
SSO with BOXI 3.1 SP5

wmarcy
Contributor

Hi everyone,

I'm setting up SSO on BusinessObjects XI 3.1 SP5, and after reading some guides like KB "1483762 - Configuring Manual Kerberos Authentication and/or SSO in Distributed Environments with XI 3.1 SP3 ***Best Practice***", I can't retrieve my mapped AD groups in CMC > Authentication > Windows AD.

I followed the guide, and this is what I've done so far (reproducing it step by step):

- Create an AD user (password never expires, user cannot change password), which is "bossosvcacct"

- use "setspn" on my BusinessObjects server which is in my domain MYDOMAIN.COM

For the CMS

setspn -A BOCMS/bossosvcacct.mydomain.com bossosvcacct

For TOMCAT (Tomcat 5.5.33)

setspn -A HTTP/BOSERVERNAME.mydomain.com bossosvcacct

setspn -A HTTP/BOSERVERNAME bossosvcacct

setspn -A HTTP/100.100.100.100 bossosvcacct

- Choose "Trust this user....(Kerberos only)" for delegation for bossosvcacct

- In the CMC, I've enabled "Windows AD"

- AD Administration Name: MYDOMAIN\bossosvcacct

- Default AD Domain: MYDOMAIN.COM

- I chose "Use Kerberos authentication" with the service principal name "BOCMS/bossosvcacct.mydomain.com"

And after this configuration similar to the best practices, I can't map my AD groups and it seems that it doesn't work.

If you want more information to resolve this issue, no problem.

Best Regards,


Accepted Solutions (1)


BasicTek
Advisor

Are you dealing with multiple domains? This portion is pretty straightforward. After enabling the account, does the plugin show as enabled (if you leave and come back, is the username/pw/domain still showing)?

Possibly you are entering the group names wrong. Are these AD security groups (not distribution lists)? Are you entering the group sAMAccountName? How about domain\group (needed for a non-default domain, but shouldn't be needed if the groups are in the default)?

One other test is to try domain users (default group in every domain)

Regards,

Tim

wmarcy
Contributor

Hi Tim,

I'm not dealing with multiple domains, just one "LOGI.FR"

The Windows AD plugin is indeed enabled, because when I close the window and re-open it, the parameters are still there: "LOGI\bossosvcacct" and "LOGI.FR".

The service used just below is "BOCMS/bossosvcacct.logi.fr". When I update this configuration there's no error, but when I try to map an AD group I get an error like unreachable groups.

I tried to enter the group like this: "LOGI\Users" and "CN=Users, OU=PROD, DC=LOGI, DC=FR", and I still get the error.

I can't see what's wrong. I added the AD service account bossosvcacct to the Admin group to get all rights, and my SPNs are shown correctly when I run the command line "setspn -l bossosvcacct".

I'll try all the workarounds tomorrow... If you think of something, I can give you more details....

Regards

BasicTek
Advisor

This group should be mapped in as domain users.

Never tried the DN, but technically that should work as well.

The only reason this has ever failed is if AD has some super extra restrictive security policy on the account you have mapped in, so that read/query permissions have been blocked.

If you can log in to domains and computers (from a 2003 server: start > run > dsa.msc, logged in as that user) and try to view the groups you want to map in.

Regards,

Tim

wmarcy
Contributor

I'll try to connect in dsa.msc with this specific user, but my user is an administrator of the current domain.

Maybe there are some restrictive rules which block queries on AD. Furthermore, it's an AD 2008.

Could this newer version of Active Directory cause issues?

BasicTek
Advisor

2008 is fine but the dsa.msc is not installed by default you have to add RSAT and reboot.

wmarcy
Contributor

Ok, thanks Tim for the advice. I discovered my terrible mistake: I was trying to map an "OU" of Active Directory instead of a group of users... I'm not really proud of this!

It works like a charm, and I'm now able to log in to InfoView and the CMC, and from the client tools, with manual authentication with secWinAD.

But the single sign-on itself (the last step) is not working. It occurs when I modify the server.xml in the Tomcat directory (works fine, no problem) but mainly when I try to modify the web.xml of InfoViewApp.

Set "authentication.default" to "secWinAD"

Set "siteminder.enabled" to "false"

Set "vintela.enabled" to "true"

Uncomment filter "authFilter" with new entries "idm.realm" to "MYDOMAIN.COM" in all caps and "idm.princ" to "bossosvcacct".

Uncomment filter mapping "authFilter"

Should I comment out (<!-- -->) the "idm.logger.name" section inside the filter section? Because when I save the web.xml after these changes, I get a 404 error when I try to log in to InfoView.

All the tests are done with kinit and the std.out logs.

I successfully send requests to the domain controller and there's no error in the log files...

Do you have any idea or suggestions about these changes in web.xml?
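As an added example (not code from the post or from SAP's own files), the following Python reads an InfoViewApp web.xml and lists which of the settings described above do not match; the sample web.xml is constructed, and it assumes idm.realm and idm.princ are init-params of the authFilter as the post describes.

```python
import xml.etree.ElementTree as ET

# Values the thread lists for InfoViewApp's web.xml (the realm must be all caps).
EXPECTED_PARAMS = {"authentication.default": "secWinAD",
                   "siteminder.enabled": "false", "vintela.enabled": "true"}
EXPECTED_FILTER = {"idm.realm": "MYDOMAIN.COM", "idm.princ": "bossosvcacct"}

# Constructed sample (not a real SAP file): realm left lowercase and the
# filter-mapping still inside an XML comment, so the filter never runs.
SAMPLE_WEB_XML = """<web-app>
  <context-param><param-name>authentication.default</param-name><param-value>secWinAD</param-value></context-param>
  <context-param><param-name>siteminder.enabled</param-name><param-value>false</param-value></context-param>
  <context-param><param-name>vintela.enabled</param-name><param-value>true</param-value></context-param>
  <filter><filter-name>authFilter</filter-name>
    <init-param><param-name>idm.realm</param-name><param-value>mydomain.com</param-value></init-param>
    <init-param><param-name>idm.princ</param-name><param-value>bossosvcacct</param-value></init-param>
  </filter>
  <!-- <filter-mapping><filter-name>authFilter</filter-name><url-pattern>/*</url-pattern></filter-mapping> -->
</web-app>"""

def _params(parent, tag):
    """Map <param-name> to <param-value> for every <tag> child of parent."""
    return {p.findtext("param-name", "").strip(): p.findtext("param-value", "").strip()
            for p in parent.findall(tag)}

def check_web_xml(xml_text):
    """Return mismatches against the thread's settings; [] means the file is OK.
    ElementTree drops XML comments, so anything still inside <!-- --> is
    reported as missing, which is also how Tomcat sees it."""
    root = ET.fromstring(xml_text)
    problems = []
    ctx = _params(root, "context-param")
    for key, want in EXPECTED_PARAMS.items():
        if ctx.get(key) != want:
            problems.append(f"{key} is {ctx.get(key)!r}, expected {want!r}")
    auth = [f for f in root.findall("filter")
            if f.findtext("filter-name", "").strip() == "authFilter"]
    if not auth:
        problems.append("authFilter <filter> is missing or still commented out")
    else:
        init = _params(auth[0], "init-param")
        for key, want in EXPECTED_FILTER.items():
            if init.get(key) != want:
                problems.append(f"{key} is {init.get(key)!r}, expected {want!r}")
    if not any(m.findtext("filter-name", "").strip() == "authFilter"
               for m in root.findall("filter-mapping")):
        problems.append("authFilter <filter-mapping> is missing or commented out")
    return problems
```

Run it against the real web.xml with `check_web_xml(open(path).read())`; an empty list means the values match the thread, and a lowercase realm or a still-commented filter shows up as a named problem.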

BasicTek
Advisor

404 means there is an issue with the auth filter, you don't need to enable anything else.

First, when you take the value of idm.princ@IDM.REALM and kinit it, that should fail as well if you are getting a 404; or else maybe it's something simple like no keytab or password option being specified. The -Djcsi.kerberos.debug tracing should show the problem.

Regards,

Tim

wmarcy
Contributor

I ran the kinit command line tool with this setting:

kinit bossosvcacct (and I entered my password)

When I use klist I get that :

D:\BusinessObjects\javasdk\bin>klist

Credentials cache: C:\Users\SAP\krb5cc_SAP

Default principal: bossosvcacct@MYDOMAIN.COM, 1 entry found.

[1]  Service Principal:  krbtgt/MYDOMAIN.COM@MYDOMAIN.COM

     Valid starting:  May 15,  2012 15:49

     Expires:         May 16,  2012 01:49

See the attachments for the std.out to analyze the traces. This log file was created after all the changes in web.xml and server.xml as defined in your best practices, and it's in this configuration that I get the 404 HTTP error page.

I look forward to your analysis.

Regards,

Thanks for taking time.

BasicTek
Advisor

Check the tomcat.log. It still looks like a password or keytab issue, as there are no entries for credentials obtained (which there should be if the account can kinit).

Regards,

Tim

wmarcy
Contributor

See attachment with log file

BasicTek
Advisor

There should be a file called tomcat.log with the error message. Is this Tomcat 5.5, or another version?

wmarcy
Contributor

version of Tomcat : 5.5.33

version of BO : XI 3.1 SP5

I can't find this file: tomcat.log doesn't exist. I only have std.out, stderr.log and commons-daemon.2012-05-15.log.

wmarcy
Contributor

Ok, maybe I have to create a keytab, store it in C:\WINNT and also put this new parameter in the web.xml file.

I don't know, I'll try everything, the success is almost here, may the force be with me (and you).

BasicTek
Advisor

The errors are always in the tomcat.log for 5.5. We can check the std.err, but I'm not sure why that log is missing.

Regards,

Tim

wmarcy
Contributor

see attachment

wmarcy
Contributor

I don't know, Tim, why there's no tomcat.log. It's a standard installation of BO XI 3.1 with the integrated Tomcat 5.5.33, and the funniest thing is that everything works in manual login (secWinAD), and it seems that my service account is sending and receiving requests from the domain controller without error.

BasicTek
Advisor

Not showing up in the err either. The manual logon is required to get SSO to work, but they work off different processes: you can have manual and not SSO, and in some cases SSO but not manual (Tomcat). The tomcat.log will show errors when "credentials obtained" doesn't show in the std.out, which it doesn't. Normally if you can kinit it would show, but it isn't in your case; possibly the Java option for the password is wrong. It's weird that Tomcat doesn't have that log. I have not needed it lately and I'm wondering if some update removed it?

Regards,

Tim

wmarcy
Contributor

Do I have to create a keytab in SP5 ?

When the manual AD connection is working, do I just have to change server.xml and web.xml, or do I have to do more than that?

I still don't have any tomcat.log, and there's no update on the target server; it's a standard configuration with no altered folders or other actions on the Tomcat folder.

I've done a lot of tests with many possible configurations, and it still doesn't work. I'm going on with other tests.

BasicTek
Advisor

The problem is in your web.xml; server.xml isn't used until SSO. You have to resolve the 404. The error is normally stored in the tomcat.log, which you do not have, so we have to guess at what you could have done wrong (a 404 means the Vintela filter can't load with the current values and has nothing to do with SSO working). The idm.princ@IDM.REALM doesn't seem to be the issue, so the next most common thing would be the password (Java options) being wrong or missing. You can avoid putting in the password if you use a keytab (the doc you have shows how to create one at the end). Note that until the 404 is resolved we haven't even begun to troubleshoot SSO; we are only troubleshooting your web.xml, which isn't working.

Regards,

Tim

wmarcy
Contributor

Ok Tim, it works!

The last problem was the keytab and the parameters in the Java options of the Tomcat configuration.

Now it works like a charm and SSO is OK. I've deleted the password option in the Tomcat configuration and I've run KTPASS with all the options in order to generate a correct keytab file.

Thanks for your advices and your time, it was really helpful !

Best regards,
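Before pointing Tomcat's Java options at the keytab, it is worth confirming that the file ktpass wrote really contains a key for idm.princ@idm.realm, with the realm in the same case as web.xml. The Python below is an added example (not code from the thread or from SAP): it parses the MIT v2 keytab format and looks for the principal; the sample keytab, its kvno and its key bytes are constructed here.

```python
import struct

def _cstr(b):
    """counted_octet_string: big-endian uint16 length, then the bytes."""
    return struct.pack(">H", len(b)) + b

def build_keytab(entries):
    """Write an MIT v2 keytab from (principal, realm, kvno, enctype, key) tuples; used only for the sample."""
    out = bytearray(b"\x05\x02")
    for princ, realm, kvno, etype, key in entries:
        comps = [c.encode() for c in princ.split("/")]
        body = struct.pack(">H", len(comps)) + _cstr(realm.encode())
        body += b"".join(_cstr(c) for c in comps)
        body += struct.pack(">IIB", 1, 0, kvno & 0xFF)   # NT-PRINCIPAL, timestamp, vno8
        body += struct.pack(">H", etype) + _cstr(key) + struct.pack(">I", kvno)
        out += struct.pack(">i", len(body)) + body
    return bytes(out)

def parse_keytab(data):
    """Return [{principal, realm, kvno, enctype}, ...] for a v2 keytab."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not an MIT v2 (0x0502) keytab")
    pos, entries = 2, []
    while pos < len(data):
        (size,) = struct.unpack_from(">i", data, pos); pos += 4
        if size <= 0:                        # negative = deleted slot, zero = malformed
            pos += -size if size else len(data); continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos); pos += 2
        strs = []
        for _ in range(ncomp + 1):           # realm first, then name components
            (n,) = struct.unpack_from(">H", data, pos); pos += 2
            strs.append(data[pos:pos + n].decode()); pos += n
        _ntype, _ts, vno8 = struct.unpack_from(">IIB", data, pos); pos += 9
        etype, klen = struct.unpack_from(">HH", data, pos); pos += 4 + klen
        kvno = vno8
        if end - pos >= 4:                   # optional 32-bit kvno overrides vno8
            kvno = struct.unpack_from(">I", data, pos)[0] or vno8
        entries.append({"principal": "/".join(strs[1:]), "realm": strs[0],
                        "kvno": kvno, "enctype": etype})
        pos = end
    return entries

def keytab_has(data, princ, realm):
    """True if a key for exactly princ@realm exists (realm case matters)."""
    return any(e["principal"] == princ and e["realm"] == realm
               for e in parse_keytab(data))

# Constructed sample: one RC4-HMAC (enctype 23) key for the service account.
SAMPLE_KEYTAB = build_keytab([("bossosvcacct", "MYDOMAIN.COM", 3, 23, b"\x11" * 16)])
```

For a real file, `keytab_has(open(path, "rb").read(), "bossosvcacct", "MYDOMAIN.COM")` is the check; if it is False, compare `parse_keytab` output with idm.princ and idm.realm before looking anywhere else for the 404.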
