01-23-2008 8:31 AM
Hello all,
I have set up an SSO scenario for my SAPGui environment with Windows Integrated Authentication
against my Solaris based SAP Systems.
This is my scenario:
- SAP Servers are installed on Solaris 10
- Domain Controller is a Windows 2003 with the forest in native 2003 mode
- Clients are Windows XP SP2
- SAPGui is version 7.10
- SAP Service User in AD: m00t1h
- SNC Identity (as in profile parameter snc/identity/as): p/krb5:m00t1h@IVV-VERBUND.DE
- SNC Library (as in profile parameter snc/gssapi_lib): /usr/local/kerberos/lib/64/libgssapi_krb5.so
Now my problem:
Whenever I try to connect to the SAP System with SSO from the SAPGui, I receive the following error:
GSS-API (maj): No valid credentials provided
GSS-API (min): No Kerberos SSPI credentials available for requested name
name="p:2031217@IVV-VERBUND.DE"
Where 2031217 is my SAP and my Windows Domain Username.
These are the steps I took to setup the SSO scenario:
- installed the MIT library 1.6.7 on the Solaris servers.
- created technical users for my SAP Systems in active directory.
- exported the kerberos key on the windows server
- imported the key in my keytable on the solaris side
- tested ability to authenticate a domain user from solaris command line to the windows AD - SUCCESS
kinit -V -k m00t1h
Authenticated to Kerberos v5
- configured a cronjob to renew the kerberos ticket
(* 0,3,6,9,12,15,18,21 * * * /usr/bin/kinit -k m00t1h)
- set the profile parameters in my SAP Systems according to the given environment
- installed the SAP GSSAPI Kerberos Wrapper library on the Windows Clients
- set the SNC identity of the SAP Server (p/krb5:m00t1h@IVV-VERBUND.DE) in the SAPLOGON.ini
- created the SNC mapping for my user in SU01 (p:2031217@IVV-VERBUND.DE)
- activated SNC in the SAP System
- restarted the SAP System - SUCCESS. SAP system comes up and obtains a valid kerberos ticket (lifetime 10h)
- Try to authenticate via SAPGui - BANG
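The values in the steps above (server SNC identity, SU01 mapping, cron renewal interval, ticket lifetime, and the GSS-API error text) can be cross-checked before touching the SAP profile again. The following script is an added example and is not code from the original post, from SAP, or from MIT Kerberos; the sample values are constructed from the post, and the SNC name grammar it assumes is the "p/krb5:user@REALM" / "p:user@REALM" form shown above. It reports where the configured names disagree with what SAPGui actually requested, and when they agree it points at the client's Windows logon session, which is where this thread's error turned out to live.

```python
# Added example: consistency checks for the SNC/Kerberos values described in the post.
# Assumptions: SNC names follow "p/krb5:user@REALM" (server) or "p:user@REALM" (SU01 mapping).
import re

# Matches "p:user@REALM" and "p/<mech>:user@REALM"; the mechanism is optional.
SNC_NAME_RE = re.compile(
    r"^p(?:/(?P<mech>[A-Za-z0-9]+))?:(?P<principal>[^@/]+)@(?P<realm>[^@]+)$"
)

# Constructed sample values taken from the post.
SERVER_IDENTITY = "p/krb5:m00t1h@IVV-VERBUND.DE"   # snc/identity/as
USER_MAPPING = "p:2031217@IVV-VERBUND.DE"          # SNC name entered in SU01
GSS_ERROR = """GSS-API (maj): No valid credentials provided
GSS-API (min): No Kerberos SSPI credentials available for requested name
name="p:2031217@IVV-VERBUND.DE"
"""


def parse_snc_name(name):
    """Return (mechanism, principal, realm); mechanism is None for the short 'p:' form."""
    m = SNC_NAME_RE.match(name.strip())
    if not m:
        raise ValueError("not a valid SNC name: %r" % name)
    return m.group("mech"), m.group("principal"), m.group("realm")


def parse_gss_error(text):
    """Extract major/minor status and the requested name from a SAPGui GSS-API error."""
    maj = re.search(r"GSS-API \(maj\):\s*(.+)", text)
    mn = re.search(r"GSS-API \(min\):\s*(.+)", text)
    name = re.search(r'name="([^"]+)"', text)
    return {
        "major": maj.group(1).strip() if maj else None,
        "minor": mn.group(1).strip() if mn else None,
        "requested_name": name.group(1) if name else None,
    }


def check_sso_setup(server_identity, su01_mapping, windows_user,
                    ticket_lifetime_h, renew_interval_h, gss_error=None):
    """Return a list of findings; an empty list means the values are consistent."""
    findings = []
    s_mech, s_principal, s_realm = parse_snc_name(server_identity)
    u_mech, u_principal, u_realm = parse_snc_name(su01_mapping)

    # The Kerberos wrapper expects the server identity with the p/krb5: prefix.
    if s_mech != "krb5":
        findings.append("snc/identity/as should use the p/krb5: prefix for the Kerberos wrapper")
    # Kerberos realms are case-sensitive; an AD realm is the upper-cased domain name.
    for label, realm in (("server identity", s_realm), ("SU01 mapping", u_realm)):
        if realm != realm.upper():
            findings.append("%s realm %r is not upper-case" % (label, realm))
    if s_realm != u_realm:
        findings.append("realm mismatch: server %r vs user mapping %r" % (s_realm, u_realm))
    # SU01 must map the exact principal the Windows client will present.
    if u_principal != windows_user:
        findings.append("SU01 mapping principal %r does not match Windows user %r"
                        % (u_principal, windows_user))
    # The server's keytab-based ticket must be renewed before it expires.
    if renew_interval_h >= ticket_lifetime_h:
        findings.append("cron renews every %dh but the ticket only lives %dh"
                        % (renew_interval_h, ticket_lifetime_h))

    if gss_error:
        err = parse_gss_error(gss_error)
        if err["requested_name"] and err["requested_name"] != su01_mapping:
            findings.append("SAPGui requested %r, which differs from the SU01 mapping %r"
                            % (err["requested_name"], su01_mapping))
        elif err["minor"] and "No Kerberos SSPI credentials" in err["minor"]:
            # Names agree, so the client-side SSPI has no ticket for this user:
            # look at the Windows logon session (a fresh logon refreshes the TGT).
            findings.append("names match; SSPI on the client holds no Kerberos credentials "
                            "for the user - check the Windows logon session")
    return findings


if __name__ == "__main__":
    for f in check_sso_setup(SERVER_IDENTITY, USER_MAPPING, "2031217", 10, 3, GSS_ERROR):
        print("-", f)
```

Run it with the real values from the profile, SU01 and the SAPLOGON.ini entry; the cron schedule in the post (every 3 hours) against a 10-hour ticket lifetime passes the renewal check, and the only remaining finding for the posted error is the client-side credential one.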
I have found a similar question in this thread
but nobody answered it so far - so I thought to try my luck.
I'm in desperate need of help here, as I could not find valid information on this error in
Google or SAP help.
Kind regards (points promised),
Christian
Edited by: Christian Guenther on Jan 23, 2008 9:35 AM
01-23-2008 11:58 AM
Christian,
I agree with Tim on the risks of using unsupported software, specifically on SAP servers, but his proposed solution is only one of many.
Your requirement can be addressed by many vendors with a SAP-certified solution (you can look in the [SAP Software Solution partner catalog|http://sspcatalog.sap.com/catalog/index.jsp]).
Specifically, there is a solution from my company ([SECUDE|http://www.secude.com]) on how to use SAPCRYPTOLIB (which is delivered and officially supported by SAP on Solaris) for a Kerberos-based SSO, so that you don't have to use 3rd-party software on your SAP server.
Peter
Edited by: Peter Adams on Jan 23, 2008 1:02 PM
Edited by: Peter Adams on Jan 24, 2008 2:10 PM
01-23-2008 9:11 AM
Christian,
As I mentioned in the other message, you are clearly using Kerberos libraries on UNIX which are not supported by SAP, so this is likely why you have not had much of a response. I suggest you try to imagine what would happen if you had this working, and your users were using the solution to logon to SAP in your production environment, then you had an issue which stopped users from logging on - who would you contact to get support?
So, in this scenario you are very much on your own, and this is why many companies "learn about" or "experiment" with Kerberos using open source libraries and then they realise the difficulties and contact a vendor such as CyberSafe, and purchase the TrustBroker products for SAP SNC/Kerberos.
Thanks,
Tim
01-23-2008 12:25 PM
Peter,
As you know, SDN should not be used to discuss which vendor's product is better, so using words like "not the best one from my perspective" should be avoided. Instead, you might want to think about using words such as "product <x> might meet your needs better because <y>"
It is obvious that since you work for Secude you will think your product is the best, but this customer has a specific set of needs and has clearly decided to use Kerberos libraries to meet their needs, and so mentioning your product, which DOES NOT use Kerberos for session security and authentication, but uses x.509 certificates instead is not very helpful to the customer in my opinion.
You also mentioned "SAPCRYPTOLIB for a Kerberos-based SSO" - this is NOT TRUE, since SAPCRYPTOLIB does not use Kerberos - it uses x.509 certificates for authentication. I need to correct you on this so that others reading this thread in future do not get wrong idea about this library.
Once again, let's NOT use SDN for vendor product comparisons. Instead, let's use SDN to help the customer by answering their questions and providing useful information related to their stated requirements.
Thanks again,
Tim
01-23-2008 1:28 PM
Tim,
I think your reply here is hypocritical.
You are completely omitting options to address the customer's requirement - isn't that even more biased?
I want to make sure that Christian knows his options - therefore I listed the SAP Software Solution Partner Catalog.
Unfortunately, we both haven't been able to help with the specific problem Christian has about the MIT Kerberos library. And we both suggest options how to address the requirements stated in the scenario. Christian's scenario is to leverage Kerberos on the Windows clients to authenticate the user and implement a secure SSO to an SAP server on Solaris. Our solution is able to do that, based on SAPCRYPTOLIB. So, I stick with my statement that we can do "Kerberos-based SSO with SAPCRYPTOLIB."
Peter
01-23-2008 1:53 PM
Peter,
If you want to discuss this further, let's make contact via email outside of SDN. As I mentioned in my last post, SDN is not appropriate for these vendor product related discussions.
To be 100% clear, the SAPCRYPTOLIB library does not implement Kerberos-SSO. If it did, then it would include Kerberos protocol support, and it doesn't - it only includes support for the x.509 gss-api mechanism, not the Kerberos gss-api mechanism. Any customer who wants Kerberos for SNC-based SAP SSO needs to use a library that implements that protocol, NOT SAPCRYPTOLIB.
Thanks,
Tim
01-23-2008 1:59 PM
> Peter,
>
> As you know, SDN should not be used to discuss which vendor's product is better, so using words like "not the best one from my perspective" should be avoided. Instead, you might want to think about using words such as "product <x> might meet your needs better because <y>"
That's absolutely correct:
Please refrain from advertising your products - and never judge (other vendors') products (although this has been legal, even in Germany, for a few years now).
I myself have to remain neutral (due to [SAP's Code of Business Conduct|http://www.sap.com/about/governance/statutes/codeofconduct.epx]). And I'd appreciate if you'd do the same.
01-23-2008 3:57 PM
Hi all,
thanks for all your replies and the interesting discussion. As was already mentioned, in my specific case the decision was made to go and give Kerberos with the freely available MIT Kerberos implementation on Solaris a try and that is what I'm doing right now.
I am sure there are a lot of good products out there to accomplish a single sign on solution between SAP Servers on Unix and Windows Active Directory. If we come to the point, after this pilot, that it is not working at all, or not working reliably, we will need to investigate the options mentioned in this thread and others available.
But until then, I have good news: The error was solved by logging in and out of the windows workstation!!! Bit strange, but who knows.
I will close this thread (after giving points for your efforts) and will need to open a new one, as I now have an even more bizarre error. This one seems to be related to kerberos protocol violations within Microsoft's Windows 2003 Server - sigh.
Again thanks to all of you,
Christian
01-23-2008 5:46 PM
> ... decision was made to go and give Kerberos with the freely available MIT Kerberos implementation on Solaris a try and that is what I'm doing right now.
Good luck!
> ... I now have an even more bizarre error ...
Well, hopefully this is not going to continue.
Otherwise: you can always decide to steer towards one of the "safe harbors" that have been advertised ...
01-23-2008 8:12 PM
Dear Tim and Peter,
This is not my field of expertise to remove comparative-advertising statements on, so I would appreciate it if you could self-moderate your posts (preferably before hitting the "post message" button - as indicated by Wolfgang).
Thanks,
Julius
01-23-2008 3:59 PM
The problem did not occur anymore after the user logged out and back in on his Windows workstation. The scenario, however, is still not up and running, but now a new error occurs that has nothing to do with this thread.
02-25-2008 4:02 PM
Hello all,
I found the solution to my problems and now have a working SSO with Windows Integrated Authentication.
The tools I used are:
MIT Kerberos Library,
SNC
MS Active Directory Server 2003
SAP System 4.7 and ECC 6 on Solaris 10
<removed_by_moderator>
Greetings,
Christian
Edited by: Julius Bussche on Feb 25, 2008 4:06 PM
Sorry, these are the rules. Besides, your real email address is visible in your SDN profile...
02-26-2008 10:44 AM
Hello Christian,
In addition to the option of linking a URL to your document, I have discovered that from the moderator's tools I can add attachments to individual posts - which can then be displayed / downloaded / printed by anyone who wants to when reading the post.
If you are interested, you can send the document to me and I will attach it for you.
Regards,
Julius