Configure CRS2008 to use AD and Kerberos with Java application servers

Former Member

Hi All,

I have configured CRS2008 to use AD and Kerberos with Java application servers. The Domain Controller is installed on a W2K3 server, and CRS2008 is installed on another W2K3 server.

I have created a service account in the domain controller: CMSACC

I have created two user accounts: CRuser1 and CRuser2

I have created a domain group: CRSGroup

After I ran setspn on the domain controller, I got the message below:

    Registered ServicePrincipalNames for CN=CMSACC, OU=TEST, DC=BD, DC=com:
        BOBJCentralMS/BDMGTSRV.BD.com

CMC settings:

    AD Administration Name: BD\administrator
    Default AD Domain: BD.com
    Add AD Group (Domain\Group): secWinAD:CN=CRSGroup,OU=TEST,D=BD,DC=com
    Service principal name: BOBJCentralMS/CMSACC@BD.com

I have created a WINNT folder in the root directory and saved bscLogin.conf and krb5.ini there.

bscLogin.conf:

    com.businessobjects.security.jgss.initiate {
        com.sun.security.auth.module.Krb5LoginModule required;
    };

krb5.ini:

    [libdefaults]
    default_realm = BD.com
    dns_lookup_kdc = true
    dns_lookup_realm = true

    [realms]
    forwardable = true
    BD.com = {
        default_domain = BD.com
        kdc = BDMGTSRV.BD.com
    }

I have tested Kerberos using kinit CMSACC@BD.com password, and got the error message below:

    Exception: krb_error 41 Message stream modified (41) Message stream modified
    KrbException: Message stream modified (41)
        at sun.security.krb5.KrbKdcRep.check(KrbKdcRep.java:53)
        at sun.security.krb5.KrbAsRep.<init>(KrbAsRep.java:96)
        at sun.security.krb5.KrbAsRep.getReply(KrbAsRep.java:486)
        at sun.security.krb5.KrbAsRep.getReply(KrbAsRep.java:444)
        at sun.security.krb5.internal.tools.Kinit.sendASRequest(Kinit.java:310)
        at sun.security.krb5.internal.tools.Kinit.<init>(Kinit.java:259)
        at sun.security.krb5.internal.tools.Kinit.main(Kinit.java:106)

My problem is that I fail to log on to CMC and InfoView and get the error message below:

    Account Information Not Recognized: Active Directory Authentication failed to log you on. Please contact your system administrator to make sure you are a member of a valid mapped group and try again. If you are not a member of the default domain, enter your user name as UserName@DNS_DomainName, and then try again.

Actually, I can successfully log on to Business View Manager with CRuser1. However, I fail to log on to CMC and InfoView and get the above error. Do you have any suggestion to solve this problem?

Ken.

Accepted Solutions (1)

Former Member

Can anyone help me fix this problem?

BasicTek
Advisor

If you can log on with client tools, then that should be an indication that the service account running the CMS IS working! Good news.

So the problem is likely with the Java portion (krb5/bscLogin or Java options).

If the files are in c:\winnt\ (if not, copy them there), run c:\program files\business objects\javasdk\bin\kinit username

then press Enter, type the password, and press Enter again.

You will probably get the same message. Note that in your krb5.ini all domain info must be in CAPS (the .com appears to be in lower case).

kinit works with just the krb5.ini, Java SDK and AD (removing the BO config and the service account from the picture). Once that works, if your Java options are specified properly you should be able to log in to CMC/InfoView.

Also, one last point: add udp_preference_limit = 1 to the krb5 [libdefaults] section:

    [libdefaults]
    default_realm = BD.com
    dns_lookup_kdc = true
    dns_lookup_realm = true
    udp_preference_limit = 1

Regards,

Tim

Former Member
http://technet.microsoft.com/en-us/library/cc772897.aspx

Just a quick note: you can set any/all SPNs and they have no effect on kinit. Since this issue was with kinit, it involved the krb5.ini, maybe the Java SDK, but not the SPN. Also, since it worked from client tools, that usually indicates the SPN is configured properly.

-Regards,

Tim

Former Member

Hi Tim, thanks for your reply.

I followed your instructions and modified krb5.ini as below:

    [libdefaults]
    default_realm = BD.COM
    dns_lookup_kdc = true
    dns_lookup_realm = true
    udp_preference_limit = 1

    [realms]
    forwardable = true
    BD.COM = {
        default_domain = BD.COM
        kdc = BDMGTSRV.BD.COM
    }

However, I still get the same error message. Do you have any other idea to solve the problem?

Thanks

Ken

BasicTek
Advisor

Well, forwardable = true should only be in the [libdefaults] section, not [realms]. Was that just a typo?

Former Member

Hi Tim,

I got another problem. I tried to log on to the Business View client, but I got the error message below:

    Kerberos target name BOBJCentralMS/CMSACC@BD.com is unknown. Please contact your system administrator to make sure it's set up properly. (FWM 00003)

Domain Controller: BDMGTSRV.BD.com

CRS2008 Name: CRS2008.BD.com

I am confused about how to set up the service account now. Could you tell me which command should be used?

1. setspn -A BOBJCentralMS/BDMGTSRV.BD.com CMSACC

2. setspn -A BOBJCentralMS/CRS2008.BD.com CMSACC

1 or 2?

BasicTek
Advisor

So the error indicates a bad, missing, or duplicate SPN configured in CMC > Authentication > Windows AD > Service Principal Name.

BOBJCentralMS/CMSACC@BD.com is the problem.

You can use a tool like AD Explorer to search for duplicate SPNs.

A quick workaround would be to put the username (CMSACC) in the service principal name and then test logon again. If it works, don't leave the system this way, or you will not be able to log on from multiple domains and you could run into SSO issues. You should verify why the SPN cannot be found and delete the duplicate or replace it with one that can be found.

Regards,

Tim

Former Member

Hi Tim,

After checking the SPNs, I could not find any duplicate SPN. Do you have any suggestion?

In my situation, could you tell me which command should be used to create the SPN?

1. setspn -A BOBJCentralMS/BDMGTSRV.BD.com CMSACC

2. setspn -A BOBJCentralMS/CRS2008.BD.com CMSACC

Should it be 1 or 2?

Regards,

Kenneth

Former Member

Hi Ken,

The SPN should be set for the server where your app server (e.g. Tomcat) is installed.

Use the command below:

    SETSPN -A BOBJCentralMS/<FQDN-JAVAAPPSERVER> SERVICEACCOUNT

-n2

BasicTek
Advisor

Actually, to ensure the SPN is unique you could try something like

    setspn -A BOBJ/svc CMSACC

provided that CMSACC is the account running the CMS and has local admin permissions on that server.

Then in CMC > Authentication > Windows AD > Service Principal Name enter the value BOBJ/svc.

Our product doesn't need any specific value for the SPN, as long as the value used for setspn -A equals the value entered in the CMC.

Regards,

Tim

Answers (1)

Former Member

Thanks for this! Just for reference, an uppercase realm name is very important to avoid "Exception: krb_error 41 Message stream modified (41)".

Here's an example of correct notation:

    [libdefaults]
    default_realm = EXAMPLE.COM

    [realms]
    EXAMPLE.COM = {
        kdc = domaincontroller.example.com
        admin_server = domaincontroller.example.com
        default_domain = EXAMPLE.COM
    }

    [domain_realm]
    .example.com = EXAMPLE.COM
    example.com = EXAMPLE.COM

Regards,

Nika.
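The pitfalls raised in this thread (Tim's note that realm names must be in CAPS and that forwardable belongs in [libdefaults], his udp_preference_limit = 1 recommendation, and Nika's corrected notation) can be checked mechanically before kinit is run. The following is an added example, not code from the thread or from SAP: a small Python parser for the krb5.ini subset shown above plus a checker for those pitfalls, with sample inputs constructed from Ken's first file and a corrected version of it.

```python
import re

def parse_krb5(text):
    """Parse the krb5.ini subset shown in this thread into nested dicts."""
    conf, section, block = {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or (section is None and not line.startswith("[")):
            continue
        m = re.match(r"\[(\w+)\]$", line)
        if m:  # [libdefaults], [realms], [domain_realm], ...
            section, block = m.group(1), None
            conf.setdefault(section, {})
        elif line == "}":  # end of a 'REALM = { ... }' block
            block = None
        elif "=" in line:
            key, val = (p.strip() for p in line.split("=", 1))
            if val == "{":  # start of a realm block under [realms]
                block = conf[section].setdefault(key, {})
            else:
                (conf[section] if block is None else block)[key] = val
    return conf

def check_krb5(text):
    """Return findings for the pitfalls raised in the thread (empty list = clean)."""
    conf = parse_krb5(text)
    lib, realms = conf.get("libdefaults", {}), conf.get("realms", {})
    findings, realm = [], lib.get("default_realm")
    if realm is None:
        findings.append("libdefaults: default_realm is missing")
    elif realm != realm.upper():  # lowercase realm gave krb_error 41 in the thread
        findings.append("default_realm %r must be upper case" % realm)
    elif realm not in realms:
        findings.append("default_realm %r has no [realms] block" % realm)
    for name, body in realms.items():
        if not isinstance(body, dict):  # e.g. 'forwardable = true' under [realms]
            findings.append("[realms]: %r belongs in [libdefaults]" % name)
        elif name != name.upper():
            findings.append("realm %r must be upper case" % name)
    if lib.get("udp_preference_limit") != "1":  # Tim's recommendation
        findings.append("libdefaults: add udp_preference_limit = 1")
    return findings

# Constructed samples: Ken's first krb5.ini from the thread, and a corrected one.
KEN_INI = "[libdefaults]\ndefault_realm = BD.com\n[realms]\nforwardable = true\n" \
          "BD.com = {\n kdc = BDMGTSRV.BD.com\n}\n"
FIXED_INI = "[libdefaults]\ndefault_realm = BD.COM\nforwardable = true\n" \
            "udp_preference_limit = 1\n[realms]\nBD.COM = {\n kdc = BDMGTSRV.BD.COM\n}\n"
```

check_krb5(KEN_INI) reports four findings (lowercase default_realm and realm block, forwardable under [realms], missing udp_preference_limit), while check_krb5(FIXED_INI) returns an empty list.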