
BO XI R2 WIN AD Authentication problem

Former Member
0 Kudos

Hi,

We are not able to implement WIN AD on BO xir2 installed on Win Server 2003.

The steps included in Win AD authentication on BO production server are successfully implemented where:

· SPN is responding successfully.
· AD group and users have been imported successfully.
· All BO services are running successfully using SPN logon.
· Kerberos is responding successfully.

Still, when an AD user tries to log in to Deski, it's not successful. It throws the error "Account information not recognized".

In the same environment on the BO UAT server we have successfully implemented AD, but the issue exists in Production. UAT and PRODUCTION have the same infrastructure. No firewall exists, and all ports are also open.

We also tried assigning admin rights to the user but are still not able to log in via an AD account. On the other hand, an Enterprise user can successfully log in. This happens with all BO tools like Infoview, Designer, Deski etc. We also applied a trace log on the CMS, which is as follows:

[Thu Apr 25 12:18:37 2013]        7872        9648        trace message: CObjectSS::GetObjectInternal: Object was found in cache. obj ID=274
[Thu Apr 25 12:18:38 2013]        7872        4092        trace message: CObjectSS::GetObjectInternal: Object was found in cache. obj ID=274

[Thu Apr 25 12:18:38 2013]        7872        4092        trace message: SECWINAD: InitPackage() calling GetStaticADImplPtr()

[Thu Apr 25 12:18:38 2013]        7872        4092        trace message: WINAD: GetStaticADImplPtr() allocate global object.

[Thu Apr 25 12:18:38 2013]        7872        4092        trace message: ssoplugin: SSOImpl::Initialize() -- Successfully initialized.  Refcount is now 1

[Thu Apr 25 12:18:38 2013]        7872        4092        trace message: WINAD: exit CErrorMgr::TerminateNoLock()

[Thu Apr 25 12:18:38 2013]        7872        4092        trace message: WINAD: CADImpl::SetParasSeq() -----------------------------------------------------------

[Thu Apr 25 12:18:38 2013]        7872        4092        trace message: WINAD: CADImpl::SetParamSeq() -----------------------------------------------------------

[Thu Apr 25 12:18:38 2013]        7872        4092        trace message: WINAD: CADImpl::ExtractParasFromParasSeq() -- SI_NAME = secWinAD

[Thu Apr 25 12:18:38 2013]        7872        4092        trace message: WINAD: CADImpl::ExtractParasFromParasSeq() -- SI_AVAIL = true

[Thu Apr 25 12:18:38 2013]        7872        4092        trace message: WINAD: CADImpl::ExtractParasFromParasSeq() -- SI_DEFAULT_DOMAIN = hbap.adroot.hsbc

[Thu Apr 25 12:18:38 2013]        7872        4092        trace message: WINAD: CADImpl::ExtractParasFromParasSeq() -- SI_MAPPED_GROUPS = S-1-5-21-3208199719-2002702367-2867066461-1214162

[Thu Apr 25 12:18:38 2013]        7872        4092        trace message: WINAD: CADImpl::ExtractParasFromParasSeq() -- SI_APS_ADMIN_DN = HBAP\43403722-850 (HBAP, 43403722-850)

[Thu Apr 25 12:18:38 2013]        7872        4092        trace message: WINAD: CADImpl::ExtractParasFromParasSeq() -- Admin password extracted, not traced.

[Thu Apr 25 12:18:38 2013]        7872        4092        trace message: WINAD: CADImpl::ExtractParasFromParasSeq() -- SI_SSO_ENABLED = 0

[Thu Apr 25 12:18:38 2013]        7872        4092        trace message: WINAD: CADImpl::ExtractParasFromParasSeq() -- SI_KERBEROS_ENABLED = true

[Thu Apr 25 12:18:38 2013]        7872        4092        trace message: WINAD: CADImpl::ExtractParasFromParasSeq() -- SI_CACHE_SECCONTEXT = 0

[Thu Apr 25 12:18:38 2013]        7872        4092        trace message: WINAD: CADImpl::ExtractParasFromParasSeq() -- SI_SERVER_SSPI_SPN = 43403722-850

[Thu Apr 25 12:18:38 2013]        7872        4092        trace message: WINAD: CADImpl::ExtractParasFromParasSeq() -- SSOProviderType = SSPI

[Thu Apr 25 12:18:39 2013]        7872        4092        trace message: WINAD: CAccountEntity::ValidateDomain() -- Binding to WinNT://hbap.adroot.hsbc,domain

[Thu Apr 25 12:18:39 2013]        7872        4092        trace message: WINAD: CADCredentialManager::ValidateSPN() -- Checking an SPN of 43403722-850

[Thu Apr 25 12:18:39 2013]        7872        4092        trace message: WINAD: CADCredentialManager::ValidateSPN() -- SPN 43403722-850 does not parse with DsCrackSpn(), might still be a user account.

[Thu Apr 25 12:18:39 2013]        7872        4092        trace message: WINAD: CAccountEntity::ConvertDomainToNTFormat() -- Looking up hbap.adroot.hsbc

[Thu Apr 25 12:18:39 2013]        7872        4092        trace message: WINAD: CAccountEntity::ConvertDomainToNTFormat() -- NT form of hbap.adroot.hsbc is HBAP.

[Thu Apr 25 12:18:39 2013]        7872        4092        trace message: ssoplugin: SSOHandlerFactory::GetHandler() -- Looking for a handler for SSPI

[Thu Apr 25 12:18:39 2013]        7872        4092        trace message: ssoplugin: SequenceParser::Pop() -- key=SI_CACHE_SECCONTEXT, value=0, type=3
[Thu Apr 25 12:18:39 2013]        7872        4092        trace message: ssoplugin: SequenceParser::Pop() -- key=SI_SERVER_SSPI_SPN, value=43403722-850, type=1
[Thu Apr 25 12:18:39 2013]        7872        4092        trace message: ssoplugin: Parameters::CheckParameters() -- Nothing to check!

[Thu Apr 25 12:18:39 2013]        7872        4092        trace message: ssoplugin: Parameters::GetParameter(long) -- SSPI_CTXT_CACHE_EXPIRY not found

[Thu Apr 25 12:18:39 2013]        7872        4092        trace message: ssoplugin: Parameters::GetParameter(bool) -- CONTEXT_RENEWALS_ALLOWED not found

[Thu Apr 25 12:18:39 2013]        7872        4092        trace message: ssoplugin: KerberosSSPIHandler::InitHandler() -- Turning off caching of contexts.

[Thu Apr 25 12:18:39 2013]        7872        4092        trace message: ssoplugin: SSOImpl::InitSSOProvider() -- Not starting the cache cleanup thread; may start later if needed.

[Thu Apr 25 12:18:39 2013]        7872        4092        trace message: WINAD: ADAggregationManager::Refresh() -- Initializing all data.

[Thu Apr 25 12:18:39 2013]        7872        4092        trace message: WINAD: ADAggregationManager::Refresh() -- Reading registry keys:

[Thu Apr 25 12:18:39 2013]        7872        4092        trace message: WINAD: ADRegistry::ReadKeys() -- Key secWinAD/GraphTimeOut not set; using default value of 15

[Thu Apr 25 12:18:39 2013]        7872        4092        trace message: WINAD: ADRegistry::ReadKeys() -- Reading secWinAD/UseGraph

[Thu Apr 25 12:18:39 2013]        7872        4092        trace message: WINAD: ADRegistry::ToBoolean() -- Empty input.  Returning default of true

[Thu Apr 25 12:18:39 2013]        7872        4092        trace message: WINAD: ADRegistry::ReadKeys() -- Reading secWinAD/UseOldGraphWhileBuildingNew

[Thu Apr 25 12:18:39 2013]        7872        4092        trace message: WINAD: ADRegistry::ToBoolean() -- Empty input.  Returning default of true

[Thu Apr 25 12:18:39 2013]        7872        4092        trace message: WINAD: ADRegistry::ReadKeys() -- Reading secWinAD/UseFQDNForDirectoryServers

[Thu Apr 25 12:18:39 2013]        7872        4092        trace message: WINAD: ADRegistry::ToBoolean() -- Empty input.  Returning default of false

[Thu Apr 25 12:18:39 2013]        7872        4092        trace message: WINAD: ADAggregationManager::Refresh() -- Setting graph timeout:

[Thu Apr 25 12:18:39 2013]        7872        4092        trace message: WINAD: CADGraphKeeper::SetUpdateInterval() -- Update interval is 900000 ms

[Thu Apr 25 12:18:39 2013]        7872        4092        trace message: WINAD: ADAggregationManager::Refresh() -- Expiring current graph:

[Thu Apr 25 12:18:39 2013]        7872        4092        trace message: WINAD: CADGraphKeeper::ExpireGraph() -- No graph to expire.

[Thu Apr 25 12:18:39 2013]        7872        4092        trace message: WINAD: CADGraphKeeper::ExpireGraph() -- Graph expired.

[Thu Apr 25 12:18:39 2013]        7872        4092        trace message: WINAD: ADAccountFactory::InvalidateCache() -- Clearing the cache.

[Thu Apr 25 12:18:39 2013]        7872        4092        trace message: WINAD: CGroupMgr::UpdateMappedGroups() -- Mapped groups set to S-1-5-21-3208199719-2002702367-2867066461-1214162

[Thu Apr 25 12:18:39 2013]        7872        4092        trace message: WINAD: CADGraphKeeper::ExpireGraph() -- No graph to expire.

[Thu Apr 25 12:18:39 2013]        7872        4092        trace message: WINAD: CADGraphKeeper::ExpireGraph() -- Graph expired.

[Thu Apr 25 12:18:39 2013]        7872        4092        trace message: WINAD: CADImpl::AcceptLogin() -----------------------------------------------------------

[Thu Apr 25 12:18:39 2013]        7872        4092        trace message: WINAD: CADImpl::AcceptKerbLogin() -----------------------------------------------------------

[Thu Apr 25 12:18:39 2013]        7872        4092        trace message: UnPackBuffer: ssIdBuffer=SSPI

25448240

NOKEY

hbap.adroot.hsbc\43403722-850

Can anybody help us?

Accepted Solutions (0)

Answers (1)


Former Member
0 Kudos

Hello experts,

The Win AD authentication problem is resolved.

Below is what occurred:

1. When we create an SPN, i.e. an AD ID, there is a DES encryption property to be checked as per SAP's standard recommendations. In fact it is required, and we have successfully implemented AD in one case.

2. But in the existing case it didn't work. The moment we unchecked this property, authentication worked fine.

3. Due to some security group policies, it was not authenticating AD IDs while logging in.

So the question still exists: when to check this check box and when not? If it differs from case to case, we might be required to follow multiple permutations and combinations, which is not practical.

So any advice about what is the standard to be followed while doing third party authentication?
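
The conflict described in this answer (a service account with the DES property checked, in a domain where policy restricts Kerberos encryption types) can be checked from attribute values instead of by trial and error. The following is an added example, not part of the original thread or any SAP tooling; the account names, sample values, policy mask and the fallback used when msDS-SupportedEncryptionTypes is unset are assumptions.

```python
# Added example: decode the AD attributes behind the DES checkbox and compare
# them with the Kerberos encryption types a policy allows. Values constructed.

USE_DES_KEY_ONLY = 0x200000  # userAccountControl bit set by the checkbox
DES_MASK = 0x03
# Bit layout of msDS-SupportedEncryptionTypes.
ETYPES = {
    0x01: "DES-CBC-CRC",
    0x02: "DES-CBC-MD5",
    0x04: "RC4-HMAC",
    0x08: "AES128-CTS-HMAC-SHA1-96",
    0x10: "AES256-CTS-HMAC-SHA1-96",
}

def etype_names(mask):
    return [name for bit, name in sorted(ETYPES.items()) if mask & bit]

def account_etypes(uac, supported=None, fallback=0x04):
    # fallback is an assumption: what applies when the attribute is unset
    # depends on the domain controllers' version and configuration.
    if uac & USE_DES_KEY_ONLY:
        return DES_MASK  # the flag restricts the account to DES keys
    return supported if supported else fallback

def check_account(name, uac, supported, allowed):
    common = account_etypes(uac, supported) & allowed
    return {
        "account": name,
        "des_only": bool(uac & USE_DES_KEY_ONLY),
        "common_etypes": etype_names(common),
        "kerberos_usable": common != 0,
    }

# Constructed inputs: hypothetical service accounts and a policy mask that
# allows RC4 and AES but not DES.
POLICY_ALLOWED = 0x04 | 0x08 | 0x10
SAMPLES = [
    ("svc-bo-des", 0x210200, None),      # DES checkbox ticked
    ("svc-bo-default", 0x010200, None),  # checkbox cleared
    ("svc-bo-aes", 0x010200, 0x18),      # AES types set explicitly
]

if __name__ == "__main__":
    for name, uac, supported in SAMPLES:
        print(check_account(name, uac, supported, POLICY_ALLOWED))
```

An account reported with `des_only` true and `kerberos_usable` false shares no encryption type with the policy, which is consistent with logon working only after the checkbox was cleared.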