Skip to Content
author's profile photo Former Member
0
Former Member
Oct 26, 2016 at 11:23 AM

SAPGui and Kerberos with Suse Linux

645 Views

Hi,

We areconfiguring the SSO between the Windows AD and the SAPGui using Kerberos in one of our AP servers. Our SAP system is a SAP ECC EhP7 with Netweaver 7.40 where the CI is running on HP-UX but one of the AP servers is running in Linux3.12.49-11-default x86_64.

We have installed the following libraries:

krb5

krb5-32bit

krb5-client

The keytabfrom from the CI has been copied to the / etc directory on the AP server .Using the SIDADM user we have generated the ticket /usr/bin/kinit -k -t/etc/krb5.keytab ht1adm@XHIJT.SEV.COM.

On RZ10, we have added the following SNC parameters:

### SNC parameters

snc/permit_insecure_start = 1

snc/data_protection/use = 3

snc/data_protection/max = 3

snc/data_protection/min = 1

snc/accept_insecure_r3int_rfc = 1

snc/accept_insecure_rfc = 1

snc/accept_insecure_cpic = 1

snc/accept_insecure_gui = 1

snc/gssapi_lib = /usr/lib64/libgssapi_krb5.so.2

snc/enable = 1

snc/identity/as = p: ht1adm@XHIJT.SEV.COM

login/password_change_for_SSO = 0

The APserver can be started without problems but when we try to access to the system via SSO we have this error:

M ThSncCheckEnv: I'm SNC acceptor

M ThSncCheckEnv: initialized snc env

M ThSncCheckEnv: snc count of T16/U23: 1

M ThSncIn: process input data at7fe7ea30b008 with length 1812

N *** ERROR => SncPEstablishContext()==SNCERR_GSSAPI [sncxxall.c 3563]

N GSS-API(maj): No credentials were supplied, or the credentials were unavailableor inaccessible

N Unable toestablish the security context

N <<-SncProcessInput()==SNCERR_GSSAPI

M *** ERROR => ThSncIn:SncProcessInput (SNCERR_GSSAPI) [thxxsnc.c 1035]

M {root-id=00505684AB7D1EE6A2F91D63738B9A86}_{conn-id=00000000000000000000000000000000}_0

M *** ERROR => ThSncIn: SncProcessInput[thxxsnc.c 1040]

M {root-id=00505684AB7D1EE6A2F91D63738B9A86}_{conn-id=00000000000000000000000000000000}_0

M in_ThErrHandle: 1

M *** ERROR => ThSncIn:SncProcessInput (step 4, th_errno 44, action 1, level 1)[thxxhead.c 11560]

M {root-id=00505684AB7D1EE6A2F91D63738B9A86}_{conn-id=00000000000000000000000000000000}_0

Does anyone know what could be happening? We have already checked the SECUDIR and SECULIB and the server hostname it´s on the DNS.

SSO is working without problems in the CI that is running on HP-UX , problem is happening on the AP server which is running on SuSe Linux.

Thanks alot and best regards, Sapera