Skip to Content

SSO issue: No Kerberos SSPI credentials available for requested name

Hello all,

I have setup an SSO scenario for my SAPGui environment with Windows Integrated Authentication

against my Solaris based SAP Systems.

This is my szenario:

- SAP Servers are installed on Solaris 10

- Domain Controller is a Windows 2003 with the forest in native 2003 mode

- Clients are Windows XP SP2

- SAPGui is version 7.10

- SAP Service User in AD: m00t1h

- SNC Identity (as in profile parameter snc/identity/as): p/krb5:m00t1h@IVV-VERBUND.DE

- SNC Library (as in profile partameter snc/gssapi_lib): /usr/local/kerberos/lib/64/libgssapi_krb5.so

Now my problem:

Whenever I try to connect to the SAP System with SSO from the SAPGui, I receive the following error:

GSS-API (maj): No valid credentials provided

GSS-API (min): No Kerberos SSPI credentials available for requested name

name="p:2031217@IVV-VERBUND.DE"

Where 2031217 is my SAP and my Windows Domain Username.

These are the steps I took to setup the SSO scenario:

- installed the MIT library 1.6.7 on the Solaris servers.

- created technical users for my SAP Systems in active directory.

- exported the kerberos key on the windows server

- imported the key in my keytable on the solaris side

- tested ability to authenticate a domain user from solaris command line to the windows AD - SUCCESS

kinit –V –k m00t1h

Authenticated to Kerberos v5

- configured a cronjob to renew the kerberos ticket

(* 0,3,6,9,12,15,18,21 * * * /usr/bin/kinit -k m00t1h)

- set the profile parameters in my SAP Systems according to given environemnt

- installed the SAP GSSAPI Keberos Wrapper library on the WIndows Clients

- set the SNC identity of the SAP Server (p/krb5:m00t1h@IVV-VERBUND.DE) in the SAPLOGON.ini

- created the SNC mapping for my user in SU01 (p:2031217@IVV-VERBUND.DE)

- activated SNC in the SAP System

- restarted the SAP System - SUCCESS. SAP system comes up and obtains a valid kerberos ticket (lifetime 10h)

- Try to authenticate via SAPGui - BANG

I have found a similar question in this thread

sso-with-kerberos-no-valid-credentials-provided

but nobody answered it so far - so I thought to try my luck.

I'm in desperate need for help here, as I could not find valid information on this error in

Google or SAP help.

Kind regards (points promised),

Christian

Edited by: Christian Guenther on Jan 23, 2008 9:35 AM

Add comment
10|10000 characters needed characters exceeded

  • Follow
  • Get RSS Feed

4 Answers

  • Best Answer
    avatar image
    Former Member
    Jan 23, 2008 at 11:58 AM

    Christian,

    I agree with Tim on the risks of using unsupported software, specifically on SAP servers, but his proposed solution is only one of many.

    Your requirement can be addressed by many vendors with a SAP-certified solution (you can look in the [SAP Software Solution partner catalog|http://sspcatalog.sap.com/catalog/index.jsp]).

    Specifically, there is a solution from my company ([SECUDE|http://www.secude.com]) how to use SAPCRYPTOLIB (which is delivered and officially supported by SAP on Solaris) for a Kerberos-based SSO, so that you don't have to use 3rd-party software on your SAP server.

    Peter

    Edited by: Peter Adams on Jan 23, 2008 1:02 PM

    Edited by: Peter Adams on Jan 24, 2008 2:10 PM

    Add comment
    10|10000 characters needed characters exceeded

    • Former Member Wolfgang Janzen

      Dear Tim and Peter,

      This is not my field of expertize to remove comparative-advertizing statements on, so I would appreciate it if you could self-moderate your posts (preferably before hitting the "post message" button - as indicated by Wolfgang).

      Thanks,

      Julius

  • Jan 23, 2008 at 09:11 AM

    Christian,

    As I mentioned in the other message, you are clearly using Kerberos libraries on UNIX which is not supported by SAP, so this is likely why you have not had much of a response. I suggest you try to imagine what would happen if you had this working, and your users were using the solution to logon to SAP in your production environment, then you had an issue which stopped users from logging on - who would you contact to get support ?

    So, in this scenario you are very much on your own, and is why many companies "learn about" or "experiment" with Kerberos using open source libraries and then they realise the difficulties and contact a vendor such as CyberSafe, and purchase the TrustBroker products for SAP SNC/Kerberos.

    Thanks,

    Tim

    Add comment
    10|10000 characters needed characters exceeded

  • Jan 23, 2008 at 03:59 PM

    The problem did not occur anymore after the user logged out and back in in his Windows workstation. The scenario however, is still not up and running, but now a new eror occurs, that has nothing to do with this thread.

    Add comment
    10|10000 characters needed characters exceeded

  • Feb 25, 2008 at 04:02 PM

    Hello all,

    I found the solution to my problems and now have a working SSO with Windows Integrated Authentication.

    The tools I used are:

    MIT Kerberos Library,

    SNC

    MS Active Directory Server 2003

    SAP System 4.7 and ECC 6 on Solaris 10

    <removed_by_moderator>

    Greetings,

    Christian

    Edited by: Julius Bussche on Feb 25, 2008 4:06 PM

    Sorry, these are the rules. Besides, your real email address is visible in your SDN profile...

    Add comment
    10|10000 characters needed characters exceeded

    • Former Member

      Hello Christian,

      In addition to the option of linking a URL to your document, I have discovered that from the moderator's tools I can add attachments to individual posts - which can then be displayed / downloaded / printed by anyone who wants to when reading the post.

      If you are interested, you can send the document to me and I will attach it for you.

      Regards,

      Julius