on 09-24-2009 7:02 AM
Good Morning,
I have implemented an SSO solution with Microsoft Active Directory 2003, SNC and kerberos5, with our SAP Systems (4.7 ext. set 2, Linux SLES 10 SP2).
It works fine, but we have an error on some clients that I want to investigate.
Note that those clients never close the Windows session (reboot or shutdown of the PC) but they lock their computers (CTRL-ALT-DEL).
Some days, when those users try to connect to SAP, they receive the following error:
SNCERR_GSSAPI
An operation failed at the GSS-API level
Sec_avail=”false”
Error in SNC
Detailed information states that it is in the SNC Component the return code was -4 and the counter 2. The method was SncInit in the sncxx.c.
The problem ends if the user closes their Windows session and starts it again.
For technical reasons, a lot of my users can reboot the PC every day, so I have to figure out the reason for the problem and try to find a workaround.
Do you know this error?
Thanks in advance,
Federico Biavati
If it is only happening with some users then my guess is their time sync is incorrect with your Windows AD server.
ALL clients and servers must be time synced; if there is a difference of more than 2 minutes (from the server time) the ticket is marked as invalid. Check those users who are having problems, ensure they have set up NTP using 'net time' and are syncing to your Windows AD system. Also make sure your SAP system is synced to your Windows AD server.
Nelis
Just for your information, this is what Support replied to me:
> 28.09.2009 - 02:10:56 PST - Reply by SAP
> …
>
> please note, that the behaviour you describe originates from the
> Windows SSPI, which is not under control of SAP - neither in terms
> of configuration, nor in terms of support, corrections or patches.
> If your problems persist, you'll possibly need to contact Microsoft's
> support organization.
>
> Note 352295 refers to the related Microsoft Knowledge Base article
> KB885887. Please assure, that the related patches are implemented in
> your systems.
>
> Please also keep in mind, that SAP generally does NOT support the use
> of Kerberos on platforms different from Microsoft Windows (notes 150380
> and 352295).
>
>
> Kind regards
> …
I’ll take a look at that KB article, even if it seems to be an XP SP2 patch, and we are using XP SP3.
Regards,
Federico Biavati
I suspect that the kerberos ticket has expired and was not renewed. Rather than rebooting, can you have your users use ctrl-alt-del to lock their workstation, and then have them enter their domain credentials again? This usually solves the problem for us.
BTW, we've seen the exact same behavior when the application servers are running on Windows as when they were running on Linux, so I don't think it is a unix kerberos vs Windows interoperability problem.
Personally, I think that since Novell (SUSE) and Microsoft have become fast friends for the purposes of supporting interoperability, and since SAP has certified running on both platforms, SAP support needs to drop the "we don't support unix kerberos and active directory interoperability" stance. It's not like SAP supports every Linux distro and version under the sun; they only support SUSE and Red Hat and only specific versions with known kerberos library versions.
Just my 2 cents.
Brian
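One way to test the expired-ticket hypothesis from the post above on an affected client, as an added example that is not part of the original thread: parse the ticket cache listing and report whether a usable TGT is still present. It assumes the output layout of the Windows `klist` command with US-format dates; the sample listing, user, realm and service names are constructed.

```python
import re
from datetime import datetime

# Constructed sample in the layout printed by the Windows `klist` command.
# Assumptions: US date format; user, realm and service names are invented.
SAMPLE = """\
#0>  Client: jdoe @ EXAMPLE.LOCAL
     Server: krbtgt/EXAMPLE.LOCAL @ EXAMPLE.LOCAL
     Start Time: 9/21/2009 8:00:00 (local)
     End Time:   9/21/2009 18:00:00 (local)
     Renew Time: 9/28/2009 8:00:00 (local)
#1>  Client: jdoe @ EXAMPLE.LOCAL
     Server: SAPServiceXYZ @ EXAMPLE.LOCAL
     Start Time: 9/21/2009 8:05:00 (local)
     End Time:   9/21/2009 18:00:00 (local)
     Renew Time: 9/28/2009 8:00:00 (local)
"""

FIELD = re.compile(r"^\s*(?:#\d+>\s*)?(Client|Server|Start Time|End Time|Renew Time):"
                   r"\s*(.+?)\s*(?:\(local\))?\s*$")

def parse_klist(text):
    """Return one dict per cached ticket, with the time fields as datetimes."""
    tickets = []
    for line in text.splitlines():
        m = FIELD.match(line)
        if not m:
            continue
        key, value = m.groups()
        if key == "Client":          # a Client line starts a new ticket entry
            tickets.append({})
        if not tickets:
            continue                 # field seen before any ticket header
        if key.endswith("Time"):
            value = datetime.strptime(value, "%m/%d/%Y %H:%M:%S")
        tickets[-1][key] = value
    return tickets

def ticket_state(ticket, now):
    """Classify one ticket against the local clock."""
    if now < ticket["Start Time"]:
        return "not-yet-valid"       # seen when the client clock runs behind the KDC
    if now > ticket["End Time"]:
        return "expired"             # past End Time a ticket can no longer be renewed
    return "valid"

def has_valid_tgt(text, now):
    """True if the cache still holds a usable krbtgt ticket."""
    return any(t["Server"].startswith("krbtgt/") and ticket_state(t, now) == "valid"
               for t in parse_klist(text))
```

Running `has_valid_tgt` over the captured `klist` output at the moment the SNC error appears shows whether the session is still holding a TGT from days earlier.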
Just a thought
Is it possible that there is an authentication timeout from the AD for the ticket it has issued?
Pravin