Hi
We are having some difficulty enabling SSO in one of our ABAP systems. We have followed exactly the same steps as we did for another identical system, which also has a CI and a separate application server, namely:
Checked profiles consistency
Set snc/enable = 0 (due to some issues that can occur when this is set to 1 before other set up completed)
Set snc/identity/as = p:CN=SAPService/ci.hec..co.uk@.CO.UK
Set login/password_change_for_SSO = 2 (all in DEFAULT profile, made sure not set in CI or app server profiles)
Restarted system
Ran STRUST - opened up SNC SAPCryptolib, entered change mode, right click and 'Replace' and confirmed we wanted to replace the PSE
Set a password and saved (NB: this shows an entry of CN=SAPService/ci.hec..co.uk@.CO.UK, this is regardless of whether it's on the CI (ci) or the app server (app) - this is the same on our working system too)
Ran SNCWIZARD - taken the defaults, noted the snc parameter changes to the DEFAULT profile look good, skip the screen where it wants to run SPNEGO or STRUST, complete
Checked profiles now have:
snc/enable = 1
snc/extid_login_diag = 1
snc/extid_login_rfc = 1
spnego/enable = 1
Restarted system
Ran SPNEGO (SNC status showing green), added two lines with all encryption algorithms selected for:
SAPService/ci.hec..co.uk@.CO.UK
SAPService/app.hec..co.uk@.CO.UK
Added SNC entry to use profile: p:CN=@.CO.UK
Enabled SNC in SAP GUI
Get an error:
GSS-API(maj): Miscellaneous failure
GSS-API(min): A2210217: The verification of the Kerberos ticket failed target="p:CN=SAPService/ci.hec..co.uk@.CO.UK"
Time -
Component SNC
Release 730
Version 6
Module sncxxall.c
Line 3551
Method SncPEstablishContext
Return Code -4
System Call gss_init_sec_context
Counter 19
Looks ok from the Windows AD side as far as I can tell; ran the command:
ldifde -r serviceprincipalname=HTTP/.hec..co.uk: -f u:\ptdout.txt
The file shows the essential lines correctly:
cn: SAPService<SID>
sn: Service<SID>
description: SAP ABAP Single Sign on <SID>
givenName: SAP
distinguishedName: CN=SAPService<SID>,OU=Service Accounts,OU=HO,DC=<domain>,DC=co,DC=uk
instanceType: 4
displayName: SAPService<SID>
name: SAPService<SID>
sAMAccountName: SAPService<SID>
userPrincipalName: SAPService@.co.uk
servicePrincipalName: HTTP/.hec..co.uk:
servicePrincipalName: SAPService/app.hec..co.uk
servicePrincipalName: SAPService/ci.hec..co.uk
servicePrincipalName: SAPService/..co.uk
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=,DC=co,DC=uk
So what's missing/wrong here?
At first I thought maybe we needed separate snc/identity/as entries for each server, but looking at the other working system with a CI and an app server, it is set up like this too - with just one snc/identity/as entry for the CI. I believe it needs to be this way as in STRUST - even though you see two entries under SNC SAPCryptolib (one for the CI and one for the app server), you can only enter one value anyway (i.e. the CI)?
Thanks
Ross
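An added example, not part of the original post and not SAP or Microsoft code: a Python check that compares an ldifde export with the Kerberos principals entered in snc/identity/as and SPNEGO, so the manual comparison above can be repeated on both systems. The SID `ABC`, the hostnames and the domain `example.co.uk` are constructed placeholders; the check assumes the part before `@` must be a registered servicePrincipalName and that the realm is the upper-case AD DNS domain.

```python
import base64
import re

# Constructed sample export (placeholder SID "ABC" and domain "example.co.uk").
SAMPLE_LDIF = """\
dn: CN=SAPServiceABC,OU=Service Accounts,OU=HO,DC=example,DC=co,DC=uk
sAMAccountName: SAPServiceABC
userPrincipalName: SAPServiceABC@example.co.uk
servicePrincipalName: HTTP/abcci.hec.example.co.uk
servicePrincipalName: SAPServiceABC/abcci.hec.example.co.uk
servicePrincipalName: SAPServiceABC/abcapp.hec.example.
 co.uk
"""

def parse_ldif(text):
    """Return one dict per entry: lower-cased attribute name -> list of values."""
    text = re.sub(r"\r?\n ", "", text)  # unfold LDIF continuation lines
    entries, cur = [], {}
    for line in text.splitlines() + [""]:  # trailing "" flushes the last entry
        if not line.strip():
            if cur:
                entries.append(cur)
                cur = {}
            continue
        m = re.match(r"([^:#][^:]*)(::?) ?(.*)", line)
        if not m:
            continue  # comment or unparsable line
        name, sep, val = m.groups()
        if sep == "::":  # base64-encoded value
            val = base64.b64decode(val).decode("utf-8", "replace")
        cur.setdefault(name.lower(), []).append(val)
    return entries

def check_principal(principal, entries):
    """Check 'name@REALM' (the text after p:CN=) against the exported accounts."""
    name, _, realm = principal.rpartition("@")
    owners = [e for e in entries
              if name.lower() in (s.lower() for s in e.get("serviceprincipalname", []))]
    if not owners:
        return ["no account in the export has servicePrincipalName " + name]
    findings = []
    if len(owners) > 1:  # an SPN must map to exactly one account
        findings.append("SPN is registered on %d accounts" % len(owners))
    for e in owners:
        dn = (e.get("dn") or e.get("distinguishedname") or [""])[0]
        expected = ".".join(re.findall(r"DC=([^,]+)", dn, re.I)).upper()
        if realm != expected:
            findings.append("realm %s differs from %s" % (realm, expected))
    return findings
```

An empty list means the principal is registered once and its realm matches the account's domain; it says nothing about the key material in the SPNEGO keytab.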