Validation with Kerberos 5, SAP Linux, SNC for SSO

Martak, Pavel pavel.martak at
Tue Nov 2 03:08:35 EST 2004

It looks like You don't have 
- proper keytab generated for SNC
- or valid SNC service principal is not in the keytab
- or You forget configure external application service identity or
  Saprouter identity (depend where You using SNC)
  in config tables ( I think its something like RZ MENU 10)   
- or all above

Pavel M

>-----Original Message-----
>From: kerberos-bounces at 
>[mailto:kerberos-bounces at] On Behalf Of JuanM
>Sent: Tuesday, November 02, 2004 3:45 AM
>To: kerberos at
>Subject: Validation with Kerberos 5, SAP Linux, SNC for SSO
>We want to install Single Sign on functionality for SAP, with 
>BC-SNC, Kerberos 5 and Active
>Directory, but when we configure SNC in SAP with kerberos we 
>have a validation error as soon as
>start SAP.
>We have installed SAP over Linux which has Kerberos 5, the 
>library that we are using is
>The domain controllers of the AD are Windows 2003.
>The configuration seems to be ok, we create the accounts in 
>the AD (Linux server account
>"hostname" and SAP Service account "SAPServiceXXX"), however 
>when SAP starts we FIND the following
>N  SncInit(): Initializing Secure Network Communication (SNC)
>N        Intel x86 with Linux (st,ascii,SAP_UC/size_t/void* = 8/32/32)
>N  SncInit():   	found snc/data_protection/max=3, using 
>3 (Privacy Level)
>N  SncInit():   	found snc/data_protection/min=3, using 
>3 (Privacy Level)
>N  SncInit():   	found snc/data_protection/use=3, using 
>3 (Privacy Level)
>N  SncInit(): 	found snc/gssapi_lib=/usr/kerberos/lib/
>N    File "/usr/kerberos/lib/" dynamically 
>loaded as GSS-API v2 library.
>N    The internal Adapter for the loaded GSS-API mechanism 
>identifies as:
>N    Internal SNC-Adapter (Rev 1.0) to Kerberos 5/GSS-API v2
>N  SncInit():   	found snc/identity/as=p:SAPServiceXXX at DOMAIN.COM
>N  *** ERROR => SncPAcquireCred()==SNCERR_GSSAPI  [sncxxall.c 1510]
>N        GSS-API(maj): Miscellaneous failure
>N        GSS-API(min): Permission denied
>N      Could't acquire ACCEPTING credentials for
>N      name="p: SAPServiceXXX at DOMAIN.COM"
>N  SncInit(): Fatal -- Accepting Credentials not available!
>N  <<- SncInit()==SNCERR_GSSAPI
>N           sec_avail = "false"
>I can't find any information for the error code.
>Could you please help me with this problem?
>Thanks in advance!
>¡Llevate a Yahoo! en tu Unifón! 
>Ahora podés usar Yahoo! Messenger en tu Unifón, en cualquier 
>momento y lugar. 
>Encontrá más información en: 
>Kerberos mailing list           Kerberos at

More information about the Kerberos mailing list