SAP，IIS和SSO - 的Kerberos SSPI不能使用这个用户账号 [英] SAP, IIS and SSO - Kerberos SSPI not usable with this User account

问题描述

我的目标是让内网用户的凭据通过一个asp.net网页到SAP RFC。

My goal is to let intranet user's credentials pass through a asp.net webpage to an SAP RFC.

背景
我们有SAP SSO设置与我们的广告系统。用户可以打开SAP GUI和登录，而无需输入用户名/密码。

Background
We have SAP SSO setup with our AD system. Users can open the SAP gui and login without entering a username/password.

我们正在使用ERPConnect来调用SAP的RFC。如果我们提供的凭据连接字符串它的伟大工程。我们也可以用下面的code以下使用SSO如果网页是在我们的本地计算机上运行。

We are using ERPConnect to call RFCs in SAP. If we supply credentials to the connection string it works great. We can also use the following code below to use SSO if the webpage is running on our local machine.

Dim db As New SAPContext("ashost=sapsandbox.xxxsap.ad.xxx.com snc_mode=1 sysnr=00 SNC_QOP=9 snc_partnername=p:SAPUserAccount@xxxSAP.AD.XXX.COM SNC_LIB=C:\windows\system32\gsskrb5.dll")

当我们移动到Windows 2003 Server的机器运行IIS6，我们得到以下错误。

When we move to a windows 2003 server machine running IIS6 we get the following error.

SAP_CMINIT3 : rc=20 > Connect to SAP gateway failed
Connect_PM  GWHOST=sapsandbox.xxxsap.ad.xxx.com, GWSERV=sapgw00, SYSNR=00

LOCATION    CPIC (TCP/IP) on local host
ERROR       GSS-API(maj): Miscellaneous Failure
           GSS-API(min): Kerberos SSPI not usable with this User account
           STOP! -- initial call to gss_indicate_mechs() failed
TIME        Fri Sep 02 14:13:47 201
RELEASE     710
COMPONENT   SNC (Secure Network Communication)
VERSION     5
RC          -1
MODULE      sncxxdl.c
LINE

我有残疾的匿名访问我的IIS6的网站。我也跟着如何在IIS6上启用Kerberos身份验证此的文章。

I have disabled anonymous access on my IIS6 site. I have also followed this article on how to enable kerberos authentication on IIS6.

有谁知道如何得到这个工作？我们可以移动到IIS7，如果有一个更简单的方法得到它与合作。

Does anyone know how to get this working? We could move to IIS7 if there is an easier way to get it to work with that.

修改
我设置＆LT;身份冒充=真/＆GT; ，我现在得到一个新的错误

EDIT
I set <identity impersonate="true" /> and I get a new error now.

SAP_CMINIT3 : rc=20 > Connect to SAP gateway failed
Connect_PM  GWHOST=sapsandbox.xxxsap.ad.xxx.com, GWSERV=sapgw00, SYSNR=00

LOCATION    CPIC (TCP/IP) on local host
ERROR       GSS-API(maj): Miscellaneous Failure
           GSS-API(min): SSPI::AcqCredHdl(INI)==No credentials available
           in secur
           Could't acquire DEFAULT INITIATING credentials
TIME        Tue Sep 06 11:45:11 201
RELEASE     710
COMPONENT   SNC (Secure Network Communication)
VERSION     5
RC          -4
MODULE      snc

修改
我想我必须有AD设置为使用SPN。这是我看到的<一个href="http://stackoverflow.com/questions/2963812/end-to-end-kerberos-delegated-authentication-in-asp-net">this问题。
设置SPN您的应用程序池帐户为您的前端应用程序的

EDIT
I think I have to have AD setup to use SPN. Here's what I saw on this question.
Set up a SPN on your application pool account for your front end application

推荐答案

不熟悉SAP，但 代表团的是除了SPN这里的关键，AD必须信任本机发送Kerberos票据，我强烈建议你阅读这篇文章：

Not familiar with SAP, but delegation is key here in addition to SPN, AD has to trust the machine sending the kerberos ticket, I'd highly recommend reading this article:

了解Kerberos的双跳

这篇关于SAP，IIS和SSO - 的Kerberos SSPI不能使用这个用户账号的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！