What is the best way to monitor AD connectivity when using SNC SSO SAP?
You can run a vastool auth command, which checks that:
- The AD configuration in /etc/opt/quest/vas/vas.conf is correct
- The keytab exists and is readable
- AD is reachable
- The service account used for SAP can authenticate against AD (the AD account is valid, is not locked out, and the password is correct and matches the hash stored in the local keytab)
It is advisable to run this check as the SAP user account rather than root, so that the rights to read the keytab are also tested. If anything other than an exit status of 0 is returned, an error has occurred and SSO authentication is likely to fail subsequently.
If using a dedicated SAP service account:
# /opt/quest/bin/vastool -u SAP/ auth -S SAP/
If using the Computer account HOST/ method:
# /opt/quest/bin/vastool -u HOST/ auth -S HOST/
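
A monitoring wrapper for the check described above, as an added example that is not part of the original article or the vendor's tooling. Only the vastool invocation is taken from the commands above; the function name check_sso and the 0/2/3 return codes (Nagios plugin convention) are assumptions, and the caller supplies the full service principal.

```shell
#!/bin/sh
# Added example, not vendor code. Only the vastool invocation comes from
# the article; check_sso and the 0/2/3 codes (Nagios-style) are assumptions.
VASTOOL="${VASTOOL:-/opt/quest/bin/vastool}"   # overridable for testing

# check_sso PRINCIPAL [UID]
#   0 = OK        vastool auth exited 0
#   2 = CRITICAL  vastool auth exited non-zero; SSO is likely to fail
#   3 = UNKNOWN   the check could not be run in a meaningful way
check_sso() {
    principal="$1"
    uid="${2:-$(id -u)}"        # second argument exists only for testing

    if [ -z "$principal" ]; then
        echo "UNKNOWN: no service principal given"
        return 3
    fi
    # root can normally read the keytab regardless of its permissions, so
    # a run as root would not test the SAP user's read rights.
    if [ "$uid" -eq 0 ]; then
        echo "UNKNOWN: run as the SAP user, not root"
        return 3
    fi
    if [ ! -x "$VASTOOL" ]; then
        echo "UNKNOWN: $VASTOOL is missing or not executable"
        return 3
    fi

    # Capture output for the alert text; '&& ... ||' keeps 'set -e' callers alive.
    out=$("$VASTOOL" -u "$principal" auth -S "$principal" 2>&1) && rc=0 || rc=$?
    if [ "$rc" -eq 0 ]; then
        echo "OK: $principal authenticated against AD"
        return 0
    fi
    echo "CRITICAL: vastool auth exit $rc for $principal: $(printf '%s\n' "$out" | head -n 1)"
    return 2
}

# When invoked with a principal as the first argument, act as the check itself.
if [ "$#" -gt 0 ]; then
    check_sso "$1"
    exit $?
fi
```

Schedule it under the SAP user account from the monitoring agent or cron and alert on any non-zero return.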