GSS-API error: No Kerberos SSPI credentials available


GSS-API error: No Kerberos SSPI credentials available

Barbat, Calin
Hello Juan,

did you find a solution to the problem below? It's the one you mentioned in your post to the kerberos mailing list a while ago - I cite you here:

I have implemented an SSO solution with kerberos5, SNC, Active Directory 2K3 with SAP (Unix
Server). It works fine, but I found an error in some clients that I want to investigate.

Some days, in the morning (note: users don't close the windows sessions at the end of work-day,
they block-out their computers), when users try to connect to SAP, they receive the following
client error (in the SAP client log):

**************************************************
Sapgui 620 [Build 8966] Wed Feb 16 10:03:14 2005: 'GSS-API(maj): No valid credentials provided (or
available) GSS-API(min): No Kerberos SSPI credentials available for requested nam
name="p:user at SITE.DOMAIN.COM"
Component SNC (Secure Network Communication)
Release 620
Version 5
Module sncxxall.c
Line 1223
Method SncPAcquireCred
Return Code -4
System Call gss_acquire_cred
Counter 4
**************************************************

or this one:

**************************************************
Sapgui 620 [Build 8966] Tue Feb 15 10:21:59 2005 : 'SNCERR_GSSAPI
An operation failed at the GSS-API level sec_avail="false"
Component SNC (Secure Network Communication)
Release 620
Version 5
Module sncxx.c
Method SncInit
Return Code -4
Counter 2
**************************************************

The problem ends if the user closes their Windows session and starts it again.
Does anyone know this error?

Best regards

Calin Barbat
OSRAM GmbH / IT SP6
Hellabrunnerstr. 1
81543 München

________________________________________________
Kerberos mailing list           [hidden email]
https://mailman.mit.edu/mailman/listinfo/kerberos
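
An added example, not part of the original post and not SAP's own tooling: a small Python parser for the asterisk-delimited SNC error blocks quoted above, so that client logs can be triaged by timestamp, failing method and GSS-API call. The field labels are taken from the two excerpts; `parse_snc_blocks`, `FIELDS` and the abbreviated sample string are names and data assumed here.

```python
import re
from datetime import datetime

# Field labels as they appear in the two log excerpts quoted in this thread.
FIELDS = ("Component", "Release", "Version", "Module", "Line", "Method",
          "Return Code", "System Call", "Counter")
STAMP = re.compile(r"(\w{3}) +(\d{1,2}) (\d\d):(\d\d):(\d\d) (\d{4})")
MONTHS = "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split()

# Constructed sample: the two excerpts from the thread with some fields dropped.
SAMPLE = """\
**************************************************
Sapgui 620 [Build 8966] Wed Feb 16 10:03:14 2005: 'GSS-API(maj): No valid credentials provided (or
available) GSS-API(min): No Kerberos SSPI credentials available for requested nam
Method SncPAcquireCred
Return Code -4
System Call gss_acquire_cred
**************************************************
or this one:
**************************************************
Sapgui 620 [Build 8966] Tue Feb 15 10:21:59 2005 : 'SNCERR_GSSAPI
An operation failed at the GSS-API level sec_avail="false"
Method SncInit
Return Code -4
**************************************************
"""

def parse_snc_blocks(text):
    """Return one dict per asterisk-delimited SNC error block."""
    records = []
    for chunk in re.split(r"(?m)^\*{10,}[ \t]*$", text):
        rec, message = {}, []
        for line in chunk.strip().splitlines():
            key = next((f for f in FIELDS if line.startswith(f + " ")), None)
            if key:
                rec[key] = line[len(key):].strip()
            else:
                message.append(line.strip())  # wrapped header/message text
        if "Return Code" not in rec:
            continue  # prose between blocks, not an error record
        rec["message"] = " ".join(message)
        m = STAMP.search(rec["message"])
        if m and m.group(1) in MONTHS:
            mon, *nums = m.groups()
            d, hh, mm, ss, yr = map(int, nums)
            rec["time"] = datetime(yr, MONTHS.index(mon) + 1, d, hh, mm, ss)
        records.append(rec)
    return records
```

Fields that a block does not carry (the second excerpt has no `System Call` or `Line`) are simply absent from its dict, so callers should read them with `.get()`.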

Re: GSS-API error: No Kerberos SSPI credentials available

Franco Milicchio-3
On 2005-11-29 09:35:05 +0100, [hidden email] ("Barbat, Calin") said:

> Hello Juan,
>
> did you find a solution to the problem below? It's the one you
> mentioned in your post to the kerberos mailing list a while ago - I
> cite you here:
>
> I have implemented an SSO solution with kerberos5, SNC, Active
> Directory 2K3 with SAP (Unix
> Server). It works fine, but I found an error in some clients that I
> want to investigate.
>
> Some days, in the morning (note: users don't close the windows sessions
> at the end of work-day,
> they block-out their computers), when users try to connect to SAP, they
> receive the following
> client error (in the SAP client log):

I do not know SAP, I use other software, but I give my 2 cents, it
might help you.

Does SAP need principals in the keytab file like

host/hostname@REALM
service/hostname@REALM (like  ldap/ldap.mydomain.com/MYDOMAIN.COM).

You said SSO works, right?

--
Sensei <[hidden email]>

Part of the inhumanity of the computer is that, once it is competently
programmed and working smoothly, it is completely honest. (Isaac Asimov)


AW: GSS-API error: No Kerberos SSPI credentials available

Barbat, Calin
Hi,

yes, SSO works well for me. Some colleague is experiencing that error message.

You are right, SAP uses an AD account, which is then exported to a keytab using ktpass. Which gives an entry like you said: <service>/f.q.d.n@REALM where REALM = AD domain in uppercase (in Windows).

Best regards

Calin

-----Original Message-----
From: [hidden email] [mailto:[hidden email]] On behalf of Sensei
Sent: Tuesday, 29 November 2005 20:49
To: [hidden email]
Subject: Re: GSS-API error: No Kerberos SSPI credentials available

On 2005-11-29 09:35:05 +0100, [hidden email] ("Barbat, Calin") said:

> Hello Juan,
>
> did you find a solution to the problem below? It's the one you
> mentioned in your post to the kerberos mailing list a while ago - I
> cite you here:
>
> I have implemented an SSO solution with kerberos5, SNC, Active
> Directory 2K3 with SAP (Unix Server). It works fine, but I found an
> error in some clients that I want to investigate.
>
> Some days, in the morning (note: users don't close the windows
> sessions at the end of work-day, they block-out their computers), when
> users try to connect to SAP, they receive the following client error
> (in the SAP client log):

I do not know SAP, I use other software, but I give my 2 cents, it might help you.

Does SAP need principals in the keytab file like

host/hostname@REALM
service/hostname@REALM (like  ldap/ldap.mydomain.com/MYDOMAIN.COM).

You said SSO works, right?

--
Sensei <[hidden email]>

Part of the inhumanity of the computer is that, once it is competently programmed and working smoothly, it is completely honest. (Isaac Asimov)
