Former Member

SNC Configuration to support X.509 and Kerberos for multiple non-trusted Active Directory domains

Hello All,

We are trying to configure SNC for an SAP system to support X.509 and Kerberos for multiple non-trusted domains.

Here is the scenario. SAP systems reside in A.C.X.com and all subdomains in C.X are trusted. We have another tree under X.com like B.D.X.com, where B.D.X.com is not trusted by A.C.X.com. We need Kerberos and X.509 support for SAP systems in this scenario for users and third-party solutions (using RFC) connecting to the SAP system securely.

We created two service accounts, a.c.x.com/axyz and b.d.x.com/bxyz, with the same SPN SAP/SL-ABAP-XYZ, provided snc/identity/as = p:CN=SL-ABAP-XYZ, and created a keytab under the PSE SAPSNCSKERB.pse for both service users a.c.x.com/axyz and b.d.x.com/bxyz. SAP is starting fine, but SNC is not working with X.509 or Kerberos in either domain. It gives the error message:

A221021D Server refuses offered key exchange algorithms.

I also configured the SNC name as p:CN=SL-ABAP-XYZ in the GUI.

Can someone help me work out what went wrong with this?

Thanks,

Kiran.


  • And there are some support notes that can be found by searching with the term "A221021D", which point in different directions. They will be valuable to check.

  • Former Member

    Hi Lutz,

    On the client side I am using SLC and on the server side CCL (Common Crypto Library). I am getting this error in SAP GUI; I did not try with RFC yet. During further investigation, I found that sncwizard / spnego are not able to find SPN names for the service users. This might be leading to this error with Kerberos authentication. SNC is working with X.509 but not for Kerberos. Any idea?

    Thanks,

    Kiran.

  • Did you already check the notes? There are some hints on troubleshooting this message number.


0 Answers