Skip to Content
avatar image
Former Member

problem when configuring sso to linux-systems with an W2k8-DC

Hello community,

we are planing to update our Windows domain controllers to Windows 2008 and i am responsible to test the SSO to our SAP-Systems.

For the systems running on a windows server, it was no problem. But the ones running under linux are causing some trouble and i cannot find a solution in SDN/SAPNet, with google or anywhere else. And so i'm starting a new thread for this.

Here is my test scenario:

name of domain: company.internal

name of W2k8-dc: dc2008

name of sap-server: sap15

sap-system-id: PUD

Here are the steps i have performed so far, mostly following a whitepaper from realtech which is linked to in other threads concerning sso/active directory/linux.

- create the user pudadm in the AD on dc2008 (cannot change password, password never expires)

- create a SPN with

setspn -A SAP_PUD/ COMPANY\pudadm

"COMPANY\pudadm" is the user logon name for pre-windows 2000 systems

- create a keytab with

ktpass -princ SAP_PUD/ @ COMPANY.INTERNAL -mapuser COMPANY\pudadm -crypto DES-CBC-MD5 -ptype KRB5_NT_PRINCIPAL -mapop set +desonly -pass <password for pudadm> -out sap.keytab

Output looks ok, and i copy this file to /tmp on sap15 the linux-server.

As root on sap15 i copy the key from sap.keytab to /etc/krb5.keytab by using ktutil (rkt / wkt). With ktutil i can see that there is no problem for this step, the key is properly copied to /etc/krb5.keytab. When i list the key with ktutil, the vno value is the same as the one in the output when creating the keytab file on dc2008.

Still being root, i try to get a ticket granting ticket and enter


and get the error "Key table entry not found while getting initial credentials". Which means, as far as i know, that either the host or the user is not listed in the keytab file.

I tried some other combinations with company.internal, COMPANY.INTERNAL or just COMPANY and so on, but had no luck.

Any help would be appreciated.

Thanks and reagrds,



- the blanks before and afther the @ are just here, beause of forum rules

- /etc/krb5.conf is configured

- i know about sap note 1292886 and the microsoft patch is already applied to the dc2008

Add comment
10|10000 characters needed characters exceeded

  • Follow
  • Get RSS Feed

2 Answers

  • Best Answer
    Nov 04, 2009 at 03:57 PM


    When you checked your keytab using ktutil, you mentioned that you checked the key version number (vno) but you didn't mention that you checked the principal name of the key. The principal name of the key in the keytab is what you need to enter when you use kinit -k



    Add comment
    10|10000 characters needed characters exceeded

    • Ulf,

      I can guarantee that using Windows 2000 domain controllers is not going to change anything. The problem you are having is locat to the linux host, since this error means that kinit cannot find the principal entry in the keytab - it hasn't even got as far as sending the as-req to the KDC (e.g. Active Directory).

      Regarding prices and commercial products - If you are intersted, I can give you a very competitive price quote.

      - Please remember that the cost is more than license costs when comparing open source Kerberos with commercially supported implementations. You also need to consider people cost and support. Look at how long it is taking you to make this work and the cost of your time ? If you are having difficulty with this now and then later your company deploys this solution, what happens if nobody can logon because of a broken Kerberos library ? Who do you get help from ?



  • avatar image
    Former Member
    Dec 10, 2009 at 10:14 AM

    i have worked on this every now and then in the past weeks and finally it looks as if it is working.

    As i have changed and tested many things, i can't remember everything but i want to give some clues where to look in case of problems before closing this answer.

    1. Pay very much attention on the ktpass-tool and how you call it. I fogot to set the -crypto parameter and it looks this was one reason for problems. I found the hint to check the encryption type in the keytab and in the ticket when i had the 'integrity check failure' and after creating a new keytab with explicitly 2-crypto DES-CBC-CRC" in the command it worked.

    2. Check your server time. This is obvious and normally all servers should get their time from one NTP-erver

    3. Check your syntax when entering commands. One time i entered "kinit ... SAPService/company.intern/COMPANY.INTERN" and thought the error would be in the krb5.conf. After editing i used the cursor keys to get the comand again and of course it did not work.

    4. With SLES SP3 it seems to be easier. I still have the problem, that on the SLES SP2 systems kinit will not get the ticket automatically. I have to call 'kinit SAPService/company.intern (at) COMPANY.INTERN' and get a prompt for the password. On SLES SP3 i call 'kinit -k -t <keytab> SAPService/company.intern (at) COMPANY.INTERN' and get the new ticket. I don't know if the SP3 does the trick, we will update our systems soon, but for the moment we can live with that.

    Conclusion: I don't now how many hours i spent on this. I would not say it is wasted time, because i learned a lot about kerberos and SSO. If you want a stable solution out of the box and have some money to spend, i'd recommend a 3rd-party-tool though. But if you have time and no pressure, try it with MIT-kerberos.



    Add comment
    10|10000 characters needed characters exceeded