
Active Directory and Kerberos XI 3.0

I051914

Hello,

After reading all the posts concerning the topic, I didn't manage to solve the issue.

I am able to connect with com product using AD auth, and the kinit command is also OK.

I have checked the CAPS in both ini files and in the CMC.

Any idea?

Thank you

Accepted Solutions (1)


Former Member

What is not working?

Answers (2)


I051914

Thank you for the help. I will log a case.

BasicTek

Child domain?

All domains?

What did you enter in the CMC/Service Principal Name?

Have you added debug=true to the bsclogin? If so, what is the error in the java logs (tomcat = tomcat55\logs\std.out)?

If kinit works and tomcat is using a good bsclogin/krb5.ini, you should see a commit succeeded for every attempt (= successful kinit).

If you have that and it is failing, we will have to add a deeper level of tracing in XI 3.x.

Regards,

Tim

I051914

Hello, here is the information and the stdout file.

bscLogin.conf

com.businessobjects.security.jgss.initiate {
    com.sun.security.auth.module.Krb5LoginModule required debug=true;
};

krb5.ini

.dev-test-visa.lan = DEV-TEST-VISA.LAN
dev-test-visa.lan = DEV-TEST-VISA.LAN
default_realm = DEV-TEST-VISA.LAN
dns_lookup_kdc = true
dns_lookup_realm = true
DEV-TEST-VISA.LAN = {
    admin_server = DC-W2K3
    kdc = DC-W2K3
    default_domain = DEV-TEST-VISA.LAN
}

The kinit command returns a correctly generated ticket.

In CMC:

Nom adminitrateur principal :Administrateur

SETSPN Command: SETSPN BOE120SIADCW2K3/DC-W2K3 Administrateur

where BOE120SIADCW2K3 is the name of the BOE service and DC-W2K3 is the server name.

The environment is a VM configured with AD2003 and a single domain.

STDOUT FILE:

20 oct. 2008 10:27:45 org.apache.catalina.core.AprLifecycleListener lifecycleEvent

INFO: The Apache Tomcat Native library which allows optimal performance in production environments was not found on the java.library.path: C:\WINDOWS\system32;C:\Program Files\Business Objects\BusinessObjects Enterprise 12.0\win32_x86;C:\winnt

20 oct. 2008 10:27:45 org.apache.coyote.http11.Http11BaseProtocol init

INFO: Initialisation de Coyote HTTP/1.1 sur http-8080

20 oct. 2008 10:27:45 org.apache.catalina.startup.Catalina load

INFO: Initialization processed in 1218 ms

20 oct. 2008 10:27:45 org.apache.catalina.core.StandardService start

INFO: Démarrage du service Catalina

20 oct. 2008 10:27:45 org.apache.catalina.core.StandardEngine start

INFO: Starting Servlet Engine: Apache Tomcat/5.5.20

20 oct. 2008 10:27:45 org.apache.catalina.core.StandardHost start

INFO: XML validation disabled

log4j:WARN No appenders could be found for logger (org.apache.commons.digester.Digester.sax).

log4j:WARN Please initialize the log4j system properly.

log4j:WARN No appenders could be found for logger (org.apache.commons.digester.Digester.sax).

log4j:WARN Please initialize the log4j system properly.

2008-10-20 10:28:12,703 ERROR com.businessobjects.qaaws.internal.ServiceProvider () 3500 - initInstance()

org.apache.axis2.AxisFault: Your Web Intelligence session is invalid or has reached timeout. Log out and log in again to Query as a Web Service.

at com.businessobjects.dsws.DSWSExceptionFactory.CreateAxisFault(Unknown Source)

at com.businessobjects.qaaws.internal.BOEHelper.logon(Unknown Source)

at com.businessobjects.qaaws.internal.ServiceProvider.initInstance(Unknown Source)

at com.businessobjects.qaaws.internal.transport.QaaWSServlet.initServiceProvider(Unknown Source)

at com.businessobjects.qaaws.internal.transport.QaaWSServlet.init(Unknown Source)

at org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:1105)

at org.apache.catalina.core.StandardWrapper.load(StandardWrapper.java:932)

at org.apache.catalina.core.StandardContext.loadOnStartup(StandardContext.java:3951)

at org.apache.catalina.core.StandardContext.start(StandardContext.java:4225)

at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:759)

at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:739)

at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:524)

at org.apache.catalina.startup.HostConfig.deployDescriptor(HostConfig.java:608)

at org.apache.catalina.startup.HostConfig.deployDescriptors(HostConfig.java:535)

at org.apache.catalina.startup.HostConfig.deployApps(HostConfig.java:470)

at org.apache.catalina.startup.HostConfig.start(HostConfig.java:1122)

at org.apache.catalina.startup.HostConfig.lifecycleEvent(HostConfig.java:310)

at org.apache.catalina.util.LifecycleSupport.fireLifecycleEvent(LifecycleSupport.java:119)

at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1021)

at org.apache.catalina.core.StandardHost.start(StandardHost.java:718)

at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1013)

at org.apache.catalina.core.StandardEngine.start(StandardEngine.java:442)

at org.apache.catalina.core.StandardService.start(StandardService.java:450)

at org.apache.catalina.core.StandardServer.start(StandardServer.java:709)

at org.apache.catalina.startup.Catalina.start(Catalina.java:551)

at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)

at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)

at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)

at java.lang.reflect.Method.invoke(Method.java:585)

at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:294)

at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:432)

Initializing Performance Management

done (4562)

Initializing Performance Manager

done (156)

20 oct. 2008 10:29:02 org.apache.catalina.core.ApplicationContext log

INFO: action: Initializing configuration from resource path /WEB-INF/struts-config.xml

register('-//Apache Software Foundation//DTD Struts Configuration 1.0//EN', 'jar:file:/C:/Program%20Files/Business%20Objects/Tomcat55/webapps/Xcelsius/WEB-INF/lib/struts.jar!/org/apache/struts/resources/struts-config_1_0.dtd'

register('-//Sun Microsystems, Inc.//DTD Web Application 2.2//EN', 'jar:file:/C:/Program%20Files/Business%20Objects/Tomcat55/webapps/Xcelsius/WEB-INF/lib/struts.jar!/org/apache/struts/resources/web-app_2_2.dtd'

register('-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN', 'jar:file:/C:/Program%20Files/Business%20Objects/Tomcat55/webapps/Xcelsius/WEB-INF/lib/struts.jar!/org/apache/struts/resources/web-app_2_3.dtd'

resolveEntity('-//Apache Software Foundation//DTD Struts Configuration 1.0//EN', 'http://jakarta.apache.org/struts/dtds/struts-config_1_0.dtd')

Resolving to alternate DTD 'jar:file:/C:/Program%20Files/Business%20Objects/Tomcat55/webapps/Xcelsius/WEB-INF/lib/struts.jar!/org/apache/struts/resources/struts-config_1_0.dtd'

New org.apache.struts.action.ActionMapping

Set org.apache.struts.action.ActionMapping properties

New org.apache.struts.action.ActionForward

Set org.apache.struts.action.ActionForward properties

Call org.apache.struts.action.ActionMapping.addForward(ActionForward[default])

Pop org.apache.struts.action.ActionForward

Call org.apache.struts.action.ActionServlet.addMapping(ActionMapping[path=/Flash_FlashVars/flashvarsEdit, type=com.businessobjects.clientaction.flash.flashvars.FlashVarsEditAction])

Pop org.apache.struts.action.ActionMapping

register('-//Apache Software Foundation//DTD Struts Configuration 1.0//EN', 'jar:file:/C:/Program%20Files/Business%20Objects/Tomcat55/webapps/Xcelsius/WEB-INF/lib/struts.jar!/org/apache/struts/resources/struts-config_1_0.dtd'

register('-//Sun Microsystems, Inc.//DTD Web Application 2.2//EN', 'jar:file:/C:/Program%20Files/Business%20Objects/Tomcat55/webapps/Xcelsius/WEB-INF/lib/struts.jar!/org/apache/struts/resources/web-app_2_2.dtd'

register('-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN', 'jar:file:/C:/Program%20Files/Business%20Objects/Tomcat55/webapps/Xcelsius/WEB-INF/lib/struts.jar!/org/apache/struts/resources/web-app_2_3.dtd'

Call org.apache.struts.action.ActionServlet.addServletMapping(DocumentDownload/java.lang.String,/opendoc/documentDownload/java.lang.String)

20 oct. 2008 10:29:02 org.apache.catalina.core.ApplicationContext log

INFO: action: Process servletName=DocumentDownload, urlPattern=/opendoc/documentDownload

Call org.apache.struts.action.ActionServlet.addServletMapping(action/java.lang.String,*.do/java.lang.String)

20 oct. 2008 10:29:02 org.apache.catalina.core.ApplicationContext log

INFO: action: Process servletName=action, urlPattern=*.do

20 oct. 2008 10:29:02 org.apache.catalina.core.ApplicationContext log

INFO: action: Mapping for servlet 'action' = '*.do'

20 oct. 2008 10:29:02 org.apache.catalina.core.ApplicationContext log

INFO: org.apache.webapp.balancer.BalancerFilter: init(): ruleChain: [org.apache.webapp.balancer.RuleChain: , , ]

20 oct. 2008 10:29:02 org.apache.catalina.core.ApplicationContext log

INFO: ContextListener: contextInitialized()

20 oct. 2008 10:29:02 org.apache.catalina.core.ApplicationContext log

INFO: SessionListener: contextInitialized()

20 oct. 2008 10:29:03 org.apache.catalina.core.ApplicationContext log

INFO: ContextListener: contextInitialized()

20 oct. 2008 10:29:03 org.apache.catalina.core.ApplicationContext log

INFO: SessionListener: contextInitialized()

20 oct. 2008 10:29:03 org.apache.coyote.http11.Http11BaseProtocol start

INFO: Démarrage de Coyote HTTP/1.1 sur http-8080

20 oct. 2008 10:29:04 org.apache.catalina.storeconfig.StoreLoader load

INFO: Find registry server-registry.xml at classpath resource

20 oct. 2008 10:29:04 org.apache.catalina.startup.Catalina start

INFO: Server startup in 78391 ms

BasicTek

OK, so like most AD cases there could be multiple issues. Let's start with what we know:

    admin_server = DC-W2K3
    kdc = DC-W2K3
    default_domain = DEV-TEST-VISA.LAN
}

admin server - not needed

KDC should = FQDN, maybe DC-W2K3.DEV-TEST-VISA-LAN

Also add udp_preference_limit = 1 in the libdefaults section - best practice.

But if you are getting tickets these are not your problems, just FYI.

The problem seems to be that your bsclogin is not being read properly. There is no error in 3.x as the tomcat logging mechanism has changed a bit. Instead follow the XI 3.0 admin guide for setting up verbose tracing. Our answers should be there.

Some things to quickly check are:

Are the java options specified correctly?

Try creating a new bsclogin (be sure there is no formatting, i.e. use ANSI).

Make sure there are no typos and that your text editor didn't append a .txt to the file.

If none of the above, then we will need to check out the verbose logs.

The reason I don't think the bsclogin is loading is because you would at least see the logon attempt in the java logs (pass or fail) once you add debug=true to the bsclogin. There are no login attempts in your log (format would be principal user@REALM followed by the commit succeeded - krb5.ini works, or error message - krb5.ini failed).

I always recommend opening a message with support - authentication team to get an engineer working on it and provide an escalation path. I'll try to help via forums but there could be many possible issues.

Regards,

Tim
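The quick checks listed in the post above can be scripted. The following Python is an added example, not part of the thread or of any SAP tooling; the function names are hypothetical, and the log markers it searches for ("commit succeeded" and the Krb5LoginModule name) are assumed from the wording in the post.

```python
import re
import tempfile
from pathlib import Path

ENTRY = "com.businessobjects.security.jgss.initiate"  # JAAS entry name from the thread

def jaas_config_path(java_opts):
    """Return the value of -Djava.security.auth.login.config, or None if unset."""
    for opt in java_opts:
        m = re.match(r"-Djava\.security\.auth\.login\.config=(.+)", opt.strip())
        if m:
            return m.group(1).strip('"')
    return None

def check_bsclogin(path):
    """List the problems that would keep the JVM from using this bscLogin.conf."""
    p = Path(path)
    if not p.is_file():
        txt = Path(str(p) + ".txt")
        hint = " (%s exists: the editor appended .txt)" % txt.name if txt.is_file() else ""
        return ["file not found: %s%s" % (p.name, hint)]
    raw, problems = p.read_bytes(), []
    if raw[:3] == b"\xef\xbb\xbf" or raw[:2] in (b"\xff\xfe", b"\xfe\xff"):
        problems.append("byte-order mark at start of file; re-save as plain ANSI")
    elif any(b > 0x7F for b in raw):
        problems.append("non-ASCII bytes; check for smart quotes or rich-text formatting")
    text = raw.decode("latin-1")
    if ENTRY not in text:
        problems.append("login entry %s is missing" % ENTRY)
    if not re.search(r"Krb5LoginModule\s+required\b[^;]*\bdebug\s*=\s*true", text):
        problems.append("debug=true is not set on Krb5LoginModule")
    return problems

def login_attempts(stdout_text):
    """Return log lines that show the login module ran (success or failure)."""
    # Assumed markers: the thread's 'commit succeeded' and the module's own name.
    pat = re.compile(r"commit succeeded|Krb5LoginModule", re.IGNORECASE)
    return [ln for ln in stdout_text.splitlines() if pat.search(ln)]

if __name__ == "__main__":
    # Constructed inputs: one option and two log lines modelled on the thread.
    opts = [r"-Djava.security.auth.login.config=C:\winnt\bscLogin.conf", "-Xrs"]
    print("configured path:", jaas_config_path(opts))
    with tempfile.TemporaryDirectory() as d:
        conf = Path(d, "bscLogin.conf")
        conf.write_text(ENTRY + " {\n com.sun.security.auth.module.Krb5LoginModule"
                        " required debug=true;\n};\n", encoding="ascii")
        print("file problems:", check_bsclogin(conf))
    log = "INFO: Server startup in 78391 ms\nINFO: SessionListener: contextInitialized()"
    print("login attempts:", login_attempts(log) or "none seen in this log")
```

An empty result from `login_attempts` on a log taken after a logon attempt matches the situation described in the post: the login module never ran, so the file checks are the next place to look.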

I051914

Hello Tim, if I change the KDC from DC-W2K3 to DC-W2K3.DEV-TEST-VISA-LAN the kinit command doesn't work anymore,

so I have reset it to DC-W2K3.

I have set the java options:

-Djava.library.path=C:\WINDOWS\system32\;C:\Program Files\Business Objects\BusinessObjects Enterprise 12.0\win32_x86\;C:\winnt\
-Djava.security.auth.login.config=C:\winnt\bscLogin.conf
-Djava.security.krb5.conf=C:\winnt\krb5.ini
-Dcrystal.enterprise.trace.configuration=verbose
-Djcsi.kerberos.debug=true
-Dcatalina.base=C:\Program Files\Business Objects\Tomcat55\
-Dcatalina.home=C:\Program Files\Business Objects\Tomcat55\
-Djava.endorsed.dirs=C:\Program Files\Business Objects\Tomcat55\common\endorsed\
-Dbobj.enterprise.home=C:\Program Files\Business Objects\BusinessObjects Enterprise 12.0\
-Xrs
-XX:MaxPermSize=256M
-Dbusinessobjects.olap.bin=
-Dbusinessobjects.olap.stylesheets=C:\Program Files\Business Objects\OLAP Intelligence 12.0\stylesheets\
-Djava.awt.headless=true

and, following the doc, for the trace:

-Dcrystal.enterprise.trace.configuration=verbose
-Djcsi.kerberos.debug=true

but there is no logfile under C:\Documents and Settings\Administrateur\.businessobjects\jce_verbose.log

BasicTek

Again, message = best route.

It does require a logon attempt to create the log.

Also try starting tomcat with a local admin account (the directory will change to be the user profile directory instead).

Unless we get that log to give an actual error, or unless you see logon attempts in the std.out, then I can't provide any more help. There's nothing for me to go on...

-Tim