SAP SSO between Windows & SAP users:

Hi all experts,

Really need your help in configuring SAP SSO between Windows 2008 R2 ADS & SAP Users.

I followed all the steps provided in SAP NW SSO SP4 SLL document from SAP.

But, I stuck up at couple of steps, the major is part is our ADS Administrator does'nt want to edit SPN for Kerberos user,

instead he suggested to use either RC4 or AES256.

During the SNC setup, I am facing  a below error in dev_w0 file:

SncInit(): found  snc/gssapi_lib=E:\usr\sap\SID\SLL\windows-x86-64\sapcrypto.dll

N    File "E:\usr\sap\SID\SLL\windows-x86-64\sapcrypto.dll" dynamically loaded as GSS-API v2 library.

N    The internal Adapter for the loaded GSS-API mechanism identifies as:

N    Internal SNC-Adapter (Rev 1.0) to SECUDE 5/GSS-API v2

N  SncInit():   found snc/identity/as=p:CN=SAP/SAPServiceSID@<FQDN>.com

N  *** ERROR => SncPAcquireCred()==SNCERR_GSSAPI  [sncxxall.c 1439]

N        GSS-API(maj): No credentials were supplied

N        GSS-API(min): No credentials found for this name (not logged on) (USER=SAPServiceAES)

N      Could't acquire ACCEPTING credentials for

N 

N      name="p:CN=SAP/SAPServiceSED@<FQDN>.com"

N  SncInit(): Fatal -- Accepting Credentials not available!

N  <<- SncInit()==SNCERR_GSSAPI

N           sec_avail = "false"

M  ***LOG R19=> ThSncInit, SncInitU ( SNC-000004) [thxxsnc.c    237]

M  *** ERROR => ThSncInit: SncInitU (SNCERR_GSSAPI) [thxxsnc.c    239]

M  in_ThErrHandle: 1

M  *** ERROR => SncInitU (step 1, th_errno 44, action 3, level 1) [thxxhead.c   11321]

Below is SNC Status:

E:\usr\sap\SID\SLL\windows-x86-64>snc.exe

Using command 'status -v', call with -h to see more commands

------------------------------------------------------------------------------

------------ status -------------------------------------------------------

------------------------------------------------------------------------------

Product version      : Secure Login Library 1.0 SP 4:
CryptoLib                 : 8.3.7.5

                                  : windows-x86-64

GSS library               : available

GSS library name    : secgss.dll

PSE directory           : (existing) E:\usr\sap\SID\DVEBMGS00\sec

PSE file                     : (existing) E:\usr\sap\SID\DVEBMGS00\sec\pse.zip

STRUST cred file     : (existing) E:\usr\sap\SID\DVEBMGS00\sec\cred_v2

SNC config file        : (existing) E:\usr\sap\SID\SLL\windows-x86-64\gss.xml

PSE accessible        : yes

PSE logged in          : yes

PSE credentials      : MasterPassword SystemDefault

Kerberos keyTab    : 12 entries

SAP/ServiceSID@<fqdn>.com (KeyType DES)

SAP/ServiceSID@<fqdn>.com(KeyType AES128)

SAP/ServiceSID@<fqdn>.com(KeyType AES256)

SAP/ServiceSID@<fqdn>.com(KeyType RC4)

SAP/ServiceSID@<fqdn>.com(KeyType DES)

SAP/ServiceSID@<fqdn>.com(KeyType AES128)

SAP/ServiceSID@<fqdn>.com (KeyType AES256)

SAP/ServiceSID@<fqdn>.com (KeyType RC4) 

SAP/ServiceSID@<fqdn>.com  (KeyType DES)

SAP/ServiceSID@<fqdn>.com  (KeyType AES128)

SAP/ServiceSID@<fqdn>.com(KeyType AES256)

SAP/ServiceSID@<fqdn>.com(KeyType RC4)

SNC keys registered :  0 entries

Trusted certificates:

in PSE CN=SID, OU=<Cust. No.>, OU=SAP Web AS, O=SAP Trust Community, C=DE

Quick responce really needed as pressure increased.

Thanks and Regards

Ahsan.