SAP Knowledge Base Article - Preview

3102273 - SNC Error Code A2210217 - The verification of the Kerberos ticket failed

Symptom

  • SNC Logon to the SAP GUI with SAP Single Sign-On 3.0 or SNC Client Encryption 2.0 may result in error:

         A2200217 The verification of the Kerberos ticket failed

  • The CommonCryptoLib traces will have the following errors:

         ERROR(0xA2600204) in KERBEROS module. Function decryptTicket failed: Kerberos ticket decryption failed
         ERROR(0xA2600204) in KERBEROS module. Function sec_kerberos_serviceVerifyTicket failed: Kerberos ticket decryption failed
         Verifying ticket returned a2600204: Kerberos ticket decryption failed

  • The error may be intermittent depending on which type of Kerberos encryption algorithm is being used for the connection.

  • April 14 2026 - Microsoft have released a windows client patch that disables RC4 algorithm usage to encrypt Kerberos tokens.
    This can cause failed authentication for these users if the ABAP system is not correctly configured to handle AES-encrypted tickets. In client machines 
    which have not yet been patched the authentication will still succeed. More details on the patch can be found here.

    One may be affected if AES had not been explicitly enabled in the Service Account configuration in the Active Directory.

    To prepare for this, alternative algorithms that the KDC will use to encrypt Kerberos tokens (usually AES) should be configured in transaction SPNEGO.
    RC4 algorithm usage could allow an attacker to obtain service tickets therefore it is considered insecure. Best practice is to remove this algorithm
    from the SPNEGO configuration in favour of a stronger algorithm like AES-256-CTS-HMAC-SHA1-96.

          *See Resolution section for more details on identifying this as the root cause.

          *Image/data in this KBA is from SAP internal systems, sample data, or demo systems. Any resemblance to real data is purely coincidental.


Read more...

Environment

  • SAP Single Sign-On 3.0
  • SNC Client Encryption 2.0

Product

ABAP platform all versions ; SAP NetWeaver all versions ; SAP Single Sign-On 3.0

Keywords

SPNEGO, keytab, sso, Active Directory, AES, RC4, Secure Login Client, AD, A2210217, SNCWIZARD , KBA , BC-IAM-SSO-SL , Secure Login , BC-SEC-CRYPTOLIB , CommonCryptoLib , Problem

About this page

This is a preview of a SAP Knowledge Base Article. Click more to access the full version on SAP for Me (Login required).

Search for additional results

Visit SAP Support Portal's SAP Notes and KBA Search.