AW: BC-SNC, MIT Kerberos V, SSO, GSS-API v2 Cevat.Guersoy at
Tue Sep 7 08:09:53 EDT 2004

Hello Calin,

to be sure the configuration on the SAPGui and the SAP-Application-Server is correct please verify the following values:

1.) SAP-GUI: check the values of the "SAPLogon"-program.
	Start the "SAPLogon"-program and select the desired server-entry
	Click on Properties and then click on "more..."
	You will get a new window, where you should check the entry "Max. available" for "Secure-Network-Properties"
	You should also verify the SNC-Name of the SAP-Server you want to connect to.
2.) SAP-Application-Server: check the profile-parameters for the following fields:
3.) Kerberos-Configuration: check the available mechanisms for encryption, integrity and authorisation

I hope it helps.

Best regards
Cevat Gürsoy

-----Ursprüngliche Nachricht-----
Von: Calin Barbat [mailto:c.barbat at]
Gesendet: Dienstag, 7. September 2004 10:05
An: Norbert Klasen
Cc: kerberos at; Gürsoy, Cevat
Betreff: Re: BC-SNC, MIT Kerberos V, SSO, GSS-API v2

Norbert Klasen wrote:

> Hello Calin,
> a colleague of mine has worked with BC-SNC (with X.509 certificates
> though). Here's what he said.
> Norbert
 >Loading GSS-API shared library #1 "/usr/local/lib/" ...
 >  Resolving SAP SNC-Adapter functions ...
 >    GSS-API v2  "sapsnc_init_adapter"                  (  opt.   )
 >    GSS-API v2  "sapsnc_export_cname_blob"             (  opt.   )
 >    GSS-API v2  "sapsnc_import_cname_blob"             (  opt.   )
 >  Resolving Misc Support functions ...

points to some files offered by SAP. Try to add the sncadapt-Files to your
project, compile them and add the header-files also. You can find the
required files at the following address:  (SNC
Adapter 1.1)

This should solve the problem.

Mit freundlichen Gruessen / Best regards

Cevat Gürsoy
Senior Consultant
Avinci - The Know-How Company

Thank you very much for your help. In the mean time I already downloaded 
the SNC-Adapter (Martin Rex recommended me to do so and pointed me to 
the same download adress) and wrote a suitable build.Linux file to make 
it compile. Now the SAP server loads both alternatives, either using the 
internal SNC adapter with as provided by MIT Kerberos 
V release 1.2.8 or the external SNC adapter provided by SAP 
(it is basically a wrapper to containing the three 
additional functions starting with the prefix "sapsnc_").

Both adapters now pass gsstest-1.26. The remaining issue is that I still 
get the following error output (in dev_w0) when trying to SNC connect to 
the server:

N  *** ERROR => SncPEstablishContext()==SNCERR_GSSAPI  [sncxxall.c 3423]
N        GSS-API(maj): A token was invalid
N        GSS-API(min): Mechanism is incorrect
N      Unable to establish the security context
N  <<- SncProcessInput()==SNCERR_GSSAPI
M  *** ERROR => ThSncIn: SncProcessInput (SNCERR_GSSAPI) [thxxsnc.c    973]
M  *** ERROR => ThSncIn: SncProcessInput [thxxsnc.c    978]
M  in_ThErrHandle: 1
M  *** ERROR => ThSncIn: SncProcessInput (step 4, th_errno 44, action 1,
level 1) [thxxhead.c   8787]

Perhaps this is some configuration issue, perhaps it has to do with the 
interoperability between the MIT and Win2k Kerberos implementations.
Any help or hint in the right direction would be greatly appreciated,

Calin Barbat

More information about the Kerberos mailing list