SAP SSO: "No Kerberos SSPI credentials available for requested name" - Kerberos



  1. SAP SSO: "No Kerberos SSPI credentials available for requested name"

    Hello,

    we have the following environment:

    Windows 2003 SP2 KDC and ktpass.exe from the SP2 Support Tools Package.
    We've produced a keytab for each SAP Instance. The principal names used were like SAPService/@ realm>.
    e.g. SAPServiceS01/cvk100.cvk.de@INTRA.CVK.DE. We've tried other variations, with no difference. The Keytab encryption mode was RC4-HMAC-NT, but we've also tried DES encryption. No difference.

    SAP Netweaver 7.0 AS on Novell SLES10SP1 Linux

    The Linux MIT Kerberos versions used are v1.4.3 and self-compiled v1.6.3, with no visible difference regarding the problem. We're using the SAP BC SNC Wrapper Library v1.1 (SAP BC-SNC Adapter).

    Here's an excerpt of our krb5.conf
    [libdefaults]
    ticket_lifetime = 24000
    default_realm = INTRA.CVK.DE
    default_tgs_enctypes = rc4-hmac des-cbc-md5 des-cbc-crc
    default_tkt_enctypes = rc4-hmac des-cbc-md5 des-cbc-crc
    dns_lookup_realm = false
    dns_lookup_kdc = false

    [realms]
    INTRA.CVK.DE = {
    kdc = cvk020.intra.cvk.de:88
    admin_server = cvk020.intra.cvk.de:749
    default_domain = intra.cvk.de
    }

    [domain_realm]
    .intra.cvk.de = INTRA.CVK.DE
    intra.cvk.de = INTRA.CVK.DE

    Here's an excerpt from our SAP Profile:
    snc/enable = 1
    snc/identity/as = p:SAPServiceS01/cvk100.cvk.de@INTRA.CVK.DE
    snc/gssapi_lib = /usr/local/lib/snckrb5.so

    and the rest of the needed snc parameters.

    SAP Client is v7.10 on Windows XP SP3 and SP2 machines with the newest GSSKRB5.DLL v1.0.8 from SAP. Also no difference in behaviour between SP2 and SP3. So MS KB885887 couldn't be a factor, because SP3 already includes it.

    We've installed the SAP SSO Kerberos solution using Calin Barbat's fine instruction posting on this list. In this posting he mentions that for him Kerberos SSO also doesn't work all the time. With no specifics.

    SSO works initially every time, but after a while the aforementioned error message shows.

    We've found some postings from people that had similar problems, but they haven't found a solution yet. It seems just like the needed ticket expires after a while and isn't renewed.

    SAP Support says that the guys at MIT have successfully implemented such a scenario and that we should ask them about that. Hopefully someone from that team reads this posting and has some advice on what is going wrong.

    Does anyone have such a scenario in production?

    Best regards,
    Thomas

  2. Re: SAP SSO: "No Kerberos SSPI credentials available for requested name"

    tomglx@googlemail.com wrote:
    > SAP Support says, that the guys at MIT have successfully implemented
    > such a scenario


    One of my customers also successfully installed that. I wasn't involved
    in that though.

    With this particular error message I'd examine two things:
    1. DNS A and PTR RRs for all involved systems.
    2. Attribute servicePrincipalName for the server account.

    Ciao, Michael.

  3. Re: SAP SSO: "No Kerberos SSPI credentials available for requested name"

    On 9 Jun., 10:17, Michael Ströder wrote:
    > tom...@googlemail.com wrote:
    > > SAP Support says, that the guys at MIT have successfully implemented
    > > such a scenario

    >
    > One of my customers also successfully installed that. I wasn't involved
    > in that though.
    >
    > With this particular error message I'd examine two things:
    > 1. DNS A and PTR RRs for all involved systems.
    > 2. Attribute servicePrincipalName for the server account.
    >
    > Ciao, Michael.


    We have A and PTR for all our systems. But the KDCs are in the DNS domain intra.cvk.de and the SAP Servers are in cvk.de.

    The settings dns_lookup_realm = false and dns_lookup_kdc = false should suppress at least some of the DNS requests.

    What do you mean by Attribute servicePrincipalName? We've already had to set a servicePrincipalName per AD SAP ServiceAccount, because we've had to produce a keytab with ktpass for each one of them.

    Does your customer run his SAP Servers on Linux?

    Regards, Thomas

  4. Re: SAP SSO: "No Kerberos SSPI credentials available for requested name"

    tomglx@googlemail.com wrote:
    > On 9 Jun., 10:17, Michael Ströder wrote:
    >> tom...@googlemail.com wrote:
    >>> SAP Support says, that the guys at MIT have successfully implemented
    >>> such a scenario

    >> One of my customers also successfully installed that. I wasn't involved
    >> in that though.
    >>
    >> With this particular error message I'd examine two things:
    >> 1. DNS A and PTR RRs for all involved systems.
    >> 2. Attribute servicePrincipalName for the server account.

    >
    > We have A and PTR for all our systems. But the KDCs are in the DNS
    > domain intra.cvk.de and the SAP Servers are in cvk.de.


    Check that all RRs are resolvable also from AD.

    > What do you mean by Attribute servicePrincipalName? We've already had
    > to set a servicePrincipalName per AD SAP ServiceAccount, because
    > we've had to produce a keytab with ktpass for each one of them.


    I mean exactly this. Double-check that it's really what it should be.

    > Does your customer run his SAP Servers on Linux?


    Yes, Linux (and AIX).

    Ciao, Michael.
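
Added example, not part of any post in this thread: a small Python check of which realm, if any, the `[domain_realm]` section posted above assigns to the two host names mentioned in the thread (the KDC in intra.cvk.de and the SAP server in cvk.de). The lookup order used here (full host name, then each parent domain with and without a leading dot) is a simplified model of MIT krb5's behaviour and is an assumption of this example, as are the function names.

```python
"""Added example: which realm does a krb5.conf [domain_realm] section give a host?"""

# krb5.conf excerpt as posted in the thread (only the relations used here).
KRB5_CONF = """\
[libdefaults]
default_realm = INTRA.CVK.DE
dns_lookup_realm = false

[domain_realm]
.intra.cvk.de = INTRA.CVK.DE
intra.cvk.de = INTRA.CVK.DE
"""


def parse_domain_realm(text):
    """Return the [domain_realm] relations as {lower-case name: realm}."""
    mapping, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # blank line or comment line
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "domain_realm" and "=" in line:
            name, realm = (part.strip() for part in line.split("=", 1))
            mapping[name.lower()] = realm
    return mapping


def candidates(host):
    """Names tried in order: host, .parent, parent, ... (simplified model)."""
    host = host.lower().rstrip(".")
    names = [host]
    while "." in host:
        host = host.split(".", 1)[1]
        names += ["." + host, host]
    return names


def realm_for(host, mapping):
    """Return (realm, matched_key), or (None, None) when nothing matches."""
    for name in candidates(host):
        if name in mapping:
            return mapping[name], name
    return None, None


if __name__ == "__main__":
    table = parse_domain_realm(KRB5_CONF)
    for h in ("cvk020.intra.cvk.de", "cvk100.cvk.de"):
        print(h, "->", realm_for(h, table))
```

With the posted configuration the KDC host matches `.intra.cvk.de`, while `cvk100.cvk.de` matches no relation, so its realm is left to whatever fallback the Kerberos library applies.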
