on 03-08-2014 10:04 PM
Using Crystal Reports Server 2013 with tomcat on Windows Server 2008. Trying to set up silent sign on with AD authentication by following http://scn.sap.com/blogs/josh_fletcher/2012/06/11/active-directory-sso-for-sap-businessobjects-bi4. Things work up to step 9; when I try to test silent single sign on from the browser I get:
Account information not recognized: Active Directory Authentication failed to log you on. Please contact your system administrator to make sure you are a member of a valid mapped group and try again. If you are not a member of the default domain, enter your user name as UserName@DNS_DomainName, and then try again. (FWM 00006)
The tomcat stdout log has the following:
Commit Succeeded
Debug is true storeKey false useTicketCache false useKeyTab false doNotPrompt false ticketCache is null isInitiator true KeyTab is null refreshKrb5Config is false principal is null tryFirstPass is false useFirstPass is false storePass is false clearPass is false
[Krb5LoginModule] user entered username: @AA.BBB.COM
Acquire TGT using AS Exchange
[Krb5LoginModule] authentication failed
Generic error (description in e-text) (60)
If I put in AD username and credentials, it does work. Re-checked .ini and properties, SPNs, realms, domains; everything seems to be right. Any ideas on how to resolve?
Message was edited by: Charles DiTrani
Make sure you put the correct case of the service account in the global.properties file.
idm.princ=BIService (the way it is reflected on the AD side.)
In the Delegation tab, turn on 'Trust this user for delegation to any service (Kerberos only)' on the AD side.
Also check that DES encryption is not checked for the service account on the AD side.
If it still fails, then use Kerbtray.exe to check whether the SPNs are getting generated or not.
Check for duplicate SPNs using SAP note 1387370.
-raunak
Hi,
if raunak's hints did not solve the issue, please also try the syntax "BIService@REALM.COM" for the idm.princ parameter.
In your case this would be "idm.princ=BIService@AA.BBB.COM".
Are you using a keytab file for the password within the Tomcat, or did you put it into the Java Options of the Tomcat?
Regards
-Seb.
Took a while to get some of the information, but:
DES Encryption is enabled;
We confirmed the SPNs were generating;
No Duplicate SPNs.
I did find out that the service account user did not have ‘Act as part of the operating system’ right on the CRS 2013 server; going to assume this could be a contributing cause and go from there.
It turns out this was a two part problem. The global.properties originally had idm.princ=BIService; I changed it to idm.princ=BIService@USERDNSDOMAIN. That didn't work, but I didn't change it back to idm.princ=BIService. Then I re-coded each and every properties file, .ini and the tomcat Java parameters.
Today, after engaging SAP support, I recoded the global.properties back to idm.princ=BIService (mixed case), restarted tomcat, and silent SSO worked.
I'm going to attribute the cause of the issue to a spurious character in one of the config files or Java params, since I got the same error regardless of how idm.princ was coded. The service account was coded everywhere exactly the same, with mixed case.
Thanks to everyone who contributed.
I'm also having the same problem. The same SPN is working on a different environment. We wanted to use the same SPN for our new POC on 4.1 and getting the error Debug is true storeKey false useTicketCache false useKeyTab false doNotPrompt false ticketCache is null isInitiator true KeyTab is null refreshKrb5Config is false principal
Got DES unchecked, and Act as part of the operating system right granted. Now trying to verify that SSO Authentication (not silent) works, but this is a Crystal Report Server 2013 install, so no WebI Rich Client. Is there another way to test SSO? Tried logging into the CMC with an AD user from a browser, but got the FWM 00006 error.
krb5.ini:
[libdefaults]
default_realm = UserDNSDomain
dns_lookup_kdc = true
dns_lookup_realm = true
default_tgs_enctypes = rc4-hmac
default_tkt_enctypes = rc4-hmac
udp_preference_limit = 1
[realms]
UserDNSDomain = {
kdc = ADserverName.UserDNSDomain
default_domain = UserDNSDomain
}
bscLogin.conf:
com.businessobjects.security.jgss.initiate {
com.sun.security.auth.module.Krb5LoginModule required debug=true;
};
Both are in C:\Windows.
Tomcat stdout.log has:
2014-03-14 13:10:29 Commons Daemon procrun stdout initialized
Debug is true storeKey false useTicketCache false useKeyTab false doNotPrompt false ticketCache is null isInitiator true KeyTab is null refreshKrb5Config is false principal is null tryFirstPass is false useFirstPass is false storePass is false clearPass is false
[Krb5LoginModule] user entered username: @myRealm
Acquire TGT using AS Exchange
[Krb5LoginModule] authentication failed
Generic error (description in e-text) (60)
Message was edited by: Charles DiTrani.
Hi,
maybe you want to go through these troubleshooting tips:
http://service.sap.com/sap/support/notes/1476374
Regards
-Seb.
The domain and server names in the krb5.ini are all caps (UserDNSDomain and ADServerName are placeholders; the actual values are all caps).
My Service account is mixed case, like BIService.
It was added to the Administrators group as USERDOMAIN\BIService
The result of setspn -L BIService looks like:
HTTP/SERVERNAME.USERDNSDOMAIN
HTTP/BIService.USERDNSDOMAIN
BICMS/BIService.USERDNSDOMAIN
HTTP/SERVERNAME
In the Authentication area of the CMC:
AD Administration Name = USERDOMAIN\BIService
Default AD Domain = USERDNSDOMAIN
Service principal name = BICMS/BIService.USERDNSDOMAIN
The Mapped AD Member Groups came in ok, and an AD user can log in to BI Launchpad using AD credentials.
Also tried changing the idm.princ entry in global.properties as Sebastian suggested, but that didn't resolve the issue. Silent SSO still not working.
global.properties:
sso.enabled=true
siteminder.enabled=false
vintela.enabled=true
idm.realm=USERDOMAIN
idm.princ=BIService
idm.allowUnsecured=true
idm.allowNTLM=false
idm.logger.name=simple
idm.logger.props=error-log.properties
Java Options:
-Djava.security.auth.login.config=c:\windows\bscLogin.conf
-Djava.security.krb5.conf=c:\windows\krb5.ini
-Dcom.wedgetail.idm.sso.password=password
-Djcsi.kerberos.debug=true
The result of setspn -L BIService looks like:
HTTP/SERVERNAME.USERDNSDOMAIN
HTTP/BIService.USERDNSDOMAIN
BICMS/BIService.USERDNSDOMAIN
HTTP/SERVERNAME
There aren't any duplicate SPNs
Result of kinit BIService: New ticket is stored in cache file C:\path
Following the steps in Configuring_Active_Directory_Manual_Authentication_and_SSO_for_BI4.pdf by Steve Fredell, in Step 7, after configuring the application server's Java Options for AD single sign on, I do not get a line like INFO: Server startup in ###### ms in tomcat stderr.log. Also, I do not get jcsi.kerberos: ** credentials obtained .. ** in tomcat's stdout.log.
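To make raunak's duplicate-SPN check and the comparison of the CMC's "Service principal name" against the setspn -L output above repeatable, here is an added Python example (not from this thread, and not SAP's tooling). It uses the thread's placeholder names and a second, invented account OldWebSvc that holds a case variant of one SPN; it treats SPNs case-insensitively, which is an assumption for the duplicate check.

```python
from collections import defaultdict

# Constructed `setspn -L <account>` output for two accounts, using this thread's
# placeholder names; OldWebSvc is an invented second account holding a clashing SPN.
SETSPN_OUTPUT = {
    "BIService": """Registered ServicePrincipalNames for CN=BIService,OU=Svc,DC=USERDNSDOMAIN:
        HTTP/SERVERNAME.USERDNSDOMAIN
        HTTP/BIService.USERDNSDOMAIN
        BICMS/BIService.USERDNSDOMAIN
        HTTP/SERVERNAME""",
    "OldWebSvc": """Registered ServicePrincipalNames for CN=OldWebSvc,OU=Svc,DC=USERDNSDOMAIN:
        http/servername.userdnsdomain""",
}

def parse_setspn(text):
    # Keep only the SPN lines (service/host); the "Registered ..." header is skipped.
    return [ln.strip() for ln in text.splitlines()
            if "/" in ln and not ln.lstrip().startswith("Registered")]

def spn_owners(outputs):
    # Map each SPN to the accounts holding it; lower-cased (assumed) so case variants
    # of the same SPN are treated as one when looking for duplicates.
    owners = defaultdict(set)
    for account, text in outputs.items():
        for spn in parse_setspn(text):
            owners[spn.lower()].add(account)
    return owners

def check_spns(outputs, account, cmc_spn, server_fqdn):
    # Report SPNs held by more than one account, and confirm the two SPNs SSO relies on
    # sit on `account`: the one entered in the CMC and HTTP/<FQDN> that the browser requests.
    owners = spn_owners(outputs)
    problems = [f"duplicate SPN {spn} on {sorted(accts)}"
                for spn, accts in owners.items() if len(accts) > 1]
    for needed in (cmc_spn, f"HTTP/{server_fqdn}"):
        if account not in owners.get(needed.lower(), set()):
            problems.append(f"{needed} is not registered on {account}")
    return problems
```

Feed it the real setspn -L output of every account that might carry the SPN (or the accounts named by setspn -X) and the values entered in the CMC.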
Hi Charles,
We also have a mixed-case service account, but we have done the settings all in small case.
So make the changes as follows:
Note: Service Account: BIService
In the Authentication area of the CMC:
AD Administration Name = userdomain\biservice (small case)
Default AD Domain = USERDNSDOMAIN
Service principal name = BICMS/BISERVICE.USERDNSDOMAIN
In global.properties under the tomcat > webapp folder (custom):
global.properties:
sso.enabled=true
siteminder.enabled=false
vintela.enabled=true
idm.realm=USERDOMAIN (caps)
idm.princ=BISERVICE (capitals)
idm.allowUnsecured=true
idm.allowNTLM=false
idm.logger.name=simple
idm.logger.props=error-log.properties
I know the settings below have been suggested by other experts.
Put the service account in administrator group
as USERDOMAIN\biservice
Under the local security policy,
make an entry for USERDOMAIN\biservice in the policies below:
act as part of OS
log on as batch job
log on as service
Restart the tomcat and check.
Thanks - going through that. There was a long delay in getting someone with admin rights engaged; sorry for the delay.
I was able to get silent SSO working on the server using Manage Servers from the CCM. When I looked at klist there, I did see the 2 krbtgt tickets, but not sure which http server the KB is referring to. I assume it is the AD server; that one is not there. Another thing I noticed in klist output is that the session key type is AES-256-CTS-HMAC, but in my krb5.ini the default types are rc4-hmac.
Silent SSO is still not working on the client (BI Launchpad), and haven't been able to trace tickets there (admin rights again). I'll post results when the resource is re-engaged.
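The AES-256 session key versus rc4-hmac-only krb5.ini mismatch noted in the post above is easy to miss by eye; this added Python example (not from this thread or from SAP) parses a krb5.ini and Windows klist output and reports tickets whose session key type is not among the enctypes the krb5.ini lets the Java Kerberos client request. The krb5.ini and klist text are constructed from the thread's placeholders, and the Windows-to-krb5 enctype name mapping is an assumption covering the common types.

```python
# Constructed krb5.ini with the same enctype settings as the one posted in this thread
# ([realms] omitted; only [libdefaults] matters for this check).
KRB5_INI = """[libdefaults]
default_realm = USERDNSDOMAIN
default_tgs_enctypes = rc4-hmac
default_tkt_enctypes = rc4-hmac
"""
# Constructed Windows `klist` output: the TGT carries an AES-256 session key, as described above.
KLIST_OUTPUT = """#0>     Client: BIService @ USERDNSDOMAIN
        Server: krbtgt/USERDNSDOMAIN @ USERDNSDOMAIN
        Session Key Type: AES-256-CTS-HMAC-SHA1-96
#1>     Client: BIService @ USERDNSDOMAIN
        Server: HTTP/SERVERNAME.USERDNSDOMAIN @ USERDNSDOMAIN
        Session Key Type: RSADSI RC4-HMAC(NT)
"""
# Windows klist names -> krb5.ini enctype names (assumed mapping for the common types).
WIN_TO_KRB5 = {"AES-256-CTS-HMAC-SHA1-96": "aes256-cts-hmac-sha1-96",
               "AES-128-CTS-HMAC-SHA1-96": "aes128-cts-hmac-sha1-96",
               "RSADSI RC4-HMAC(NT)": "rc4-hmac"}

def libdefault_enctypes(ini_text, key):
    # Return the enctype list for `key` in [libdefaults]; empty if the key is unset.
    section = None
    for ln in (l.strip() for l in ini_text.splitlines()):
        if ln.startswith("[") and ln.endswith("]"):
            section = ln[1:-1]
        elif section == "libdefaults" and ln.split("=", 1)[0].strip() == key:
            return ln.split("=", 1)[1].strip().lower().split()
    return []

def parse_klist(text):
    # Return (server principal, session key type) for each ticket in the cache listing.
    tickets, server = [], None
    for ln in (l.strip() for l in text.splitlines()):
        if ln.startswith("Server:"):
            server = ln.split(":", 1)[1].strip()
        elif ln.startswith("Session Key Type:"):
            tickets.append((server, ln.split(":", 1)[1].strip()))
    return tickets

def enctype_mismatches(ini_text, klist_text):
    # TGT session keys are checked against default_tkt_enctypes, service tickets
    # against default_tgs_enctypes; a ticket whose type is absent from the list is reported.
    out = []
    for server, win_type in parse_klist(klist_text):
        key = "default_tkt_enctypes" if server.startswith("krbtgt/") else "default_tgs_enctypes"
        name = WIN_TO_KRB5.get(win_type, win_type.lower())
        allowed = libdefault_enctypes(ini_text, key)
        if allowed and name not in allowed:
            out.append((server, name, key))
    return out
```

Run it against the real krb5.ini and the klist output captured on the server (and on the client) to see which ticket disagrees with the configured enctypes.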