Can anyone inform as to the correct settings in the SAP Logon pad? When I set the SNC Name value in the Network tab, I receive an error when launching the system:
GSS-API(maj): Miscellaneous FailureGSS-API(min): SSPI::IniSctx#1()==Specified target us unknown or unreachable ...
I followed video one, Kerberos-Based SSO to Application Server ABAP, and everything worked as expected up until this point.
have you installed the Secure Login Client (SLC) on the end user side?
Yes. I was having trouble determining the correct value for the SNC Name in the SAP Logon Pad. But, I did get the correct value and was able to get SSO working for that system just the other day!
Hi , I am getting the below error ,
"GSS-API(maj): No credentials were supplied Unable to establish the security context target="p:CN=SYSKerberosSAN@TEST.COM"
I have the below doubts
1)I have not performed the SPNEGO steps, Can I implement the parameters
2)The SAN systems FQDN is DOMAIN.COM for client requirement we have created the AD account TEST.COM (It is the client network systems)
Thanks in Advance.
Best Regards, Sunil
Your issue is not related to you ABAP configuration but to the fact, that the Secure Login Client did not get a ticket from the Service Principal Name (SPN) SAP/SYSKerberosSAN@TEST.COM Could you please check if you have configured such an SPN? Please open a command line on your Client Workstation and enter the following command: setspn -Q SAP/SYSKerberosSAN@TEST.COM . If you have configured another SPN for your Service account, please enter it in your SAP GUI entry for SNC Name configuration.
The SNC Kerberos configuration expects, that you create a keytab on the Server side with the Service Account User Principal and that you enter the SPN of this Service Account in the SAP GUI configuration (not the Service Account User Principal).
Thanks for response:)
I have updated the new cryptolib files please check below line ,( in the strust >environment> Display SSF version
SSFLIB Version 1.850.40 ; CommonCryptoLib (SAPCRYPTOLIB) Version 8.5.1 (+MT) #Copyright (c) SAP, 2011-2016#compiled for linux-gcc-4.3-x86-64#
I have updated the parameters and restarted the system also.
But while opening the SNCWIZARD t code am getting the SAPCRYPTOLIB too old
Please suggest, what I missed and wrong.
Thanks , Sunil
Hi Sunil,you have to implement SAP note 2304831 .KRUwe
Thanks for SAP note:) , I have crossed that error.
Now I am facing the new issue, after refresh in the SPNEGO t code , getting the below error.
No ABAP user found for the SNC user name p:CN=SUNIL.KANDIMAL@XXXX.COM. Check your SNC user mappings in transaction SU01.
I have checked in SU01 , the values are there.
Please suggest, how to cross this issue.
After implementing the 2304831 note I am not getting the error but , again it's going to configuration screen , those parameters changes already done. If I select continue button again I need to restart the systems or not required ?
Please note SSO is working for users but only am getting the error SAPCRYPTOLIB too old
Can you please suggest , can I implement this note before changing the parameters ?
Thanks, Sunil k
Thanks Martina but i would like to ask 2 questions i appropriate if any one has information:-
Can you please suggest the steps, while doing the DB Refreshes.What are the table we need to take backup.It is very hard to doing the steps again.
Thanks in advance.
Thanks for the video,it worked for fiori launchpad sso.
I am not able to use Kerberos SSO for my SAP SOLUTION MANAGER 7.1 and CommonCryptoLib 8.5.12 (Apr 12 2017).
I am not able to lanuch the t-code SNCWIZARD and SPNEGO T-code does not have the SPN(Service Principal Name Mapping) and User Mapping tabs!
I have used the connventional method to generate the PSE and Keytab file as per below note
1525059 - Analysis of Problems Accessing a PSE via Credentials.
Thanks SAP for this Note.
Is it possible to implement SSO for SAP GUI using Kerberos without Secure Login Server and only use secure login client?
I see that there are Authentication Methods without Secure Login Server in SSO Implementation Guide in below link but I can't find much information elsewhere.
Please check the first 2 videos of this page. It is about SAP SSO using Kerberos with SNC without Secure Login Server.
thanks for information.
Can you tell me these methods (Kerberos-Based SSO to Application Server ABAP ) is free? (do I need to buy something?)
Kerberos/SPNEGO-based single sign-on to Application Server ABAP requires a license for the SAP Single Sign-On product. For specific licensing information, please contact your SAP Account Executive.
Thanks for this very nice video, I managed to make it work for SAPgui access to an ABAP system.
However when trying to launch a BSP application or even accessing Webgui via a browser, SSO doesn't work. I understand that the intention of this is that it will also work on browser-based applications. Can please someone advise what I might be missing? I did follow the instructions in the first video.
Appreciate if someone could give any insights.
please have a look at SAP Note 1732610: SPNego ABAP: Troubleshooting Note.
If you still cannot solve the issue, please open a customer ticket.
Is this the same way to achieve SSO between MS AD, AS Java and AS ABAP where servers are in Suse Linux OS.
in our case user id at each system e.g ECC, BO, CRM, Portal are different for the same user. can we achieve SSO still, if so could you explain how?
you need to map the SNC user name (based on the Windows domain user name) to the SAP ABAP user name. If your users have different user names in various backend systems, you need a system-specific user mapping.
You will find further information in the SAP Single Sign-On implementation guide here:
I have a query with respect to Kerberos Token in SLC Client.
Thanks a lot and much appreicated for your valuable answers.
in the Secure Login Client it is not possible to influence the timeout for the Kerberos token. However, you can influence the single sign-on behavior by using the parameter SSOMODE. Find the details in the documentation here: