Working Kerberos application SAP/Unix server authenticating to Win2k AD?
c.barbat at osram.de
Mon Sep 6 05:12:43 EDT 2004
Is somebody using the above scenario? I want to use MIT Kerberos to
implement SNC for a SAP server on Linux.
Then this server and the GUI clients should be able to authenticate
(using single sign-on) against a Win2k AD DC.
I'm mainly interested in the configuration details, like the used
principal names when authenticating to the Win2k AD, in order to make
sure I understand the principle. Could you send me your SNC
configuration (especially the SAPgui, SAPlogon SNC part and
snc/identity/as in the *.PFL files)?
I slightly modified the sources of the GSS-API implementation of MIT
Kerberos 1.2.8 to make it return only the rfc1964 compliant mechanism
and now it passes a certification test program from SAP: gsstest-1.26.
In addition I made the SNC-Adapter (a GSS-API wrapper, with minor
additions; available by download from the SAP website) from SAP work on
Linux and pass the same test. BTW: The pre-rfc1964 mechanism also passes
(Note however: Tests can only show the presence of bugs but never their
When I use my snckrb5.so adapter together with SAP R/3 (on Linux), I get
the following error message, when trying to establish the security context:
N *** ERROR => SncPEstablishContext()==SNCERR_GSSAPI [sncxxall.c 3423]
N GSS-API(maj): A token was invalid
N GSS-API(min): Mechanism is incorrect
N Unable to establish the security context
N <<- SncProcessInput()==SNCERR_GSSAPI
M *** ERROR => ThSncIn: SncProcessInput (SNCERR_GSSAPI) [thxxsnc.c 973]
M *** ERROR => ThSncIn: SncProcessInput [thxxsnc.c 978]
M in_ThErrHandle: 1
M *** ERROR => ThSncIn: SncProcessInput (step 4, th_errno 44, action 1,
level 1) [thxxhead.c 8787]
Any help or hint in the right direction would be greatly appreciated,
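
Added example, not part of the original post and not SAP or MIT code: because the minor status in the trace above is "Mechanism is incorrect", one diagnostic step is to read the mechanism OID out of the initial context token the peer sent (RFC 2743 section 3.1 framing) and compare it with what the acceptor offers. The function names, the OID table entries beyond the two mechanisms named in the post, and the sample tokens are assumptions constructed for illustration.

```python
# Added diagnostic sketch; names and sample tokens are constructed assumptions.
KNOWN_MECHS = {
    "1.2.840.113554.1.2.2": "Kerberos V5 (RFC 1964)",
    "1.3.5.1.5.2": "Kerberos V5 (pre-RFC 1964 OID)",
    "1.2.840.48018.1.2.2": "Kerberos V5 (legacy Microsoft OID)",
    "1.3.6.1.5.5.2": "SPNEGO",
}

def _der_length(buf, pos):
    """Return (length, next_pos) for the DER length field at buf[pos]."""
    if pos >= len(buf):
        raise ValueError("truncated token")
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    n = first & 0x7F
    if n == 0 or n > 4 or pos + 1 + n > len(buf):
        raise ValueError("unsupported or truncated DER length")
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n

def _decode_oid(body):
    """Turn DER OID content octets into dotted notation."""
    if not body or body[-1] & 0x80:
        raise ValueError("empty or truncated OID")
    arcs, value = [], 0
    for octet in body:
        value = (value << 7) | (octet & 0x7F)
        if not octet & 0x80:
            arcs.append(value)
            value = 0
    first = min(arcs[0] // 40, 2)
    return ".".join(map(str, [first, arcs[0] - 40 * first] + arcs[1:]))

def token_mechanism(token):
    """Return (dotted_oid, description) for a GSS-API initial context token."""
    if not token or token[0] != 0x60:
        raise ValueError("no 0x60 framing: not an initial context token")
    length, pos = _der_length(token, 1)
    if pos + length > len(token) or pos >= len(token) or token[pos] != 0x06:
        raise ValueError("truncated token or missing mechanism OID")
    oid_len, pos = _der_length(token, pos + 1)
    if pos + oid_len > len(token):
        raise ValueError("mechanism OID runs past end of token")
    oid = _decode_oid(token[pos:pos + oid_len])
    return oid, KNOWN_MECHS.get(oid, "unknown mechanism")

if __name__ == "__main__":
    # Constructed tokens: framing + OID + TOK_ID 01 00 (AP-REQ), no real ticket.
    for hx in ("600d06092a864886f7120102020100", "600906052b050105020100"):
        print(token_mechanism(bytes.fromhex(hx)))
```

A token whose OID is not among the mechanisms the acceptor library returns is rejected before any ticket processing, so the first bytes of a captured token are enough for this check.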