04-04-2017 7:11 AM
Hello All,
We are trying to configure SNC for an SAP system to support X.509 and Kerberos for multiple non-trusted domains.
Here is the scenario. SAP systems reside in A.C.X.com and all subdomains in C.X are trusted. We have another tree under X.com like B.D.X.com, where B.D.X.com is not trusted by A.C.X.com. We need Kerberos and X.509 support for SAP systems in this scenario for users and third-party solutions (using RFC) connecting to the SAP system securely.
We created two service accounts a.c.x.com/axyz and b.d.x.com/bxyz with the same SPN SAP/SL-ABAP-XYZ, provided snc/identity/as = p:CN=SL-ABAP-XYZ, and created a keytab under PSE SAPSNCSKERB.pse for both the service users a.c.x.com/axyz and b.d.x.com/bxyz. SAP is starting fine and SNC is not working with X.509 as well as Kerberos in both domains. It is giving an error message:
A221021D Server refuses offered key exchange algorithms.
I configured the SNC name as p:CN=SL-ABAP-XYZ in the GUI also.
Can someone assist me with what went wrong here?
Thanks,
Kiran.
04-05-2017 9:57 AM
Hi, please go into more detail.
My first guess would be that there is a compatibility mismatch between server and client. (This error is what I get when I try to use "Encryption only" with an SLC 3.0 connecting to a system which only has an old SLL.)
Regards, Lutz
04-05-2017 10:11 AM
And there are some support notes that can be found by searching with the term "A221021D" which point in different directions. They will be valuable to check.
04-05-2017 11:40 AM
Hi Lutz,
On the client side I am using SLC and on the server side CCL (Common Crypto Library). I am getting this error on SAP GUI; I did not try with RFC yet. During further investigation, I found that sncwizard / spnego are not able to find SPN names for the service users. This might be leading to this error with Kerberos authentication. SNC is working with X.509 but not for Kerberos. Any idea?
Thanks,
Kiran.
04-05-2017 2:44 PM
Did you already check the notes? There are some hints on troubleshooting this message number.