-
Title
Login to SAP with SSO authentication fails with SAS 4.2.x -
Description
A situation may arise where logging in to SAP with SSO authentication works for a system with SAS 4.1.x installed on it but once that system is upgraded to SAS 4.2.x or higher, authentication may fail.
-
Cause
The Heimdal (kerberos) libraries were updated with the release of SAS 4.2.x and expects that the FQDN is set as the canonical hostname in the hosts file and not the alias
The format of the entries in the hosts file is
IP_address canonical_hostname [aliases...]
If the canonical_hostname is the shortname instead of the FQDN then authentication will fail
-
Resolution
- Update the /etc/hosts file so that the canonical_hostname is the fqdn and not the shortname
eg: 1.2.3.4 server.domain.com server
- Running the following command may also help:
# /opt/quest/bin/vastool configure vas libdefaults check-rd-req-server ignore
To remove this setting run
# /opt/quest/bin/vastool configure vas libdefaults check-rd-req-server
.
Here is the description of the setting from the Heimdal krb5.conf man page:
check-rd-req-server
If set to "ignore", the framework will ignore any the server input to krb5_rd_req3, this is very useful when the GSS-API server input the wrong server name into the gss_accept_sec_context call.