Single Sign-On with Kerberos

Hello,

Can anyone inform as to the correct settings in the SAP Logon pad? When I set the SNC Name value in the Network tab, I receive an error when launching the system:

GSS-API(maj): Miscellaneous Failure
GSS-API(min): SSPI::IniSctx#1()==Specified target us unknown or unreachable ...

I followed video one, Kerberos-Based SSO to Application Server ABAP, and everything worked as expected up until this point.

Thanks,
Shawn

Hi , 

I am getting the below error ,

"GSS-API(maj): No credentials were supplied Unable to establish the security context target="p:CN=SYSKerberosSAN@TEST.COM"

I have the below doubts

1)I have not performed the SPNEGO steps, Can I implement the parameters

2)The SAN systems FQDN is DOMAIN.COM for client requirement we have created the AD account TEST.COM (It is the client network systems)

Please suggest,

            Thanks in Advance.

Best Regards, 
Sunil  

Hi Sunil,

Your issue is not related to you ABAP configuration but to the fact, that the Secure Login Client did not get a ticket from the Service Principal Name (SPN) SAP/SYSKerberosSAN@TEST.COM Could you please check if you have configured such an SPN? Please open a command line on your Client Workstation and enter the following command: setspn -Q SAP/SYSKerberosSAN@TEST.COM . If you have configured another SPN for your Service account, please enter it in your SAP GUI entry for SNC Name configuration.

The SNC Kerberos configuration expects, that you create a keytab on the Server side with the Service Account User Principal and that you enter the SPN of this Service Account in the SAP GUI configuration (not the Service Account User Principal).

KR

Valerie

Hi Valerie, 

Thanks for response:)

I have updated the new cryptolib files please check below line ,( in the strust >environment> Display SSF version

SSFLIB Version 1.850.40 ; CommonCryptoLib (SAPCRYPTOLIB) Version 8.5.1 (+MT) #Copyright (c)  SAP, 2011-2016#compiled for linux-gcc-4.3-x86-64#

I have updated the parameters and restarted the system also.

But while opening the SNCWIZARD t code am getting the  SAPCRYPTOLIB too old

Please suggest, what I missed and wrong.

Thanks , 
Sunil  

Thanks Bauer:)

After implementing the 2304831 note I am not getting the error but , again it's going to configuration screen , those parameters changes already done. If I select continue button again I need to restart the systems or not required ? 

Please note SSO is working for users but only am getting the error SAPCRYPTOLIB too old

Can you please suggest , can I implement this note before changing the parameters ?

Thanks,
Sunil k  

 Thanks Martina but i would like to ask 2 questions i appropriate if any one has information:-

1. Every Time user must select Kerberos Token in SAP Secure Login Client and Select Use Profile for SAP Applications
   is there is any method to automate that step
   
2. For the SAP GUI is there any method to automate select Sap System Properties and SNC and Type SNC Name
   
   
   

Hi , 

Can you please suggest the steps, while doing the DB Refreshes.What are the table we need to take backup.
It is very hard to doing the steps again.

Thanks in advance.

Regards,
Sunil 

Thanks for the video,it worked for fiori launchpad sso.

Hi All,

I am not able to use Kerberos SSO for my SAP SOLUTION MANAGER 7.1 and CommonCryptoLib 8.5.12 (Apr 12 2017).

I am not able to lanuch the t-code SNCWIZARD and SPNEGO T-code does not have the SPN(Service Principal Name Mapping) and User Mapping tabs!

Kindly advise

Regards,

Omkar

Hi All,

I have used the connventional method to generate the PSE and Keytab file as per below note

1525059 - Analysis of Problems Accessing a PSE via Credentials.

Thanks SAP for this Note.

Regards,

Omkar Kattimani

Is it possible to implement SSO for SAP GUI using Kerberos without Secure Login Server and only use secure login client?

I see that there are Authentication Methods without Secure Login Server in SSO Implementation Guide in below link but I can't find much information elsewhere.

https://help.sap.com/viewer/df185fd53bb645b1bd99284ee4e4a750/3.0/en-US/ed9de17f21374673ac8118928eb77c72.html

Regards,

Abhi

Hi Martina,

thanks for information.

Can you tell me these methods (Kerberos-Based SSO to Application Server ABAP ) is free? (do I need to buy something?)

Hi, 

Thanks for this very nice video, I managed to make it work for SAPgui access to an ABAP system.

However when trying to launch a BSP application or even accessing Webgui via a browser, SSO doesn't work. I understand that the intention of this is that it will also work on browser-based applications. Can please someone advise what I might be missing? I did follow the instructions in the first video.

Appreciate if someone could give any insights.

Thank you!

Juvie

Hi,

Is this the same way to achieve SSO  between MS AD, AS Java and  AS ABAP  where servers are in Suse Linux OS.

in our case user id at each system e.g ECC, BO, CRM, Portal are different for the same user. can we achieve SSO still, if so could you explain how?

 Many Thanks

Hi All,

I have a query with respect to Kerberos Token in SLC Client.

1. Is it possible to set the time out for this token?
2. Can anybody login simply by picking my token(Kerberos) and my user ID into the SAP System?

Thanks a lot and much appreicated for your valuable answers.

Regards,

Omkar