
How to enable SNC in SAP Netweaver AS ABAP?

Oct 24, 2016 at 10:38 AM


Former Member

How to enable SNC in SAP Netweaver AS ABAP? We are facing an issue after setting "snc/enable = 1" for the instance profile. After setting this value, we are not able to start the Netweaver server, as it is showing an SNC Initialization error.

Please help in addressing the issue.

Former Member

I am able to enable SNC; however, while integrating SAP Netweaver with IBM Identity Manager, I am getting the below error in the IBM TDI logs:

2016-10-25 22:35:16,896 ERROR [log4j.logger.com.ibm.di.admin] - CTGDIK220E Communication error with SAP R/3. The message is: 'Initialization of repository destination SAP_001_sapuser1_192.168.87.155_00_EN_null failed: CPIC-CALL: CMRCV on convId: 62243160


ERROR GSS-API(maj): Miscellaneous failure GSS-API(min): A2210210:Verification of own certificate by server faile target="p:CN=SNC, OU=DTAG, O=DTAG, C=IN"

TIME Tue Oct 25 22:35:16 2016


COMPONENT SNC (Secure Network Communication)


RC -4

MODULE sncxxall_mt.c

LINE 3604

DETAIL SncPEstablishContext

SYSTEM CALL gss_init_sec_context


Please help...


2 Answers

Matt Fraser
Oct 25, 2016 at 04:08 PM

Hi Tinu,

There's quite a bit more required than just enabling this profile parameter. The reason your system won't start afterwards is that you have to have a working Kerberos keytab setup first, and for that you also need some configuration in a Kerberos Domain Controller (KDC). For most of us working in Microsoft Active Directory domains, the AD domain controllers are the KDC.

The steps are outlined quite clearly in the PDF guide attached to Note 2185235: https://launchpad.support.sap.com/#/notes/0002185235.

Yuksel Akcinar also wrote a blog about this at https://blogs.sap.com/2016/01/28/is-your-sap-gui-connection-encrypted-can-someone-eavesdrop-your-data/.

Here are my notes from setting this up in my environment:

  • Create or modify a service account in AD (it's ok to use your SAP system's service account, e.g. "SAPServiceSID", although some might argue you should keep this separate). The account needs to support Kerberos AES 128/256 bit encryption, and you need to set an SPN (Service Principal Name) = "SAP/SAPServiceSID". Double check, using ADSI Edit, that the SamAccountName and the UPN exactly match the SPN, case-sensitive (except for the "SAP/" prefix). Any mismatches in case will cause a failure.
  • Create an environment variable on your server: SECUDIR = "E:\usr\sap\SID\DVEBMGS00\sec" (substitute correct drive and path for your server).
  • In a DOS prompt (for a Windows server), create your keytab: "sapgenpse keytab -p SAPSNCSKERB.pse -x -X -a SAPServiceSID@DOMAIN.COM" (obviously substitute your Active Directory domain here; also, it's important to capitalize the domain just like I did in the example).
  • In the same DOS prompt: "sapgenpse seclogin -p SAPSNCSKERB.pse -x <PSE password> -O SAPServiceSID"
  • Set up the profile parameters as defined in the guide, including "snc/enable = 1". An important one to get right, case-sensitive, is "snc/identity_as = p:CN=SAPServiceSID@DOMAIN.COM"
  • Restart the instance. If it still doesn't start, you'll find clues in the work process traces. Almost certainly it's a problem with the keytab, however, and the problems usually stem from incorrect passwords or case mismatches.
  • If you've got the server correctly restarting, the next step is to configure the clients:
      • Install SNC Client Encryption on the SAPGUI clients (distribute with a SAPGUI Installation Server).
      • In saplogon, configure the connection entry:
          • Activate Secure Network Communication
          • Use maximum security settings available
          • Check "SNC logon with user/password (no Single Sign-On)" (because SSO requires a different product with additional licensing)
      • Connect! If you're able to connect and see the lock icon in the lower right corner of SAPGUI, then it's all working.
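
A pre-restart consistency check for the case-sensitive names in the steps above, as an added example that is not part of the answer or of any SAP tooling. The function names and sample values are constructed; the account attributes are assumed to be copied by hand from ADSI Edit, and the UPN is compared only on the part before the "@".

```python
import re

AES128, AES256 = 0x08, 0x10  # bits of the AD attribute msDS-SupportedEncryptionTypes

def parse_profile(text):
    """Map parameter -> value from instance profile text, skipping comments."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)  # the value itself contains '='
            params[key.strip()] = value.strip()
    return params

def check_snc(profile_text, account, keytab_principal):
    """Return a list of findings; an empty list means the names line up."""
    findings = []
    params = parse_profile(profile_text)
    if params.get("snc/enable") != "1":
        findings.append("snc/enable is not 1")
    identity = params.get("snc/identity_as", "")
    m = re.fullmatch(r"p:CN=([^@]+)@(.+)", identity)
    if not m:
        return findings + ["snc/identity_as is not p:CN=<account>@<DOMAIN>"]
    name, domain = m.groups()
    sam = account["sAMAccountName"]
    if domain != domain.upper():
        findings.append("domain in snc/identity_as is not upper-case")
    if f"{name}@{domain}" != keytab_principal:
        findings.append("snc/identity_as differs from the keytab principal")
    if name != sam:  # exact, case-sensitive comparison
        findings.append("snc/identity_as name differs from sAMAccountName")
    if f"SAP/{sam}" not in account["servicePrincipalName"]:
        findings.append("SPN SAP/<sAMAccountName> is not set on the account")
    if account["userPrincipalName"].split("@", 1)[0] != sam:
        findings.append("UPN name part differs from sAMAccountName")
    if not account.get("msDS-SupportedEncryptionTypes", 0) & (AES128 | AES256):
        findings.append("account has no Kerberos AES encryption type enabled")
    return findings

# Constructed sample input (placeholder names taken from the answer above).
ACCOUNT = {"sAMAccountName": "SAPServiceSID",
           "userPrincipalName": "SAPServiceSID@domain.com",
           "servicePrincipalName": ["SAP/SAPServiceSID"],
           "msDS-SupportedEncryptionTypes": AES128 | AES256}
GOOD = "snc/enable = 1\nsnc/identity_as = p:CN=SAPServiceSID@DOMAIN.COM\n"
BAD = "snc/enable = 1\nsnc/identity_as = p:CN=sapservicesid@domain.com\n"

if __name__ == "__main__":
    for label, text in (("good", GOOD), ("bad", BAD)):
        print(label, check_snc(text, ACCOUNT, "SAPServiceSID@DOMAIN.COM"))
```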


Former Member Oct 26, 2016 at 05:48 AM

Hi Matt,

Thanks for the reply. However, I am doing this integration with IBM Identity Manager. I am able to enable SNC. However, communication is resulting in an error at the ISIM end.

It is updated in the post.

Please help, if you have any idea about this.

Thank you

