
Kerberos token create error

Hello All,

We are trying to configure SSO with Kerberos/SPNEGO. We have referred to various documents and SAP Notes for this, and everything seems fine as per the documents and SAP Notes.

When we try to log in from SAP GUI we get the error GSS-API(min): A2200210:Peer certificate verification failed (screen attached for reference).

When we checked the service principal names under transaction SPNEGO, we found a red indicator for the token check for service principal name HTTP/\sapsso.

When we checked it, it says Kerberos token create error: Failed to create SPNegoToken. The error in detail is below:

Message no. SPN023

Prerequisites
You have installed and licensed SAP Single Sign-On 2.0 or higher. It comes with a front-end control that enables you to validate users from the Active Directory database of the Microsoft Windows domain controller. See SAP Note 1943266.

Diagnosis
This message comes from the front-end control. The front-end control simulates a logon by trying to request a Kerberos token and by verifying it in the SAP system. The request for creating a Kerberos token fails. The origin of the error may be the front-end control or Active Directory.

Procedure
If you get this error message, contact your Active Directory administrator. Make sure that the Active Directory administrator configures this user correctly in Active Directory.


1 Answer

  • May 16, 2018 at 05:01 AM

    Hi ?

    First of all, please use proper names and salutations here; we are talking to persons, thank you.

    In short: first of all, I guess you have installed the Secure Login Client (SLC) with the Kerberos option enabled, right? I found two possible reasons from your description:

    1. The message from the Secure Login Client indicates you have still selected a profile with a certificate (maybe S-User) etc. Please try to select and enable the Kerberos profile in the Secure Login Client (a yellow star indicates the active profile).
    2. For SPNEGO the format you have used to create the SPN is incorrect. Please run setspn -l <username> and publish the output of the SPN value here. It seems it is HTTP/\sapsso; in that case remove the part "\sapsso" after the DNS name, it is not required.
    3. You need to have the SLC installed, which brings the required frontend components to communicate with the AD and check the keytabs for correctness.

    Good luck!

    Cheers, Carsten
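As an added example (not part of the original thread), the following PowerShell function checks SPN strings such as those printed by `setspn -L` for the `<service>/<host>[:port]` shape and flags the backslash seen in the question. The account name `svc-sapsso` and the sample output are constructed for illustration.

```powershell
# Added example (not from the original thread): validate SPN strings from setspn -L output.
# Kerberos SPNs use "/" as the separator; a backslash is never part of a valid SPN.
function Test-SpnFormat {
    param([Parameter(Mandatory)][string[]]$SetspnOutput)
    # <service>/<host>[:port][/<name>], with no backslash anywhere
    $pattern = '^(?<service>[A-Za-z0-9_-]+)/(?<host>[A-Za-z0-9.-]+)(:(?<port>\d+))?(/(?<name>[^\\/]+))?$'
    foreach ($line in $SetspnOutput) {
        $spn = $line.Trim()
        # skip the header line and blank lines that setspn prints
        if (-not $spn -or $spn -like 'Registered ServicePrincipalNames*') { continue }
        $problems = @()
        $warning  = ''
        if ($spn -match '\\') {
            $problems += 'contains a backslash; SPNs use "/" only'
        }
        if ($spn -notmatch $pattern) {
            $problems += 'does not match <service>/<host>[:port]'
        } elseif ($Matches.host -notmatch '\.') {
            # short host names register, but the SPN must match the SNC identity configured
            # on the SAP side; a missing domain suffix is worth a second look
            $warning = 'host part has no domain suffix; compare it with the SNC identity of the AS'
        }
        [pscustomobject]@{
            SPN      = $spn
            OK       = ($problems.Count -eq 0)
            Problems = ($problems -join '; ')
            Warning  = $warning
        }
    }
}

# Constructed sample resembling `setspn -L svc-sapsso`; the second entry mirrors HTTP/\sapsso from the question.
$sample = @(
    'Registered ServicePrincipalNames for CN=svc-sapsso,OU=Service Accounts,DC=example,DC=com:',
    '        HTTP/sapsso.example.com',
    '        HTTP/\sapsso',
    '        HTTP/sapsso'
)
Test-SpnFormat -SetspnOutput $sample | Format-Table -AutoSize

# On a domain-joined host, feed the real account's SPNs instead:
# Test-SpnFormat -SetspnOutput (setspn -L svc-sapsso)
```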
