Skip to Content
0

SNC - How to setup without SSO

Feb 22, 2017 at 11:17 AM

683

avatar image

I wanted to setup SNC in my test network. But at least, I got some errors. Maybe someone can help me. I already found hundreds of posts here, but nothing helped.

Pre-Information

As I have read here https://archive.sap.com/discussions/thread/3922733 I have to use a specific szenario with snc, active directory, kerberos to use snc without any extra license.

My Issues

  1. If I set snc/enable = 1 i got this Error on SAP start: "Basis System: Initialization SNC failed, return code -000004"
  2. On TA SNCWIZARD I got the Message "SAPCRYPTOLIB is to old". I already downloaded Version SAPCRYPTOLIBP_8509-20011729. I think it´s the newest?!
  3. If I set snc/enable = 0 i can login. I want to use TA SPNEGO to set Kerberos UserPrincipals and got this one:
  4. EDIT: I solved this one by downloading the Secure Login Client from https://launchpad.support.sap.com/#/softwarecenter/search/sapsetupslc06 and install it on my client where SAP Logon is installed

My szenario

I want to use SNC with a tool we build. In the szenario i have to use SNC Client Encryption without Single Sign On. I have a Win2K12 Domain Controller with Active Directory and a Win2K12 with SAP ERP EHP8 (hyperion.snc.local). Domain named snc.local.

On the Domain Controller I created a user KerberbosE68 and set the user Attribute userPrincipalName to KerberosE6@SNC.LOCAL (is it case senitive?!)

I go to ASDI Edit and set the follow values:

On SAP I set the following Parameters:

  • snc/enable = 1
  • snc/gssapi_lib = C:\usr\sap\E68\ASC01\sec\sapcrypto.dll
  • snc/identity/as = p:CN=KerberosE68@SNC.LOCAL
  • spnego/enable = 1
  • snc/data_protection/use = 3
  • snc/data_protection/min = 2
  • snc/data_protection/max = 3
  • snc/accept_insecure_rfc = 1
  • snc/accept_insecure_gui = 1
  • snc/accept_insecure_cpic = 1
  • snc/accept_insecure_r3int_rfc = 1

As mentioned above, i try to use SPNEGO for Kerberos User Principal. I don´t know if it´s right way an i always got that message of missing SNCAX.dll. I entered this values and saved it. I got the Message "Keytab saved":

EDIT: In SU01 I choosed my user and entered p:CN=SAP/KerberosE68@SNC.LOCAL on SNC Tab.

I downloaded and installed Package 51042493 (SNC Client Encryption) on my client (where sap gui is installed)

I set the enviroment variable :

SNC_LIB = C:\Program Files (x86)\SAP\FrontEnd\SAPgui\Encryption\secgss.dll

On SAP GUI I set:

So can anyone tell how to setup a SNC szenario with Client encryption and without SSO. I read so much tutorials, forum posts etc. It won´t work. I really thank you

Kind Regards

Pierre

10 |10000 characters needed characters left characters exceeded
* Please Login or Register to Answer, Follow or Comment.

4 Answers

Best Answer
Carsten Olt Feb 25, 2017 at 04:30 PM
1

Hi Pierre,

  • for 1: you may have various issues, best possible your SNC based PSE wasn’t created correctly or credentials are missing.
  • for 2: check https://launchpad.support.sap.com/#/notes/2304831/E
  • for 3 and 4: forget t-code SPNEGO. This is only required for browser based Single Sign-On to Web AS ABAP (ICM) and not required (or even allowed in terms of licensing) in your scenario. Credential validation requires a specific frontend control which comes together with the SLC. You neither need SLC nor SPNego for SNC client encryption. I know as of newer SAP_BASIS releases (731 SP15 and 740 SP08) you can use transaction SPNEGO to configure the SNC keytab also, but I recommend the old school way via CLI ;)

OK, let’s start from the very beginning. You want to encrypt your DIAG/RFC communication using SNC, you require SNC Client encryption. As of release 7.30 SAP GUI comes with the SNC Client Encryption embedded, so you normally just enable it in the installer.

On the backend E68 make sure your CommonCryptoLib (latest 8.5.9) is correctly installed, $SECUDIR is set to /usr/sap/<SID>/<Instance>/sec more information you’ll find here https://launchpad.support.sap.com/#/notes/1848999/E

Don’t set the UserPrincipalName attribute for your KerberosE68 user, you don’t require it. A UPN can be implicitly or explicitly defined. An implicit UPN is of the form UserName@DNSDomainName. The implicit UPN is always associated with the user's account, even if an explicit UPN is not defined. It is the default ID information which is always included in the Kerberos tickets of a user. An explicit UPN is of the form Name@Suffix, where both the name and suffix strings are explicitly defined by the administrator. Source: https://msdn.microsoft.com/de-de/library/windows/desktop/aa380525.aspx --> please remove the UPN.

Now to the ServicePrincipalName (SPN) attribute. Please remove the HTTP/…. SPN, you don’t need it for SNC. The other SPN SAP/KerberosE68 looks good. Make sure, there are no duplicate SPNs registered in AD. Check with setspn -X -F to avoid duplicate SPNs.

Now the profile parameters – use the following, and remove the spnego/enable or set to “0”):

snc/enable = 1
snc/gssapi_lib = $(DIR_EXECUTABLE)$(DIR_SEP)$(FT_DLL_PREFIX)sapcrypto$(FT_DLL)
snc/identity/as = p:CN=KerberosE68@SNC.LOCAL
snc/data_protection/use = 3
snc/data_protection/min = 2
snc/data_protection/max = 3
snc/accept_insecure_rfc = 1
snc/accept_insecure_gui = 1
snc/accept_insecure_cpic = 1
snc/accept_insecure_r3int_rfc = 1
snc/r3int_rfc_secure = 0
snc/r3int_rfc_qop = 8
snc/permit_insecure_start = 1
snc/force_login_screen = 0

Note: you may not necessarily set the domain with the snc/identity/as parameter. Just p:CN=KerberosE68 would also do it. You can also make use of snc/only_encrypted_gui and snc/only_encrypted_rfc parameters. In that case, review SAP Note 1690662

Create the SAPSNCSKERB.pse incl. the Kerberos keytab via CLI:

1. Clean up your $SECUDIR and remove any old SAPSNCSKERB.pse or cred_v2.

Navigate to $DIR_EXECUTABLE if required and not in $PATH.

Execute sapgenpse and make sure $SECUDIR correctly points to the ../sec directory of your AS ABAP.

Execute:

sapgenpse keytab -p SAPSNCSKERB.pse -x <PSE password> -a KerberosE68@SNC.LOCAL

...when prompted enter and confirm the password for the Domain service account, this way you avoid typos.

Create credentials:

sapgenpse seclogin -p SAPSNCSKERB.pse -x <PSE password> -O SAPServiceE68 –N

Check credentials for user SAPServiceE68, must show valid credentials:

sapgenpse seclogin -l -O SAPServiceE68

..then restart your SAP system, now it should start and correctly initialize SNC (i hope so ;))

Your SAP GUI configurations seems to look ok, should work now...

Hope that helps, have fun!

Cheers,
Carsten

Share
10 |10000 characters needed characters left characters exceeded
Pierre Fey Feb 27, 2017 at 03:21 PM
0

Hello Carsten,

I really really thank you. You helped me much, it finally works. After i know what to do, it looks so easy!

Kind Regards!

Share
10 |10000 characters needed characters left characters exceeded
Pierre Fey Feb 28, 2017 at 11:51 AM
0

Hello Carsten

maybe you can help me.

I had to restart the Client where SAP Logon is installed. After that restart I got the message:

This is screenshot from my logs

This is my process:

When I restart the client PC and open Secure Login Client I got this:

Then i right click on Kerberos Token -> Login and Login as KerberosE68. The result is:

Is that nessesary?

Well, then i open the SAP Logon Client and double click my SAP System. The Secure login CLient pops up and I have to choose a token. I choose the KerberosE68 Token.

Then I got the error Message.

I can´t find the right solution on the net.

Kind regards

Pierre


Share
10 |10000 characters needed characters left characters exceeded
Pierre Fey Mar 01, 2017 at 10:28 AM
0

Ok the issue was the SPN.

In Windows I was logged in with the user Administrator. The SPN "SAP/KerberosE68" was bind to User KerberosE68. I used the command setspn -A SAP/KerberosE68 Administrator. AFter that i can login again

Share
10 |10000 characters needed characters left characters exceeded