on 06-23-2010 1:48 PM
Hi!
I have installed BO XI 3.1 SP2 on Windows 2003 + default Tomcat.
And I have a big problem configuring AD (+ SSO) for multiple domains in different forests.
I have used the guide Configuring Vintela SSO in Distributed Environments - Complete.pdf
As a result, the user in the domain where BO is installed can log in successfully, even using SSO, but a user from a domain in the other forest can't.
BO gives an error:
Account Information Not Recognized: The Active Directory Authentication plugin could not authenticate at this time. Please try again. If the problem persists, please contact your technical support department. (FWM 00005)
and
in stdout.log
Commit Succeeded
What's wrong?
Maybe it's because I'm logging in to BO from the BO server (in this domain) with a user from the other domain, like username(DOG)OTHER.DOMAIN???
Thanks
Search a couple of KBs on the SMP.
1) advanced AD troubleshooting
2) multiple forests
The troubleshooting one will link to the forests. The 1st thought is that you do not have a 2-way forest trust. Or if you do, then possibly the UseFQDNForDirectoryServers registry key may be needed.
The commit succeeded indicates there was a successful AS request using the krb5.ini; try logging in with a client tool like Deski, Designer or CCM. If that works, then additional info will be needed on the krb5.ini (also noted in the troubleshooting KB).
Regards,
Tim
Thanks, Tim Ziemba
An error when connecting with a user from the other forest in Designer is:
[repo_proxy 13] SessionFacade::openSessionLogon with user info has failed(Failed to contact the Active Directory server.(hr=#0x80042909)
Logging in with a user from the native domain where BO is installed is fine!
Tim, thank you! FQDN helps solve the problem with logging users from the other domain into Designer!
BUT these users can't log in to InfoView; the error is:
Debug is true storeKey false useTicketCache false useKeyTab false doNotPrompt false ticketCache is null isInitiator true KeyTab is null refreshKrb5Config is false principal is null tryFirstPass is false useFirstPass is false storePass is false clearPass is false
[Krb5LoginModule] user entered username: alsvinogradov(DOG)BEE.VDOMAIN.RU
Using builtin default etypes for default_tkt_enctypes
default etypes for default_tkt_enctypes: 3 1 23 16 17.
Acquire TGT using AS Exchange
Using builtin default etypes for default_tkt_enctypes
default etypes for default_tkt_enctypes: 3 1 23 16 17.
>>> KrbAsReq calling createMessage
>>> KrbAsReq in createMessage
>>> KrbKdcReq send: kdc=ms-dcs008.bee.VDOMAIN.ru TCP:88, timeout=30000, number of retries =3, #bytes=164
>>>DEBUG: TCPClient reading 240 bytes
>>> KrbKdcReq send: #bytes read=240
>>> KrbKdcReq send: #bytes read=240
>>> KDCRep: init() encoding tag is 126 req type is 11
>>>KRBError:
sTime is Fri Jun 25 00:51:18 ICT 2010 1277401878000
suSec is 336443
error code is 25
error Message is Additional pre-authentication required
realm is BEE.VDOMAIN.RU
sname is krbtgt/BEE.VDOMAIN.RU
eData provided.
msgType is 30
>>>Pre-Authentication Data:
PA-DATA type = 11
PA-ETYPE-INFO etype = 23
>>>Pre-Authentication Data:
PA-DATA type = 2
PA-ENC-TIMESTAMP
>>>Pre-Authentication Data:
PA-DATA type = 15
AcquireTGT: PREAUTH FAILED/REQUIRED, re-send AS-REQ
Using builtin default etypes for default_tkt_enctypes
default etypes for default_tkt_enctypes: 3 1 23 16 17.
Pre-Authentication: Set preferred etype = 23
>>>KrbAsReq salt is BEE.VDOMAIN.RUalsvinogradov
Pre-Authenticaton: find key for etype = 23
AS-REQ: Add PA_ENC_TIMESTAMP now
>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
>>> KrbAsReq calling createMessage
>>> KrbAsReq in createMessage
>>> KrbKdcReq send: kdc=ms-dcs008.bee.VDOMAIN.ru TCP:88, timeout=30000, number of retries =3, #bytes=230
>>>DEBUG: TCPClient reading 1628 bytes
>>> KrbKdcReq send: #bytes read=1628
>>> KrbKdcReq send: #bytes read=1628
>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
>>> KrbAsRep cons in KrbAsReq.getReply alsvinogradov
Using builtin default etypes for default_tkt_enctypes
default etypes for default_tkt_enctypes: 3 1 23 16 17.
principal is alsvinogradov(DOG)BEE.VDOMAIN.RU
EncryptionKey: keyType=3 keyBytes (hex dump)=0000: B0 49 1A 7F C8 EF D6 57
EncryptionKey: keyType=1 keyBytes (hex dump)=0000: B0 49 1A 7F C8 EF D6 57
EncryptionKey: keyType=23 keyBytes (hex dump)=0000: A1 82 C1 F2 44 BB 33 C7 54 1A DB 51 0F 67 FD 99 ....D.3.T..Q.g..
EncryptionKey: keyType=16 keyBytes (hex dump)=0000: 86 E6 1A A7 3D 9B 8F 8C C1 85 32 D3 2A D9 25 B0 ....=.....2.*.%.
0010: A7 D0 DA 9D D3 1F 73 67
EncryptionKey: keyType=17 keyBytes (hex dump)=0000: 49 20 A6 86 CB D3 C8 AF 05 56 E5 4B 06 61 31 BA I .......V.K.a1.
Commit Succeeded
Found ticket for alsvinogradov(DOG)BEE.VDOMAIN.RU to go to krbtgt/BEE.VDOMAIN.RU(DOG)BEE.VDOMAIN.RU expiring on Fri Jun 25 10:51:18 ICT 2010
Entered Krb5Context.initSecContext with state=STATE_NEW
Found ticket for alsvinogradov(DOG)BEE.VDOMAIN.RU to go to krbtgt/BEE.VDOMAIN.RU(DOG)BEE.VDOMAIN.RU expiring on Fri Jun 25 10:51:18 ICT 2010
Service ticket not found in the subject
>>> Realm doInitialParse: cRealm=[BEE.VDOMAIN.RU], sRealm=[BEE.SOTELCO.LOCAL]
>>> Realm parseCapaths: loop 1: target=BEE.SOTELCO.LOCAL
>>> Realm parseCapaths: loop 1: intermediaries=[SOTELCO.LOCAL]
>>> Realm parseCapaths: loop 1: pushed realm on to stack: SOTELCO.LOCAL
>>> Realm parseCapaths: loop 1: added intermediary to list: SOTELCO.LOCAL
>>> Realm parseCapaths: loop 2: target=SOTELCO.LOCAL
>>> Realm parseCapaths: loop 2: intermediaries=[VDOMAIN.RU]
>>> Realm parseCapaths: loop 2: pushed realm on to stack: VDOMAIN.RU
>>> Realm parseCapaths: loop 2: added intermediary to list: VDOMAIN.RU
>>> Realm parseCapaths: loop 3: target=VDOMAIN.RU
>>> Realm parseCapaths: loop 3: no intermediaries
>>> Realm parseCapaths [0]=BEE.VDOMAIN.RU
>>> Realm parseCapaths [1]=SOTELCO.LOCAL
>>> Realm parseCapaths [2]=VDOMAIN.RU
>>> Credentials acquireServiceCreds: main loop: [0] tempService=krbtgt/BEE.SOTELCO.LOCAL(DOG)BEE.VDOMAIN.RU
Using builtin default etypes for default_tgs_enctypes
default etypes for default_tgs_enctypes: 3 1 23 16 17.
>>> CksumType: sun.security.krb5.internal.crypto.RsaMd5CksumType
>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
>>> KrbKdcReq send: kdc=ms-dcs008.bee.VDOMAIN.ru TCP:88, timeout=30000, number of retries =3, #bytes=1638
>>>DEBUG: TCPClient reading 1573 bytes
>>> KrbKdcReq send: #bytes read=1573
>>> KrbKdcReq send: #bytes read=1573
>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
>>> Credentials acquireServiceCreds: no tgt; searching backwards
>>> Credentials acquireServiceCreds: inner loop: [2] tempService=krbtgt/VDOMAIN.RU(DOG)BEE.VDOMAIN.RU
Using builtin default etypes for default_tgs_enctypes
default etypes for default_tgs_enctypes: 3 1 23 16 17.
>>> CksumType: sun.security.krb5.internal.crypto.RsaMd5CksumType
>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
>>> KrbKdcReq send: kdc=ms-dcs008.bee.VDOMAIN.ru TCP:88, timeout=30000, number of retries =3, #bytes=1634
>>>DEBUG: TCPClient reading 1573 bytes
>>> KrbKdcReq send: #bytes read=1573
>>> KrbKdcReq send: #bytes read=1573
>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
>>> Credentials acquireServiceCreds: got tgt
>>> Credentials acquireServiceCreds: continuing with main loop counter reset to 2
>>> Credentials acquireServiceCreds: main loop: [2] tempService=krbtgt/BEE.SOTELCO.LOCAL(DOG)VDOMAIN.RU
Using builtin default etypes for default_tgs_enctypes
default etypes for default_tgs_enctypes: 3 1 23 16 17.
>>> CksumType: sun.security.krb5.internal.crypto.RsaMd5CksumType
>>> EType: sun.security.krb5.internal.crypto.DesCbcMd5EType
>>> KrbKdcReq send: kdc=DR-DCS001.VDOMAIN.ru TCP:88, timeout=30000, number of retries =3, #bytes=1626
>>>DEBUG: TCPClient reading 1573 bytes
>>> KrbKdcReq send: #bytes read=1573
>>> KrbKdcReq send: #bytes read=1573
>>> EType: sun.security.krb5.internal.crypto.DesCbcMd5EType
>>> Credentials acquireServiceCreds: no tgt; searching backwards
>>> Credentials acquireServiceCreds: no tgt; cannot get creds
KrbException: Fail to create credential. (63) - No service creds
at sun.security.krb5.internal.CredentialsUtil.acquireServiceCreds(CredentialsUtil.java:279)
at sun.security.krb5.Credentials.acquireServiceCreds(Credentials.java:561)
at sun.security.jgss.krb5.Krb5Context.initSecContext(Krb5Context.java:585)
at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:213)
at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:158)
at com.crystaldecisions.sdk.plugin.authentication.secwinad.internal.SecWinADAction.run(SecWinADAction.java:113)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.Subject.doAs(Subject.java:337)
at com.crystaldecisions.sdk.plugin.authentication.secwinad.internal.SecWinADAuthentication.startKerbLogin(SecWinADAuthentication.java:315)
at com.crystaldecisions.sdk.plugin.authentication.secwinad.internal.SecWinADAuthentication.startLogin(SecWinADAuthentication.java:152)
at com.crystaldecisions.sdk.occa.security.internal.LogonService.doLogon(LogonService.java:337)
at com.crystaldecisions.sdk.occa.security.internal.LogonService.doUserLogon(LogonService.java:684)
at com.crystaldecisions.sdk.occa.security.internal.LogonService.userLogon(LogonService.java:629)
at com.crystaldecisions.sdk.occa.security.internal.SecurityMgr.userLogon(SecurityMgr.java:223)
at com.crystaldecisions.sdk.framework.internal.SessionMgr.logonEx(SessionMgr.java:678)
at com.businessobjects.clientaction.shared.logon.LogonUtils.logon(LogonUtils.java:40)
at com.businessobjects.clientaction.shared.logon.LogonAction.logon(LogonAction.java:288)
at com.businessobjects.clientaction.shared.logon.LogonAction.handleLogon(LogonAction.java:295)
at com.businessobjects.clientaction.shared.logon.LogonAction.perform(LogonAction.java:518)
at org.apache.struts.action.ActionServlet.processActionPerform(ActionServlet.java:1787)
at org.apache.struts.action.ActionServlet.process(ActionServlet.java:1586)
at com.businessobjects.webutil.struts.CrystalUTF8InputActionServlet.process(CrystalUTF8InputActionServlet.java:32)
at org.apache.struts.action.ActionServlet.doPost(ActionServlet.java:510)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:709)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:802)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:252)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)
at com.businessobjects.webutil.websessiontimeout.WebSessionTimeoutFilter.doFilter(WebSessionTimeoutFilter.java:161)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:202)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:213)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:178)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:126)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:105)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:107)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:148)
at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:869)
at org.apache.coyote.http11.Http11BaseProtocol$Http11ConnectionHandler.processConnection(Http11BaseProtocol.java:664)
at org.apache.tomcat.util.net.PoolTcpEndpoint.processSocket(PoolTcpEndpoint.java:527)
at org.apache.tomcat.util.net.LeaderFollowerWorkerThread.runIt(LeaderFollowerWorkerThread.java:80)
at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:684)
at java.lang.Thread.run(Thread.java:595)
Edited by: Sergey Fedechkin on Jun 25, 2010 11:02 AM
I have done it!
For a user from domain child.first.domain to log in to child.second.domain, the right configuration will be:
[capaths]
CHILD.FIRST.DOMAIN = {
FIRST.DOMAIN = .
CHILD.SECOND.DOMAIN = SECOND.DOMAIN
CHILD.SECOND.DOMAIN = FIRST.DOMAIN
}
CHILD.SECOND.DOMAIN ={
SECOND.DOMAIN = .
CHILD.FIRST.DOMAIN = FIRST.DOMAIN
CHILD.FIRST.DOMAIN = SECOND.DOMAIN
}
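How a [capaths] stanza turns into the chain of cross-realm TGTs a client has to collect, as an added example (not code from the thread or from BusinessObjects). The realm names mirror the trace above; the trust topology (each child trusts its forest root, and the two roots share a forest trust) and the sample stanza are assumptions built for the example, written in the order MIT krb5 documents for intermediate realms. The trace's last TGS request, krbtgt/BEE.SOTELCO.LOCAL(DOG)VDOMAIN.RU, is the hop the check flags as having no trust behind it under that topology:

```python
"""Resolve and validate Kerberos cross-realm paths from a [capaths] stanza.

Constructed example: realm names mirror the thread; the trust topology and
the sample stanza below are assumptions, not data from the page.
"""
from collections import deque

# Constructed trust topology: each pair is a bidirectional trust edge
# (parent/child trusts inside each forest, plus one forest trust between roots).
TRUSTS = {
    frozenset({"BEE.VDOMAIN.RU", "VDOMAIN.RU"}),
    frozenset({"BEE.SOTELCO.LOCAL", "SOTELCO.LOCAL"}),
    frozenset({"VDOMAIN.RU", "SOTELCO.LOCAL"}),
}

# Constructed [capaths] stanza in MIT krb5 format: intermediates are listed
# in the order they are traversed from the client realm toward the server.
SAMPLE_CAPATHS = """
[capaths]
BEE.VDOMAIN.RU = {
    VDOMAIN.RU = .
    BEE.SOTELCO.LOCAL = VDOMAIN.RU
    BEE.SOTELCO.LOCAL = SOTELCO.LOCAL
}
"""


def parse_capaths(text):
    """Return {client_realm: {server_realm: [intermediate realms]}}.

    A value of "." means a direct trust; a key repeated inside one client
    block accumulates its values in order, which is how a multi-hop path
    is written.
    """
    paths = {}
    client = None
    in_section = False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        if line.startswith("["):
            in_section = line.lower() == "[capaths]"
            continue
        if not in_section:
            continue
        if line.endswith("{"):                 # start of a client-realm block
            client = line.split("=", 1)[0].strip()
            paths.setdefault(client, {})
        elif line == "}":                      # end of the block
            client = None
        elif client and "=" in line:
            server, hop = (s.strip() for s in line.split("=", 1))
            hops = paths[client].setdefault(server, [])
            if hop != ".":
                hops.append(hop)
    return paths


def trusted(a, b):
    """True if the assumed topology has a trust between realms a and b."""
    return frozenset({a, b}) in TRUSTS


def tgt_chain(client, server, intermediates):
    """Cross-realm TGTs the client must obtain, one per hop."""
    realms = [client] + list(intermediates) + [server]
    return [f"krbtgt/{nxt}@{cur}" for cur, nxt in zip(realms, realms[1:])]


def check_path(client, server, intermediates):
    """Pair each hop with whether a trust exists for it; a False hop is the
    request a KDC cannot answer with a TGT (the 'no service creds' case)."""
    realms = [client] + list(intermediates) + [server]
    return [(f"krbtgt/{nxt}@{cur}", trusted(cur, nxt))
            for cur, nxt in zip(realms, realms[1:])]


def shortest_path(client, server):
    """BFS over the trust graph; returns the intermediate realms, or None."""
    prev = {client: None}
    queue = deque([client])
    while queue:
        cur = queue.popleft()
        if cur == server:
            path = []
            while cur is not None:
                path.append(cur)
                cur = prev[cur]
            return path[::-1][1:-1]
        for edge in TRUSTS:
            if cur in edge:
                (nxt,) = edge - {cur}
                if nxt not in prev:
                    prev[nxt] = cur
                    queue.append(nxt)
    return None


if __name__ == "__main__":
    client, server = "BEE.VDOMAIN.RU", "BEE.SOTELCO.LOCAL"
    configured = parse_capaths(SAMPLE_CAPATHS)[client][server]
    print("configured path:", tgt_chain(client, server, configured))
    print("computed path  :", tgt_chain(client, server, shortest_path(client, server)))
    # A stanza that names only the client's own root as intermediate leads
    # to the hop seen failing in the trace above.
    for hop, ok in check_path(client, server, ["VDOMAIN.RU"]):
        print(hop, "ok" if ok else "no trust between these realms")
```

The useful habit this encodes: before touching krb5.ini, write down the trust edges and compare the TGT chain the stanza implies against them, hop by hop. The posted solution lists the intermediates in both orders; this example sticks to the MIT-documented order and leaves the resolver's own ordering rules out of scope.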