SNC Connection Error – “No credentials were supplied” (Windows Server)

Hi Team,

I’m currently facing an issue while trying to connect to SAP using SNC, and I’m getting the following error:

GSS-API(maj): No credentials were supplied
Unable to establish the security context
target=“p:CN=DS4, OU=SAP-HEC, O=SAP SE, C=DE”

We have our SailPoint server installed on a Windows server. We created an SNC folder on the C drive and updated the required environment properties accordingly. The SNC folder is accessible by SailPoint.

Inside the SNC folder, we have the PSE file and the cred_v2 file in place, and both client and server certificates have already been imported.

However, when trying to connect using SNC, we are still encountering the above error.

Could someone please help us understand what might be causing this issue?


We have completed all the steps mentioned in the post below.

SAP SNC (Secure Network Communication) Configuration - Compass

@nitinbibm Could you please confirm which connector you are using? Is it SAP Direct or something else?

@neel193 We are using SAP Direct.

@nitinbibm I have never worked on this, but based on the articles, please validate that your environment variables, such as SNC_LIB and SECUDIR, are properly set. Also, you need to make sure cred_v2 is generated using the same Windows account that runs the SailPoint Tomcat service.

Would also recommend opening a sailpoint support ticket for their help.

SNC_LIB and SECUDIR I have set up correctly, and SailPoint is able to read the folder as well. Also, we use a shared service account (domain account) to log in to the SailPoint server, and it is with that account that I created the PSE and cred_v2 file. So, if I change the Tomcat service logon user account to the domain account, SNC connectivity is working.

Are there any issues if we change the local service account to a domain account in the Tomcat service?

@nitinbibm

  • Windows services do not automatically pick up password changes. Once the password rotates, the Tomcat service will fail to start (or fail to authenticate) until the service configuration is manually updated. To avoid this, use a Group Managed Service Account (gMSA).

  • The account must be granted the Log on as a service right in the Local Security Policy.

  • Full permissions are required for all directories and subdirectories inside Tomcat.

We are discussing the same here: Tomcat Service Account Change – Impact & Permissions - #3 by iamkiran

Please take a look.

Can we launch the CMD using the Group Managed Service Account (gMSA)?

What we’ve observed:

  • When the same user is used both for creating the cred_v2 file and running the Tomcat service, the SNC connection works correctly.

  • But if the OS user (domain user) and the Tomcat service user are different, SailPoint is unable to read the cred_v2 file.

So effectively, SNC works only when both the cred_v2 file creator and the Tomcat service are using the same account. Is there any way to run CMD as the local service account, or do we have to go with a service account only, which can both create cred_v2 and run the Tomcat service?

We are also not sure what the impact will be if we change the Tomcat service logon user. So I was wondering whether, without changing the Tomcat user, we can in any way switch the user to local service and create the cred_v2 file.

@nitinbibm Not sure about CMD with gMSA, but you can check this with your Windows team/AD team, who can let you know if there is any alternative.

Setting the environment variables at the system level resolved the issue.
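The three things this thread turned on (SNC_LIB/SECUDIR set at machine rather than user scope, the Tomcat service logon account matching the account that created cred_v2, and that account being able to read the files in the SNC folder) can be checked in one pass before the connector is tested. The script below is an added example, not part of the thread and not SailPoint or SAP code; the service name `Tomcat9` and the folder `C:\SNC` are assumptions to adjust for your host.

```powershell
# Added diagnostic script (not from the thread). Assumed values: service name
# and SNC folder; adjust both for your server.
param(
    [string]$ServiceName = 'Tomcat9',   # assumption: your Tomcat service name
    [string]$SncDir      = 'C:\SNC'     # assumption: folder created per the thread
)

# 1. A Windows service only sees Machine-scope variables. The thread's fix was
#    moving SNC_LIB and SECUDIR from the interactive user's scope to system scope.
foreach ($name in 'SNC_LIB', 'SECUDIR') {
    $machine = [Environment]::GetEnvironmentVariable($name, 'Machine')
    $user    = [Environment]::GetEnvironmentVariable($name, 'User')
    if (-not $machine) {
        $hint = if ($user) { " (set only at User scope: $user)" } else { '' }
        Write-Warning "$name is not set at Machine scope$hint"
    } elseif (-not (Test-Path $machine)) {
        Write-Warning "$name (Machine) = $machine, but that path does not exist"
    } else {
        Write-Host "$name (Machine) = $machine"
    }
}

# 2. cred_v2 is bound to the Windows account that created it, so the service
#    logon account must be the same account. LocalSystem shows as 'LocalSystem'.
$svc = Get-CimInstance Win32_Service -Filter "Name='$ServiceName'"
if (-not $svc) { Write-Warning "Service '$ServiceName' not found"; return }
Write-Host "Tomcat service logon account: $($svc.StartName)"

# 3. The service account needs read access to the PSE and cred_v2 in SECUDIR.
#    Only explicit ACEs for that identity are matched here; access granted via
#    group membership will show as a warning and should be checked by hand.
$secudir = [Environment]::GetEnvironmentVariable('SECUDIR', 'Machine')
if (-not $secudir) { $secudir = $SncDir }
if (-not (Test-Path $secudir)) { Write-Warning "SECUDIR '$secudir' not found"; return }

Get-ChildItem -Path $secudir -File | Where-Object { $_.Name -eq 'cred_v2' -or $_.Extension -eq '.pse' } |
ForEach-Object {
    $acl   = Get-Acl -Path $_.FullName
    $rules = $acl.Access | Where-Object {
        $_.IdentityReference.Value -eq $svc.StartName -and
        $_.AccessControlType -eq 'Allow' -and
        ($_.FileSystemRights -band [System.Security.AccessControl.FileSystemRights]::Read)
    }
    if ($rules) { Write-Host "OK: $($_.Name) readable by $($svc.StartName)" }
    else { Write-Warning "$($_.Name): no explicit read ACE for $($svc.StartName)" }
}
```

Run it in an elevated PowerShell on the SailPoint host; any warning points at one of the three causes discussed above.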

@nitinbibm Hope your issues are resolved. Once you get time, please mark your post as resolved to help fellow sailors in case they get a similar issue.