on 05-14-2012 3:24 PM
Hi everyone,
I'm setting up an SSO on BusinessObjects XI 3.1 SP5 and, after reading some guides like KB "1483762 - Configuring Manual Kerberos Authentication and/or SSO in Distributed Environments with XI 3.1 SP3 ***Best Practice***", I can't retrieve my mapped AD groups in CMC > Authentication > Windows AD.
I followed the guide, and this is what I've done so far (reproducing it step by step):
- Create an AD user (no password expiry, can't change logon) which is "bossosvcacct"
- use "setspn" on my BusinessObjects server which is in my domain MYDOMAIN.COM
For the CMS
setspn -A BOCMS/bossosvcacct.mydomain.com bossosvcacct
For TOMCAT (Tomcat 5.5.33)
setspn -A HTTP/BOSERVERNAME.mydomain.com bossosvcacct
setspn -A HTTP/BOSERVERNAME bossosvcacct
setspn -A HTTP/100.100.100.100
- Choose "Trust this user....(Kerberos only)" for delegation for bossosvcacct
- In the CMC, I've enabled "Windows AD"
- AD Administration Name : MYDOMAIN\bossosvcacct
- Default AD Domain : MYDOMAIN.COM
- I chose "Use Kerberos authentication" with the service principal name "BOCMS/bossosvcacct.mydomain.com"
And after this configuration, which follows the best practices, I can't map my AD groups; it seems that it doesn't work.
If you need more information to resolve this issue, no problem.
Best Regards,
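The SPN list in the post above is the first thing worth checking before touching the CMC, since a missing or wrongly formed SPN on the service account shows up later only as a vague "can't map groups" or a silent fallback to NTLM. The following added example (not from the thread, not SAP's code) parses the text that "setspn -L <account>" prints and checks it against the host name, DNS domain and CMS SPN that were entered in the CMC; the sample output, the host name BOSERVERNAME and the domain mydomain.com are constructed from the values in the post.

```python
# Added example: sanity-check the SPNs registered on a BusinessObjects
# service account. Input is the text printed by "setspn -L <account>".
import re

# Constructed sample of what "setspn -L bossosvcacct" might print; the OU in
# the distinguished name is a placeholder.
SETSPN_OUTPUT = """\
Registered ServicePrincipalNames for CN=bossosvcacct,OU=PLACEHOLDER,DC=mydomain,DC=com:
        HTTP/BOSERVERNAME.mydomain.com
        HTTP/BOSERVERNAME
        BOCMS/bossosvcacct.mydomain.com
"""

IPV4 = re.compile(r"\d{1,3}(\.\d{1,3}){3}")


def parse_setspn_output(text):
    """Return the SPNs listed by 'setspn -L' as a list, in the order printed."""
    spns = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("Registered ServicePrincipalNames"):
            continue
        spns.append(line)
    return spns


def check_spns(spns, host, domain, cms_spn):
    """Report problems with the SPN set for one service account.

    host    -- NetBIOS name of the Tomcat server (e.g. BOSERVERNAME)
    domain  -- DNS domain the server belongs to (e.g. mydomain.com)
    cms_spn -- the value typed as the CMS service principal name in the CMC
    Returns a list of findings; an empty list means the set looks complete.
    """
    findings = []
    lower = {s.lower() for s in spns}
    fqdn_spn = f"HTTP/{host}.{domain}".lower()
    short_spn = f"HTTP/{host}".lower()
    if fqdn_spn not in lower:
        findings.append(f"missing {fqdn_spn} (browsers build the SPN from the FQDN in the URL)")
    if short_spn not in lower:
        findings.append(f"missing {short_spn} (URLs using the short host name will get no ticket)")
    if cms_spn.lower() not in lower:
        findings.append(f"CMS SPN {cms_spn} entered in the CMC is not registered on this account")
    seen = set()
    for s in spns:
        _service, _, instance = s.partition("/")
        # An SPN whose instance is an IP literal is normally never requested,
        # because browsers derive the SPN from the host name, not the address.
        if IPV4.fullmatch(instance.split(":")[0]):
            findings.append(f"{s} names an IP address; browsers will not request it")
        # The same SPN on two accounts breaks Kerberos; "setspn -X" finds that
        # domain-wide, this only catches repeats within one account's list.
        if s.lower() in seen:
            findings.append(f"duplicate entry {s}")
        seen.add(s.lower())
    return findings


if __name__ == "__main__":
    spns = parse_setspn_output(SETSPN_OUTPUT)
    for f in check_spns(spns, "BOSERVERNAME", "mydomain.com", "BOCMS/bossosvcacct.mydomain.com"):
        print("FINDING:", f)
```

Run it against the real "setspn -L" output of the service account; comparisons are case-insensitive because AD matches SPNs that way. Duplicate SPNs across accounts, the other classic cause of Kerberos failures, are outside what one account's list can show, so keep "setspn -X" in the checklist as well.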
Are you dealing with multiple domains? This portion is pretty straightforward. After enabling the account, does the plugin show as enabled (if you leave and come back, is the username/pw/domain still showing)?
Possibly you are entering the group names wrong. Are these AD security groups (not distribution lists)? Are you entering the group samaccountname? How about domain\group (needed for a non-default domain, but shouldn't be needed if the groups are in the default)?
One other test is to try domain users (default group in every domain)
Regards,
Tim
Hi Tim,
I'm not dealing with multiple domains, just one, "LOGI.FR".
The Windows AD plugin is indeed enabled, because when I close the window and re-open it, the parameters are still there: "LOGI\bossosvcacct" and "LOGI.FR".
The service used just below is "BOCMS/bossosvcacct.logi.fr". When I update this configuration there's no error, but when I try to map an AD group I get an error like "unreachable groups".
I tried to enter the group like this, "LOGI\Users" and "CN=Users, OU=PROD, DC=LOGI, DC=FR", and still get the error.
I can't see what's wrong. I added the AD service account bossosvcacct to the Admin group to get all rights, and my SPNs are shown correctly when I run the command line "setspn -l bossosvcacct".
I'll try all the workarounds tomorrow... If you think of something, I can give you more details.
Regards
This group should be mapped in as domain users.
Never tried the DN, but technically that should work as well.
The only reason this has ever failed is if AD has some super extra restrictive security policy on the account you have mapped in, so that read/query permissions have been blocked.
If you can log in, open AD Users and Computers (from a 2003 server: Start > Run > dsa.msc, logged in as that user) and try to view the groups you want to map in.
Regards,
Tim
OK, thanks Tim for the advice. I discovered my terrible mistake: I was trying to map an Active Directory "OU" instead of a group of users... I'm not really proud of this!
It works like a charm and I'm now able to log in to InfoView and the CMC, and from the client tools, with manual authentication using secWinAD.
But the single sign-on connection itself (the last step) is not working. It occurs when I modify the server.xml in the Tomcat directory (that part works fine, no problem), but mainly when I try to modify the web.xml of InfoViewApp.
Set "authentication.default" to "secWinAD"
Set "siteminder.enabled" to "false"
Set "vintela.enabled" to "true"
Uncomment filter "authFilter" with new entries "idm.realm" to "MYDOMAIN.COM" in all caps and "idm.princ" to "bossosvcacct".
Uncomment filter mapping "authFilter"
Should I comment out (<!-- -->) the "idm.logger.name" entry in the filter section? Because when I save the web.xml after these changes, I get a 404 error when I try to log in to InfoView.
All the tests are done with kinit and the std.out logs.
I successfully sent requests to the domain controller and there's no error in the log files...
Do you have any idea or suggestions about these changes in web.xml?
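The five web.xml edits listed above are easy to get subtly wrong (a filter left inside a comment, a lowercase realm, a mapping that was never uncommented), and Tomcat reports the result only as a 404 on the logon page. The following added example (not from the thread and not SAP's code) parses an InfoViewApp-style web.xml and checks those edits before Tomcat is restarted. The web.xml fragment is constructed from the values in the post; the filter-class value is a placeholder, not the class name XI 3.1 actually ships, and the url-pattern is assumed.

```python
# Added example: verify the SSO edits to web.xml described in the post.
import xml.etree.ElementTree as ET

# Constructed fragment mirroring the edits in the post. PLACEHOLDER.AuthFilter
# stands in for the real filter class; the url-pattern is an assumption.
WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app>
  <context-param><param-name>authentication.default</param-name><param-value>secWinAD</param-value></context-param>
  <context-param><param-name>siteminder.enabled</param-name><param-value>false</param-value></context-param>
  <context-param><param-name>vintela.enabled</param-name><param-value>true</param-value></context-param>
  <filter>
    <filter-name>authFilter</filter-name>
    <filter-class>PLACEHOLDER.AuthFilter</filter-class>
    <init-param><param-name>idm.realm</param-name><param-value>MYDOMAIN.COM</param-value></init-param>
    <init-param><param-name>idm.princ</param-name><param-value>bossosvcacct</param-value></init-param>
    <init-param><param-name>idm.logger.name</param-name><param-value>simple</param-value></init-param>
  </filter>
  <filter-mapping>
    <filter-name>authFilter</filter-name>
    <url-pattern>/logon/logon.do</url-pattern>
  </filter-mapping>
</web-app>
"""

EXPECTED_CONTEXT = {
    "authentication.default": "secWinAD",
    "siteminder.enabled": "false",
    "vintela.enabled": "true",
}


def _local(tag):
    """Strip an XML namespace, so the check works with or without one."""
    return tag.rsplit("}", 1)[-1]


def _text(el, child):
    for c in el:
        if _local(c.tag) == child:
            return (c.text or "").strip()
    return None


def _params(parent, wrapper):
    """Collect <wrapper><param-name/><param-value/></wrapper> pairs under parent."""
    return {_text(el, "param-name"): _text(el, "param-value")
            for el in parent if _local(el.tag) == wrapper and _text(el, "param-name")}


def check_web_xml(xml_text, expected_realm, expected_princ):
    """Return findings for the SSO edits; an empty list means they look consistent.

    Anything left inside <!-- --> is invisible to the parser, so a filter or
    filter-mapping that was never uncommented is reported as missing.
    """
    root = ET.fromstring(xml_text)
    findings = []
    ctx = _params(root, "context-param")
    for key, want in EXPECTED_CONTEXT.items():
        if ctx.get(key) != want:
            findings.append(f"context-param {key} should be {want!r}, found {ctx.get(key)!r}")

    filters = [f for f in root if _local(f.tag) == "filter" and _text(f, "filter-name") == "authFilter"]
    if not filters:
        findings.append("filter authFilter is not defined (still commented out?)")
    else:
        init = _params(filters[0], "init-param")
        realm, princ = init.get("idm.realm"), init.get("idm.princ")
        if realm is None:
            findings.append("idm.realm is missing from authFilter")
        elif realm != realm.upper():
            findings.append(f"idm.realm must be the Kerberos realm in upper case, found {realm!r}")
        elif realm != expected_realm:
            findings.append(f"idm.realm {realm!r} differs from the default AD domain {expected_realm!r}")
        if not princ:
            findings.append("idm.princ is missing from authFilter")
        elif princ != expected_princ:
            findings.append(f"idm.princ {princ!r} is not the service account {expected_princ!r}")

    mappings = [m for m in root if _local(m.tag) == "filter-mapping" and _text(m, "filter-name") == "authFilter"]
    if not mappings:
        findings.append("filter-mapping for authFilter is missing (still commented out?)")
    return findings


if __name__ == "__main__":
    for f in check_web_xml(WEB_XML, "MYDOMAIN.COM", "bossosvcacct"):
        print("FINDING:", f)
```

Point it at the real file with `check_web_xml(open(path).read(), realm, account)`. The realm is compared with the Default AD Domain typed into the CMC, which is why the post's advice to keep idm.realm in capitals matters: the Kerberos realm is case-sensitive even though the DNS domain is not.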
404 means there is an issue with the auth filter, you don't need to enable anything else.
First, when you take the value of idm.princ@IDM.REALM and kinit it, that should fail as well if you are getting a 404; or else maybe it's something simple like no keytab or password option being specified. The -Djcsi.kerberos.debug tracing should show the problem.
Regards,
Tim
I ran the kinit command line tool with this setting:
kinit bossosvcacct (and I put my password)
When I use klist I get this:
D:\BusinessObjects\javasdk\bin>klist
Credentials cache: C:\Users\SAP\krb5cc_SAP
Default principal: bossosvcacct@MYDOMAIN.COM, 1 entry found.
[1] Service Principal: krbtgt/MYDOMAIN.COM@MYDOMAIN.COM
Valid starting: May 15, 2012 15:49
Expires: May 16, 2012 01:49
See the attachments for the std.out to analyze the traces. This log file was created after all the changes in web.xml and server.xml, as defined in your best practices, and it's in this configuration that I get the 404 HTTP error page.
I look forward to your analysis.
Regards,
Thanks for taking the time.
I don't know, Tim, why there's no Tomcat.log; it's a standard installation of BO XI 3.1 with the integrated Tomcat 5.5.33, and the funniest thing is that everything works with manual login (secWinAD), and it seems that my service account is sending and receiving requests from the domain controller without error.
Not showing up in the err either. The manual logon is required to get SSO to work, but they work off different processes: you can have manual and not SSO, and in some cases SSO but not manual (Tomcat). The tomcat.log will show errors when the credentials obtained don't show in the std.out, which they don't. Normally, if you can kinit, it would show, but it isn't in your case; possibly the Java option for the password is wrong. It's weird that Tomcat doesn't have that log. I have not needed it lately and I'm wondering if some update removed it?
Regards,
Tim
Do I have to create a keytab in SP5 ?
When the manual AD connection is working, do I just have to change server.xml and web.xml, or do I have to do more than that?
I still don't have any tomcat.log, and there's no update on the target server; it's a standard configuration with no altered folder or other actions on the Tomcat folder.
I've done a lot of tests with every possible configuration; it still doesn't work. I'm going on with other tests.
The problem is in your web.xml; server.xml isn't used until SSO. You have to resolve the 404. The error is normally stored in the tomcat.log, which you do not have, so we have to guess at what you could have done wrong (404 means the vintela filter can't load with the current values and has nothing to do with SSO working). The idm.princ@IDM.REALM doesn't seem to be the issue, so the next most common thing would be the password (Java options) being wrong or missing. You can avoid putting in the password if you use a keytab (how to create one is shown at the end of the doc you have). To note: until the 404 is resolved we haven't even begun to troubleshoot SSO. We are only troubleshooting your web.xml, which isn't working.
Regards,
Tim
OK Tim, it works!
The last problem was the keytab and the parameters in the Java options of the Tomcat configuration.
Now it works like a charm and SSO is OK. I've deleted the password option in the Tomcat configuration and I've run KTPASS with all the options in order to generate a correct keytab file.
Thanks for your advice and your time, it was really helpful!
Best regards,
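The resolution above (drop the password from the Java options, hand Tomcat a keytab produced by ktpass) trades one failure mode for another: a keytab that holds the wrong principal, or a key version number (kvno) that no longer matches the account in AD, fails just as silently. The following added example (not from the thread and not SAP's code) writes and reads the MIT v2 keytab format, which is what ktpass /out produces, so the principal, kvno and encryption type of a keytab can be checked before it is deployed. The sample keytab is constructed in memory with dummy key bytes; the principal names are taken from the post, and the expected kvno is an assumed value.

```python
# Added example: inspect a Kerberos keytab (MIT v2 layout) offline.
import struct

KRB5_NT_PRINCIPAL = 1  # name type written by ktpass /ptype KRB5_NT_PRINCIPAL
ENCTYPE_NAMES = {3: "des-cbc-md5", 17: "aes128-cts", 18: "aes256-cts", 23: "rc4-hmac"}


def _counted(b):
    """uint16 big-endian length prefix followed by the bytes."""
    return struct.pack(">H", len(b)) + b


def _take(data, pos):
    (n,) = struct.unpack_from(">H", data, pos)
    pos += 2
    return data[pos:pos + n], pos + n


def write_keytab(entries):
    """Build a v2 keytab from (principal, kvno, enctype, key_bytes, timestamp) tuples.

    Used here only to construct a sample; key bytes are whatever the caller passes.
    """
    out = bytearray(b"\x05\x02")  # keytab format version 2
    for principal, kvno, enctype, key, ts in entries:
        name, realm = principal.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps)) + _counted(realm.encode())  # v2: count excludes realm
        for c in comps:
            body += _counted(c.encode())
        body += struct.pack(">IIB", KRB5_NT_PRINCIPAL, ts, kvno & 0xFF)  # name type, time, 8-bit kvno
        body += struct.pack(">H", enctype) + _counted(key)               # keyblock
        body += struct.pack(">I", kvno)                                  # 32-bit kvno extension
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def read_keytab(data):
    """Return a list of dicts (principal, kvno, enctype, keylen), one per entry."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 2 keytab")
    pos, entries = 2, []
    while pos < len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:            # negative size marks a deleted slot
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        pos += 2
        realm, pos = _take(data, pos)
        comps = []
        for _ in range(ncomp):
            c, pos = _take(data, pos)
            comps.append(c.decode())
        _name_type, _ts, vno8 = struct.unpack_from(">IIB", data, pos)
        pos += 9
        (enctype,) = struct.unpack_from(">H", data, pos)
        pos += 2
        key, pos = _take(data, pos)
        kvno = vno8
        if end - pos >= 4:      # the 32-bit kvno is present when room is left in the entry
            (kvno,) = struct.unpack_from(">I", data, pos)
        pos = end
        entries.append({"principal": "/".join(comps) + "@" + realm.decode(), "kvno": kvno,
                        "enctype": ENCTYPE_NAMES.get(enctype, str(enctype)), "keylen": len(key)})
    return entries


def check_keytab(entries, principal, expected_kvno=None):
    """Findings for one expected principal; empty list means the keytab looks usable.

    expected_kvno is the account's msDS-KeyVersionNumber from AD; every password
    reset bumps it, and a stale keytab then fails with a kvno mismatch.
    """
    matches = [e for e in entries if e["principal"].lower() == principal.lower()]
    if not matches:
        return [f"{principal} is not in the keytab; tickets for it cannot be accepted"]
    findings = []
    for e in matches:
        if expected_kvno is not None and e["kvno"] != expected_kvno:
            findings.append(f"{principal} kvno {e['kvno']} != AD kvno {expected_kvno}; re-run ktpass")
        if e["enctype"] == "des-cbc-md5":
            findings.append(f"{principal} only has a DES key; modern domains disable DES by default")
    return findings


# Constructed sample: one rc4-hmac entry for the account principal from the post,
# with a dummy 16-byte key and an assumed kvno of 3.
SAMPLE_KEYTAB = write_keytab([("bossosvcacct@MYDOMAIN.COM", 3, 23, b"\x11" * 16, 1337000000)])

if __name__ == "__main__":
    for e in read_keytab(SAMPLE_KEYTAB):
        print(e)
    print(check_keytab(read_keytab(SAMPLE_KEYTAB), "bossosvcacct@MYDOMAIN.COM", expected_kvno=3))
```

For a real file, `read_keytab(open(path, "rb").read())` lists the same principal, kvno and enctype that `klist -k` would show, which is enough to confirm that the principal matches idm.princ@IDM.REALM and that the kvno still matches the account after any password reset.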