
SNC Configuration to support X.509 and kerberos for multiple non trusted Active directory domains

kiran_vejendla2
Explorer
0 Kudos

Hello All,

We are trying to configure SNC for an SAP system to support X.509 and Kerberos for multiple non-trusted domains.

Here is the scenario. SAP systems reside in A.C.X.com and all sub domains in C.X are trusted. We have another tree under X.com like B.D.X.com where B.D.X.com is not trusted by A.C.X.com. We need Kerberos and X.509 support for SAP systems in this scenario for users and third-party solutions (using RFC) connecting to the SAP system securely.

We created two service accounts, a.c.x.com/axyz and b.d.x.com/bxyz, with the same SPN SAP/SL-ABAP-XYZ, provided snc/identity/as = p:CN=SL-ABAP-XYZ, and created a keytab under PSE SAPSNCSKERB.pse for both the service users a.c.x.com/axyz and b.d.x.com/bxyz. SAP is starting fine, but SNC is not working with X.509 as well as Kerberos in both domains. It is giving an error message:

A221021D Server refuses offered key exchange algorithms.

I configured the SNC name as p:CN=SL-ABAP-XYZ in the GUI also.

Can someone assist me with what went wrong with this?

Thanks,

Kiran.

4 REPLIES

LutzR
Active Contributor
0 Kudos

Hi, please go into more detail:

  • In which scenario did you get the error - SAP GUI or 3rd party solution?
  • Which software versions do you use on the client side (SLC) and on the server side (SLL, CCL)?

My first guess would be that there is a compatibility mismatch between server and client. (This error is what I get when I try to use "Encryption only" with an SLC 3.0 connecting to a system which only has an old SLL.)

Regards, Lutz

LutzR
Active Contributor
0 Kudos

And there are some support notes that can be found by searching with the term "A221021D" which point in different directions. They will be valuable to check.

kiran_vejendla2
Explorer
0 Kudos

Hi Lutz,

On the client side I am using SLC and on the server side CCL (Common Crypto Library). I am getting this error in SAP GUI; I did not try with RFC yet. During further investigation, I found that sncwizard / spnego are not able to find SPN names for the service users. This might be leading to this error with Kerberos authentication. SNC is working with X.509 but not for Kerberos. Any idea?

Thanks,

Kiran.

LutzR
Active Contributor
0 Kudos

Did you already check the notes? There are some hints on troubleshooting this message number.