Description:

A prerequisite for configuring the Siteminder ERP Agent with SAP ITS is to enable SAP SNC Encryption.  If this step is not performed, a browser error will appear, stating the following:

"Error during authentication process.  The following error occured: You could not log on to the SAP system.  The external authentication was successful, but you could not log on to the SAP system and therefore you did not receive a logon ticket.  Check the SNC configuration between the AGate and the application server, and also your user mapping settings in the mapping table USREXTID."

Solution:

If you are at the point of seeing this message, it is likely that the Siteminder-side configuration was successful, however the SNC component of SAP is not functioning correctly.  In addition to the browser error, this condition is also indicated by following the transaction in the SAP logs themselves.  Beginning within the "agate0.trc" file, see the example transaction below.  If you follow this transaction, you can see the username was propagated correctly. However, the following lines show the failure point:

-----------------------
2009-02-26T15:06:11.406 p002592 t4744 s027D2798 [w3xxxgat.c, 1220]: Calling gateway: sapextauth function XGatHandleLogin(session 027D2798)
2009-02-26T15:06:11.421 p002592 t4744 s027D2798 [w3xxwork.c, 1420]: WorkDoWork: WorkDoProcessLogin() returns WORKRCloginrequired/endofrequest
-----------------------

Following this failure to the "agate0_sapextauth.trc" file, looking at the matching timestamp of "2009-02-26T15:06:11.406", you will see the following error:
-----------------------
2009-02-26T15:06:11.421 p002592 t4744 s027D2798 [sapextauth, 1395]: *W* sapextauth - DLL Module: Either ~login or ~password missing, returning XGDKRCloginrequired.
2009-02-26T15:06:12.078 p002592 t4744 s027D2798 [sapextauth, 1484]: *W* sapextauth: XGatHandleLogin for DLL: <parameters might be set before> 2009-02-26T15:06:12.093 p002592 t4744 s027D2798 [sapextauth, 2640]: *E* sapextauth: Error in Rfc Login: connect string was: (TRACE=0 SNC_MODE=1 SNC_QOP=9 SNC_MYNAME="p:CN=RT1Agate, OU=TEST, O=CA, C=US" SNC_PARTNERNAME="p:CN=RT1, OU=TEST, O=CA, C=US" SNC_LIB="D:\Program Files\SAP\ITS\6.20\programs\sapcrypto.dll" CLIENT=300 LANG="en" MSHOST="rt1.test.com" GROUP="RT1GROUP" R3NAME="RT1" GETSSO2=1 EXTIDTYPE="ID" EXTIDDATA="TESTUSER01")
2009-02-26T15:06:12.093 p002592 t4744 s027D2798 [sapextauth, 2641]: *E* sapextauth: Error in Rfc Login: System returned: "Connect to message server failed Connect_PM  MSHOST=rt1.test.com, R3NAME=RT1, GROUP=RT1GROUP

ERROR       no server with SNC found for group RT1GROUP
-----------------------

This error indicates that SNC is not properly configured, and this system is required for the operation of the Siteminder ERP Agent (PAS module).  At this point SAP Support must be contacted to configure SNC encryption with SAP ITS.

Please see the following screen shot of the front end server Browser Error: click here.