[29947] in Kerberos
Re: SAP SSO: "No Kerberos SSPI credentials available for requested
daemon@ATHENA.MIT.EDU (=?ISO-8859-1?Q?Michael_Str=F6der?=)
Tue Jun 10 11:31:24 2008
From: =?ISO-8859-1?Q?Michael_Str=F6der?= <michael@stroeder.com>
Date: Mon, 09 Jun 2008 19:20:47 +0200
Message-ID: <fc50i5-9ie.ln1@nb2.stroeder.com>
Mime-Version: 1.0
X-Complaints-To: usenet-abuse@t-online.de
In-Reply-To: <224b6167-6c9e-4c1a-a109-2ef640b27591@8g2000hse.googlegroups.com>
To: kerberos@mit.edu
Content-Type: text/plain; charset="iso-8859-1"
Errors-To: kerberos-bounces@mit.edu
Content-Transfer-Encoding: 8bit
tomglx@googlemail.com wrote:
> On 9 Jun., 10:17, Michael Ströder <mich...@stroeder.com> wrote:
>> tom...@googlemail.com wrote:
>>> SAP Support says, that the guys at MIT have successfully implemented
>>> such a scenario
>> One of my customers also successfully installed that. I wasn't involved
>> in that though.
>>
>> With this particular error message I'd examine two things:
>> 1. DNS A and PTR RRs for all involved systems.
>> 2. Attribute servicePrincipalName for the server account.
>
> We have A und PTR for all our systems. But the KDCs are in the DNS
> Domain
> intra.cvk.de and the SAP Servers are in cvk.de.
Check that all RRs are resolvable also from AD.
> What do you mean by Attribute servicePrincipalName? We've already had
> to set a servicePrincipalName per AD SAP ServiceAccount, because
> we've had to produce a keytab with ktpass for each one of them.
I mean exactly this. Double-check that it's really what it should be.
> Does your customer run his SAP Servers on Linux?
Yes, Linux (and AIX).
Ciao, Michael.
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
