on 02-27-2012 5:56 PM
Hello -
I thought I had AD authentication with Kerberos working - a couple of months ago - got busy - tried to log on now and get this error: "Account not recognized...(FWM 0000006)". I have debug = true in bcslogon.conf:
com.businessobjects.security.jgss.initiate {
com.sun.security.auth.module.Krb5LoginModule required debug=true;
};
So I looked in the \tomcat\log file folder -- stdout -- and see a timeout error:
Acquire TGT using AS Exchange
[Krb5LoginModule] authentication failed
Receive timed out
Debug is true storeKey false useTicketCache false useKeyTab false doNotPrompt false ticketCache is null isInitiator true KeyTab is null refreshKrb5Config is false principal is null tryFirstPass is false useFirstPass is false storePass is false clearPass is false
[Krb5LoginModule] user entered username: mylogon-at-mydomain.edu
Acquire TGT using AS Exchange
[Krb5LoginModule] authentication failed
Receive timed out
-
HERE IS THE krb5.ini file:
[libdefaults]
default_realm = MYDOMAIN.EDU
dns_lookup_kdc = true
dns_lookup_realm = true
upd_preference_limit = 1
default_tgs_enctypes = rc4-hmac
default_tkt_enctypes = rc4-hmac
[realms]
MYDOMAIN.EDU = {
kdc = AZD1.MYDOMAIN.EDU
kdc = AZD2.MYDOMAIN.EDU
default_domain=MYDOMAIN.EDU
}
-
Please help - ?
Hi,
There is an incorrect parameter in your krb5.ini. It should be:
udp_preference_limit = 1
You should check the server contacted in the previous lines of the stdout.log file and check the connectivity from the BOE server. It could be a temporary network problem or the AD controller is not responding.
Regards,
Julian
Thank you for the response - that is consistent with what the problem turned out to be.
After scratching my head for several hours, I tried to ping the domain controller and did not get a response.
At that point I emailed the administrator and was told they had upgraded the DCs a few weeks ago and now had new names!
When I had brought a new group into the AD Authentication in the CMC - it worked a-ok, but the logon used the DC name so it timed out.
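Both problems in this thread (the misspelled `udp_preference_limit` key and the `kdc` entries pointing at renamed domain controllers) can be caught by a small pre-flight check of krb5.ini. The following is an added example, not code from the thread or from SAP: the `KNOWN` key list is a partial, assumed list, the sample is an abridged copy of the posted file, and the check tests name resolution only, not whether the KDC answers on port 88.

```python
import difflib
import socket

# Constructed sample: abridged copy of the krb5.ini posted in the question, typo included.
SAMPLE = """[libdefaults]
default_realm = MYDOMAIN.EDU
upd_preference_limit = 1
default_tkt_enctypes = rc4-hmac
[realms]
MYDOMAIN.EDU = {
kdc = AZD1.MYDOMAIN.EDU
kdc = AZD2.MYDOMAIN.EDU
}
"""

# Assumption: a partial list of [libdefaults] keys; extend it for your setup.
KNOWN = {"default_realm", "dns_lookup_kdc", "dns_lookup_realm",
         "udp_preference_limit", "default_tgs_enctypes",
         "default_tkt_enctypes", "permitted_enctypes", "kdc_timeout"}

def parse(text):
    """Return ([libdefaults] keys, kdc hosts from [realms])."""
    section, keys, kdcs = None, [], []
    for line in map(str.strip, text.splitlines()):
        if not line or line[0] in "#;}":
            continue
        if line.startswith("["):
            section = line.strip("[]").lower()
        elif "=" in line:
            key, value = (p.strip() for p in line.split("=", 1))
            if section == "libdefaults":
                keys.append(key)
            elif section == "realms" and key == "kdc":
                kdcs.append(value.split(":")[0])  # drop optional :port
    return keys, kdcs

def lint(text, resolve=socket.getaddrinfo):
    """Flag unrecognized keys and KDC names that no longer resolve."""
    keys, kdcs = parse(text)
    findings = []
    for key in keys:
        if key not in KNOWN:
            hint = difflib.get_close_matches(key, KNOWN, n=1)
            findings.append(("unknown-key", key, hint[0] if hint else None))
    for host in kdcs:
        try:
            resolve(host, 88)  # 88 = Kerberos port
        except OSError:  # socket.gaierror is a subclass
            findings.append(("kdc-unresolvable", host, None))
    return findings
```

Run `lint()` on the file's contents from the BOE server so the host's own resolver is used; the `resolve` parameter exists so the check can be exercised offline.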