
SSO2.0 SP4 Kerberos token - different domain setup issue


Hello,

We are trying to set up SAPGUI SSO using SAP NetWeaver SSO 2.0 SP4 based on Kerberos tokens. Our SAP system is hosted in a cloud and we have created a service user SL-ABAP-ED1 in the domain "abc.xyz.domainA.com". The SPN has also been registered and can be viewed as SAP/SL-ABAP-ED1. Our users are trying to log in to SAPGUI installed on a Win 2012R2 terminal server. We have installed Secure Login Client 2.0 SP4 on the terminal server. For the end user, we can see the Kerberos token in the Secure Login Client profiles as firstname.lastname@domainB.org. There is no domain trust between domain.com and domainB.org, as we have been told that when using SSO2, trust is not required between different domains.

On the server, the keytab has been created:

    Version  Time stamp                 KeyType   Kerberos name
          1  Wed Nov 26 17:14:47 2014   DES       SL-ABAP-ED1@abc.xyz.domainA.com
          1  Wed Nov 26 17:14:47 2014   AES128    SL-ABAP-ED1@abc.xyz.domainA.com
          1  Wed Nov 26 17:14:47 2014   AES256    SL-ABAP-ED1@abc.xyz.domainA.com
          1  Wed Nov 26 17:14:47 2014   RC4       SL-ABAP-ED1@abc.xyz.domainA.com

    T:\usr\sap\ED1\DVEBMGS00\SLL>sapgenpse seclogin -l -O domainA\SAPServiceED1
    running seclogin with USER="ed1adm"
    listing credentials for user "domain\SAPServiceED1" ...

    0 (LPS:OFF):
             (LPS:OFF): T:\usr\sap\ED1\DVEBMGS00\Sec\SAPSNCSKERB.pse

    1 readable SSO-Credentials available

In the profiles, we have the parameter snc/identity/as = p:CN=SL-ABAP-ED1

In the SAPGUI, we have enabled the SNC option and the SNC name is p:CN=SL-ABAP-ED1@abc.xyz.domainA.com. Here, we have tried all different combinations: p:CN=SL-ABAP-ED1, p:CN=SAP/SL-ABAP-ED1, p:CN=SAP/SL-ABAP-ED1@abc.xyz.domainA.com. None of them works.

Every time we get the same error message:

    GSS-API(mai): No credentials were supplied. Unable to establish the security context target= "p:CN=SL-ABAP-ED1" Error in SNC

In the Secure Login Client trace files, we see the following errors:

    [2014.11.26 20:16:07.376000][WARN ][sbus.exe            ][Kerberos    ][  4732] Getting kerberos ticket for 'SL-ABAP-ED1@abc.xyz.domainA.com' with algorithm 18 returned error
    [2014.11.26 20:16:07.376000][WARN ][sbus.exe            ][Kerberos    ][  4732]     0/C000018B The security database on the server does not have a computer account for this workstation trust relationship.
    [2014.11.26 20:16:07.377000][WARN ][sbus.exe            ][Kerberos    ][  4732] Getting kerberos ticket for 'SL-ABAP-ED1@abc.xyz.domainA.com' with algorithm 17 returned error
    [2014.11.26 20:16:07.377000][WARN ][sbus.exe            ][Kerberos    ][  4732]     0/C000018B The security database on the server does not have a computer account for this workstation trust relationship.
    [2014.11.26 20:16:07.378000][WARN ][sbus.exe            ][Kerberos    ][  4732] Getting kerberos ticket for 'SL-ABAP-ED1@abc.xyz.domainA.com' with algorithm 23 returned error
    [2014.11.26 20:16:07.378000][WARN ][sbus.exe            ][Kerberos    ][  4732]     0/C000018B The security database on the server does not have a computer account for this workstation trust relationship.
    [2014.11.26 20:16:07.378000][WARN ][sbus.exe            ][Kerberos    ][  4732] Getting kerberos ticket for 'SL-ABAP-ED1@abc.xyz.domainA.com' with algorithm  3 returned error
    [2014.11.26 20:16:07.378000][WARN ][sbus.exe            ][Kerberos    ][  4732]     0/C000018B The security database on the server does not have a computer account for this workstation trust relationship.
    [2014.11.26 20:16:07.379000][WARN ][sbus.exe            ][Kerberos    ][  4732] Getting kerberos ticket for 'SL-ABAP-ED1@abc.xyz.domainA.com' failed (user name is Firstname.Lastname@domainB.org)
    [2014.11.26 20:16:07.379000][TRACE][sbus.exe            ][sbus.dll    ][  4732] } 80004005

In another trace file, we have the following messages:

    [2014.11.26 20:16:07.379000][TRACE][saplogon.exe        ][sbusps.dll  ][  4164] { PSEProxy::getOwnCertificate
    [2014.11.26 20:16:07.379000][TRACE][saplogon.exe        ][sbusps.dll  ][  4164] }        0
    [2014.11.26 20:16:07.379000][TRACE][saplogon.exe        ][sbusps.dll  ][  4164] { PSEProxy::getOwnCertificate
    [2014.11.26 20:16:07.379000][TRACE][saplogon.exe        ][sbusps.dll  ][  4164] }        0
    [2014.11.26 20:16:07.379000][INFO ][saplogon.exe        ][GSS         ][  4164] Cli-40000000: No own key found
    [2014.11.26 20:16:07.379000][ERROR][saplogon.exe        ][GSS         ][  4164] Have no certificate and got no kerberos ticket
    [2014.11.26 20:16:07.379000][ERROR][saplogon.exe        ][GSS         ][  4164] Cli-40000000: --> Msg ClientHello         create  failed : errval=70000, minor_status=0

Can someone provide any information as to what is missing?

Thanks & regards,

Sid
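
An added example, not part of the original post and not SAP tooling: a small Python parser for the Secure Login Client trace format quoted above. It lists each Kerberos ticket attempt with its encryption type and NTSTATUS name, and compares the realm of the requested service principal with the realm of the logged-on user. The enctype names follow the standard Kerberos numbering and `STATUS_NO_TRUST_SAM_ACCOUNT` is the NTSTATUS name for `C000018B`; the function and field names are assumptions made for this example.

```python
import re

# Kerberos encryption type numbers as they appear in the "algorithm N" field.
ETYPES = {3: "des-cbc-md5", 17: "aes128-cts-hmac-sha1-96",
          18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}
NTSTATUS = {0xC000018B: "STATUS_NO_TRUST_SAM_ACCOUNT"}
# [timestamp][LEVEL][process][component][thread] message
LINE = re.compile(r"^\[(?P<ts>[^\]]+)\]\[(?P<level>[A-Z]+)\s*\]\[(?P<proc>[^\]]+?)\s*\]"
                  r"\[(?P<comp>[^\]]+?)\s*\]\[\s*(?P<tid>\d+)\]\s+(?P<msg>.*)$")
ATTEMPT = re.compile(r"Getting kerberos ticket for '([^']+)' with algorithm\s+(\d+) returned error")
STATUS = re.compile(r"^\d+/([0-9A-Fa-f]{8})\b")
FAILED = re.compile(r"Getting kerberos ticket for '([^']+)' failed \(user name is ([^)]+)\)")

def realm(principal):
    """Return the lower-cased realm part of name@REALM, or '' if absent."""
    return principal.rsplit("@", 1)[1].lower() if "@" in principal else ""

def summarize(trace):
    """Collect per-enctype ticket failures and the user/target realm comparison."""
    out = {"attempts": [], "target": None, "user": None, "cross_realm": None}
    pending = None  # attempt still waiting for its status line
    for raw in trace.splitlines():
        m = LINE.match(raw.strip())
        if not m or m["comp"] != "Kerberos":
            continue
        msg = m["msg"]
        if (a := ATTEMPT.search(msg)):
            pending = {"spn": a[1], "etype": ETYPES.get(int(a[2]), a[2]), "status": None}
            out["attempts"].append(pending)
        elif (s := STATUS.match(msg)) and pending:
            code = int(s[1], 16)
            pending["status"] = NTSTATUS.get(code, hex(code))
            pending = None
        elif (f := FAILED.search(msg)):
            out["target"], out["user"] = f[1], f[2]
            out["cross_realm"] = realm(f[1]) != realm(f[2])
    return out

# Sample input: six lines copied from the trace in the post above.
SAMPLE = """\
[2014.11.26 20:16:07.376000][WARN ][sbus.exe            ][Kerberos    ][  4732] Getting kerberos ticket for 'SL-ABAP-ED1@abc.xyz.domainA.com' with algorithm 18 returned error
[2014.11.26 20:16:07.376000][WARN ][sbus.exe            ][Kerberos    ][  4732]     0/C000018B The security database on the server does not have a computer account for this workstation trust relationship.
[2014.11.26 20:16:07.378000][WARN ][sbus.exe            ][Kerberos    ][  4732] Getting kerberos ticket for 'SL-ABAP-ED1@abc.xyz.domainA.com' with algorithm  3 returned error
[2014.11.26 20:16:07.378000][WARN ][sbus.exe            ][Kerberos    ][  4732]     0/C000018B The security database on the server does not have a computer account for this workstation trust relationship.
[2014.11.26 20:16:07.379000][WARN ][sbus.exe            ][Kerberos    ][  4732] Getting kerberos ticket for 'SL-ABAP-ED1@abc.xyz.domainA.com' failed (user name is Firstname.Lastname@domainB.org)
[2014.11.26 20:16:07.379000][TRACE][sbus.exe            ][sbus.dll    ][  4732] } 80004005
"""

if __name__ == "__main__":
    print(summarize(SAMPLE))
```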

