Former Member

SSO with AD

Hi,

I am trying to implement Single Sign-On with Microsoft Kerberos SSP as per the installation guide and changed the parameters as per the guide:

snc/enable = 1

snc/gssapi_lib =<DRIVE>:\%windir%\system32\<kerberos_file>.dll

snc/identity/as =p:SAPService<SAPSID>@<UPPERCASE_DNS_DOMAIN_NAME>

The domain name of my system as mentioned in the Properties of My Computer is WSE.wsmain.local and when I am mentioning snc/identity/as =p:SAPService @WSE.wsmain.local the dispatcher is not coming up and I think the root cause is this snc parameter only. I even tried snc/identity/as =p:SAPService @WSE.WSMAIN.LOCAL, p:SAPService @WSE as well as same with three more cases with adm like snc/identity/as =p: adm@WSE.WSMAIN.LOCAL and so on but the dispatcher is not coming up.

I am also pasting the log for dev_w0 for your reference:

trc file: "dev_w0", trc level: 1, release: "700"
N SncInit(): Initializing Secure Network Communication (SNC)
N PC with Windows NT (mt,ascii,SAP_UC/size_t/void* = 16/64/64)
N SncInit(): found snc/data_protection/max=3, using 3 (Privacy Level)
N SncInit(): found snc/data_protection/min=2, using 2 (Integrity Level)
N SncInit(): found snc/data_protection/use=9, using 3 (Privacy Level)
N SncInit(): found snc/gssapi_lib=C:\WINDOWS\system32\gx64krb5.dll
N File "C:\WINDOWS\system32\gx64krb5.dll" dynamically loaded as GSS-API v2 library.
N The internal Adapter for the loaded GSS-API mechanism identifies as:
N Internal SNC-Adapter (Rev 1.0) to Kerberos 5/GSS-API v2
N SncInit(): found snc/identity/as=p:SAPServiceW6R@WSE.WSMAIN.LOCAL
N *** ERROR => SncPAcquireCred()==SNCERR_GSSAPI [sncxxall.c 1432]
N GSS-API(maj): No valid credentials provided (or available)
N GSS-API(min): SSPI u2u-problem: please add Service principal for own account
N Could't acquire ACCEPTING credentials for
N
N name="p:SAPServiceW6R@WSE.WSMAIN.LOCAL"
M *** ERROR => ErrISetSys: error info too large [err.c 944]
M Tue Jun 29 19:11:31 2010
M LOCATION SAP-Server wss-cha-w6r_W6R_14 on host wss-cha-w6r (wp 0)
M ERROR GSS-API(maj): No valid credentials provided (or available)
M GSS-API(min): SSPI u2u-problem: please add Service principal for own a
M name="p:SAPServiceW6R@WSE.WSMAIN.LOCAL"
M TIME Tue Jun 29 19:11:31 2010
M RELEASE 700
M COMPONENT SNC (Secure Network Communication)
M VERSION 5
M RC -4
M MODULE sncxxall.c
M LINE 1432
M DETAIL SncPAcquireCred
M SYSTEM CALL gss_acquire_cred
M ERRNO
M ERRNO TEXT
M DESCR MSG NO
M DESCR VARGS GSS-API(maj): No valid credentials provided (or available);;;;
M ;;;;GSS-API(min): SSPI u2u-problem: please add Service principal for own a;;;;
M ;;;;name="p:SAPServiceW6R@WSE.WSMAIN.LOCAL"
M DETAIL MSG N
M DETAIL VARGS
M COUNTER 1
N SncInit(): Fatal -- Accepting Credentials not available!
N <<- ERROR: SncInit()==SNCERR_GSSAPI
N sec_avail = "false"
M ***LOG R19=> ThSncInit, SncInitU ( SNC-000004) [thxxsnc.c 230]
M *** ERROR => ThSncInit: SncInitU (SNCERR_GSSAPI) [thxxsnc.c 232]
M in_ThErrHandle: 1
M *** ERROR => SncInitU (step 1, th_errno 44, action 3, level 1) [thxxhead.c 10468]
M ThCallHooks: call hook >ThrSaveSPAFields< for event BEFORE_DUMP
M *** ERROR => ThrSaveSPAFields: no valid thr_wpadm [thxxrun1.c 724]
M *** ERROR => ThCallHooks: event handler ThrSaveSPAFields for event BEFORE_DUMP failed [thxxtool3.c 261]
M Entering ThSetStatError
M ThIErrHandle: do not call ThrCoreInfo (no_core_info=0, in_dynp_env=0)
M Entering ThReadDetachMode
M call ThrShutDown (1)...
M ***LOG Q02=> wp_halt, WPStop (Workproc 0 4088) [dpnttool.c 327]

Please suggest.

Regards,

Mridul


1 Answer

  • Posted on Jun 30, 2010 at 06:59 PM

    Hello,

    Please refer to note 352295 "Microsoft Windows Single Sign-On options", point "Windows 2003 continued":

    If you want to use gsskrb5.dll with Windows 2003 Active Directory, you MUST use gsskrb5.dll v1.0.8 or newer on all your servers and frontends and you will have to add a Service Principal to the Domain Service Account of your SAP AppServer in order to re-enable the rfc-1964 2-token Kerberos authentication which gsskrb5.dll needs to work. The Service Principal itself is not used, only the undocumented side-effect of re-enabling rfc-1964/rfc-4121 compliant authentication. Therefore the "hostname" part of the Service Principal name doesn't matter. (Win2K3sp2 seems to newly require that the Service Principal contains a slash character). You can use the Microsoft command line tool "SETSPN.EXE" to define the Service principal. If the Domain Service account of your SAP AppServer is "SAPServiceC11" in the NT4-style Domain "MYDOMAIN", you would type:

    SETSPN -A SAPServiceC11/dontcare MYDOMAIN\SAPServiceC11

    "SETSPN.EXE" is included on the Microsoft Windows installation CD in the Archive "\support\tools\support.cab"

    The Service Principal Name is required only when the Windows 2003 Domain is running at "Windows 2003" functional level, it is not necessary with a Windows 2000 Domain or a Windows 2003 Domain at "Windows 2000 mixed" functional level.

    regards,

    John Feely
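
An added example, not part of the original thread or of any SAP tooling: a Python triage function that reads the SNC lines of a dev_w0 trace, checks snc/identity/as against the p:<account>@<UPPERCASE_REALM> form from the question, and, when the "SSPI u2u-problem" minor status is present, builds the SETSPN command in the form quoted from note 352295. The function name, the sample trace and the MYDOMAIN placeholder for the NT4-style domain are assumptions.

```python
import re

# Constructed sample: SNC lines modelled on the dev_w0 trace in the question.
SAMPLE_TRACE = r"""
N SncInit(): found snc/gssapi_lib=C:\WINDOWS\system32\gx64krb5.dll
N SncInit(): found snc/identity/as=p:SAPServiceW6R@WSE.WSMAIN.LOCAL
N *** ERROR => SncPAcquireCred()==SNCERR_GSSAPI [sncxxall.c 1432]
N GSS-API(maj): No valid credentials provided (or available)
N GSS-API(min): SSPI u2u-problem: please add Service principal for own account
N SncInit(): Fatal -- Accepting Credentials not available!
"""

# Kerberos SNC name: "p:" prefix, account, "@", realm.
SNC_NAME = re.compile(r"^p:(?P<account>[^@\s]+)@(?P<realm>\S+)$")


def triage_snc_trace(trace, nt_domain="MYDOMAIN"):
    """Summarise an SNC start-up failure from dev_w0 trace text.

    nt_domain is a placeholder: the NT4-style domain name cannot be
    derived from the trace and must be supplied by the administrator.
    """
    found = dict(re.findall(r"found (snc/[\w/]+)=(\S.*?)\s*$", trace, re.M))
    major = re.search(r"GSS-API\(maj\):\s*(.+?)\s*$", trace, re.M)
    minor = re.search(r"GSS-API\(min\):\s*(.+?)\s*$", trace, re.M)
    result = {
        "identity": found.get("snc/identity/as"),
        "library": found.get("snc/gssapi_lib"),
        "major": major.group(1) if major else None,
        "minor": minor.group(1) if minor else None,
        "findings": [],
    }
    name = SNC_NAME.match(result["identity"] or "")
    if not name:
        result["findings"].append(
            "snc/identity/as is not of the form p:<account>@<REALM>")
        return result
    if name["realm"] != name["realm"].upper():
        result["findings"].append(
            "realm should be the upper-case DNS domain name")
    if result["minor"] and "u2u-problem" in result["minor"]:
        account = name["account"]
        result["findings"].append(
            "service account has no Service Principal Name registered")
        # Same shape as the command in the quoted note; host part is ignored.
        result["setspn"] = f"SETSPN -A {account}/dontcare {nt_domain}\\{account}"
    return result
```

Per the quoted note, the suggested command only applies when the domain runs at "Windows 2003" functional level.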


    • Former Member

      Hi,

      I am able to SSO login through my machine and some other machines where Windows XP SP2 is installed, but it's giving an error in SP3 stating "Unable to load the GSS-API DLL named gssapi32.dll".

      Please help.

      Regards,

      Mridul Gupta
