SAP、IIS 和 SSO - Kerberos SSPI 无法用于此用户帐户

发布于 2024-12-02 21:00:50 字数 2265 浏览 1 评论 0原文

我的目标是让 Intranet 用户的凭据通过 asp.net 网页传递到 SAP RFC。

背景
我们在 AD 系统中设置了 SAP SSO。用户无需输入用户名/密码即可打开 SAP gui 并登录。

我们使用 ERPConnect 来调用 SAP 中的 RFC。如果我们向连接字符串提供凭据，效果会很好。如果网页在我们的本地计算机上运行，我们还可以使用下面的代码来使用 SSO。

Dim db As New SAPContext("ashost=sapsandbox.xxxsap.ad.xxx.com snc_mode=1 sysnr=00 SNC_QOP=9 snc_partnername=p:[email protected] SNC_LIB=C:\windows\system32\gsskrb5.dll")

当我们转移到运行 IIS6 的 Windows 2003 服务器计算机时，我们收到以下错误。

SAP_CMINIT3 : rc=20 > Connect to SAP gateway failed
Connect_PM  GWHOST=sapsandbox.xxxsap.ad.xxx.com, GWSERV=sapgw00, SYSNR=00

LOCATION    CPIC (TCP/IP) on local host
ERROR       GSS-API(maj): Miscellaneous Failure
           GSS-API(min): Kerberos SSPI not usable with this User account
           STOP! -- initial call to gss_indicate_mechs() failed
TIME        Fri Sep 02 14:13:47 201
RELEASE     710
COMPONENT   SNC (Secure Network Communication)
VERSION     5
RC          -1
MODULE      sncxxdl.c
LINE

我在 IIS6 站点上禁用了匿名访问。我还关注了这篇文章，了解如何在 IIS6 上启用 kerberos 身份验证。

有谁知道如何让它工作？如果有更简单的方法让它工作，我们可以迁移到 IIS7。

编辑
我设置了现在收到一个新错误。

SAP_CMINIT3 : rc=20 > Connect to SAP gateway failed
Connect_PM  GWHOST=sapsandbox.xxxsap.ad.xxx.com, GWSERV=sapgw00, SYSNR=00

LOCATION    CPIC (TCP/IP) on local host
ERROR       GSS-API(maj): Miscellaneous Failure
           GSS-API(min): SSPI::AcqCredHdl(INI)==No credentials available
           in secur
           Could't acquire DEFAULT INITIATING credentials
TIME        Tue Sep 06 11:45:11 201
RELEASE     710
COMPONENT   SNC (Secure Network Communication)
VERSION     5
RC          -4
MODULE      snc

编辑
我想我必须有 AD 设置才能使用 SPN。这是我在这个问题中看到的内容。
在您的应用程序池帐户上为前端应用程序设置 SPN

原文

My goal is to let intranet user's credentials pass through a asp.net webpage to an SAP RFC.

Background
We have SAP SSO setup with our AD system. Users can open the SAP gui and login without entering a username/password.

We are using ERPConnect to call RFCs in SAP. If we supply credentials to the connection string it works great. We can also use the following code below to use SSO if the webpage is running on our local machine.

Dim db As New SAPContext("ashost=sapsandbox.xxxsap.ad.xxx.com snc_mode=1 sysnr=00 SNC_QOP=9 snc_partnername=p:[email protected] SNC_LIB=C:\windows\system32\gsskrb5.dll")

When we move to a windows 2003 server machine running IIS6 we get the following error.

SAP_CMINIT3 : rc=20 > Connect to SAP gateway failed
Connect_PM  GWHOST=sapsandbox.xxxsap.ad.xxx.com, GWSERV=sapgw00, SYSNR=00

LOCATION    CPIC (TCP/IP) on local host
ERROR       GSS-API(maj): Miscellaneous Failure
           GSS-API(min): Kerberos SSPI not usable with this User account
           STOP! -- initial call to gss_indicate_mechs() failed
TIME        Fri Sep 02 14:13:47 201
RELEASE     710
COMPONENT   SNC (Secure Network Communication)
VERSION     5
RC          -1
MODULE      sncxxdl.c
LINE

I have disabled anonymous access on my IIS6 site. I have also followed this article on how to enable kerberos authentication on IIS6.

Does anyone know how to get this working? We could move to IIS7 if there is an easier way to get it to work with that.

EDIT
I set <identity impersonate="true" /> and I get a new error now.

SAP_CMINIT3 : rc=20 > Connect to SAP gateway failed
Connect_PM  GWHOST=sapsandbox.xxxsap.ad.xxx.com, GWSERV=sapgw00, SYSNR=00

LOCATION    CPIC (TCP/IP) on local host
ERROR       GSS-API(maj): Miscellaneous Failure
           GSS-API(min): SSPI::AcqCredHdl(INI)==No credentials available
           in secur
           Could't acquire DEFAULT INITIATING credentials
TIME        Tue Sep 06 11:45:11 201
RELEASE     710
COMPONENT   SNC (Secure Network Communication)
VERSION     5
RC          -4
MODULE      snc

EDIT
I think I have to have AD setup to use SPN. Here's what I saw on this question.
Set up a SPN on your application pool account for your front end application

分享到QQ

分享到微博