SAP SSO: "No Kerberos SSPI credentials available for requested name"

Michael Ströder michael at stroeder.com
Mon Jun 9 13:20:47 EDT 2008


tomglx at googlemail.com wrote:
> On 9 Jun., 10:17, Michael Ströder <mich... at stroeder.com> wrote:
>> tom... at googlemail.com wrote:
>>> SAP Support says, that the guys at MIT have successfully implemented
>>> such a scenario
>> One of my customers also successfully installed that. I wasn't involved
>> in that though.
>>
>> With this particular error message I'd examine two things:
>> 1. DNS A and PTR RRs for all involved systems.
>> 2. Attribute servicePrincipalName for the server account.
> 
> We have A und PTR for all our systems. But the KDCs are in the DNS
> Domain
> intra.cvk.de and the SAP Servers are in cvk.de.

Check that all RRs are resolvable also from AD.

> What do you mean by Attribute servicePrincipalName? We've already had
> to set a servicePrincipalName per AD SAP ServiceAccount, because
> we've had to produce a keytab with ktpass for each one of them.

I mean exactly this. Double-check that it's really what it should be.

> Does your customer run his SAP Servers on Linux?

Yes, Linux (and AIX).

Ciao, Michael.



More information about the Kerberos mailing list