
Validation with Kerberos 5, SAP Linux, SNC for SSO


JuanM

Nov 1, 2004, 10:31:00 PM
We want to install Single Sign-On functionality for SAP, with BC-SNC, Kerberos 5 and Active
Directory, but when we configure SNC in SAP with Kerberos we get a validation error as soon as
we start SAP.
Notice:
We have installed SAP over Linux which has Kerberos 5, the library that we are using is
libgssapi_krb5.so.
The domain controllers of the AD are Windows 2003.

The configuration seems to be ok, we created the accounts in the AD (Linux server account
“hostname” and SAP Service account “SAPServiceXXX”), however when SAP starts we find the following
error:

N SncInit(): Initializing Secure Network Communication (SNC)
N Intel x86 with Linux (st,ascii,SAP_UC/size_t/void* = 8/32/32)
N SncInit(): found snc/data_protection/max=3, using 3 (Privacy Level)
N SncInit(): found snc/data_protection/min=3, using 3 (Privacy Level)
N SncInit(): found snc/data_protection/use=3, using 3 (Privacy Level)
N SncInit(): found snc/gssapi_lib=/usr/kerberos/lib/libgssapi_krb5.so
N File "/usr/kerberos/lib/libgssapi_krb5.so" dynamically loaded as GSS-API v2 library.
N The internal Adapter for the loaded GSS-API mechanism identifies as:
N Internal SNC-Adapter (Rev 1.0) to Kerberos 5/GSS-API v2
N SncInit(): found snc/identity/as=p:SAPSer...@DOMAIN.COM
N *** ERROR => SncPAcquireCred()==SNCERR_GSSAPI [sncxxall.c 1510]
N GSS-API(maj): Miscellaneous failure
N GSS-API(min): Permission denied
N Could't acquire ACCEPTING credentials for
N
N name="p: SAPSer...@DOMAIN.COM"
N SncInit(): Fatal -- Accepting Credentials not available!
N <<- SncInit()==SNCERR_GSSAPI
N sec_avail = "false"


I can’t find any information for the error code.
Could you please help me with this problem?

Thanks in advance!




________________________________________________
Kerberos mailing list Kerb...@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos

Juan Manuel Sestelo

Nov 2, 2004, 10:50:12 AM
Calin / Pavel,
thanks a lot for your answers!

The SAP user XXXadm didn't have permission for the keytab file. We have already changed the
permissions, and tried it again.
I believe we made some progress in this because the error changed.
The new log is the following:

N *** ERROR => SncPAcquireCred()==SNCERR_GSSAPI [sncxxall.c 1510]
N GSS-API(maj): Miscellaneous failure
N GSS-API(min): No credentials cache found
N Could't acquire INITIATING credentials for
N SncInit(): Fatal -- Initiating Credentials not available!
N <<- SncInit()==SNCERR_GSSAPI
N sec_avail = "false"

M ***LOG R19=> ThSncInit, SncInitU ( SNC-000004) [thxxsnc.c 223]
M *** ERROR => ThSncInit: SncInitU (SNCERR_GSSAPI) [thxxsnc.c 225]
M in_ThErrHandle: 1
M *** ERROR => SncInitU (step 1, th_errno 44, action 3, level 1) [thxxhead.c 8534]


Thanks!

JuanM.

--- "Barbat, Calin" <> wrote:
> Did you ensure that the user which starts the SAP server has read permission to the keytab?
>
>
> -----Original Message-----
> From: JuanM []
> Sent: Tuesday, 2 November 2004 03:45
> To: kerb...@mit.edu
> Subject: Validation with Kerberos 5, SAP Linux, SNC for SSO


=====
Regards.
JuanM.

Barbat, Calin

Nov 2, 2004, 11:33:05 AM
Hi Juan,

Well, now it seems you didn't do a kinit for the server identity...
see section 2.3 step 3 below.

I sent you my notes on SSO. If you get further than I, let me know.
I'm interested in any advance on this topic.

Calin.

Notes for the configuration of single sign-on (SSO) from Windows clients to a
SAP server on UNIX using SNC with the MIT Kerberos V libgssapi_krb5.so
*****************************************************************************
Date: 2004.11.02

It is recommended that you do a search and replace on this file, using the
correct values for your setup. Below you find an example, to illustrate what
they could look like:

<domain_controller> = dc01.example.com
<sap_service_password> = topsecret
<host> = sapsrv
<ou> = lab
<my.org> = example.com
<MY.ORG> = EXAMPLE.COM
<sid> = c00
<SID> = C00


I. Configuration of the Windows 2000/2003 Server Active Directory DC
====================================================================

1. Create service user account SAPService<SID> on the <domain_controller> of
the AD <my.org> with password <sap_service_password>.

2. Export the keytab for this account:

ktpass.exe -princ SAPService<SID>/<my.org>@<MY.ORG>
-mapuser SAPService<SID>
-pass <sap_service_password>
-out SAPService<SID>.keytab

3. Transfer the generated SAPService<SID>.keytab securely to the Unix host,
in the home directory of <sid>adm.

4. PROBLEM: Authentication by SSO doesn't always work.

TODO: There are some issues with AD and Unix clients to be resolved, e.g.
PAC field and UDP fragmentation, they still need resolution/description.
Any help or hint appreciated.


II. Configuration of the Unix/Oracle/SAP WAS <host>.<ou>.<my.org>
===============================================================

I will assume that you already installed UNIX, Oracle and SAP on the machine
<host>.<ou>.<my.org> and I will only describe the Kerberos and the SNC Adapter
part.


2.1 Configuration of Kerberos
-----------------------------

1. Download krb5-1.3.4.tgz from

http://web.mit.edu/kerberos/www/

(Read the security advisories for the known vulnerabilities. Newer releases
than 1.3.4 may also work.)

2. Untar and compile it as a shared library:

tar xvzf krb5-1.3.4.tgz
cd krb5-1.3.4/src
./configure --enable-shared
make

then do as root:

make install

3. Edit /etc/krb5.conf:

[libdefaults]
default_realm = <MY.ORG>
[realms]
<MY.ORG> = {
kdc = <domain_controller>:88
admin_server = <domain_controller>:749
default_domain = <my.org>
}
[domain_realm]
<ou>.<my.org> = <MY.ORG>
.<ou>.<my.org> = <MY.ORG>
<my.org> = <MY.ORG>
.<my.org> = <MY.ORG>


2.2 Configuration of the external SAP SNC Adapter
-------------------------------------------------

1. Download bc_snc_adapter_101.zip from

http://www.sap.com/partners/icc/scenarios/technology/bc-snc.aspx

2. Unzip it:

unzip bc_snc_adapter_101.zip

3. Modify the provided sncadapt/Makefile:

XNAME = snckrb5

4. Modify the provided sncadapt/build.<your_UNIX_OS_name>:

VENLIB="-L/usr/local/lib -lgssapi_krb5"

5. Compile it:

cd sncadapt
make

6. Copy the resulting file snckrb5.so to /usr/local/lib:

cp snckrb5.so /usr/local/lib

7. You may need to comment out the function "sapgss_inquire_mechs_for_name"
in snckrb5.c because of compilation problems. Then repeat steps 5.-6.


2.3 Configuration of the SAP Server as <sid>adm
-----------------------------------------------

1. You will need to have an Oracle user OPS$<sid>adm.

2. Set LD_LIBRARY_PATH to contain /usr/local/lib. Preferably in some place
like .profile that automatically gets executed every time upon login.

3. Get a ticket before starting the server (one line):

/usr/local/bin/kinit -k
-t SAPService<SID>.keytab SAPService<SID>/<my.org>@<MY.ORG>

Could also be added to .profile to get executed automatically after login.

4. Edit the crontab, in order to automate the process of getting fresh Kerberos
tickets for the server:

crontab -e

Then type the following (one long line):

0 0,6,12,18 * * * /usr/local/bin/kinit -k
-t SAPService<SID>.keytab SAPService<SID>/<my.org>@<MY.ORG>

This will get fresh tickets every six hours.

5. Logon to the SAP server as usual, using the SAP GUI.

6. Use transaction RZ10 (Edit Profiles), then edit the "Instance profile".
For "Edit Profile" click on "Extended Maintenance" then click the button
"Change".
Set the following values:

snc/enable = 1
snc/identity/as = p:SAPService<SID>/<my.org>@<MY.ORG>
snc/gssapi_lib = /usr/local/lib/snckrb5.so

Save.

7. Now edit the "Default profile".
Set the following values:

snc/extid_login_diag = 1
snc/extid_login_rfc = 1
snc/accept_insecure_cpic = 1
snc/accept_insecure_gui = 1
snc/accept_insecure_r3int_rfc = 1
snc/accept_insecure_rfc = 1
snc/permit_insecure_start = 1
snc/data_protection/min = 1
snc/data_protection/max = 3
snc/data_protection/use = 3

While testing and debugging it is recommended that you use

snc/*_insecure_* 1

Save.

8. Use transaction SU01 to assign SNC identities to a SAP user. After choosing
the SAP user, you will see that the SNC tab has been activated. Click on it
and for the Windows <user> in the AD domain <my.org> type into the
"SNC Name" the principal p:<user>@<MY.ORG>
Save.

9. Re-/Start the server to activate SSO:

stopsap r3 && startsap r3


2.4 Configuration of a Windows client to use SSO with the Unix SAP Server
-------------------------------------------------------------------------

1. If you want to use the command line (cmd.exe) to start the SAP GUI (for
testing, debugging, etc.) do:

set SNC_LIB=<your_path_to_gss_wrapper_lib>\gsskrb5.dll

then (in one line):

sapgui.exe /H/<host>.<ou>.<my.org>/S/3200
/snc="p:SAPService<SID>/<my.org>@<MY.ORG>"

2. Copy gsskrb5.dll to %systemroot%\SYSTEM32\sncgss32.dll, as this is the
default location where SAP Logon and SAP GUI will look for it:

copy gsskrb5.dll %systemroot%\SYSTEM32\sncgss32.dll

Alternatively, you can also set the global environment variable:

SNC_LIB=<your_path_to_gss_wrapper_lib>\gsskrb5.dll

3. Choose from SAP Logon the entry for the machine running the Unix
SAP Server. Click on "Properties", then "More..." and activate the
"Secure-Network-Communication" checkbox.

4. In the "SNC-Name" field, type "p:SAPService<SID>/<my.org>@<MY.ORG>".

5. Finally, choose the "Max. available" radio-button.
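A preflight script for the Unix host, added here as an example (it is not part of Calin's notes), that checks before startsap the points this thread tripped over: keytab permissions for <sid>adm, the principal in the keytab matching snc/identity/as, a valid ticket cache, and the adapter library being on LD_LIBRARY_PATH. It assumes the MIT krb5 klist/kinit are in PATH and that it is run as <sid>adm.

```shell
#!/bin/sh
# Preflight checks for the SNC/Kerberos setup described in the notes above.
# Added example, not part of the thread. Assumes MIT krb5 tools (klist, kinit)
# in PATH and that it runs as <sid>adm before startsap. Exit 0 = ready.

# Map the SAP profile value (snc/identity/as = p:NAME@REALM) to the Kerberos
# principal that must be in the keytab and that kinit must use: strip "p:".
snc_identity_to_principal() {
    printf '%s\n' "${1#p:}"
}

# 0 if FILE exists, is readable by this user, and is closed to group/others
# (it holds the service key; the first error in the thread was this read
# permission missing for <sid>adm).
keytab_perms_ok() {
    f=$1
    [ -f "$f" ] || { echo "keytab $f: not found"; return 1; }
    [ -r "$f" ] || { echo "keytab $f: not readable by $(id -un)"; return 1; }
    mode=$(ls -ld "$f" | cut -c2-10)            # e.g. rw-------
    case "$mode" in
        ???------) return 0 ;;
        *) echo "keytab $f: mode $mode exposes the key to group/others"; return 1 ;;
    esac
}

# 0 if the keytab contains PRINC (Pavel's "valid SNC service principal" check).
keytab_has_principal() {
    klist -kt "$1" 2>/dev/null | grep -Fq "$2"
}

# Run all checks: KEYTAB SNC_IDENTITY GSSAPI_LIB
snc_preflight() {
    keytab=$1 princ=$(snc_identity_to_principal "$2") lib=$3 rc=0
    keytab_perms_ok "$keytab" || rc=1
    keytab_has_principal "$keytab" "$princ" \
        || { echo "principal $princ not in $keytab (check ktpass -princ)"; rc=1; }
    # klist -s is silent; non-zero means no cache or an expired TGT, which is the
    # "No credentials cache found" / INITIATING credentials error in the thread.
    klist -s 2>/dev/null \
        || { echo "no valid ticket cache: run kinit -k -t $keytab $princ"; rc=1; }
    [ -f "$lib" ] || { echo "SNC library $lib missing"; rc=1; }
    case ":${LD_LIBRARY_PATH:-}:" in
        *":$(dirname "$lib"):"*) ;;
        *) echo "LD_LIBRARY_PATH does not contain $(dirname "$lib")"; rc=1 ;;
    esac
    return $rc
}

if [ $# -ge 3 ]; then snc_preflight "$@"; fi
```

Run it as, for example, `./snc_preflight.sh ~/SAPServiceC00.keytab p:SAPServiceC00/example.com@EXAMPLE.COM /usr/local/lib/snckrb5.so` (constructed values) and fix every line it prints before starting the server.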

Barbat, Calin

Nov 2, 2004, 11:59:53 AM
to kerb...@mit.edu
I forgot that for Linux there was no sncadapt/build.Linux provided,
so I had to write one myself:

#!/bin/sh
OBJ=".o"
CC="cc"
CFLAGS="-g -DXDEBUG=1"
RM="rm -f"
EXE=""
LD="$CC"
LDFLAGS="-ldl -lnsl -lpthread -lc"
LDTARGET='-o $@'
XD=""
LDLIBS="-ldl"
SHEXT=".so"
SHFLAGS="-fPIC"
LINK_SHARED='$(CC) -shared -Wl,-export-dynamic -Wl,-soname,$@'
LINK_SHARED_END=""
VENLIB="-lgssapi_krb5"
if [ "$VENLIB" = "" ] ; then
    echo "***"
    echo "*** Please edit $0 and define VENLIB to link your"
    echo "*** GSS-API v2 shared library"
    echo "***"
    exit 1
fi
export OBJ CC CFLAGS RM EXE LDLIBS LD LDTARGET LDFLAGS XD
export SHEXT SHFLAGS LINK_SHARED LINK_SHARED_END VENLIB
"$@"

Regards,
Calin.

-----Original Message-----
From: Juan Manuel Sestelo [mailto:elto...@yahoo.com.ar]
Sent: Tuesday, 2 November 2004 16:11
To: kerb...@mit.edu
Subject: Re: AW: Validation with Kerberos 5, SAP Linux, SNC for SSO


Thanks!

JuanM.





Martak, Pavel

Nov 2, 2004, 1:53:08 PM
It looks like you don't have
- a proper keytab generated for SNC
- or the valid SNC service principal is not in the keytab
- or you forgot to configure the external application service identity or
SAProuter identity (depending on where you are using SNC)
in the config tables (I think it's something like RZ10 menu)
- or all of the above

Pavel M

Barbat, Calin

Nov 3, 2004, 5:01:19 AM
to kerb...@mit.edu
Juan,

the SAP external adapter isn't really necessary, but without it the protocol used is an older one. So, it's highly recommended that you use it. I had a mail discussion with Martin Rex (designer and developer of the whole SNC stuff at SAP) and he recommends its use.

Calin.

-----Original Message-----
From: Juan Manuel Sestelo [mailto:elto...@yahoo.com.ar]
Sent: Tuesday, 2 November 2004 20:43
To: Barbat, Calin
Subject: Re: AW: AW: Validation with Kerberos 5, SAP Linux, SNC for SSO


Calin, I just saved the notes and I'm going to configure the components again.


What is the role of the SNC adapter? Is it really necessary in the SAP SSO implementation?

Thanks again.


--- "Barbat, Calin" <c.ba...@osram.de> wrote:

