[29949] in Kerberos
Re: SAP SSO: "No Kerberos SSPI credentials available for requested
daemon@ATHENA.MIT.EDU (tomglx@googlemail.com)
Tue Jun 10 11:35:12 2008
From: tomglx@googlemail.com
Date: Mon, 9 Jun 2008 06:40:48 -0700 (PDT)
Message-ID: <224b6167-6c9e-4c1a-a109-2ef640b27591@8g2000hse.googlegroups.com>
Mime-Version: 1.0
X-Complaints-To: groups-abuse@google.com
Complaints-To: groups-abuse@google.com
To: kerberos@mit.edu
Content-Type: text/plain; charset="iso-8859-1"
Errors-To: kerberos-bounces@mit.edu
Content-Transfer-Encoding: 8bit
On 9 Jun., 10:17, Michael Ströder <mich...@stroeder.com> wrote:
> tom...@googlemail.com wrote:
> > SAP Support says, that the guys at MIT have successfully implemented
> > such a scenario
>
> One of my customers also successfully installed that. I wasn't involved
> in that though.
>
> With this particular error message I'd examine two things:
> 1. DNS A and PTR RRs for all involved systems.
> 2. Attribute servicePrincipalName for the server account.
>
> Ciao, Michael.
We have A und PTR for all our systems. But the KDCs are in the DNS
Domain
intra.cvk.de and the SAP Servers are in cvk.de.
The settings dns_lookup_realm = false and dns_lookup_kdc = false
should
suppress at least some of the DNS requests.
What do you mean by Attribute servicePrincipalName? We've already had
to set a
servicePrincipalName per AD SAP ServiceAccount, because we've had to
produce
a keytab with ktpass for each one of them.
Does your customer run his SAP Servers on Linux?
Regards, Thomas
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
