SAP SSO: "No Kerberos SSPI credentials available for requested name"

tomglx@googlemail.com tomglx at googlemail.com
Mon Jun 9 04:03:01 EDT 2008


Hello,

we have the following environment:

Windows 2003 SP2 KDC and ktpass.exe from the SP2 Support Tools Package.
We've produced a keytab for each SAP Instance. The principal names used
were like SAPService<SID>/<fqdn of the machine>@<W2k3 Kerberos realm>,
e.g. SAPServiceS01/cvk100.cvk.de@INTRA.CVK.DE. We've tried other
variations, with no difference. The Keytab encryption mode was
RC4-HMAC-NT, but we've also tried DES encryption. No difference.

SAP Netweaver 7.0 AS on Novell SLES10SP1 Linux

The Linux MIT Kerberos versions used are v1.4.3 and self-compiled v1.6.3,
with no visible difference in the problem. We're using the SAP BC SNC
Wrapper Library v1.1 (SAP BC-SNC Adapter).

Here's an excerpt of our krb5.conf:
[libdefaults]
 ticket_lifetime = 24000
 default_realm = INTRA.CVK.DE
 default_tgs_enctypes = rc4-hmac des-cbc-md5 des-cbc-crc
 default_tkt_enctypes = rc4-hmac des-cbc-md5 des-cbc-crc
 dns_lookup_realm = false
 dns_lookup_kdc = false

[realms]
 INTRA.CVK.DE = {
  kdc = cvk020.intra.cvk.de:88
  admin_server = cvk020.intra.cvk.de:749
  default_domain = intra.cvk.de
 }

[domain_realm]
 .intra.cvk.de = INTRA.CVK.DE
 intra.cvk.de = INTRA.CVK.DE

Here's an excerpt from our SAP Profile:
snc/enable = 1
snc/identity/as = p:SAPServiceS01/cvk100.cvk.de@INTRA.CVK.DE
snc/gssapi_lib = /usr/local/lib/snckrb5.so

and the rest of the needed snc parameters.

SAP Client is v7.10 on Windows XP SP3 and SP2 machines with the newest
GSSKRB5.DLL v1.0.8 from SAP. Also no difference in behaviour between SP2
and SP3. So MS KB885887 couldn't be a factor, because SP3 already
includes it.

We've installed the SAP SSO Kerberos solution using Calin Barbat's fine
instruction posting on this list. In this posting he mentions that for
him Kerberos SSO also doesn't work all the time, with no specifics.

SSO works initially every time, but after a while the aforementioned
error message shows.

We've found some postings from people that had similar problems, but
they haven't found a solution yet. It seems just like the needed ticket
expires after a while and isn't renewed.

SAP Support says that the guys at MIT have successfully implemented such
a scenario and that we should ask them about that. Hopefully someone
from that team reads this posting and has some advice on what is going
wrong.

Does anyone have such a scenario in production?

Best regards,
Thomas
