SNC Configuration to support X.509 and Kerberos for multiple non-trusted Active Directory domains

Apr 04, 2017 at 06:11 AM


Former Member

Hello All,

We are trying to configure SNC for our SAP system to support X.509 and Kerberos for multiple non-trusted domains.

Here is the scenario. The SAP systems reside in A.C.X.com, and all sub-domains in C.X are trusted. We have another tree under X.com, B.D.X.com, where B.D.X.com is not trusted by A.C.X.com. We need Kerberos and X.509 support for the SAP systems in this scenario, for users and for third-party solutions (using RFC) connecting to the SAP system securely.

We created two service accounts, a.c.x.com/axyz and b.d.x.com/bxyz, with the same SPN SAP/SL-ABAP-XYZ, configured snc/identity/as = p:CN=SL-ABAP-XYZ, and created a keytab under the PSE SAPSNCSKERB.pse for both service users a.c.x.com/axyz and b.d.x.com/bxyz. SAP starts fine, but SNC is not working with X.509 or Kerberos in either domain. It gives the error message

A221021D Server refuses offered key exchange algorithms.

I configured the SNC name as p:CN=SL-ABAP-XYZ in the GUI as well.

Can someone assist me with what went wrong here?

Thanks,

Kiran.


Hi, please go into more detail:

  • In which scenario did you get the error: SAP GUI or the 3rd-party solution?
  • Which software versions do you use on the client side (SLC) and on the server side (SLL, CCL)?

My first guess would be that there is a compatibility mismatch between server and client. (This error is what I get when I try to use "Encryption only" with an SLC 3.0 connecting to a system which only has an old SLL.)

Regards, Lutz


And there are some support notes, which can be found by searching for the term "A221021D", that point in different directions. They will be valuable to check.

Former Member

Hi Lutz,

On the client side I am using SLC and on the server side CCL (CommonCryptoLib). I am getting this error in SAP GUI; I did not try with RFC yet. During further investigation I found that sncwizard / SPNego are not able to find the SPN names for the service users. This might be leading to this error with Kerberos authentication. SNC is working with X.509 but not for Kerberos. Any idea?

Thanks,

Kiran.
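The question above registers one SPN on a service account in each of two non-trusted domains, and the follow-up reports that sncwizard / SPNego cannot find the SPN names. The following PowerShell check is an added example, not code from the original thread: it queries each domain directly for accounts holding that SPN and flags a domain where the SPN is missing or registered more than once. It assumes the ActiveDirectory module and read access to both domains (pass -Credential to Get-ADUser if the running account is not recognized in the other domain).

```powershell
# Added example (not from the original post): list the accounts that hold the
# SPN SAP/SL-ABAP-XYZ in each of the two non-trusted domains from the question.
# Assumes the ActiveDirectory module is installed and that the caller can read
# both domains (no trust is needed for a read when explicit credentials are used).
Import-Module ActiveDirectory

$spn     = 'SAP/SL-ABAP-XYZ'                 # SPN taken from the question
$domains = @('a.c.x.com', 'b.d.x.com')       # domain names taken from the question

foreach ($domain in $domains) {
    # -Server accepts a domain name or a specific DC; the filter matches any
    # account whose servicePrincipalName attribute contains the SPN.
    $holders = Get-ADUser -Server $domain `
                          -Filter "ServicePrincipalName -eq '$spn'" `
                          -Properties ServicePrincipalName, UserPrincipalName, Enabled

    if (-not $holders) {
        # Without a holder in this domain, its KDC cannot issue a ticket for the SAP SPN.
        Write-Warning "$domain : no account holds $spn"
        continue
    }
    if (@($holders).Count -gt 1) {
        # A duplicate SPN inside one domain breaks Kerberos authentication for that SPN.
        Write-Warning "$domain : $spn is registered on more than one account (duplicate SPN)"
    }
    foreach ($acct in $holders) {
        '{0,-12} {1,-10} enabled={2} upn={3}' -f $domain, $acct.SamAccountName,
                                                   $acct.Enabled, $acct.UserPrincipalName
    }
}

# Cross-check with the built-in tool, one query per target domain:
#   setspn -T a.c.x.com -Q SAP/SL-ABAP-XYZ
#   setspn -T b.d.x.com -Q SAP/SL-ABAP-XYZ
```

A healthy result lists exactly one enabled account per domain (axyz and bxyz in the question's naming); any warning points at the domain whose Kerberos path needs attention before looking further at the SNC settings.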


Did you already check the notes? There are some hints on troubleshooting this message number.
