SAP instance doesn't come up after setting up SNC

Former Member
0 Kudos

Dear all,

we're in the process of implementing SSO for SAP Application servers on our IBM AIX infrastructure.

We performed all the steps related to the initial configuration as:

- installing the Kerberos client from the AIX Expansion DVD,

- configuring the Kerberos client making it point to our Windows Domain and Windows Domain Controller

- generating - via Windows AD tools - the keytab file

- importing the aforementioned keytab file into the proper AIX folder

- requesting the kerberos ticket through the "kinit -k (...)" command

- setting up the proper SAP profile parameters in order to enable the SAP instance to use SNC

 

Everything seemed to work fine on the Kerberos side; however, when we try to start up the instance, the procedure fails with the following error:

N  *** ERROR => SncPAcquireCred()==SNCERR_GSSAPI  [sncxxall.c 1439]

N        GSS-API(maj): Miscellaneous failure

N        GSS-API(min): No credentials cache found

 

What we don't get is where the SAP system (or the O.S. library) tries to look for the credential cache file; we - in fact - created the file in multiple copies aiming to try to solve the issue, saving them into:

- the SAP user home,

- the "/tmp" folder,

- the "/var/krb5/security/creds" folder ( where, by the way, it should reside by default),

- the DIR_HOME folder

 

None of the above folders, however, seemed to be the correct one, as the system - with the SNC parameters - still doesn't come up.

 

Could you please help us out?

 

If you need any information or clarifications, feel free to ask.

 

We uploaded the dev_traces, in case you may want to take a look.

 

Best Regards,

Luciano Dei Rossi

1 ACCEPTED SOLUTION

tim_alsop
Active Contributor
0 Kudos

<commercial spam removed by moderator>

10 REPLIES

tim_alsop
Active Contributor
0 Kudos

<commercial spam removed by moderator>

Former Member
0 Kudos

Tim,

first of all thanks for your quick answer.

During the setup, we read tons of notes, posts, blogs, etc,  about it, since we encountered the issue..

The strange thing, is that we were following an official document from IBM which states that the configuration is possible.

Anyway, following your reply and also SAP's reply (which, basically, says they do not support Kerberos on Unix platforms) we decided to go with the SAP NetWeaver Single Sign-On 1.0 package.

It worked at least for the server-side part; the instance is up&running and everything seems fine..

We'll continue in the next days with the client configuration and we'll see how it goes.

Regards,

Luciano

tim_alsop
Active Contributor
0 Kudos

<commercial spam removed by moderator>

Former Member
0 Kudos

Dear Tim,

thanks for the answer.

As I wrote before, the SAP instance is now up&running with the Secure Client Library, provided by SAP itself.

As per your knowledge, is it necessary to install the Secure Login Client on the frontend workstations to let the whole SNC process work?

Because we're getting some errors once we try to launch the connection from the SAPLogon:

*** ERROR => SncPEstablishContext() failed for target='p:CN=USERNAME@DOMAIN.LOCAL' [sncxxall.c 3379]

*** ERROR => SncPEstablishContext()==SNCERR_GSSAPI  [sncxxall.c 3345]

      GSS-API(maj): Miscellaneous Failure

      GSS-API(min): SSPI::IniSctx#1()==Specified target is unknown or unreachable

    Unable to establish the security context

    target="p:CN=USERNAME@DOMAIN.LOCAL"

<<- SncProcessOutput()==SNCERR_GSSAPI

*** ERROR => TmIWrite: SncProcessOutput (SNCERR_GSSAPI) [dpxxtm.c     1782]

*** ERROR => TmIConnect: TmIWrite [dpxxtm.c     948]

TM_LAYER TmConnect <<

Thanks in advance.

I opened another thread for this problem, that you may want to look at: http://scn.sap.com/thread/3178284

Regards,

Luciano

0 Kudos

Dear Luciano,

so if you still have the problem with Secure Login Library or Secure Login Client (SAP NW SSO) I am sure our support will help you!

Component: BC-IAM-SL at the SAP support portal.

Have a nice weekend

Regards

Matthias

Former Member
0 Kudos

Dear Matthias,

thanks for your reply.

I already - in fact - opened a customer message ( at first as BC-SEC-SNC, then it got changed by the support ), and I'm waiting for an answer from the SAP Support.

Before getting to open it, however, I opened a thread in SCN (the other one I'm referring to above) to understand if there was a basis for it.

I'll wait for the SAP Support and - in the meanwhile - we'll see if some members have a solution for me..

Thanks for your interest anyway.

Regards,

Luciano

0 Kudos

I am sure the support will find the problem. I think I saw this error message already one time. Perhaps it is an issue with the configuration of the ServicePrincipalName. If you have some time before the Service will answer you, check this configuration.

http://help.sap.com/nwsso10  -> Secure Login Library documentation

--> 3.2 SNC Kerberos Configuration

So you use the Kerberos integration - not the certificate version, right?

--> Did you configure the service name in AD correctly?

--> Please check also the SNC parameter - especially snc/identity/as

this line looks strange: 'p:CN=USERNAME@DOMAIN.LOCAL'

Regards

Matthias

Former Member
0 Kudos

Hi Luciano,

Was your problem fixed? Was the problem with the Service Principal Name?

Even I am stuck with a similar issue. Any help or pointer is highly appreciated.

-Shyam

Former Member
0 Kudos

Hi,

We had a very similar issue (see below the sapgui trace)  with NW SSO 2.0.

@Luciano, did you solve it?

  

*** ERROR => SncPEstablishContext() failed for target='p:CN=XXXXX@yyyyyy.com' [sncxxall.c 3379]

*** ERROR => SncPEstablishContext()==SNCERR_GSSAPI [sncxxall.c 3345]

GSS-API(maj): No credentials were supplied

Unable to establish the security context

target="p:CN=XXXXX@yyyyyy.com"

<<- SncProcessOutput()==SNCERR_GSSAPI

*** ERROR => TmIWrite: SncProcessOutput (SNCERR_GSSAPI) [dpxxtm.c 1782]

*** ERROR => TmIConnect: TmIWrite [dpxxtm.c 948

Former Member
0 Kudos

Hello Luciano Dei Rossi

How did you fix the error?

  *** ERROR => SncPAcquireCred()==SNCERR_GSSAPI  [sncxxall.c 1439]

N        GSS-API(maj): No credentials were supplied

N      Could't acquire ACCEPTING credentials for

N

N      name="p:CN=SAP/KerberosSS6@XXXX.COM"

-Sid
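
Added example, not part of any post in this thread and not SAP code: a small Python triage script that pulls each `Snc...()==SNCERR_...` error out of a dev trace together with its GSS-API major/minor text and the `target=`/`name=` line, so the server-start and SAP Logon failures quoted above can be compared side by side. The sample trace is assembled from lines quoted in the thread; the function names and the "server start" / "client connect" labels are assumptions of this example.

```python
import re
from collections import Counter

# Constructed sample, assembled from trace lines quoted in the thread above.
SAMPLE_TRACE = """\
N  *** ERROR => SncPAcquireCred()==SNCERR_GSSAPI  [sncxxall.c 1439]
N        GSS-API(maj): Miscellaneous failure
N        GSS-API(min): No credentials cache found
*** ERROR => SncPEstablishContext() failed for target='p:CN=USERNAME@DOMAIN.LOCAL' [sncxxall.c 3379]
*** ERROR => SncPEstablishContext()==SNCERR_GSSAPI  [sncxxall.c 3345]
      GSS-API(maj): Miscellaneous Failure
      GSS-API(min): SSPI::IniSctx#1()==Specified target is unknown or unreachable
    Unable to establish the security context
    target="p:CN=USERNAME@DOMAIN.LOCAL"
*** ERROR => TmIWrite: SncProcessOutput (SNCERR_GSSAPI) [dpxxtm.c     1782]
"""

ERR = re.compile(r"\*\*\* ERROR => (Snc\w+)\(\)==(SNCERR_\w+)\s+\[(\S+)\s+(\d+)")
GSS = re.compile(r"GSS-API\((maj|min)\):\s*(.+?)\s*$")
NAME = re.compile(r"\b(?:target|name)=[\"']([^\"']+)[\"']")

# Where each call failed in this thread's posts (a labelling assumption of this example).
STAGE = {"SncPAcquireCred": "server start", "SncPEstablishContext": "client connect"}

def parse_snc_errors(text):
    """Return one dict per 'Snc...()==SNCERR_...' error with its GSS-API detail."""
    events, cur = [], None
    for line in text.splitlines():
        m = ERR.search(line)
        if m:
            cur = {"func": m[1], "code": m[2], "src": f"{m[3]}:{m[4]}",
                   "stage": STAGE.get(m[1], "unknown"),
                   "maj": None, "min": None, "name": None}
            events.append(cur)
        elif "*** ERROR =>" in line:
            cur = None  # a different error line (e.g. TmIWrite) ends the current block
        elif cur is not None:
            g, n = GSS.search(line), NAME.search(line)
            if g:
                cur[g[1]] = g[2]      # fills "maj" or "min"
            elif n:
                cur["name"] = n[1]    # SNC name the call was made for
    return events

def summarize(events):
    """Count failures by (stage, function, lower-cased major status, minor status)."""
    return Counter((e["stage"], e["func"], (e["maj"] or "").lower(), e["min"]) for e in events)

if __name__ == "__main__":
    for key, count in summarize(parse_snc_errors(SAMPLE_TRACE)).items():
        print(count, key)
```
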