AW: AW: Validation with Kerberos 5, SAP Linux, SNC for SSO

Barbat, Calin c.barbat at
Tue Nov 2 11:00:11 EST 2004

Hi Juan,

Well, now it seems you didn't do a kinit for the server identity...
see section 2.3 step 3 below.

I sent you my notes on SSO. If you get further than I, let me know.
I'm interested in any advance on this topic.


Notes for the configuration of single sign-on (SSO) from Windows clients to a
SAP server on UNIX using SNC with the MIT Kerberos V
Date: 2004.11.02

It is recommended that you do a search and replace on this file, using the
correct values for your setup. Below you find an example, to illustrate what
they could look like:

<domain_controller> =
<sap_service_password> = topsecret
<host> = sapsrv
<ou> = lab
<> =
<sid> = c00
<SID> = C00

I. Configuration of the Windows 2000/2003 Server Active Directory DC

1. Create service user account SAPService<SID> on the <domain_controller> of
   the AD <> with password <sap_service_password>.

2. Export the keytab for this account:

	ktpass.exe -princ SAPService<SID>/<>@<MY.ORG>
                   -mapuser SAPService<SID> 
                   -pass <sap_service_password>
                   -out SAPService<SID>.keytab

3. Transfer the generated SAPService<SID>.keytab securely to the Unix host,
   in the home directory of <sid>adm.

4. PROBLEM: Authentication by SSO doesn't work always.

   TODO: There are some issues with AD and Unix clients to be resolved, e.g.
   PAC field and UDP fragmentation, they still need resolution/description.
   Any help or hint appreciated.

II. Configuration of the Unix/Oracle/SAP WAS <host>.<ou>.<>

I will assume that you already installed UNIX, Oracle and SAP on the machine
<host>.<ou>.<> and I will only describe the Kerberos and the SNC Adapter

2.1 Configuration of Kerberos

1. Download krb5-1.3.4.tgz from

   (Read the security advisories for the known vulnerabilities. Newer releases
   than 1.3.4 may also work.)

2. Untar and compile it as a shared library:

	tar xvzf krb5-1.3.4.tgz
	cd krb5-1.3.4/src
	./configure --enable-shared

   then do as root:

	make install

3. Edit /etc/krb5.conf:

	        default_realm = <MY.ORG>
	        <MY.ORG> = {
	                kdc = <domain_controller>:88
	                admin_server = <domain_controller>:749
	                default_domain = <>
	        <ou>.<> = <MY.ORG>
	        .<ou>.<> = <MY.ORG>
	        <> = <MY.ORG>
	        .<> = <MY.ORG>

2.2 Configuration of the external SAP SNC Adapter

1. Download from

2. Unzip it:


3. Modify the provided sncadapt/Makefile:

	XNAME = snckrb5

4. Modify the provided sncadapt/build.<your_UNIX_OS_name>:

	VENLIB="-L/usr/local/lib -lgssapi_krb5"

5. Compile it:

	cd sncadapt

6. Copy the resulting file to /usr/local/lib:

	cp /usr/local/lib 

7. You may need to comment out the function "sapgss_inquire_mechs_for_name"
   in snckrb5.c because of compilation problems. Then repeat steps 5.-6.

2.3 Configuration of the SAP Server as <sid>adm

1. You will need to have an Oracle user OPS$<sid>adm.

2. Set LD_LIBRARY_PATH to contain /usr/local/lib. Preferably in some place
   like .profile that automatically gets executed everytime upon login.

3. Get a ticket before starting the server (one line):

	/usr/local/bin/kinit -k 
	-t SAPService<SID>.keytab SAPService<SID>/<>@<MY.ORG>

   Could also be added to .profile to get executed automatically after login.

4. Edit the crontab, in order to automate the process of getting fresh kerberos
   tickets for the server:

   	crontab -e

   Then type the following (one long line):

	0 0,6,12,18 * * * /usr/local/bin/kinit -k 
	-t SAPService<SID>.keytab SAPService<SID>/<>@<MY.ORG>

   This will get fresh tickets every six hours.

5. Logon to the SAP server as usual, using the SAP GUI.

6. Use transaction RZ10 (Edit Profiles), then edit the "Instance profile".
   For "Edit Profile" click on "Extended Maintenance" then click the button
   Set the following values:

	snc/enable = 1
	snc/identity/as = p:SAPService<SID>/<>@<MY.ORG>
	snc/gssapi_lib = /usr/local/lib/


7. Edit now the "Default profile".
   Set the following values:

	snc/extid_login_diag = 1
	snc/extid_login_rfc = 1
	snc/accept_insecure_cpic = 1
	snc/accept_insecure_gui = 1
	snc/accept_insecure_r3int_rfc = 1
	snc/accept_insecure_rfc = 1
	snc/permit_insecure_start = 1
	snc/data_protection/min = 1
	snc/data_protection/max = 3
	snc/data_protection/use = 3

   While testing and debugging it is recommended that you use
	snc/*_insecure_*    1


8. Use transaction SU01 to assign SNC identities to a SAP user. After choosing
   the SAP user, you will see that the SNC tab has been activated. Click on it
   and for the Windows <user> in the AD domain <> type into the
   "SNC Name" the principal p:<user>@<MY.ORG>

9. Re-/Start the server to activate SSO:

	stopsap r3 && startsap r3

2.4 Configuration of a Windows client to use SSO with the Unix SAP Server

1. If you want to use the command line (cmd.exe) to start the SAP GUI (for
   testing, debugging, etc.) do:

	set SNC_LIB=<your_path_to_gss_wrapper_lib>\gsskrb5.dll

   then (in one line):

	sapgui.exe /H/<host>.<ou>.<>/S/3200

2. Copy gsskrb5.dll to %systemroot%\SYSTEM32\sncgss32.dll, as this is the
   default location where SAP Logon and SAP GUI will look for it:

	copy gsskrb5.dll %systemroot%\SYSTEM32\sncgss32.dll

   Alternatively, you can also set the global environment variable: 


3. Choose from SAP Logon the entry for the machine running the Unix 
   SAP Server. Click on "Properties", then "More..." and activate the
   "Secure-Network-Communication" checkbox.

4. In the "SNC-Name" field, type "p:SAPService<SID>/<>@<MY.ORG>".

5. Finally, choose the "Max. available" radio-button.

More information about the Kerberos mailing list