Hi to everyone in the SAP NetWeaver Single Sign-On Community,
For the last few days I have been stuck trying to implement Single Sign-On with Kerberos authentication for an AS ABAP system running on AIX 6.1. Whatever I try to do, I always seem to end up with the same generic error:
(domain names in this picture and all following files and traces have been removed or replaced with "generic.domain")
Hopefully somebody with more experience would be so kind as to take a look at this post and the attached traces to help me figure out where the problem with my configuration lies.
Attached you will find the developer trace of the first work process, the trace of the Secure Login Library with trace level 4 of an authentication attempt, and the traces of the Secure Login Client during the same authentication attempt. Additionally, this post contains the configuration of the application server and the service user.
Generic information:
Platform: IBM AIX 6.1
Kernel: 7.21 Patch Level 226
Version of the Secure Login Library (output of ./sapgenpse):
Loaded CommonCryptoLib from sapgenpse folder
"/sapmnt/K31/exe/uc/rs6000_64/SLL/libsapcrypto.so"
Platform: aix-6.1-ppc-64 (aix-6.1-ppc-64)
Versions: SAPGENPSE 2.0 SP2 Patch 3 (Feb 22 2014)
FILE-Version 8.4.10.3
CommonCryptoLib (SAPCRYPTOLIB) Version 8.4.10 pl40 (2.0 SP2 Patch 3) (Feb 22 2014) MT-safe
USER="k31adm"
Environment variable $SECUDIR is defined:
"/usr/sap/K31/DVEBMGS03/sec"
Configuration of SNC parameters in the instance profile of the application server:
snc/enable = 1
snc/data_protection/use = 3
snc/data_protection/min = 2
snc/data_protection/max = 3
snc/gssapi_lib = /sapmnt/K31/exe/uc/rs6000_64/SLL/libsapcrypto.so
snc/accept_insecure_gui = 1
snc/accept_insecure_cpic = 1
snc/accept_insecure_rfc = 1
snc/permit_insecure_start = 1
snc/force_login_screen = 0
snc/identity/as = p:CN=svc-sap-sso@GENERIC.DOMAIN
snc/r3int_rfc_secure = 0
snc/r3int_rfc_qop = 8
Availability of required personal security environments for the user k31adm (output of ./sapgenpse seclogin -l):
running seclogin with USER="k31adm"
0: CN=svc-sap-sso@GENERIC.DOMAIN
/usr/sap/K31/DVEBMGS03/sec/SAPSNCSKERB.pse
1: CN=svc-sap-sso@GENERIC.DOMAIN
/usr/sap/K31/DVEBMGS03/sec/SAPSNCS.pse
2 readable SSO-Credentials available
Configuration of the Microsoft Active Directory service user:
domain: generic.domain
samaccountname: svc-sap-sso
serviceprincipalname: SAP/svc-sap-sso