Re: SAML SSO is not working for SAP system with ADFS

Hi Thomas,

Yes, I have imported all three certificates of ADFS in my SAP system under STRUST and I can see those certs under STRUSTSSO2 as well.

Please find the dev_icm longs(few).

[Thr 8040] Thu Mar 03 06:43:11 2016

[Thr 8040] *** WARNING => Connection request from (9/10/0) to host: pwdf2625, service: 1090 failed (NIEHOST_UNKNOWN)

[Thr 8040]  {0018f32e} [icxxconn.c 2108]

[Thr 8040] Thu Mar 03 06:48:11 2016

[Thr 8040] *** WARNING => Connection request from (0/1/0) to host: pwdf2625, service: 1090 failed (NIEHOST_UNKNOWN)

[Thr 8040]  {0004f351} [icxxconn.c 2108]

[Thr 6640] *** WARNING => Connection request from (0/1/0) to host: pwdf2625, service: 1090 failed (NIEHOST_UNKNOWN)

[Thr 6640]  {0004f352} [icxxconn.c 2108]

[Thr 5792] *** WARNING => Connection request from (0/1/0) to host: pwdf2625, service: 1090 failed (NIEHOST_UNKNOWN)

[Thr 5792]  {0004f353} [icxxconn.c 2108]

[Thr 6640] Thu Mar 03 06:53:06 2016

[Thr 6640] *** ERROR during SecudeSSL_SessionStart() from SSL_connect()==SSL_ERROR_SSL

[Thr 6640]    session uses PSE file "D:\usr\sap\SM1\DVEBMGS00\sec\SAPSSLA.pse"

[Thr 2360] SSL_get_state() returned 0x00001180 "SSLv3 read client certificate A"

[Thr 6640] SecudeSSL_SessionStart: SSL_connect() failed --

[Thr 6640] secude_error 536872221 (0x2000051d) = "Server's certificate (chain) is untrusted (or incomplete)"

[Thr 2360] *** ERROR during SecudeSSL_SessionStart() from SSL_accept()==SSL_ERROR_SSL

[Thr 2360]    session uses PSE file "D:\usr\sap\SM1\DVEBMGS00\sec\SAPSSLS.pse"

[Thr 6640] >> ---------- Begin of Secude-SSL Errorstack ---------- >>

[Thr 2360] SecudeSSL_SessionStart: SSL_accept() failed --

[Thr 2360] secude_error 536875074 (0x20001042) = "received a fatal SSLv3 bad certificate alert message from the peer"

[Thr 6640] ERROR in ssl3_get_server_certificate: (536872221/0x2000051d) Server's certificate (chain) is untrusted (or incomplete)

[Thr 6640] ERROR in af_verify_Certificates: (27/0x001b) Chain of certificates is incomplete : "CN=SAPhostname.uomsg2.net, OU=I0020272204, OU=SAP Web AS, O=xxxx, C=IN"

[Thr 6640] ERROR in get_path: (27/0x001b) Found root certificate of <CN=SAPhostname.uomsg2.net, OU=I0020272204, OU=SAP Web AS, O=xxxx, C=IN> which does not fit the given PKRoot

[Thr 6640] ERROR in verify_with_PKs: (27/0x001b) Found root certificate of <CN=SAPhostname.uomsg2.net, OU=I0020272204, OU=SAP Web AS, O=xxxx, C=IN> which does not fit the given PKRoot

[Thr 6640] << ---------- End of Secude-SSL Errorstack ----------

[Thr 2360] >> ---------- Begin of Secude-SSL Errorstack ---------- >>

[Thr 6640] SSL_get_state() returned 0x00002131 "SSLv3 read server certificate B"

[Thr 2360] WARNING in ssl3_read_bytes: (536875074/0x20001042) received a fatal SSLv3 bad certificate alert message from the peer

[Thr 2360] << ---------- End of Secude-SSL Errorstack ----------

[Thr 2360]   SSL NI-sock: local=10.35.20.54:8001 peer=10.35.20.54:56947

[Thr 2360] <<- ERROR: SapSSLSessionStart(sssl_hdl=0000000006C07A50)==SSSLERR_SSL_ACCEPT

[Thr 6640]   SSL NI-sock: local=10.35.20.54:56947 peer=10.35.20.54:8001

[Thr 2360] *** ERROR => IcmConnInitServerSSL: SapSSLSessionStart returned (-56): SSSLERR_SSL_ACCEPT [icxxconn.c   1713]

[Thr 6640] <<- ERROR: SapSSLSessionStart(sssl_hdl=0000000006C07730)==SSSLERR_PEER_CERT_UNTRUSTED

[Thr 6640] *** ERROR => IcmConnInitClientSSL: SapSSLSessionStart failed (-102): SSSLERR_PEER_CERT_UNTRUSTED {0013f386} [icxxconn.c 1989]

[Thr 10424] Thu Mar 03 06:53:11 2016

[Thr 10424] *** WARNING => Connection request from (0/1/0) to host: pwdf2625, service: 1090 failed (NIEHOST_UNKNOWN)

[Thr 10424] {0013f389} [icxxconn.c 2108]

[Thr 2360] Thu Mar 03 06:58:11 2016

[Thr 2360] *** WARNING => Connection request from (1/2/0) to host: pwdf2625, service: 1090 failed (NIEHOST_UNKNOWN)

[Thr 2360]  {0004f3c8} [icxxconn.c 2108]

[Thr 7756] *** WARNING => Connection request from (1/2/0) to host: pwdf2625, service: 1090 failed (NIEHOST_UNKNOWN)

[Thr 7756]  {0004f3c9} [icxxconn.c 2108]

[Thr 11104] Thu Mar 03 06:58:12 2016

[Thr 11104] *** WARNING => Connection request from (1/2/0) to host: pwdf2625, service: 1090 failed (NIEHOST_UNKNOWN)

[Thr 11104] {0004f3ca} [icxxconn.c 2108]

[Thr 10676] Thu Mar 03 07:03:10 2016

[Thr 10676] *** WARNING => Connection request from (2/3/0) to host: pwdf2625, service: 1090 failed (NIEHOST_UNKNOWN)

[Thr 10676] {0018f40f} [icxxconn.c 2108]

[Thr 8040] Thu Mar 03 07:08:11 2016

[Thr 8040] *** WARNING => Connection request from (7/8/0) to host: pwdf2625, service: 1090 failed (NIEHOST_UNKNOWN)

Thanks,

Nagaraju