Skip to Content
0
Former Member
Dec 03, 2007 at 06:30 AM

SSO2 problem - ticket already expired

793 Views

Dear Gurus,

we have a little problem here with SSO between EP 7.0 to ABAP 620/640.

We observed that if the clock/time between the EP server and ABAP server differ by more than 2 minutes, the SSO will not work.

The problem is that our EP and ABAP reside on 2 different network segments, and they are connected to different time server in our company.

Unfortunately, the 2 "time servers" are not in synch and differ by more than 2 minutes.

Below is the result of setting trace_level=2 in the ABAP system.

======================================================

M Fri Nov 30 18:33:28 2007

M ThIUsrDel: th_rollback_usrdelentry = 1

N Fri Nov 30 18:33:30 2007

N conv_lang_iso2sap : no conversion necessary

N dy_set_sso_ticket: SSO logon data stored

N syssigni: SSO logon data retrieved

N dy_signi_ext: SSO TICKET logon (client 210)

N mySAPUnwrapCookie: was called.

N HmskiFindTicketInCache: Trying to find logon ticket in ticket cache.

N HmskiFindTicketInCache: Try to find ticket with cache key: 210:CE3DBCF6535C060C1AC3B47C970BB69E .

N HmskiFindTicketInCache: Couldn't find ticket in ticket cache.

N I don't need to ask RunningCompatibly to know: I'm >= 46C.

N mySAP: Got the following SSF Params:

N DN =CN=GRD

N EncrAlg=DES-CBC

N Format =PKCS7

N Toolkit =SAPSECULIB

N HashAlg =SHA1

N Profile =E:\usr\sap\ANA\DVEBMGS00\sec\SAPSYS.pse

N PAB =E:\usr\sap\ANA\DVEBMGS00\sec\SAPSYS.pse

N Got the codepage 1100.

N Got ticket (head) AjExMDAgAA9wb3J0YWw6Q0xBSUZPTkeIAAdkZWZh. Length = 472.

N MskiValidateTicket returns 0.

N Got content client = 000.

N Got content sysid = EPC .

N Got date 200711301030 from ticket.

N Cur time = 200711301033.

N Computing validity in hours.

N Computing validity in minutes.

N CurTime_t = 1196505180, CreTime_t = 1196505000

N validity: 120, difference: 180.000.

N *** ERROR => HMskiCheckValidity failed. [ssoxxkrn.c 856]

N dy_signi_ext: ticket expired

D *** ERROR => unknown dec format [diagoutp.c 1634]

========================================================

Can anyone give me an idea on how to set the validity to a larger value?

FYI, I don't think it has anything to do with login/ticket_lifetime in the portal as it is set as per default 8 hours.

Many thanks in advance.