Hello, we have the following environment:

Windows 2003 SP2 KDC and ktpass.exe from the SP2 Support Tools Package. We've produced a keytab for each SAP instance. The principal names used were like SAPService<SID>/<fqdn of the machine>@<W2k3 Kerberos realm>, e.g. SAPServiceS01/[EMAIL PROTECTED]. We've tried other variations, with no difference. The keytab encryption mode was RC4-HMAC-NT, but we've also tried DES encryption. No difference.

SAP Netweaver 7.0 AS on Novell SLES10SP1 Linux. The Linux MIT Kerberos versions used are v1.4.3 and a self-compiled v1.6.3, with no visible difference in the problem. We're using the SAP BC SNC Wrapper Library v1.1 (SAP BC-SNC Adapter).

Here's an excerpt of our krb5.conf:

    [libdefaults]
    ticket_lifetime = 24000
    default_realm = INTRA.CVK.DE
    default_tgs_enctypes = rc4-hmac des-cbc-md5 des-cbc-crc
    default_tkt_enctypes = rc4-hmac des-cbc-md5 des-cbc-crc
    dns_lookup_realm = false
    dns_lookup_kdc = false

    [realms]
    INTRA.CVK.DE = {
        kdc = cvk020.intra.cvk.de:88
        admin_server = cvk020.intra.cvk.de:749
        default_domain = intra.cvk.de
    }

    [domain_realm]
    .intra.cvk.de = INTRA.CVK.DE
    intra.cvk.de = INTRA.CVK.DE

Here's an excerpt from our SAP profile:

    snc/enable = 1
    snc/identity/as = p:SAPServiceS01/[EMAIL PROTECTED]
    snc/gssapi_lib = /usr/local/lib/snckrb5.so

and the rest of the needed snc parameters.

The SAP client is v7.10 on Windows XP SP3 and SP2 machines with the newest GSSKRB5.DLL v1.0.8 from SAP. There is also no difference in behaviour between SP2 and SP3, so MS KB885887 couldn't be a factor, because SP3 already includes it.

We've installed the SAP SSO Kerberos solution using Calin Barbat's fine instruction posting on this list. In this posting he mentions that for him Kerberos SSO also doesn't work all the time, with no specifics. SSO works initially every time, but after a while the aforementioned error message shows. We've found some postings from people that had similar problems, but they haven't found a solution yet. It seems just like the needed ticket expires after a while and isn't renewed.

SAP Support says that the guys at MIT have successfully implemented such a scenario and that we should ask them about that. Hopefully someone from that team reads this posting and has some advice on what is going wrong.

Does anyone have such a scenario in production?

Best regards,
Thomas

________________________________________________
Kerberos mailing list
Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
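When a ticket "seems to expire after a while", the first thing to pin down is what the configured lifetimes actually are in seconds. The following is an added example, not code from the post or from SAP or MIT; it reads the `[libdefaults]` lifetimes out of a krb5.conf fragment and converts them the way MIT krb5 interprets duration values (a bare integer is seconds, so the `ticket_lifetime = 24000` quoted above is 6h40m), using a constructed sample modelled on the excerpt in the post and a simplified duration parser written for this example.

```python
import re

# Constructed sample mirroring the [libdefaults] block quoted in the post.
# renew_lifetime is deliberately absent, as it is in the excerpt.
SAMPLE_KRB5_CONF = """
[libdefaults]
ticket_lifetime = 24000
default_realm = INTRA.CVK.DE
dns_lookup_realm = false
dns_lookup_kdc = false
"""

_UNIT_SECONDS = {"d": 86400, "h": 3600, "m": 60, "s": 1}


def parse_krb5_duration(text):
    """Convert a krb5.conf duration to seconds.

    Simplified reading of MIT's duration syntax (assumption for this example):
    a bare integer is seconds, 'H:M[:S]' is clock-style, and unit-suffixed
    parts such as '1d 2h 30m' are summed.
    """
    text = text.strip()
    if re.fullmatch(r"\d+", text):
        return int(text)
    m = re.fullmatch(r"(\d+):(\d{1,2})(?::(\d{1,2}))?", text)
    if m:
        return int(m.group(1)) * 3600 + int(m.group(2)) * 60 + int(m.group(3) or 0)
    parts = re.findall(r"(\d+)\s*([dhms])", text)
    if not parts or "".join(n + u for n, u in parts) != re.sub(r"\s+", "", text):
        raise ValueError(f"unrecognised duration: {text!r}")
    return sum(int(n) * _UNIT_SECONDS[u] for n, u in parts)


def libdefaults(conf_text):
    """Return the key/value pairs of the [libdefaults] section as a dict."""
    section, out = None, {}
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        m = re.fullmatch(r"\[(\w+)\]", line)
        if m:
            section = m.group(1)
        elif section == "libdefaults" and "=" in line:
            key, value = (p.strip() for p in line.split("=", 1))
            out[key] = value
    return out


def ticket_policy(conf_text):
    """Summarise initial-ticket lifetime and renewability from a krb5.conf text."""
    d = libdefaults(conf_text)
    ticket = parse_krb5_duration(d.get("ticket_lifetime", "1d"))  # MIT default is 1 day
    renew = d.get("renew_lifetime")
    return {
        "ticket_lifetime_s": ticket,
        "renew_lifetime_s": parse_krb5_duration(renew) if renew else 0,
        "renewable": bool(renew),          # no renew_lifetime: tickets are not renewable
        "ticket_lifetime_hm": f"{ticket // 3600}h{(ticket % 3600) // 60:02d}m",
    }
```

Running `ticket_policy(SAMPLE_KRB5_CONF)` on the constructed sample reports a 6h40m non-renewable initial ticket lifetime; note that this only describes tickets obtained through the MIT library on the Linux side, not those issued to the Windows clients by their own SSP.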