
Constrained Kerberos Delegation with CommonCryptoLib for SSO in AS ABAP

0 Kudos

Hello,

I'm trying to enable SSO to an AS ABAP server via Constrained Kerberos Delegation. I've gotten it working using gsskrb5 as my SNC Library, but I'm not able to get it working using CommonCryptoLib / Secure Login Client.

Here's an overview of my scenario.

1. The user logs in to a web service and attempts to access their AS ABAP service through our UI.

2. The web service sends the authentication request to a "middleware" .NET application that has been configured to present delegated credentials to the AS ABAP server. The application presents the credentials and retrieves the data requested by the web service user. Then it sends the data back to the web service, where it is presented to the user.

Looking in the Security Audit Logs, the error I'm getting is "No matching SAP account found for SNC name". I don't actually pass the SNC name of the caller along to the server, so I'm not sure what information is being used for SNC name. Does anyone know if there's a way to scrape this info from somewhere? I'd like to know the SNC name being presented.


Any other thoughts on things I can check to verify this scenario would be appreciated. I've mapped an AS ABAP user to a web service user in the same way I did for gsskrb5, except the SNC Name property is now p:CN=<name> instead of p:<name>.


Thanks!

0 Kudos

I'm trying to set up debugging of the SAPMSSY1 program (the source of the error according to the logs) using external breakpoints, but I'm not sure which user to set the breakpoints as. Since there apparently is no mapping for the SNC Name I'm using, which user should I execute the breakpoint as? The login isn't successful, so I shouldn't specify any user on the server, but the SAPMSSY1 program is being run, so it must be running at the request of some user.

0 Kudos

Does anyone know if Constrained Kerberos Delegation is even possible with this scenario?

Accepted Solutions (0)

Answers (1)

0 Kudos

Just talked to a BW engineer. Kerberos Constrained Delegation is not currently supported.