SAP Connector and Kerberos:

As of connector version 5.7.0, you can now use Kerberos connection with SNC, between Mule Applications and SAP.

Error in Mule Application at start-up:

If you see an error like the following for example:

SAP_Config
INFO  2023-03-22 16:10:31,551 [[MuleRuntime].uber.04: [sap-connection].uber@org.mule.runtime.core.internal.connection.DefaultConnectivityTesterFactory$1.testConnectivity:81 @42f67358] [processor: ; event: ] 
org.mule.runtime.core.internal.connection.DefaultConnectivityTesterFactory: Connectivity test failed for config 'SAP_Config'. Application deployment will continue. Error was: krb_error 
0 Do not have keys of types listed in default_tkt_enctypes available; only have keys of following type:  No error

org.mule.runtime.api.connection.ConnectionException: krb_error 0 Do not have keys of types listed in default_tkt_enctypes available; only have keys of following type:  No error

This means that something is incorrect in the Keytab or Kerberos files. 

Checking the keytab and Kerberos configuration files:

If you are having issues with the keytab or kerberos configuration files, you can try using the kinit Command to see if a Ticket Granting Ticket can be retrieved successfully.

Firstly, use the klist command to get the Service Principal Name from the key tab. For example:

klist -k machine.keytab

Then, use the kinit command to retrieve a Ticket Granting Ticket for the principal. For example:

kinit -k -t machine.keytab SAP/SVC_SQL_RID@MDC.LOCAL

This can return the following errors:

kinit: Keytab contains no suitable keys for SAP/SVC_SQL_RID@MDC.LOCAL while getting initial credentials

or:

Exception: krb_error 24 Pre-authentication information was invalid (24) Pre-authentication information was invalid
KrbException: Pre-authentication information was invalid (24)
at sun.security.krb5.KrbAsRep.<init>(KrbAsRep.java:76)
at sun.security.krb5.KrbAsReqBuilder.send(KrbAsReqBuilder.java:316)
at sun.security.krb5.KrbAsReqBuilder.action(KrbAsReqBuilder.java:361)
at sun.security.krb5.internal.tools.Kinit.<init>(Kinit.java:219)
at sun.security.krb5.internal.tools.Kinit.main(Kinit.java:113)
Caused by: KrbException: Identifier doesn't match expected value (906)
at sun.security.krb5.internal.KDCRep.init(KDCRep.java:140)
at sun.security.krb5.internal.ASRep.init(ASRep.java:64)
at sun.security.krb5.internal.ASRep.<init>(ASRep.java:59)
at sun.security.krb5.KrbAsRep.<init>(KrbAsRep.java:60)
... 4 more

When you have kinit command resulting in success then you know your environment Kerberos is OK.

Kerberos connection Successful:

After you have a successful Kerberos connection with the keytab and Kerberos configuration files you can try connecting to SAP via SAP GUI with Kerberos:
Kerberos for SAP GUI Authentication and SAP GUI for Windows

Once you have this working you should be able to map this information to the SAP Connector Configuration in the Mule Application:

The configuration should look something like this when using the Commoncryptolib and Secure Login Client to implement the Kerberos SNC.
p:CN=SAP/<Service Principal Name>@<Domain>
p:CN=SAP/<Service Principal Name>
p:CN=<Service Principal Name>@<Domain>
p:CN=<Service Principal Name>

2544831 - Error "GSS-API(maj): An invalidname was supplied" "Import of a namefailed" when logon to AS ABAP system viaSNC
Otherwise, for example, if you use "p:<Service Principal Name>@<Domain>", the error will occur.