Working Kerberos application SAP/Unix server authenticating to Win2k AD?

Calin Barbat c.barbat at
Mon Sep 6 05:12:43 EDT 2004


is somebody using the above scenario? I want to use MIT Kerberos to 
implement SNC for a SAP server on Linux.
Then this server and the GUI clients should be able to authenticate 
(using single sign-on) against a Win2k AD DC.

I'm mainly interested in the configuration details, like the used 
principal names when authenticating to the win2k ad, in order to make 
sure I understand the principle. Could you send me your SNC 
configuration (especially the SAPgui, SAPlogon SNC part and 
snc/identity/as in the *.PFL files)?

I slightly modified the sources of the GSS-API implementation of MIT 
Kerberos 1.2.8 to make it return only the rfc1964 compliant mechanism 
and now it passes a certification test program from SAP: gsstest-1.26. 
In addition I made the SNC-Adapter (a GSS-API wrapper, with minor 
additions; available by download from the SAP website) from SAP work on 
Linux and pass the same test. BTW: The pre-rfc1964 mechanism also passes 
the test.
(Note however: Tests can only show the presence of bugs but never their 

When I use my adapter together with SAP R/3 (on Linux), I get 
the following error  message, when trying to establish the security context:

N  *** ERROR => SncPEstablishContext()==SNCERR_GSSAPI  [sncxxall.c 3423]
N        GSS-API(maj): A token was invalid
N        GSS-API(min): Mechanism is incorrect
N      Unable to establish the security context
N  <<- SncProcessInput()==SNCERR_GSSAPI
M  *** ERROR => ThSncIn: SncProcessInput (SNCERR_GSSAPI) [thxxsnc.c    973]
M  *** ERROR => ThSncIn: SncProcessInput [thxxsnc.c    978]
M  in_ThErrHandle: 1
M  *** ERROR => ThSncIn: SncProcessInput (step 4, th_errno 44, action 1, 
level 1) [thxxhead.c   8787]

Any help or hint in the right direction would be greatly appreciated,

Calin Barbat

More information about the Kerberos mailing list