Skip to Content

Archived discussions are read-only. Learn more about SAP Q&A

Problem with XIR2 Windows AD authentication - number of password attempts

We enabled Windows AD authentication about a month ago and for the most part it works well. However, it is not forgiving on the number of times you can mistype your AD password. Our domain policy allows a user to mistype their password 5 times before the domain account is locked. However, when logging into Business Objects InfoView using AD authentication the user only gets one chance to get it right. If you mistype your password when logging into InfoView, your AD account is locked.

When I look at the Tomcat stdout.log file when this happens I see (5) entries for the failed authentication and then the lockout message.

10770032 [http-8080-Processor23] ERROR com.crystaldecisions.sdk.plugin.authentication.ldap.internal.SecWinADAuthentication  - Authentication failed. Pre-authentication information was invalid (24)
10770251 [http-8080-Processor23] ERROR com.crystaldecisions.sdk.plugin.authentication.ldap.internal.SecWinADAuthentication  - Authentication failed. Pre-authentication information was invalid (24)
10770298 [http-8080-Processor23] ERROR com.crystaldecisions.sdk.plugin.authentication.ldap.internal.SecWinADAuthentication  - Authentication failed. Pre-authentication information was invalid (24)
10770329 [http-8080-Processor23] ERROR com.crystaldecisions.sdk.plugin.authentication.ldap.internal.SecWinADAuthentication  - Authentication failed. Pre-authentication information was invalid (24)
10770376 [http-8080-Processor23] ERROR com.crystaldecisions.sdk.plugin.authentication.ldap.internal.SecWinADAuthentication  - Authentication failed. Pre-authentication information was invalid (24)
10781595 [http-8080-Processor15] ERROR com.crystaldecisions.sdk.plugin.authentication.ldap.internal.SecWinADAuthentication  - Authentication failed. Clients credentials have been revoked (18)

If the user is only trying once, why is BO trying the wrong password against the domain controller 5 times?

You can imagine that this is a huge burden for us. When this happens they call us, and we have to conference in the helpdesk to get them to unlock the user's AD account. Any help that anyone can provide would be most appreciated. If you know some methods for troubshooting, monitoring or logging what the kerberos plugin is doing, let me know.

Not what you were looking for? View more on this topic or Ask a question