SAP SSO: "No Kerberos SSPI credentials available for requested name"

Hello,

we have the following environment:

Windows 2003 SP2 KDC and ktpass.exe from the SP2 Support Tools Package.
We've produced a keytab for each SAP Instance. The principal names used
were like SAPService<SID>/<fqdn of the machine>@<W2k3 Kerberos realm>.
e.g. SAPServiceS01/cvk100.cvk.de@INTRA.CVK.DE. We've tried other
variations, with no difference. The Keytab encryption mode was
RC4-HMAC-NT, but we've also tried DES encryption. No difference.

SAP Netweaver 7.0 AS on Novell SLES10SP1 Linux

used Linux MIT Kerberos Versions are v1.4.3 and self-compiled v1.6.3 with
no seen difference with the problem. We're using the SAP BC SNC Wrapper
Library v1.1 (SAP BC-SNC Adapter).

Here's an excerpt of our krb5.conf
[libdefaults]
 ticket_lifetime = 24000
 default_realm = INTRA.CVK.DE
 default_tgs_enctypes = rc4-hmac des-cbc-md5 des-cbc-crc
 default_tkt_enctypes = rc4-hmac des-cbc-md5 des-cbc-crc
 dns_lookup_realm = false
 dns_lookup_kdc = false

[realms]
 INTRA.CVK.DE = {
  kdc = cvk020.intra.cvk.de:88
  admin_server = cvk020.intra.cvk.de:749
  default_domain = intra.cvk.de
 }

[domain_realm]
 .intra.cvk.de = INTRA.CVK.DE
 intra.cvk.de = INTRA.CVK.DE

Here's an excerpt from our SAP Profile:
snc/enable = 1
snc/identity/as = p:SAPServiceS01/cvk100.cvk.de@INTRA.CVK.DE
snc/gssapi_lib = /usr/local/lib/snckrb5.so

and the rest of the needed snc parameters.

SAP Client is v7.10 on Windows XP SP3 and SP2 Machines with newest
GSSKRB5.DLL v1.0.8 from SAP. Also no difference in behaviour between SP2
and SP3. So MS KB885887 couldn't be a factor, because SP3 already
includes it.

We've installed the SAP SSO Kerberos solution using Calin Barbat's fine
instruction posting on this list. In this posting he mentions, that for
him Kerberos SSO also doesn't work all the time. With no specifics.

SSO works initially every time, but after a while the aforementioned
error message shows.

We've found some postings from people that had similar problems,
but they haven't found a solution yet. It seems just like the needed
ticket expires after a while and isn't renewed.

SAP Support says, that the guys at MIT have successfully implemented
such a scenario and that we should ask them about that. Hopefully someone
from that team reads this posting and has some advice on what is going
wrong.

Has anyone such a scenario in production?

Best regards,
Thomas
tomglx (2)
6/9/2008 8:03:01 AM
comp.protocols.kerberos


tomglx@googlemail.com wrote:
> SAP Support says, that the guys at MIT have successfully implemented 
> such a scenario

One of my customers also successfully installed that. I wasn't involved 
in that though.

With this particular error message I'd examine two things:
1. DNS A and PTR RRs for all involved systems.
2. Attribute servicePrincipalName for the server account.

Ciao, Michael.
michael198 (253)
6/9/2008 8:17:06 AM
On 9 Jun., 10:17, Michael Ströder <mich...@stroeder.com> wrote:
> tom...@googlemail.com wrote:
> > SAP Support says, that the guys at MIT have successfully implemented
> > such a scenario
>
> One of my customers also successfully installed that. I wasn't involved
> in that though.
>
> With this particular error message I'd examine two things:
> 1. DNS A and PTR RRs for all involved systems.
> 2. Attribute servicePrincipalName for the server account.
>
> Ciao, Michael.

We have A and PTR for all our systems. But the KDCs are in the DNS Domain
intra.cvk.de and the SAP Servers are in cvk.de.

The settings dns_lookup_realm = false and dns_lookup_kdc = false should
suppress at least some of the DNS requests.

What do you mean by Attribute servicePrincipalName? We've already had to
set a servicePrincipalName per AD SAP ServiceAccount, because we've had to
produce a keytab with ktpass for each one of them.

Does your customer run his SAP Servers on Linux?

Regards, Thomas
tomglx (2)
6/9/2008 1:40:48 PM
tomglx@googlemail.com wrote:
> On 9 Jun., 10:17, Michael Ströder <mich...@stroeder.com> wrote:
>> tom...@googlemail.com wrote:
>>> SAP Support says, that the guys at MIT have successfully implemented
>>> such a scenario
>> One of my customers also successfully installed that. I wasn't involved
>> in that though.
>>
>> With this particular error message I'd examine two things:
>> 1. DNS A and PTR RRs for all involved systems.
>> 2. Attribute servicePrincipalName for the server account.
> 
> We have A and PTR for all our systems. But the KDCs are in the DNS Domain
> intra.cvk.de and the SAP Servers are in cvk.de.

Check that all RRs are resolvable also from AD.

> What do you mean by Attribute servicePrincipalName? We've already had
> to set a servicePrincipalName per AD SAP ServiceAccount, because
> we've had to produce a keytab with ktpass for each one of them.

I mean exactly this. Double-check that it's really what it should be.

> Does your customer run his SAP Servers on Linux?

Yes, Linux (and AIX).

Ciao, Michael.
michael198 (253)
6/9/2008 5:20:47 PM
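
The DNS check suggested in the replies above, combined with the [domain_realm] excerpt from the first post, as an added example that is not part of the original thread: it reports which host names the posted mapping covers and whether A and PTR records agree. The DNS data is constructed sample data, the function names are hypothetical, and the lookup order is a simplified model of how MIT Kerberos matches [domain_realm] entries.

```python
# Added example: realm mapping and A/PTR consistency for the hosts named in the thread.

# Subset of the krb5.conf excerpt posted above.
KRB5_CONF = """\
[libdefaults]
 default_realm = INTRA.CVK.DE
 dns_lookup_realm = false

[domain_realm]
 .intra.cvk.de = INTRA.CVK.DE
 intra.cvk.de = INTRA.CVK.DE
"""

# Constructed sample DNS data (not real lookups; addresses are documentation range).
A_RECORDS = {"cvk100.cvk.de": "192.0.2.100", "cvk020.intra.cvk.de": "192.0.2.20"}
PTR_RECORDS = {"192.0.2.100": "cvk100.intra.cvk.de", "192.0.2.20": "cvk020.intra.cvk.de"}


def parse_section(text, section):
    """Return the key = value pairs of one flat krb5.conf section."""
    pairs, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
        elif current == section and "=" in line:
            key, value = line.split("=", 1)
            pairs[key.strip().lower()] = value.strip()
    return pairs


def realm_for_host(host, domain_realm):
    """Simplified lookup: exact host name first, then each parent domain,
    tried with and without the leading dot. None means no entry applies."""
    candidate = host.lower().rstrip(".")
    while candidate:
        if candidate in domain_realm:
            return domain_realm[candidate]
        if candidate.startswith("."):
            candidate = candidate[1:]
        else:
            dot = candidate.find(".")
            candidate = candidate[dot:] if dot != -1 else ""
    return None


def check_host(host, domain_realm, a=A_RECORDS, ptr=PTR_RECORDS):
    """Return a list of findings for one host; an empty list means all checks pass."""
    findings = []
    if realm_for_host(host, domain_realm) is None:
        findings.append("no [domain_realm] entry covers " + host)
    addr = a.get(host)
    if addr is None:
        findings.append("no A record for " + host)
    else:
        back = ptr.get(addr)
        if back is None:
            findings.append("no PTR record for " + addr)
        elif back.lower().rstrip(".") != host.lower():
            findings.append("PTR for %s is %s, not %s" % (addr, back, host))
    return findings


if __name__ == "__main__":
    mapping = parse_section(KRB5_CONF, "domain_realm")
    for name in ("cvk100.cvk.de", "cvk020.intra.cvk.de"):
        print(name, check_host(name, mapping) or "ok")
```

On a live system, replace the two dictionaries with real lookups, for example socket.gethostbyname and socket.gethostbyaddr, run once on the SAP server and once on a domain member.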