Hello André,
An interesting thread ......
1. What version of SSO2 are you working with ? Please try with at least SP05.
2. For your AD user make sure that "user cannot change password" and "password never expires" are selected.
3. Make sure that your UPN is SAPServicePG1@<DOMAIN>
4. Make sure that your SPN is SAP/SAPServicePG1
5. I had a issue with special characters (think it was @) in the password of the AD user. Please initially try with a simple UPPERCASE/lowercase/numbers mix for your password.
6. As already suggested by Stephan Andre please do not use the SLL (legacy). Download and extract in your kernel directory the latest commoncryptolib.
7. Set SECUDIR permanently in the environment of pg1adm.
8. Run the following commands (post output of all commands please)
sapgenpse keytab -p SAPSNCSKERB.pse -x <password of AD user> -X <password of AD user> -a SAP/SAPServicePG1@<DOMAIN>
sapgenpse seclogin -p /usr/sap/PG1/DVEBMGS00/sec/SAPSNCSKERB.pse -x <password> -O pg1adm
sapgenpse seclogin -l
sapgenpse get_my_name -p /usr/sap/PG1/DVEBMGS00/sec/SAPSNCSKERB.pse
9. Set parameters and restart instance.
snc/enable = 1
snc/gssapi_lib = $(DIR_EXECUTABLE)$(DIR_SEP)$(FT_DLL_PREFIX)sapcrypto$(FT_DLL)
snc/identity/as = p:SAPServicePG1@<DOMAIN>
snc/data_protection/max = 3
snc/data_protection/min = 2
snc/data_protection/use = 3
snc/r3int_rfc_secure = 0
snc/r3int_rfc_qop = 8
snc/accept_insecure_cpic = 1
snc/accept_insecure_gui = 1
snc/accept_insecure_rfc = 1
snc/permit_insecure_start = 1
snc/force_login_screen = 1
snc/accept_insecure_r3int_rfc = 1
Please go through the above and let us know how you get on.
KR,
Amerjit