SNC Configuration to support X.509 and Kerberos for multiple non-trusted Active Directory domains

Hello All,

We are trying to configure SNC for an SAP system to support X.509 and Kerberos for multiple non-trusted domains.

Here is the scenario. The SAP systems reside in A.C.X.com, and all subdomains in C.X are trusted. We have another tree under X.com, B.D.X.com, where B.D.X.com is not trusted by A.C.X.com. We need Kerberos and X.509 support for the SAP systems in this scenario for users and third-party solutions (using RFC) connecting to the SAP system securely.

We created two service accounts, a.c.x.com/axyz and b.d.x.com/bxyz, with the same SPN SAP/SL-ABAP-XYZ, provided snc/identity/as = p:CN=SL-ABAP-XYZ, and created a keytab under the PSE SAPSNCSKERB.pse for both service users a.c.x.com/axyz and b.d.x.com/bxyz. SAP is starting fine, but SNC is not working with X.509 as well as Kerberos in both domains. It is giving this error message:

A221021D Server refuses offered key exchange algorithms.

I also configured the SNC name as p:CN=SL-ABAP-XYZ in the GUI.

Can someone assist me with what went wrong with this?

Thanks,

Kiran.
