
AD and multidomains. ERROR FWM 00005

Former Member
0 Kudos

Hi!

I have installed BO XO 3.1 SP2 on Windows 2003 + default Tomcat.

And I have big trouble configuring AD (+ SSO) for multiple domains in different forests.

I have used the guide Configuring Vintela SSO in Distributed Environments - Complete.pdf

As a result, a user in the own domain, where BO is installed, can log in successfully, even using SSO, but a user from a domain in another forest can't.

BO gives an error:

Account Information Not Recognized: The Active Directory Authentication plugin could not authenticate at this time. Please try again. If the problem persists, please contact your technical support department. (FWM 00005)

and

in stdout.log

Commit Succeeded

What is wrong?

Maybe it is because I'm logging in to BO from a BO server (in this domain) with a user from another domain, like username(DOG)OTHER.DOMAIN?

Thanks

Accepted Solutions (1)


BasicTek
Active Contributor
0 Kudos

Search a couple of KBs on the SMP.

1) advanced AD troubleshooting

2) multiple forests

The troubleshooting one will link to the forests. The 1st thought is that you do not have a 2 way forest trust. Or if you do then possibly the UseFQDNForDirectoryServers registry key may be needed.

The "Commit Succeeded" indicates there was a successful AS request using the krb5.ini. Try logging in to a client tool like deski, designer or CCM. If that works then additional info will be needed on the krb5.ini (also noted in the troubleshooting KB).

Regards,

Tim

Former Member
0 Kudos

Thanks, Tim Ziemba

The error when connecting with a user from the other forest in designer is:

[repo_proxy 13] SessionFacade::openSessionLogon with user info has failed(Failed to contact the Active Directory server.(hr=#0x80042909)

Logging in with a user from the native domain where BO is installed is fine!

BasicTek
Active Contributor
0 Kudos

So either the CMS cannot resolve the other forest (the FQDN setting would likely resolve this) or, more likely, the proper trust/permissions are not in place.

The troubleshooting KB is 1476374, multi forest requirements is KB 1323391, and the FQDN setting is KB 11999935.

Regards,

Tim

Former Member
0 Kudos

Tim, thank you! FQDN helps to solve the problem with logging users from the other domain in to designer!

BUT these users can't log in to InfoView; the error is:

Debug is true storeKey false useTicketCache false useKeyTab false doNotPrompt false ticketCache is null isInitiator true KeyTab is null refreshKrb5Config is false principal is null tryFirstPass is false useFirstPass is false storePass is false clearPass is false

[Krb5LoginModule] user entered username: alsvinogradov(DOG)BEE.VDOMAIN.RU

Using builtin default etypes for default_tkt_enctypes

default etypes for default_tkt_enctypes: 3 1 23 16 17.

Acquire TGT using AS Exchange

Using builtin default etypes for default_tkt_enctypes

default etypes for default_tkt_enctypes: 3 1 23 16 17.

>>> KrbAsReq calling createMessage

>>> KrbAsReq in createMessage

>>> KrbKdcReq send: kdc=ms-dcs008.bee.VDOMAIN.ru TCP:88, timeout=30000, number of retries =3, #bytes=164

>>>DEBUG: TCPClient reading 240 bytes

>>> KrbKdcReq send: #bytes read=240

>>> KrbKdcReq send: #bytes read=240

>>> KDCRep: init() encoding tag is 126 req type is 11

>>>KRBError:

sTime is Fri Jun 25 00:51:18 ICT 2010 1277401878000

suSec is 336443

error code is 25

error Message is Additional pre-authentication required

realm is BEE.VDOMAIN.RU

sname is krbtgt/BEE.VDOMAIN.RU

eData provided.

msgType is 30

>>>Pre-Authentication Data:

PA-DATA type = 11

PA-ETYPE-INFO etype = 23

>>>Pre-Authentication Data:

PA-DATA type = 2

PA-ENC-TIMESTAMP

>>>Pre-Authentication Data:

PA-DATA type = 15

AcquireTGT: PREAUTH FAILED/REQUIRED, re-send AS-REQ

Using builtin default etypes for default_tkt_enctypes

default etypes for default_tkt_enctypes: 3 1 23 16 17.

Pre-Authentication: Set preferred etype = 23

>>>KrbAsReq salt is BEE.VDOMAIN.RUalsvinogradov

Pre-Authenticaton: find key for etype = 23

AS-REQ: Add PA_ENC_TIMESTAMP now

>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType

>>> KrbAsReq calling createMessage

>>> KrbAsReq in createMessage

>>> KrbKdcReq send: kdc=ms-dcs008.bee.VDOMAIN.ru TCP:88, timeout=30000, number of retries =3, #bytes=230

>>>DEBUG: TCPClient reading 1628 bytes

>>> KrbKdcReq send: #bytes read=1628

>>> KrbKdcReq send: #bytes read=1628

>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType

>>> KrbAsRep cons in KrbAsReq.getReply alsvinogradov

Using builtin default etypes for default_tkt_enctypes

default etypes for default_tkt_enctypes: 3 1 23 16 17.

principal is alsvinogradov(DOG)BEE.VDOMAIN.RU

EncryptionKey: keyType=3 keyBytes (hex dump)=0000: B0 49 1A 7F C8 EF D6 57

EncryptionKey: keyType=1 keyBytes (hex dump)=0000: B0 49 1A 7F C8 EF D6 57

EncryptionKey: keyType=23 keyBytes (hex dump)=0000: A1 82 C1 F2 44 BB 33 C7 54 1A DB 51 0F 67 FD 99 ....D.3.T..Q.g..

EncryptionKey: keyType=16 keyBytes (hex dump)=0000: 86 E6 1A A7 3D 9B 8F 8C C1 85 32 D3 2A D9 25 B0 ....=.....2.*.%.

0010: A7 D0 DA 9D D3 1F 73 67

EncryptionKey: keyType=17 keyBytes (hex dump)=0000: 49 20 A6 86 CB D3 C8 AF 05 56 E5 4B 06 61 31 BA I .......V.K.a1.

Commit Succeeded

Found ticket for alsvinogradov(DOG)BEE.VDOMAIN.RU to go to krbtgt/BEE.VDOMAIN.RU(DOG)BEE.VDOMAIN.RU expiring on Fri Jun 25 10:51:18 ICT 2010

Entered Krb5Context.initSecContext with state=STATE_NEW

Found ticket for alsvinogradov(DOG)BEE.VDOMAIN.RU to go to krbtgt/BEE.VDOMAIN.RU(DOG)BEE.VDOMAIN.RU expiring on Fri Jun 25 10:51:18 ICT 2010

Service ticket not found in the subject

>>> Realm doInitialParse: cRealm=[BEE.VDOMAIN.RU], sRealm=[BEE.SOTELCO.LOCAL]

>>> Realm parseCapaths: loop 1: target=BEE.SOTELCO.LOCAL

>>> Realm parseCapaths: loop 1: intermediaries=[SOTELCO.LOCAL]

>>> Realm parseCapaths: loop 1: pushed realm on to stack: SOTELCO.LOCAL

>>> Realm parseCapaths: loop 1: added intermediary to list: SOTELCO.LOCAL

>>> Realm parseCapaths: loop 2: target=SOTELCO.LOCAL

>>> Realm parseCapaths: loop 2: intermediaries=[VDOMAIN.RU]

>>> Realm parseCapaths: loop 2: pushed realm on to stack: VDOMAIN.RU

>>> Realm parseCapaths: loop 2: added intermediary to list: VDOMAIN.RU

>>> Realm parseCapaths: loop 3: target=VDOMAIN.RU

>>> Realm parseCapaths: loop 3: no intermediaries

>>> Realm parseCapaths [0]=BEE.VDOMAIN.RU

>>> Realm parseCapaths [1]=SOTELCO.LOCAL

>>> Realm parseCapaths [2]=VDOMAIN.RU

>>> Credentials acquireServiceCreds: main loop: [0] tempService=krbtgt/BEE.SOTELCO.LOCAL(DOG)BEE.VDOMAIN.RU

Using builtin default etypes for default_tgs_enctypes

default etypes for default_tgs_enctypes: 3 1 23 16 17.

>>> CksumType: sun.security.krb5.internal.crypto.RsaMd5CksumType

>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType

>>> KrbKdcReq send: kdc=ms-dcs008.bee.VDOMAIN.ru TCP:88, timeout=30000, number of retries =3, #bytes=1638

>>>DEBUG: TCPClient reading 1573 bytes

>>> KrbKdcReq send: #bytes read=1573

>>> KrbKdcReq send: #bytes read=1573

>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType

>>> Credentials acquireServiceCreds: no tgt; searching backwards

>>> Credentials acquireServiceCreds: inner loop: [2] tempService=krbtgt/VDOMAIN.RU(DOG)BEE.VDOMAIN.RU

Using builtin default etypes for default_tgs_enctypes

default etypes for default_tgs_enctypes: 3 1 23 16 17.

>>> CksumType: sun.security.krb5.internal.crypto.RsaMd5CksumType

>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType

>>> KrbKdcReq send: kdc=ms-dcs008.bee.VDOMAIN.ru TCP:88, timeout=30000, number of retries =3, #bytes=1634

>>>DEBUG: TCPClient reading 1573 bytes

>>> KrbKdcReq send: #bytes read=1573

>>> KrbKdcReq send: #bytes read=1573

>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType

>>> Credentials acquireServiceCreds: got tgt

>>> Credentials acquireServiceCreds: continuing with main loop counter reset to 2

>>> Credentials acquireServiceCreds: main loop: [2] tempService=krbtgt/BEE.SOTELCO.LOCAL(DOG)VDOMAIN.RU

Using builtin default etypes for default_tgs_enctypes

default etypes for default_tgs_enctypes: 3 1 23 16 17.

>>> CksumType: sun.security.krb5.internal.crypto.RsaMd5CksumType

>>> EType: sun.security.krb5.internal.crypto.DesCbcMd5EType

>>> KrbKdcReq send: kdc=DR-DCS001.VDOMAIN.ru TCP:88, timeout=30000, number of retries =3, #bytes=1626

>>>DEBUG: TCPClient reading 1573 bytes

>>> KrbKdcReq send: #bytes read=1573

>>> KrbKdcReq send: #bytes read=1573

>>> EType: sun.security.krb5.internal.crypto.DesCbcMd5EType

>>> Credentials acquireServiceCreds: no tgt; searching backwards

>>> Credentials acquireServiceCreds: no tgt; cannot get creds

KrbException: Fail to create credential. (63) - No service creds

at sun.security.krb5.internal.CredentialsUtil.acquireServiceCreds(CredentialsUtil.java:279)

at sun.security.krb5.Credentials.acquireServiceCreds(Credentials.java:561)

at sun.security.jgss.krb5.Krb5Context.initSecContext(Krb5Context.java:585)

at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:213)

at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:158)

at com.crystaldecisions.sdk.plugin.authentication.secwinad.internal.SecWinADAction.run(SecWinADAction.java:113)

at java.security.AccessController.doPrivileged(Native Method)

at javax.security.auth.Subject.doAs(Subject.java:337)

at com.crystaldecisions.sdk.plugin.authentication.secwinad.internal.SecWinADAuthentication.startKerbLogin(SecWinADAuthentication.java:315)

at com.crystaldecisions.sdk.plugin.authentication.secwinad.internal.SecWinADAuthentication.startLogin(SecWinADAuthentication.java:152)

at com.crystaldecisions.sdk.occa.security.internal.LogonService.doLogon(LogonService.java:337)

at com.crystaldecisions.sdk.occa.security.internal.LogonService.doUserLogon(LogonService.java:684)

at com.crystaldecisions.sdk.occa.security.internal.LogonService.userLogon(LogonService.java:629)

at com.crystaldecisions.sdk.occa.security.internal.SecurityMgr.userLogon(SecurityMgr.java:223)

at com.crystaldecisions.sdk.framework.internal.SessionMgr.logonEx(SessionMgr.java:678)

at com.businessobjects.clientaction.shared.logon.LogonUtils.logon(LogonUtils.java:40)

at com.businessobjects.clientaction.shared.logon.LogonAction.logon(LogonAction.java:288)

at com.businessobjects.clientaction.shared.logon.LogonAction.handleLogon(LogonAction.java:295)

at com.businessobjects.clientaction.shared.logon.LogonAction.perform(LogonAction.java:518)

at org.apache.struts.action.ActionServlet.processActionPerform(ActionServlet.java:1787)

at org.apache.struts.action.ActionServlet.process(ActionServlet.java:1586)

at com.businessobjects.webutil.struts.CrystalUTF8InputActionServlet.process(CrystalUTF8InputActionServlet.java:32)

at org.apache.struts.action.ActionServlet.doPost(ActionServlet.java:510)

at javax.servlet.http.HttpServlet.service(HttpServlet.java:709)

at javax.servlet.http.HttpServlet.service(HttpServlet.java:802)

at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:252)

at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)

at com.businessobjects.webutil.websessiontimeout.WebSessionTimeoutFilter.doFilter(WebSessionTimeoutFilter.java:161)

at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:202)

at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)

at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:213)

at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:178)

at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:126)

at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:105)

at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:107)

at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:148)

at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:869)

at org.apache.coyote.http11.Http11BaseProtocol$Http11ConnectionHandler.processConnection(Http11BaseProtocol.java:664)

at org.apache.tomcat.util.net.PoolTcpEndpoint.processSocket(PoolTcpEndpoint.java:527)

at org.apache.tomcat.util.net.LeaderFollowerWorkerThread.runIt(LeaderFollowerWorkerThread.java:80)

at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:684)

at java.lang.Thread.run(Thread.java:595)

Edited by: Sergey Fedechkin on Jun 25, 2010 11:02 AM
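The trace above, reduced to its cross-realm hops, as an added example that is not part of the original post: the script pulls the realm path and each krbtgt request with its outcome out of JDK Kerberos debug output. The function names are hypothetical, the sample lines are abridged from the trace in this thread, and "(DOG)" is assumed to be the forum's rendering of "@".

```python
import re
# Abridged from the trace in this thread; "(DOG)" is assumed to stand for "@".
SAMPLE_TRACE = """\
>>> Realm doInitialParse: cRealm=[BEE.VDOMAIN.RU], sRealm=[BEE.SOTELCO.LOCAL]
>>> Realm parseCapaths [0]=BEE.VDOMAIN.RU
>>> Realm parseCapaths [1]=SOTELCO.LOCAL
>>> Realm parseCapaths [2]=VDOMAIN.RU
>>> Credentials acquireServiceCreds: main loop: [0] tempService=krbtgt/BEE.SOTELCO.LOCAL(DOG)BEE.VDOMAIN.RU
>>> KrbKdcReq send: kdc=ms-dcs008.bee.VDOMAIN.ru TCP:88, timeout=30000, number of retries =3, #bytes=1638
>>> Credentials acquireServiceCreds: no tgt; searching backwards
>>> Credentials acquireServiceCreds: inner loop: [2] tempService=krbtgt/VDOMAIN.RU(DOG)BEE.VDOMAIN.RU
>>> KrbKdcReq send: kdc=ms-dcs008.bee.VDOMAIN.ru TCP:88, timeout=30000, number of retries =3, #bytes=1634
>>> Credentials acquireServiceCreds: got tgt
>>> Credentials acquireServiceCreds: main loop: [2] tempService=krbtgt/BEE.SOTELCO.LOCAL(DOG)VDOMAIN.RU
>>> KrbKdcReq send: kdc=DR-DCS001.VDOMAIN.ru TCP:88, timeout=30000, number of retries =3, #bytes=1626
>>> Credentials acquireServiceCreds: no tgt; searching backwards
>>> Credentials acquireServiceCreds: no tgt; cannot get creds
KrbException: Fail to create credential. (63) - No service creds
"""
REALMS = re.compile(r"cRealm=\[(.+?)\], sRealm=\[(.+?)\]")
PATH = re.compile(r"parseCapaths \[(\d+)\]=(\S+)")   # final path, not the "loop N" lines
HOP = re.compile(r"tempService=krbtgt/(\S+?)(?:\(DOG\)|@)(\S+)")
KDC = re.compile(r"KrbKdcReq send: kdc=(\S+)")

def analyse(trace):
    """Summarise client/server realm, computed capaths path and every TGT hop."""
    report = {"client": None, "server": None, "path": [], "hops": [], "failed": False}
    hop = None  # the krbtgt request currently being tracked
    for line in trace.splitlines():
        if m := REALMS.search(line):
            report["client"], report["server"] = m.groups()
        elif m := PATH.search(line):
            report["path"].append(m.group(2))
        elif m := HOP.search(line):
            hop = {"tgt_for": m.group(1), "asked_realm": m.group(2), "kdc": None, "result": "unknown"}
            report["hops"].append(hop)
        elif (m := KDC.search(line)) and hop and hop["kdc"] is None:
            hop["kdc"] = m.group(1)
        elif "acquireServiceCreds: got tgt" in line and hop:
            hop["result"] = "got tgt"
        elif "acquireServiceCreds: no tgt" in line and hop and hop["result"] == "unknown":
            hop["result"] = "no tgt"
        elif "No service creds" in line:
            report["failed"] = True
    return report

def failed_hops(report):  # (target realm, realm that was asked) pairs that yielded no TGT
    return [(h["tgt_for"], h["asked_realm"]) for h in report["hops"] if h["result"] == "no tgt"]
```

Each pair returned by `failed_hops` is a realm crossing the client attempted directly and did not get a ticket for, which is where to compare the `[capaths]` entries against the trusts that actually exist.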

Former Member
0 Kudos

I have done it!

For a user from domain child.first.domain to log in to child.second.domain, the right will be:

    [capaths]
    CHILD.FIRST.DOMAIN = {
        FIRST.DOMAIN = .
        CHILD.SECOND.DOMAIN = SECOND.DOMAIN
        CHILD.SECOND.DOMAIN = FIRST.DOMAIN
    }
    CHILD.SECOND.DOMAIN = {
        SECOND.DOMAIN = .
        CHILD.FIRST.DOMAIN = FIRST.DOMAIN
        CHILD.FIRST.DOMAIN = SECOND.DOMAIN
    }

Former Member
0 Kudos

Hello

How can I get KB 1323391?

BasicTek
Active Contributor
0 Kudos
Former Member
0 Kudos

Hello

Answers (0)