AW: BC-SNC, MIT Kerberos V, SSO, GSS-API v2
Cevat.Guersoy@avinci.de
Cevat.Guersoy at avinci.de
Tue Sep 7 08:09:53 EDT 2004
Hello Calin,
to be sure the configuration on the SAPGui and the SAP-Application-Server is correct please verify the following values:
1.) SAP-GUI: check the values of the "SAPLogon"-program.
Start the "SAPLogon"-program and select the desired server-entry
Click on Properties and then click on "more..."
You will get a new window, where you should check the entry "Max. available" for "Secure-Network-Properties"
You should also verify the SNC-Name of the SAP-Server you want to connect to.
2.) SAP-Application-Server: check the profile-parameters for the following fields:
snc/data_protection/min=1
snc/data_protection/max=3
snc/data_protection/use=9
3.) Kerberos-Configuration: check the available mechanisms for encryption, integrity and authorisation
I hope it helps.
Best regards
Cevat Gürsoy
-----Ursprüngliche Nachricht-----
Von: Calin Barbat [mailto:c.barbat at osram.de]
Gesendet: Dienstag, 7. September 2004 10:05
An: Norbert Klasen
Cc: kerberos at mit.edu; Gürsoy, Cevat
Betreff: Re: BC-SNC, MIT Kerberos V, SSO, GSS-API v2
Norbert Klasen wrote:
> Hello Calin,
> a colleague of mine has worked with BC-SNC (with X.509 certificates
> though). Here's what he said.
>
> Norbert
>
>Loading GSS-API shared library #1 "/usr/local/lib/libgssapi_krb5.so" ...
>
> Resolving SAP SNC-Adapter functions ...
> GSS-API v2 "sapsnc_init_adapter" ( opt. )
(missing)
> GSS-API v2 "sapsnc_export_cname_blob" ( opt. )
(missing)
> GSS-API v2 "sapsnc_import_cname_blob" ( opt. )
(missing)
> Resolving Misc Support functions ...
points to some files offered by SAP. Try to add the sncadapt-Files to your
project, compile them and add the header-files also. You can find the
required files at the following address:
http://www.sap.com/partners/icc/scenarios/technology/bc-snc.aspx (SNC
Adapter 1.1)
This should solve the problem.
Mit freundlichen Gruessen / Best regards
Cevat Gürsoy
Senior Consultant
Avinci - The Know-How Company
Thank you very much for your help. In the mean time I already downloaded
the SNC-Adapter (Martin Rex recommended me to do so and pointed me to
the same download adress) and wrote a suitable build.Linux file to make
it compile. Now the SAP server loads both alternatives, either using the
internal SNC adapter with libgssapi_krb5.so as provided by MIT Kerberos
V release 1.2.8 or the external SNC adapter snckrb5.so provided by SAP
(it is basically a wrapper to libgssapi_krb5.so containing the three
additional functions starting with the prefix "sapsnc_").
Both adapters now pass gsstest-1.26. The remaining issue is that I still
get the following error output (in dev_w0) when trying to SNC connect to
the server:
N *** ERROR => SncPEstablishContext()==SNCERR_GSSAPI [sncxxall.c 3423]
N GSS-API(maj): A token was invalid
N GSS-API(min): Mechanism is incorrect
N Unable to establish the security context
N <<- SncProcessInput()==SNCERR_GSSAPI
M *** ERROR => ThSncIn: SncProcessInput (SNCERR_GSSAPI) [thxxsnc.c 973]
M *** ERROR => ThSncIn: SncProcessInput [thxxsnc.c 978]
M in_ThErrHandle: 1
M *** ERROR => ThSncIn: SncProcessInput (step 4, th_errno 44, action 1,
level 1) [thxxhead.c 8787]
Perhaps this is some configuration issue, perhaps it has to do with the
interoperability between the MIT and Win2k Kerberos implementations.
Any help or hint in the right direction would be greatly appreciated,
Calin Barbat
More information about the Kerberos
mailing list