Hello,
We are trying to set up SAPGUI SSO using SAP NetWeaver SSO 2.0 SP4 based on Kerberos tokens. Our SAP system is hosted in a cloud and we have created a service user SL-ABAP-ED1 in the domain "abc.xyz.domainA.com". The SPN has also been registered and can be viewed as SAP/SL-ABAP-ED1. Our users are trying to log in to SAPGUI installed on a Win 2012R2 terminal server. We have installed Secure Login Client 2.0 SP4 on the terminal server. For the end user, we can see the Kerberos token in the Secure Login Client profiles as firstname.lastname@domainB.org. There is no domain trust between domain.com and domainB.org, as we have been told that when using SSO2, trust is not required between different domains.
On the server, the keytab has been created:
Version Time stamp KeyType Kerberos name
1 Wed Nov 26 17:14:47 2014 DES SL-ABAP-ED1@abc.xyz.domainA.com
1 Wed Nov 26 17:14:47 2014 AES128 SL-ABAP-ED1@abc.xyz.domainA.com
1 Wed Nov 26 17:14:47 2014 AES256 SL-ABAP-ED1@abc.xyz.domainA.com
1 Wed Nov 26 17:14:47 2014 RC4 SL-ABAP-ED1@abc.xyz.domainA.com
T:\usr\sap\ED1\DVEBMGS00\SLL>sapgenpse seclogin -l -O domainA\SAPServiceED1
running seclogin with USER="ed1adm"
listing credentials for user "domain\SAPServiceED1" ...
0 (LPS:OFF):
(LPS:OFF): T:\usr\sap\ED1\DVEBMGS00\Sec\SAPSNCSKERB.pse
1 readable SSO-Credentials available
In the profiles, we have the parameter snc/identity/as = p:CN=SL-ABAP-ED1
In the SAPGUI, we have enabled the SNC option and the SNC name is p:CN=SL-ABAP-ED1@abc.xyz.domainA.com. Here, we have tried all the different combinations: p:CN=SL-ABAP-ED1, p:CN=SAP/SL-ABAP-ED1, p:CN=SAP/SL-ABAP-ED1@abc.xyz.domainA.com. None of them work.
Every time we get the same error message:
"GSS-API(mai): No credentials were supplied. Unable to establish the
security context target= "p:CN=SL-ABAP-ED1" Error in SNC
In the Secure Login Client trace files, we see the following errors:
[2014.11.26 20:16:07.376000][WARN ][sbus.exe ][Kerberos ][ 4732] Getting kerberos ticket for 'SL-ABAP-ED1@abc.xyz.domainA.com' with algorithm 18 returned error
[2014.11.26 20:16:07.376000][WARN ][sbus.exe ][Kerberos ][ 4732] 0/C000018B The security database on the server does not have a computer account for this workstation trust relationship.
[2014.11.26 20:16:07.377000][WARN ][sbus.exe ][Kerberos ][ 4732] Getting kerberos ticket for 'SL-ABAP-ED1@abc.xyz.domainA.com' with algorithm 17 returned error
[2014.11.26 20:16:07.377000][WARN ][sbus.exe ][Kerberos ][ 4732] 0/C000018B The security database on the server does not have a computer account for this workstation trust relationship.
[2014.11.26 20:16:07.378000][WARN ][sbus.exe ][Kerberos ][ 4732] Getting kerberos ticket for 'SL-ABAP-ED1@abc.xyz.domainA.com' with algorithm 23 returned error
[2014.11.26 20:16:07.378000][WARN ][sbus.exe ][Kerberos ][ 4732] 0/C000018B The security database on the server does not have a computer account for this workstation trust relationship.
[2014.11.26 20:16:07.378000][WARN ][sbus.exe ][Kerberos ][ 4732] Getting kerberos ticket for 'SL-ABAP-ED1@abc.xyz.domainA.com' with algorithm 3 returned error
[2014.11.26 20:16:07.378000][WARN ][sbus.exe ][Kerberos ][ 4732] 0/C000018B The security database on the server does not have a computer account for this workstation trust relationship.
[2014.11.26 20:16:07.379000][WARN ][sbus.exe ][Kerberos ][ 4732] Getting kerberos ticket for 'SL-ABAP-ED1@abc.xyz.domainA.com' failed (user name is Firstname.Lastname@domainB.org)
[2014.11.26 20:16:07.379000][TRACE][sbus.exe ][sbus.dll ][ 4732] } 80004005
In another trace file, we have the following messages:
[2014.11.26 20:16:07.379000][TRACE][saplogon.exe ][sbusps.dll ][ 4164] { PSEProxy::getOwnCertificate
[2014.11.26 20:16:07.379000][TRACE][saplogon.exe ][sbusps.dll ][ 4164] } 0
[2014.11.26 20:16:07.379000][TRACE][saplogon.exe ][sbusps.dll ][ 4164] { PSEProxy::getOwnCertificate
[2014.11.26 20:16:07.379000][TRACE][saplogon.exe ][sbusps.dll ][ 4164] } 0
[2014.11.26 20:16:07.379000][INFO ][saplogon.exe ][GSS ][ 4164] Cli-40000000: No own key found
[2014.11.26 20:16:07.379000][ERROR][saplogon.exe ][GSS ][ 4164] Have no certificate and got no kerberos ticket
[2014.11.26 20:16:07.379000][ERROR][saplogon.exe ][GSS ][ 4164] Cli-40000000: --> Msg ClientHello create failed : errval=70000, minor_status=0
Can someone provide any information as to what is missing?
Thanks & regards,
Sid
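
Added example, not part of the original post: a Python script that reads Secure Login Client trace lines like the ones quoted above, names the Kerberos encryption type behind each "algorithm" number, decodes the NTSTATUS code, and reports whether the user's realm differs from the service principal's realm. The function names and regular expressions are assumptions based only on the line format visible in the post; the sample lines are copied from it.

```python
import re

# Kerberos encryption type numbers, as logged after "algorithm"
ETYPES = {3: "des-cbc-md5", 17: "aes128-cts-hmac-sha1-96",
          18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}
# NTSTATUS names; only the code that appears in the post is listed
NTSTATUS = {0xC000018B: "STATUS_NO_TRUST_SAM_ACCOUNT"}

TICKET_RE = re.compile(r"Getting kerberos ticket for '([^']+)' with algorithm (\d+) returned error")
STATUS_RE = re.compile(r"\]\s*\d+/([0-9A-Fa-f]{8}) ")
FAILED_RE = re.compile(r"Getting kerberos ticket for '([^']+)' failed \(user name is ([^)]+)\)")

P = "[2014.11.26 20:16:07.376000][WARN ][sbus.exe ][Kerberos ][ 4732] "
T = "Getting kerberos ticket for 'SL-ABAP-ED1@abc.xyz.domainA.com' "
S = "0/C000018B The security database on the server does not have a computer account for this workstation trust relationship."
# Sample input rebuilt from the trace lines in the post (timestamps collapsed to one value)
SAMPLE = [P + T + "with algorithm 18 returned error", P + S,
          P + T + "with algorithm 17 returned error", P + S,
          P + T + "with algorithm 23 returned error", P + S,
          P + T + "with algorithm 3 returned error", P + S,
          P + T + "failed (user name is Firstname.Lastname@domainB.org)"]

def realm(principal):
    """Return the lower-cased realm part of name@REALM, or '' if absent."""
    return principal.rsplit("@", 1)[1].lower() if "@" in principal else ""

def summarize(lines):
    """Pair each ticket attempt with the status line that follows it."""
    report = {"attempts": [], "service": None, "user": None, "realm_mismatch": None}
    pending = None
    for line in lines:
        if (m := TICKET_RE.search(line)):
            pending = {"etype": ETYPES.get(int(m.group(2)), "unknown"), "status": None}
            report["attempts"].append(pending)
        elif (m := STATUS_RE.search(line)) and pending:
            code = int(m.group(1), 16)
            pending["status"] = NTSTATUS.get(code, "0x%08X" % code)
            pending = None
        elif (m := FAILED_RE.search(line)):
            report["service"], report["user"] = m.group(1), m.group(2)
            # A differing realm means the ticket request crosses Kerberos realms
            report["realm_mismatch"] = realm(m.group(1)) != realm(m.group(2))
    return report

if __name__ == "__main__":
    print(summarize(SAMPLE))
```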