SNC/SSO doesn't work after a restart

Dec 18, 2017 at 04:19 PM

Hi all

We've recently refreshed one of our systems and I can't get SSO/SNC to work again - well, at least not permanently.

It's a 7.31 system running a 722 (patch 101) kernel, so no SNCWIZARD or SPNEGO transactions. We set all the required parameters manually:

snc/extid_login_rfc = 1
snc/extid_login_diag = 1
snc/enable = 1
snc/accept_insecure_gui = 1
snc/accept_insecure_r3int_rfc = 1
snc/data_protection/min = 1
snc/data_protection/max = 3
snc/data_protection/use = 3
snc/permit_insecure_start = 1
snc/accept_insecure_rfc = 1
snc/gssapi_lib = $(SAPCRYPTOLIB)
snc/force_login_screen = 0
snc/accept_insecure_cpic = 1

Checked that $(SAPCRYPTOLIB) points to the right place (exe directory) and that libsapcrypto.o is present. Removed old entries showing with "sapgenpse seclogin -l" and added a keytab like so:

sapgenpse keytab -p /usr/sap/<SID>/DVEBMGS<SYSNO>/sec/SAPSNCS.pse -nopsegen -X <password> -a SAPService<SID>/v<sid>app01.domain@DOMAIN

This worked - got some warnings, but always get these:

!!! WARNING: Your kerberos PSE name does not end with 'KERB.pse'. !!!
WARNING: The ABAP server may not be able to use it.


Anyway - at this point - SSO works! We can log on via the login pad without entering a password, great.

Thing is, STRUST now shows a red/invalid entry under SNC SAPCryptolib. Had in my notes to restart the system and it would be ok after.

Nope - restarted it, and it breaks SSO - get the generic SNC error message when trying to log in:

A221021E: Server refused kerberos key exchange

Error in SNC

If we disable SNC in the login pad and login with a password, we can see STRUST now shows a green entry - and I can see SAPSNCS.pse has been updated when the system restarted. It's all very well it being green but no good if it breaks it!

Why does it replace this file on restart?

We've tried a few combinations now - 'replace' from STRUST, deleting it fully from STRUST, deleting at OS level etc etc - always results in the same - i.e. we can get it to work using the "sapgenpse keytab" command above (and not without) - but as soon as we restart the system - it breaks again!

Ok, short term solution is - don't restart the system! But how can we fix this long term? How do we make the "sapgenpse keytab" fix last permanently / stop SAP updating the file (incorrectly) when it restarts?

Thanks!
Ross


1 Answer

Ross Armstrong Dec 19, 2017 at 03:20 PM

Solved it. In our newer systems, it used SAPSNCS.pse which is fine but here STRUST was overwriting it. Instead we deleted the entries in STRUST, created a new PSE file from STRUST 'File' (not the SAPCryptolib section) called SAPKERBSNCS.pse and ran the sapgenpse commands on it:

sapgenpse keytab -p /usr/sap/<SID>/DVEBMGS10/sec/SAPSNCSKERB.pse -nopsegen -x <pass> -X <pass> -a SAPService<SID>/v<sid>app01.domain@DOMAIN
sapgenpse seclogin -p SAPSNCSKERB.pse -x <pass> -O <sid>adm


Works! Left STRUST with no entry under SAPCryptolib - not needed.

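The parameter list in the question accepts logons that bypass SNC, which is why the password logon with SNC disabled in the login pad still worked. As an added example (not part of the original posts), the Python below reviews those settings and checks a PSE file name against the 'KERB.pse' suffix from the sapgenpse warning; the function names and the PROFILE sample are assumptions constructed for illustration.

```python
# Added example: review of the SNC profile parameters quoted in the question.
# PROFILE is a constructed sample that repeats values from the post.
PROFILE = """\
snc/enable = 1
snc/accept_insecure_gui = 1
snc/accept_insecure_r3int_rfc = 1
snc/accept_insecure_rfc = 1
snc/accept_insecure_cpic = 1
snc/permit_insecure_start = 1
snc/data_protection/min = 1
snc/data_protection/max = 3
"""

# With value 1 these permit communication that is not protected by SNC.
INSECURE_ACCEPT = (
    "snc/accept_insecure_gui", "snc/accept_insecure_rfc",
    "snc/accept_insecure_r3int_rfc", "snc/accept_insecure_cpic",
    "snc/permit_insecure_start",
)
# Meaning of the snc/data_protection levels.
PROTECTION = {"1": "authentication only", "2": "integrity", "3": "privacy"}

def parse_profile(text):
    """Parse 'name = value' profile lines, skipping blanks and # comments."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        params[key.strip()] = value.strip()
    return params

def review_snc(params):
    """Return one finding per setting that weakens SNC enforcement."""
    findings = []
    if params.get("snc/enable") != "1":
        findings.append("snc/enable is not 1: SNC is switched off")
    for key in INSECURE_ACCEPT:
        if params.get(key) == "1":
            findings.append(f"{key} = 1: non-SNC communication is permitted")
    level = params.get("snc/data_protection/min")
    if level in PROTECTION and level != "3":
        findings.append(f"snc/data_protection/min = {level}: "
                        f"peers may negotiate {PROTECTION[level]}")
    return findings

def kerberos_pse_name_ok(path):
    """True if the name ends with the 'KERB.pse' suffix sapgenpse warns about."""
    return path.endswith("KERB.pse")

if __name__ == "__main__":
    print("\n".join(review_snc(parse_profile(PROFILE))))
```

Setting the accept_insecure parameters to 0 removes the password fallback used during this troubleshooting, so tighten them only once SNC logon survives a restart.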