What is wrong with this SSO/SNC set up and why do I keep getting an error?

Aug 21, 2017 at 10:22 AM


We are having some difficulty enabling SSO in one of our ABAP systems. We have followed exactly the same steps as we did for another identical system, which also has a CI and a separate application server, namely:

Checked profiles consistency
Set snc/enable = 0 (due to some issues that can occur when this is set to 1 before other set up completed)
Set snc/identity/as = p:CN=SAPService / ci.hec. . . CO.UK
Set login/password_change_for_SSO = 2 (all in DEFAULT profile, made sure not set in CI or app server profiles)
Restarted system
Ran STRUST - opened up SNC SAPCryptolib, entered change mode, right click and 'Replace' and confirmed we wanted to replace the PSE
Set a password and saved (NB: this shows an entry of CN=SAPService / ci.hec. . . CO.UK, this is regardless of whether it's on the CI ( ci) or the app server ( app) - this is the same on our working system too)
Ran SNCWIZARD - taken the defaults, noted the snc parameter changes to the DEFAULT profile look good, skip the screen where it wants to run SPNEGO or STRUST, complete
Checked profiles now have:
snc/enable = 1
snc/extid_login_diag = 1
snc/extid_login_rfc = 1
spnego/enable = 1
Restarted system
Ran SPNEGO (SNC status showing green), added two lines with all encryption algorithms selected for:
SAPService / ci.hec. . . CO.UK
SAPService / app.hec. . . CO.UK
Added SNC entry to use profile: p:CN= @ . CO.UK
Enabled SNC in SAP GUI

Get an error:

GSS-API(maj): Miscellaneous failure
GSS-API(min): A2210217: The verification of the Kerberos ticket failed target="p:CN=SAPService / ci.hec. . . CO.UK"
Time -
Component SNC
Release 730
Version 6
Module sncxxall.c
Line 3551
Method SncPEstablishContext
Return Code -4
System Call gss_init_sec_context
Counter 19

Looks ok from the Windows AD side as far as I can tell; ran the command:
ldifde -r serviceprincipalname=HTTP/ .hec. . -f u:\ptdout.txt

The file shows the essential lines correctly:

cn: SAPService<SID>
sn: Service<SID>
description: SAP ABAP Single Sign on <SID>
givenName: SAP
distinguishedName: CN=SAPService<SID>,OU=Service Accounts,OU=HO,DC=<domain>,DC=co,DC=uk
instanceType: 4
displayName: SAPService<SID>
name: SAPService<SID>
sAMAccountName: SAPService<SID>
userPrincipalName: SAPService @ .
servicePrincipalName: HTTP/ .hec. .
servicePrincipalName: SAPService / app.hec. .
servicePrincipalName: SAPService / ci.hec. .
servicePrincipalName: SAPService / . .
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC= ,DC=co,DC=uk

So what's missing/wrong here?

At first I thought maybe we needed separate snc/identity/as entries for each server, but looking at the other working system with a CI and an app server, it is set up like this too - with just one snc/identity/as entry for the CI. I believe it needs to be this way as in STRUST - even though you see two entries under SNC SAPCryptolib (one for the CI and one for the app server), you can only enter one value anyway (i.e. the CI)?
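The question checks the ldifde export by eye against the snc/identity/as value and the SPNEGO entries. The script below is an added example, not code from the original post or from SAP: it parses an ldifde-style LDIF export and checks that the SAPService<SID> account holds an SPN matching snc/identity/as and one SAPService<SID>/<host> SPN per instance host. The sample export, the SID XYZ, the host names and the domain are constructed placeholders. The final duplicate-SPN check goes beyond the question's own checks (an SPN held by two accounts cannot be resolved to one key). It does not diagnose the failure reported here, where the fix turned out to be recreating the AD account; it only automates the consistency checks the post performs by hand.

```python
import base64

# Constructed sample in the shape of the ldifde export quoted in the question.
# SID "XYZ", the hosts and the domain are placeholders, not values from the post.
SAMPLE_LDIF = """\
dn: CN=SAPServiceXYZ,OU=Service Accounts,OU=HO,DC=example,DC=co,DC=uk
changetype: add
cn: SAPServiceXYZ
description: SAP ABAP Single Sign on XYZ
distinguishedName: CN=SAPServiceXYZ,OU=Service Accounts,OU=HO,DC=example,DC=co,DC=uk
sAMAccountName: SAPServiceXYZ
userPrincipalName: SAPServiceXYZ@example.co.uk
servicePrincipalName: HTTP/ci.hec.example.co.uk
servicePrincipalName: SAPServiceXYZ/app.hec.example.co.uk
servicePrincipalName: SAPServiceXYZ/ci.hec.example.co.uk
servicePrincipalName: SAPServiceXYZ/example.co.uk
"""

SNC_PREFIX = "p:CN="  # prefix of an snc/identity/as value for the Kerberos/SPNEGO library


def unfold(text):
    """Join LDIF continuation lines (a leading single space) onto the line before."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_ldif(text):
    """Parse ldifde output into a list of entries, each a dict attr -> [values].

    Multi-valued attributes such as servicePrincipalName keep every value.
    'attr:: value' carries a base64-encoded value and is decoded here.
    """
    entries, current = [], {}
    for line in unfold(text):
        if not line.strip():          # blank line separates entries
            if current:
                entries.append(current)
            current = {}
            continue
        if line.startswith("#"):
            continue
        attr, sep, value = line.partition(":")
        if not sep:
            continue
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        current.setdefault(attr, []).append(value)
    if current:
        entries.append(current)
    return entries


def check_sso_account(entries, snc_identity, sid, hosts):
    """Return a list of findings; an empty list means the export is consistent.

    snc_identity is the profile's snc/identity/as value, sid the system ID and
    hosts the fully qualified names of the CI and every application server.
    """
    findings = []
    account = f"SAPService{sid}"
    owners = [e for e in entries
              if e.get("sAMAccountName", [""])[0].lower() == account.lower()]
    if len(owners) != 1:
        findings.append(f"expected one account {account}, found {len(owners)}")
        return findings
    spns = {v.lower() for v in owners[0].get("servicePrincipalName", [])}

    # The SNC identity of the ABAP system must map onto an SPN held by the account.
    if not snc_identity.startswith(SNC_PREFIX):
        findings.append(f"snc/identity/as {snc_identity!r} does not start with {SNC_PREFIX}")
    elif snc_identity[len(SNC_PREFIX):].lower() not in spns:
        findings.append(f"snc/identity/as {snc_identity} matches no SPN on {account}")

    # Each instance host the SAP GUI may connect to needs its SAPService<SID>/<host> SPN.
    for host in hosts:
        if f"{account}/{host}".lower() not in spns:
            findings.append(f"missing SPN {account}/{host}")

    # An SPN registered on more than one account in the export cannot resolve to one key.
    seen = {}
    for e in entries:
        for v in e.get("servicePrincipalName", []):
            seen.setdefault(v.lower(), []).append(e.get("sAMAccountName", ["?"])[0])
    for spn, accounts in seen.items():
        if len(accounts) > 1:
            findings.append(f"SPN {spn} is registered on {', '.join(accounts)}")
    return findings


if __name__ == "__main__":
    result = check_sso_account(parse_ldif(SAMPLE_LDIF),
                               "p:CN=SAPServiceXYZ/ci.hec.example.co.uk", "XYZ",
                               ["ci.hec.example.co.uk", "app.hec.example.co.uk"])
    print("OK" if not result else "\n".join(result))
```

To run it against a real export, replace SAMPLE_LDIF with the file written by ldifde and pass the snc/identity/as value from the DEFAULT profile plus the CI and application server host names; an empty result means the export is at least self-consistent with the profile.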



3 Answers

Ross Armstrong Aug 21, 2017 at 10:30 AM

That's come out a little odd looking, as all the less than/greater than signs I put in to denote the SIDs, domains and hosts have gone blank!

So to clarify, entries are like so (symbols removed to avoid formatting now):

snc/identity/as = p:CN=SAPServiceSID/
STRUST entry: CN=SAPServiceSID/
SPNEGO entries:
SNC entry in user profile: p:CN=WindowsADuser@DOMAIN.CO.UK

Hope that clears things up.

Ross Armstrong Aug 21, 2017 at 10:33 AM

And from the Windows AD output:

servicePrincipalName: HTTP/

servicePrincipalName: SAPServiceSID/

servicePrincipalName: SAPServiceSID/

servicePrincipalName: SAPServiceSID/

Ross Armstrong Oct 23, 2017 at 03:42 PM

Fixed this by asking the Windows team to recreate the AD SAPServiceSID user - even though it worked with an old system with the same SID, it was created several years ago and it seems something changed - recreating from scratch fixed the issue.
