
Single sign on between ABAP and AD

Jun 24, 2017 at 10:38 AM

Former Member

Hi Experts,

We have done the single sign-on between ABAP and AD as SAP suggested, but we are not able to log in without a password; it seems the configuration is not working.

Secure login client trace for reference, comments highly appreciated.

[MODULE ][THR_ID]
[2017.06.24 13:08:37.248000][ERROR][saplogon.exe ][GSS ][ 1280] Have no certificate and got no kerberos ticket
[2017.06.24 13:08:37.250000][ERROR][saplogon.exe ][GSS ][ 1280] Cli-40000000: --> Msg ClientHello create failed : errval=70000, minor_status=0
[2017.06.24 13:10:27.242000][ERROR][saplogon.exe ][GSS ][ 4960] Have no certificate and got no kerberos ticket
[2017.06.24 13:10:27.242000][ERROR][saplogon.exe ][GSS ][ 4960] Cli-40000001: --> Msg ClientHello create failed : errval=70000, minor_status=0
[2017.06.24 13:24:50.093000][ERROR][saplogon.exe ][GSS ][ 5256] Have no certificate and got no kerberos ticket
[2017.06.24 13:24:50.093000][ERROR][saplogon.exe ][GSS ][ 5256] Cli-40000002: --> Msg ClientHello create failed : errval=70000, minor_status=0


1 Answer

Best Answer
Carsten Olt Jun 28, 2017 at 03:47 PM
0

Hi,

Your SNC library on the client side (Secure Login Client), in conjunction with saplogon.exe, complains that it has no security token for SNC-based authentication against the SAP backend. At least that's what your trace snippet is telling us. Besides the fact that it is nearly impossible for one to answer your question because you are lacking many details, I would assume (with my glass sphere and some magic power) that you are using Kerberos.

You have to set up a service account and a UNIQUE SPN in AD for this service account. You have to enable SNC on the backend and create a proper SNC Kerberos keytab and credentials, and your system must be up and running with SNC enabled. The SNC identity of your backend has the value p:CN=<anyname>, xxxx and <anyname> must match the value for the SPN you registered in AD, e.g. SAP/<anyname>. And of course you need to enable SNC for the SAP GUI connection and specify the SNC name of the server, the same as the snc/identity/as parameter.

The issue seems to be on the client side and caused by the fact that the Windows PC does not get a Kerberos ticket from the KDC. You may be able to troubleshoot client-side Kerberos issues together with your AD team and make use of the CLI tool KLIST. Good luck!

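Added example, not part of the thread and not SAP tooling: a small Python helper that reads Secure Login Client trace lines in the format posted in the question, pairs each "got no kerberos ticket" error with the failed ClientHello on the same thread, and checks the SPN and SNC-name rule stated in the answer. The function names and the `SAPServiceABC` account name are hypothetical; the sample lines are the first four entries of the posted trace.

```python
import re

# Sample input: first four entries of the trace posted in the question.
SAMPLE_TRACE = """\
[2017.06.24 13:08:37.248000][ERROR][saplogon.exe ][GSS ][ 1280] Have no certificate and got no kerberos ticket
[2017.06.24 13:08:37.250000][ERROR][saplogon.exe ][GSS ][ 1280] Cli-40000000: --> Msg ClientHello create failed : errval=70000, minor_status=0
[2017.06.24 13:10:27.242000][ERROR][saplogon.exe ][GSS ][ 4960] Have no certificate and got no kerberos ticket
[2017.06.24 13:10:27.242000][ERROR][saplogon.exe ][GSS ][ 4960] Cli-40000001: --> Msg ClientHello create failed : errval=70000, minor_status=0
"""

# [timestamp][level][process][module][thread id] message
LINE_RE = re.compile(
    r"\[(?P<ts>[\d. :]+)\]\[(?P<level>\w+)\s*\]\[(?P<proc>[^\]]+?)\s*\]"
    r"\[(?P<module>\w+)\s*\]\[\s*(?P<thread>\d+)\]\s*(?P<msg>.*)")

def parse_trace(text):
    """Return one dict per well-formed trace line; header or junk lines are skipped."""
    return [m.groupdict() for m in map(LINE_RE.match, text.splitlines()) if m]

def failed_handshakes(entries):
    """Pair each 'no kerberos ticket' error with the ClientHello failure on the same thread."""
    pending, failures = {}, []
    for e in entries:
        if "got no kerberos ticket" in e["msg"]:
            pending[e["thread"]] = e["ts"]
        elif "ClientHello create failed" in e["msg"] and e["thread"] in pending:
            failures.append({"conn": e["msg"].split(":", 1)[0],
                             "thread": e["thread"],
                             "ts": pending.pop(e["thread"]),
                             "cause": "no Kerberos ticket obtained on client"})
    return failures

def spn_matches_snc_name(snc_name, spn):
    """Rule from the answer: <anyname> in p:CN=<anyname> must equal <anyname> in SAP/<anyname>.
    Exact (case-sensitive) comparison is an assumption of this example."""
    m = re.match(r"p:CN=([^,@\s]+)", snc_name)
    service, _, name = spn.partition("/")
    return bool(m) and service == "SAP" and m.group(1) == name

if __name__ == "__main__":
    for f in failed_handshakes(parse_trace(SAMPLE_TRACE)):
        print(f["ts"], f["conn"], "thread", f["thread"], "->", f["cause"])
    # Hypothetical service account name, for illustration only.
    print(spn_matches_snc_name("p:CN=SAPServiceABC, xxxx", "SAP/SAPServiceABC"))
```

Every failure in the posted trace falls into this one pattern, which points to ticket acquisition on the workstation rather than to the SAP GUI connection entry.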