Channel: SCN : Unanswered Discussions - SAP Single Sign-On

Enabling AES256 for SNC with SAPGUI (no SSO)


Hi all,

 

I'm configuring SNC encryption (without single sign-on) for my SAPGUI clients, and I've got it to work, but I can't seem to get it to use anything other than RC4 encryption, despite having enabled AES128 and AES256 (as best I can tell).

 

I've set up my service user in Active Directory with the SPN and with DES disabled and AES128/256 enabled:


 

I've created the SAPSNCSKERB PSE file on my server and configured it for the service user. Running sapgenpse get_my_name against it reports that four key types are enabled: DES, AES128, AES256, and RC4 (in that order, apparently):

 

 

I've configured the profile parameters on the server per the "Using SNC Client Encryption for encrypting SAP GUI Connection with CommonCryptoLib" guide dated 16 June 2015, and the client parameters per the same guide.

 

SNC is working. I can connect, I get the lock icon, all the right trace messages in the work process at startup. When I turn on SNC tracing on the client I see in the trace that encryption algorithms AES256, AES128, and RC4 are available on both server and client (no mention of DES, so that's good). But I also see "Encrypting session key with shared kerberos key (alg 23)".

 

I understand that algorithm or key type 23 is RC4. I'm really looking to see key type 18 there instead, aren't I? Or am I looking in the wrong place?

 

The trace messages are somewhat like:

 

Encrypting session key with shared kerberos key (alg 23)
Get 8 bytes random data, type 0 (20 bits)
Encrypted the premaster secret with the shared Kerberos secret
Msk KeyTransport create successful
Server confirmed Client Encryption mode
Received from server these algs and modes:
Version          : 1.0
Data chunk size  : 65536
DataMac          : HMAC-SHA256
Cipher           : AES256
HsHash           : SHA256
HsPrf            : PHASH-SHA256
DataEncodingMode : DataHeaderV1
KeyExchangeAlg   : kerberos

 

And so on. So, am I encrypting with RC4 or with AES256? I'm a little confused.

 

The client is SAPGUI 7.40 patch 9. The server is NW ABAP 7.50 Basis SP3, kernel 745 patch 100. That includes CommonCryptoLib 8.4.48. The server OS is Windows 2012 R2, and client OS is Windows 7.

 

Cheers,

Matt

 

Message was edited by: Matt Fraser: Added screenshots that somehow disappeared with first posting
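
The trace quoted in the post reports two different values: the Kerberos key type used to encrypt the session key ("alg 23") and the Cipher listed under "Received from server these algs and modes". The following is an added example, not part of the original post and not SAP code, that pulls both out of a client SNC trace and flags a DES or RC4 key type. It assumes, as the poster does, that "alg N" is a Kerberos encryption type number; `summarize_snc_trace` is a hypothetical helper name.

```python
import re

# Kerberos encryption type numbers from the IANA registry (RFC 3961/3962/4757).
KRB_ETYPES = {1: "des-cbc-crc", 3: "des-cbc-md5",
              17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96",
              23: "rc4-hmac"}
WEAK_ETYPES = {1, 3, 23}  # DES and RC4 key types

# Assumption: "alg N" in this trace line is a Kerberos etype number.
ALG_RE = re.compile(r"shared kerberos key \(alg (\d+)\)", re.IGNORECASE)
FIELD_RE = re.compile(r"^\s*([A-Za-z ]+?)\s*:\s*(\S+)\s*$")
NEGOTIATED_HEADER = "Received from server these algs and modes"

# Lines copied from the trace quoted in the post.
SAMPLE_TRACE = """\
Encrypting session key with shared kerberos key (alg 23)
Encrypted the premaster secret with the shared Kerberos secret
Server confirmed Client Encryption mode
Received from server these algs and modes:
Version     : 1.0
DataMac               :HMAC-SHA256
Cipher                    : AES256
KeyExchangeAlg    : kerberos
"""

def summarize_snc_trace(text):
    """Return the key-wrapping etype and the server-reported fields separately."""
    out = {"key_etype": None, "key_etype_name": None,
           "negotiated": {}, "findings": []}
    in_negotiated = False
    for line in text.splitlines():
        alg = ALG_RE.search(line)
        if alg:
            etype = int(alg.group(1))
            out["key_etype"] = etype
            out["key_etype_name"] = KRB_ETYPES.get(etype, "unknown")
            if etype in WEAK_ETYPES:
                out["findings"].append(
                    f"session key wrapped with etype {etype} "
                    f"({out['key_etype_name']})")
        elif NEGOTIATED_HEADER in line:
            in_negotiated = True
        elif in_negotiated:
            field = FIELD_RE.match(line)
            if field:
                out["negotiated"][field.group(1)] = field.group(2)
    return out

if __name__ == "__main__":
    print(summarize_snc_trace(SAMPLE_TRACE))
```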

