/data_protection/min = 2
  • snc/data_protection/max = 3
  • snc/accept_insecure_rfc = 1
  • snc/accept_insecure_gui = 1
  • snc/accept_insecure_cpic = 1
  • snc/accept_insecure_r3int_rfc = 1

As mentioned above, I try to use SPNEGO for the Kerberos User Principal. I don't know if it's the right way and I always got that message of missing SNCAX.dll. I entered these values and saved them. I got the message "Keytab saved":

EDIT: In SU01 I chose my user and entered p:CN=SAP/KerberosE68@SNC.LOCAL on the SNC tab.

I downloaded and installed Package 51042493 (SNC Client Encryption) on my client (where sap gui is installed)

I set the environment variable:

SNC_LIB = C:\Program Files (x86)\SAP\FrontEnd\SAPgui\Encryption\secgss.dll

On SAP GUI I set:

So can anyone tell me how to set up an SNC scenario with client encryption and without SSO? I read so many tutorials, forum posts etc. It won't work. I really thank you

Kind Regards

Pierre

1 ACCEPTED SOLUTION

Colt
Active Contributor

Hi Pierre,

  • for 1: you may have various issues, best possible your SNC based PSE wasn’t created correctly or credentials are missing.
  • for 2: check https://launchpad.support.sap.com/#/notes/2304831/E
  • for 3 and 4: forget t-code SPNEGO. This is only required for browser based Single Sign-On to Web AS ABAP (ICM) and not required (or even allowed in terms of licensing) in your scenario. Credential validation requires a specific frontend control which comes together with the SLC. You neither need SLC nor SPNego for SNC client encryption. I know as of newer SAP_BASIS releases (731 SP15 and 740 SP08) you can use transaction SPNEGO to configure the SNC keytab also, but I recommend the old school way via CLI 😉

OK, let’s start from the very beginning. You want to encrypt your DIAG/RFC communication using SNC, you require SNC Client encryption. As of release 7.30 SAP GUI comes with the SNC Client Encryption embedded, so you normally just enable it in the installer.

On the backend E68 make sure your CommonCryptoLib (latest 8.5.9) is correctly installed, $SECUDIR is set to /usr/sap/<SID>/<Instance>/sec more information you’ll find here https://launchpad.support.sap.com/#/notes/1848999/E

Don’t set the UserPrincipalName attribute for your KerberosE68 user, you don’t require it. A UPN can be implicitly or explicitly defined. An implicit UPN is of the form UserName@DNSDomainName. The implicit UPN is always associated with the user's account, even if an explicit UPN is not defined. It is the default ID information which is always included in the Kerberos tickets of a user. An explicit UPN is of the form Name@Suffix, where both the name and suffix strings are explicitly defined by the administrator. Source: https://msdn.microsoft.com/de-de/library/windows/desktop/aa380525.aspx --> please remove the UPN.

Now to the ServicePrincipalName (SPN) attribute. Please remove the HTTP/…. SPN, you don’t need it for SNC. The other SPN SAP/KerberosE68 looks good. Make sure, there are no duplicate SPNs registered in AD. Check with setspn -X -F to avoid duplicate SPNs.

Now the profile parameters – use the following, and remove the spnego/enable or set to “0”:

snc/enable = 1
snc/gssapi_lib = $(DIR_EXECUTABLE)$(DIR_SEP)$(FT_DLL_PREFIX)sapcrypto$(FT_DLL)
snc/identity/as = p:CN=KerberosE68@SNC.LOCAL
snc/data_protection/use = 3
snc/data_protection/min = 2
snc/data_protection/max = 3
snc/accept_insecure_rfc = 1
snc/accept_insecure_gui = 1
snc/accept_insecure_cpic = 1
snc/accept_insecure_r3int_rfc = 1
snc/r3int_rfc_secure = 0
snc/r3int_rfc_qop = 8
snc/permit_insecure_start = 1
snc/force_login_screen = 0

Note: you may not necessarily set the domain with the snc/identity/as parameter. Just p:CN=KerberosE68 would also do it. You can also make use of snc/only_encrypted_gui and snc/only_encrypted_rfc parameters. In that case, review SAP Note 1690662

Create the SAPSNCSKERB.pse incl. the Kerberos keytab via CLI:

1. Clean up your $SECUDIR and remove any old SAPSNCSKERB.pse or cred_v2.

Navigate to $DIR_EXECUTABLE if required and not in $PATH.

Execute sapgenpse and make sure $SECUDIR correctly points to the ../sec directory of your AS ABAP.

Execute:

sapgenpse keytab -p SAPSNCSKERB.pse -x <PSE password> -a KerberosE68@SNC.LOCAL

...when prompted enter and confirm the password for the Domain service account, this way you avoid typos.

Create credentials:

sapgenpse seclogin -p SAPSNCSKERB.pse -x <PSE password> -O SAPServiceE68 -N

Check credentials for user SAPServiceE68, must show valid credentials:

sapgenpse seclogin -l -O SAPServiceE68

..then restart your SAP system, now it should start and correctly initialize SNC (I hope so ;))

Your SAP GUI configuration seems to look ok, should work now...

Hope that helps, have fun!

Cheers,
Carsten
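
An added example, not part of the reply above and not SAP tooling: a small Python check that reads instance-profile text and reports on the SNC parameters discussed in this thread, run here on the values from the question (a constructed sample). The function names are made up for the example; the point it makes is that with snc/accept_insecure_* = 1 and snc/data_protection/min = 2 the server still accepts sessions without SNC or with integrity protection only.

```python
import re

# Constructed sample: the profile values quoted in the question, not a real export.
SAMPLE_PROFILE = r"""
# instance profile excerpt
snc/enable = 1
snc/gssapi_lib = C:\usr\sap\E68\ASC01\sec\sapcrypto.dll
snc/identity/as = p:CN=KerberosE68@SNC.LOCAL
spnego/enable = 1
snc/data_protection/use = 3
snc/data_protection/min = 2
snc/data_protection/max = 3
snc/accept_insecure_rfc = 1
snc/accept_insecure_gui = 1
snc/accept_insecure_cpic = 1
snc/accept_insecure_r3int_rfc = 1
"""

def parse_profile(text):
    """Return {parameter: value} from 'name = value' lines; '#' comments never match."""
    params = {}
    for line in text.splitlines():
        m = re.match(r"\s*([A-Za-z0-9_/.\-]+)\s*=\s*(.*?)\s*$", line)
        if m:
            params[m.group(1)] = m.group(2)
    return params

def audit_snc(params):
    """Return (parameter, finding) tuples; both function names are hypothetical."""
    findings = []
    if params.get("snc/enable") != "1":
        findings.append(("snc/enable", "SNC is not enabled"))
    if params.get("spnego/enable", "0") != "0":
        findings.append(("spnego/enable", "not needed for SNC client encryption"))
    if not params.get("snc/identity/as", "").startswith("p:CN="):
        findings.append(("snc/identity/as", "expected the form p:CN=<account>"))
    if "$(" not in params.get("snc/gssapi_lib", ""):
        findings.append(("snc/gssapi_lib", "hard-coded path instead of profile macros"))
    level = params.get("snc/data_protection/min", "")
    if level.isdigit() and int(level) < 3:  # 1 = authentication, 2 = integrity, 3 = privacy
        findings.append(("snc/data_protection/min", "integrity-only sessions are accepted"))
    for name, value in sorted(params.items()):
        if name.startswith("snc/accept_insecure_") and value == "1":
            findings.append((name, "connections without SNC are still accepted"))
    return findings

if __name__ == "__main__":
    for name, finding in audit_snc(parse_profile(SAMPLE_PROFILE)):
        print(f"{name}: {finding}")
```
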

4 REPLIES


Hello Carsten,

I really really thank you. You helped me much, it finally works. After I know what to do, it looks so easy!

Kind Regards!

0 Kudos

Hello Carsten

maybe you can help me.

I had to restart the Client where SAP Logon is installed. After that restart I got the message:

This is a screenshot from my logs

This is my process:

When I restart the client PC and open Secure Login Client I got this:

Then I right click on Kerberos Token -> Login and log in as KerberosE68. The result is:

Is that necessary?

Well, then I open the SAP Logon Client and double click my SAP System. The Secure Login Client pops up and I have to choose a token. I choose the KerberosE68 token.

Then I got the error message.

I can't find the right solution on the net.

Kind regards

Pierre

0 Kudos

OK, the issue was the SPN.

In Windows I was logged in with the user Administrator. The SPN "SAP/KerberosE68" was bound to user KerberosE68. I used the command setspn -A SAP/KerberosE68 Administrator. After that I can log in again.