04-14-2017 11:10 AM
Hello colleagues,
I would like to ask you one question and hope you can help. Our SAP ABAP systems run on the MS Windows OS and we use the GSS-API library gx64krb5.dll to achieve SSO based on Kerberos. On our SAP ABAP systems we have the following parameters set, as an example:
snc/enable: 1
snc/gssapi_lib: C:\Windows\system32\gx64krb5.dll
snc/identity/as: pSAPServiceSID@domain.com
SAPGUI access via SNC and SSO has worked perfectly for years. Now our task is to enable SNC over RFC connections between our SAP ABAP systems. Technically we have achieved this by updating the RFC connections in SM59 to use SNC with type 3 (data confidentiality) and updating SNC0 to add the communication partner's SNC entry.
BUT, and here is where my question comes in, we need this SNC encryption over RFC connections to use only strong cryptographic algorithms like AES (128/192/256-bit key size), 3DES (168-bit key size) and RSA (2048-bit key size). I did not find any information anywhere on how to manage the encryption algorithms for the gx64krb5.dll library. I only found information on how to do the same for CommonCryptoLib (SAP Note 2338952 - CommonCryptoLib 8.5: Configuration Profile Parameters), but as far as I understand, when we use gx64krb5.dll, CommonCryptoLib is not in use for SNC (?). Maybe I am wrong... So, here are my questions:
1) Does anyone know how to manage / limit encryption algorithms used to encrypt SNC traffic while gx64krb5.dll is in use as snc/gssapi_lib?
2) Does anyone know if it is possible to use CommonCryptoLib to SNC-encrypt RFC traffic, while gx64krb5.dll is used in parallel to provide SNC encryption for the DIAG protocol of SAPGUI connections?
Thank you.
05-17-2017 6:21 PM
SAP Note 2115486 says this:
Windows 7 and Windows 2008 R2
Windows 7 and Windows 2008 R2 create new challenges for Kerberos interoperability, since they have single-DES enctypes disabled by default because of algorithm strength concerns.
gsskrb5.dll does not know nor care which Kerberos enctypes are used and can be used with all of them.
Which Kerberos enctypes are used is entirely a local matter of Microsoft Kerberos, and they are negotiated between all three communication peers participating in the Kerberos protocol exchanges: the Microsoft Kerberos SSP client, the Microsoft Kerberos Key Distribution Center (KDC), which is part of Microsoft's Active Directory, and the Microsoft Kerberos SSP server. I am not aware of a possibility to query or influence Kerberos enctype negotiation through Microsoft SSPI functions.
Therefore you will have to refer to documentation and support from Microsoft to obtain the information on the enctypes available for negotiation, and on the policy settings, OS versions, and user account attributes throughout Microsoft Windows that can affect the Kerberos enctype negotiation.
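The answer above points at the three places where Windows decides the enctype for an SNC/Kerberos session: the service account's msDS-SupportedEncryptionTypes attribute in AD, the host's "Network security: Configure encryption types allowed for Kerberos" policy, and the ticket the SSP actually obtained. The following PowerShell script, written as an added example for this thread and not taken from SAP Note 2115486 or any SAP documentation, reads all three from a Windows host so you can verify what gx64krb5.dll will end up using. It assumes the RSAT ActiveDirectory module is installed; the account name SAPServiceSID and the target name SAPServiceSID@domain.com are placeholders carried over from the question, not real identifiers.

```powershell
# Added example (not from the original post or SAP Note 2115486): inspect the
# inputs to Microsoft Kerberos enctype negotiation for an SAP SNC service.
# Assumes the RSAT ActiveDirectory module; account and target names are
# placeholders taken from the question and must be replaced with your own.
Import-Module ActiveDirectory

$ServiceAccount = 'SAPServiceSID'              # placeholder sAMAccountName of the SAP service user
$TargetName     = 'SAPServiceSID@domain.com'   # placeholder target name, same form as the SNC name

# Bit flags of msDS-SupportedEncryptionTypes and of the Kerberos policy
# value SupportedEncryptionTypes (documented Windows values).
$EncTypeFlags = [ordered]@{
    1  = 'DES_CBC_CRC'
    2  = 'DES_CBC_MD5'
    4  = 'RC4_HMAC_MD5'
    8  = 'AES128_CTS_HMAC_SHA1_96'
    16 = 'AES256_CTS_HMAC_SHA1_96'
}

function ConvertTo-EncTypeList {
    param([int]$Mask)
    if ($Mask -eq 0) { return @('(not set: OS defaults apply, RC4 remains negotiable)') }
    $EncTypeFlags.Keys | Where-Object { $Mask -band $_ } | ForEach-Object { $EncTypeFlags[$_] }
}

# 1. AD account attribute: the enctypes the KDC may use for service tickets to this SPN
$acct = Get-ADUser -Identity $ServiceAccount -Properties 'msDS-SupportedEncryptionTypes', ServicePrincipalNames
$mask = [int]($acct.'msDS-SupportedEncryptionTypes')
'Account {0}: msDS-SupportedEncryptionTypes=0x{1:X} -> {2}' -f `
    $acct.SamAccountName, $mask, ((ConvertTo-EncTypeList $mask) -join ', ')
'SPNs: {0}' -f ($acct.ServicePrincipalNames -join ', ')

# 2. Local policy: enctypes this host's Kerberos SSP is allowed to use at all
$polPath = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters'
$pol = Get-ItemProperty -Path $polPath -Name SupportedEncryptionTypes -ErrorAction SilentlyContinue
if ($pol) {
    'Host policy: SupportedEncryptionTypes=0x{0:X} -> {1}' -f `
        $pol.SupportedEncryptionTypes, ((ConvertTo-EncTypeList $pol.SupportedEncryptionTypes) -join ', ')
} else {
    'Host policy: not configured (OS default enctype set applies)'
}

# 3. Observed result: fetch a ticket for the SAP target and show its enctype
klist purge | Out-Null
klist get $TargetName | Out-Null
klist | Select-String -Pattern 'Server:|KerbTicket Encryption Type|Session Key Type'

# To restrict the service account to AES only (AES128 | AES256 = 0x18), uncomment:
# Set-ADUser -Identity $ServiceAccount -Replace @{'msDS-SupportedEncryptionTypes' = 24}
```

Run it on the SAP application server as a domain user; the third step shows the enctype the SSP actually negotiated, which is what gx64krb5.dll will wrap SNC traffic with. Changing msDS-SupportedEncryptionTypes on the service account affects every Kerberos client of that service, including SAPGUI workstations, so check the output of step 2 on a sample of those hosts before removing RC4, and reset the account password afterwards so AES keys exist for it.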