Windows AD Authentication to CMC

Unable to log on to CMC using Windows AD authentication, error:

"Account information not recognized: Active Directory Authentication failed to log you on. Please contact your system administrator to make sure you are a member of a valid mapped group and try again. If you are not a member of the default domain, enter your user name as UserName@DNS_DomainName, and then try again. (FWM 00006)"

Windows AD authentication is enabled, using Kerberos. Service account "Service Principal Name" is set correctly using SETSPN utility. AD Sync runs successfully every hour and imports any users that are members of the defined group.

Have read threads in this forum related to using all caps, does not seem to help.

Both the Apache Web Server and Server Intelligence service are running with logon set to service account credentials. Service account is member of local Administrators group.

Business Objects Enterprise XI 3.1

Recently installed FixPack 1.3 to see if that helped and to be at latest revision.

SAP Integration Pack is installed. SAP Authentication / SSO works for CMC, InfoView, Web Intelligence. Also using SAP Enterprise Portal can publish BI sourced Crystal reports on BOE using SSO with no prompt for credentials.

Windows 2003 R2 32 Standard Edition

BOE server is in same domain as user accounts attempting to logon. Windows 2003 Forest with Single Domain, at both 2003 Domain and Forest functionality level.

  • SAP Employee

Use this doc to troubleshoot. Sections 4-6 involve setting up Kerberos manual AD auth (disregard the SSO references.)

You mention SAP auth, which currently is set up external/separate from enterprise/AD auth. If you are trying to authenticate to SAP then post in the SAP integration kit forum.

For Kerberos AD make sure you can

1) Login with client tools (CCM/deski/crystal/designer/etc) If that works then the service account and SPN are usually ok. If not then most common causes are duplicate SPN or DES encryption is not allowed.

2) kinit from the businessobjects\javasdk\bin directory. This will require your krb5.ini be in c:\winnt and will verify java SDK connectivity to AD and the krb5.ini files only

Typically if the above 2 tests work you should be able to login to infoview unless the java options are not set properly or in more rare cases encryption or multi domain issues exist.

Oh and for no reason do you need to run Tomcat under the service account, switch it back to local service.
