Silent Sign On using AD Authentication problem

Former Member
0 Kudos

Using Crystal Reports Server 2013 with tomcat on Windows Server 2008. Trying to set up silent sign on with AD authentication by following http://scn.sap.com/blogs/josh_fletcher/2012/06/11/active-directory-sso-for-sap-businessobjects-bi4. Things work up to step 9; when I try to test silent single sign on from the browser I get:


Account information not recognized: Active Directory Authentication failed to log you on. Please contact your system administrator to make sure you are a member of a valid mapped group and try again. If you are not a member of the default domain, enter your user name as UserName@DNS_DomainName, and then try again. (FWM 00006)

The tomcat stdout log has the following:


Commit Succeeded
Debug is  true storeKey false useTicketCache false useKeyTab false doNotPrompt false ticketCache is null isInitiator true KeyTab is null refreshKrb5Config is false principal is null tryFirstPass is false useFirstPass is false storePass is false clearPass is false
        [Krb5LoginModule] user entered username: @AA.BBB.COM
Acquire TGT using AS Exchange
        [Krb5LoginModule] authentication failed
Generic error (description in e-text) (60)

If I put in AD username and credentials, it does work. Re-checked .ini and properties, SPNs, realms, domains; everything seems to be right. Any ideas on how to resolve?

Message was edited by: Charles DiTrani

Accepted Solutions (1)


former_member205064
Active Contributor
0 Kudos

Make sure you put the correct case of the Service Account in the global.properties file.

idm.princ=BIService (the way it reflects on the AD side).

In the Delegation tab, turn on ‘Trust this user for delegation to any service (Kerberos only)’ on the AD side.

Also check that DES Encryption is not checked for the service account on the AD side.

If it still fails, use Kerbtray.exe to check whether the SPNs are being generated.

Check for duplicate SPNs using SAP note 1387370.

-raunak

0 Kudos

Hi,

If Raunak's hints did not solve the issue, please also try the syntax "BIService@REALM.COM" for the idm.princ parameter.

In your case this would be "idm.princ=BIService@AA.BBB.COM"

Are you using a keytab file for the password within the Tomcat, or did you put it into the Java Options of the Tomcat?

Regards

-Seb.

Former Member
0 Kudos

Took a while to get some of the information, but:

DES Encryption is enabled;

We confirmed the SPN’s were generating;

No Duplicate SPNs.


I did find out that the service account user did not have ‘Act as part of the operating system’ right on the CRS 2013 server; going to assume this could be a contributing cause and go from there.

former_member205064
Active Contributor
0 Kudos

Uncheck DES Encryption.

-Raunak

Answers (3)


Former Member
0 Kudos

It turns out this was a two-part problem. The global.properties originally had idm.princ=BIService; I changed it to idm.princ=BIService@USERDNSDOMAIN. That didn't work, but I didn't change it back to idm.princ=BIService. Then I re-coded each and every properties file, .ini file and the Tomcat Java parameters.

Today, after engaging SAP support, I recoded the global.properties back to idm.princ=BIService (mixed case), restarted tomcat, and silent SSO worked.

I'm going to attribute the cause of the issue to a spurious character in one of the config files or Java params, since I got the same error regardless of how idm.princ was coded. The service account was coded everywhere exactly the same, with mixed case.

Thanks to everyone who contributed.

Former Member
0 Kudos

I'm also having the same problem. The same SPN is working on a different environment. We wanted to use the same SPN for our new POC on 4.1 and getting the error Debug is  true storeKey false useTicketCache false useKeyTab false doNotPrompt false ticketCache is null isInitiator true KeyTab is null refreshKrb5Config is false principal

Former Member
0 Kudos

Got DES unchecked, and Act as part of the operating system right granted. Now trying to verify that SSO Authentication (not silent) works, but this is a Crystal Report Server 2013 install, so no WebI Rich Client. Is there another way to test SSO? Tried logging into the CMC with an AD user from a browser, but got the FWM 00006 error.

former_member189884
Contributor
0 Kudos

The launchpad should be the area you want to test from.

former_member205064
Active Contributor
0 Kudos

FWM 00006 is primarily due to an incorrect path and content of the krb5.ini and bscLogin.conf.

If possible, please share your krb5.ini and bscLogin.conf and the path used to specify them.


-Raunak

Former Member
0 Kudos

krb5.ini:

[libdefaults]
    default_realm = UserDNSDomain
    dns_lookup_kdc = true
    dns_lookup_realm = true
    default_tgs_enctypes = rc4-hmac
    default_tkt_enctypes = rc4-hmac
    udp_preference_limit = 1

[realms]
    UserDNSDomain = {
        kdc = ADserverName.UserDNSDomain
        default_domain = UserDNSDomain
    }

bscLogin.conf:

com.businessobjects.security.jgss.initiate {
    com.sun.security.auth.module.Krb5LoginModule required debug=true;
};


Both are in C:\Windows.


Tomcat stdout.log has:

2014-03-14 13:10:29 Commons Daemon procrun stdout initialized
Debug is  true storeKey false useTicketCache false useKeyTab false doNotPrompt false ticketCache is null isInitiator true KeyTab is null refreshKrb5Config is false principal is null tryFirstPass is false useFirstPass is false storePass is false clearPass is false
        [Krb5LoginModule] user entered username: @myRealm
Acquire TGT using AS Exchange
        [Krb5LoginModule] authentication failed
Generic error (description in e-text) (60)



Message was edited by: Charles DiTrani.

former_member189884
Contributor
0 Kudos

All of the domain names and server names should be in capitals in the krb5.ini as well as in the AD plugin of the CMC.

0 Kudos

Hi,

maybe you want to go through these troubleshooting tips:

http://service.sap.com/sap/support/notes/1476374

Regards

-Seb.

Former Member
0 Kudos

The domain and server names in the krb5.ini are all caps (UserDNSDomain and ADServerName are placeholders; the actual values are all caps).

My Service account is mixed case, like BIService.

It was added to the Administrators group as USERDOMAIN\BIService

The result of setspn -L BIService looks like:

    HTTP/SERVERNAME.USERDNSDOMAIN
    HTTP/BIService.USERDNSDOMAIN
    BICMS/BIService.USERDNSDOMAIN
    HTTP/SERVERNAME

In the Authentication area of the CMC:

    AD Administration Name = USERDOMAIN\BIService
    Default AD Domain = USERDNSDOMAIN
    Service principal name = BICMS/BIService.USERDNSDOMAIN

The Mapped AD Member Groups came in ok, and an AD user can log in to BI Launchpad using AD credentials.

Also tried changing the idm.princ entry in global.properties as Sebastian suggested, but that didn't resolve the issue. Silent SSO still not working.

former_member189884
Contributor
0 Kudos

OK, so if manual logins are working then all you need is SSO. What are the settings from the global.properties and Java options?

Former Member
0 Kudos

global.properties:

    sso.enabled=true
    siteminder.enabled=false
    vintela.enabled=true
    idm.realm=USERDOMAIN
    idm.princ=BIService
    idm.allowUnsecured=true
    idm.allowNTLM=false
    idm.logger.name=simple
    idm.logger.props=error-log.properties

Java Options:

    -Djava.security.auth.login.config=c:\windows\bscLogin.conf
    -Djava.security.krb5.conf=c:\windows\krb5.ini
    -Dcom.wedgetail.idm.sso.password=password
    -Djcsi.kerberos.debug=true
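The thread turns on two things that are easy to miss by eye: letter case of realm names across krb5.ini and global.properties, and a stray invisible character in one of the files (the original poster's final diagnosis). The following is an added example, not code from the thread or from SAP: a small Python linter that parses a krb5.ini (with its brace-delimited [realms] blocks) and a global.properties file and reports exactly those problems. The sample inputs are constructed in the shape of the krb5.ini, bscLogin.conf and global.properties posts above, with AA.BBB.COM standing in for the realm and two faults planted on purpose; the check that idm.realm should equal the krb5 default_realm is this example's own assumption, not something the thread states.

```python
import re
import unicodedata

# Constructed sample inputs in the shape of the files posted in this thread. Two faults
# are planted: the [realms] entry is lower case while default_realm is upper case, and a
# zero-width space (U+200B) follows the account name in idm.princ, the kind of invisible
# character the original poster suspected in his config files.
KRB5_INI = """[libdefaults]
default_realm = AA.BBB.COM
dns_lookup_kdc = true
default_tgs_enctypes = rc4-hmac
default_tkt_enctypes = rc4-hmac

[realms]
aa.bbb.com = {
kdc = dc01.aa.bbb.com
default_domain = aa.bbb.com
}
"""

GLOBAL_PROPERTIES = (
    "sso.enabled=true\n"
    "vintela.enabled=true\n"
    "idm.realm=AA.BBB.COM\n"
    "idm.princ=BIService\u200b\n"
    "idm.allowNTLM=false\n"
)


def parse_krb5_ini(text):
    """Parse krb5.ini into {section: {key: value}}; realm blocks in [realms] become nested dicts."""
    sections, section, realm = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        header = re.match(r"^\[(\w+)\]$", line)
        if header:
            section, realm = header.group(1), None
            sections.setdefault(section, {})
            continue
        if section is None:
            continue
        block = re.match(r"^(\S+)\s*=\s*\{$", line)
        if block:                       # "REALM = {" opens a nested realm block
            realm = block.group(1)
            sections[section][realm] = {}
            continue
        if line == "}":
            realm = None
            continue
        key, sep, value = line.partition("=")
        if sep:
            target = sections[section][realm] if realm else sections[section]
            target[key.strip()] = value.strip()
    return sections


def parse_properties(text):
    """Parse a Java .properties file; values are kept verbatim so stray characters stay visible."""
    props = {}
    for raw in text.splitlines():
        line = raw.rstrip("\r\n")
        if not line.strip() or line.lstrip().startswith(("#", "!")):
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value
    return props


def lint(krb5_text, props_text):
    """Return a list of (code, detail) findings; an empty list means nothing suspicious was seen."""
    findings = []
    krb5, props = parse_krb5_ini(krb5_text), parse_properties(props_text)
    default_realm = krb5.get("libdefaults", {}).get("default_realm", "")
    realms = krb5.get("realms", {})
    if default_realm and default_realm != default_realm.upper():
        findings.append(("realm-case", f"default_realm {default_realm!r} is not upper case"))
    if default_realm not in realms:   # lookup is exact-case, which is what bites in practice
        findings.append(("realm-missing", f"no exact-case [realms] entry for {default_realm!r}; found {sorted(realms)}"))
    for name, entry in realms.items():
        if name != name.upper():
            findings.append(("realm-case", f"[realms] entry {name!r} is not upper case"))
        kdc = entry.get("kdc", "")
        if kdc and not kdc.lower().endswith("." + name.lower()):
            findings.append(("kdc-domain", f"kdc {kdc!r} is not inside realm {name!r}"))
    # Anything outside printable ASCII in the Vintela settings (BOM, zero-width space,
    # trailing tab or CR) is reported with its Unicode name so it can be found in an editor.
    for key in ("idm.realm", "idm.princ"):
        odd = [f"U+{ord(c):04X} {unicodedata.name(c, 'UNNAMED')}"
               for c in props.get(key, "") if ord(c) <= 32 or ord(c) >= 127]
        if odd:
            findings.append(("stray-char", f"{key} contains {odd}"))
    idm_realm = props.get("idm.realm", "")
    if idm_realm != idm_realm.upper():
        findings.append(("realm-case", f"idm.realm {idm_realm!r} is not upper case"))
    if idm_realm and default_realm and idm_realm != default_realm:   # assumed consistency check
        findings.append(("realm-mismatch", f"idm.realm {idm_realm!r} differs from default_realm {default_realm!r}"))
    return findings


if __name__ == "__main__":
    for code, detail in lint(KRB5_INI, GLOBAL_PROPERTIES):
        print(f"{code:15} {detail}")
```

Run against the real files by reading them with an explicit encoding (`open(path, encoding="utf-8-sig")` also swallows a UTF-8 BOM that Notepad may have written); a stray-char finding names the offending code point, so it can be removed in an editor that shows hidden characters rather than by retyping every file, which is what the original poster ended up doing.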

former_member205064
Active Contributor
0 Kudos

What is the result of setspn -l BIService?

Also use this SAP note to remove the duplicate SPN:

1387370 How to use setspn -L and AD Explorer to search for duplicated Service Principal Names (2008)
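The SAP note above describes hunting for duplicate SPNs by hand with setspn -L. As an added example (not code from the thread, SAP or Microsoft), here is a Python script that takes the saved output of `setspn -L` for several accounts and reports any SPN registered on more than one of them, plus a check that the SPN entered in the CMC is actually on the service account. The listings are constructed in the shape shown in this thread, with placeholder names; the example assumes SPNs should be compared without regard to case, since a differently-cased copy of the same SPN on a second account still collides in AD.

```python
from collections import defaultdict

# Constructed sample: what "setspn -L <account>" prints for two accounts, in the shape
# shown in this thread (AA.BBB.COM stands in for the real domain). The HTTP SPN for the
# web server has been planted on both the service account and the computer account,
# with different letter case, to produce the duplicate the SAP note is about.
SETSPN_LISTINGS = {
    "BIService": """Registered ServicePrincipalNames for CN=BIService,OU=Service Accounts,DC=aa,DC=bbb,DC=com:
        HTTP/SERVERNAME.AA.BBB.COM
        HTTP/BIService.AA.BBB.COM
        BICMS/BIService.AA.BBB.COM
        HTTP/SERVERNAME
""",
    "SERVERNAME$": """Registered ServicePrincipalNames for CN=SERVERNAME,CN=Computers,DC=aa,DC=bbb,DC=com:
        HOST/SERVERNAME
        HOST/SERVERNAME.AA.BBB.COM
        http/servername.aa.bbb.com
""",
}


def parse_setspn(text):
    """Return the SPNs in one 'setspn -L' listing: the indented lines after the header."""
    return [raw.strip() for raw in text.splitlines() if raw[:1] in (" ", "\t") and raw.strip()]


def find_duplicate_spns(listings):
    """Map each SPN to the accounts holding it and keep those held by more than one account.
    SPNs are lower-cased before comparison (assumption: case differences do not make two SPNs distinct)."""
    owners = defaultdict(set)
    for account, text in listings.items():
        for spn in parse_setspn(text):
            owners[spn.lower()].add(account)
    return {spn: sorted(accounts) for spn, accounts in owners.items() if len(accounts) > 1}


def has_spn(listing, spn):
    """True if the SPN configured in the CMC is registered in the account's listing."""
    return spn.lower() in {s.lower() for s in parse_setspn(listing)}


if __name__ == "__main__":
    for spn, accounts in find_duplicate_spns(SETSPN_LISTINGS).items():
        print(f"DUPLICATE {spn} held by {', '.join(accounts)}")
    print("CMS SPN on service account:",
          has_spn(SETSPN_LISTINGS["BIService"], "BICMS/BIService.AA.BBB.COM"))
```

To use it on a real domain, save `setspn -L <account>` output for the service account and for each server's computer account into the dictionary; a duplicate HTTP SPN on the computer account is the classic cause of the KDC handing the browser a ticket the BI server cannot decrypt.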

Former Member
0 Kudos

The result of setspn -L BIService looks like:

    HTTP/SERVERNAME.USERDNSDOMAIN
    HTTP/BIService.USERDNSDOMAIN
    BICMS/BIService.USERDNSDOMAIN
    HTTP/SERVERNAME

There aren't any duplicate SPNs.

Result of kinit BIService: New ticket is stored in cache file C:\path


Following the steps in Configuring_Active_Directory_Manual_Authentication_and_SSO_for_BI4.pdf by Steve Fredell, in Step 7, after configuring the application server's Java Options for AD single sign-on, I do not get a line like INFO: Server startup in ###### ms in tomcat stderr.log. Also, I do not get jcsi.kerberos: ** credentials obtained .. ** in tomcat's stdout.log.

former_member205064
Active Contributor
0 Kudos

Configure browser settings:

SAP note 1379894

Download kerbtray.exe on client to check if you are able to get the SPN on the client machine.

former_member189884
Contributor
0 Kudos

You can also just use klist purge from a command line on the client to remove Kerberos tickets and then, after trying an SSO attempt, use klist to see which, if any, tickets you have gotten.

Former Member
0 Kudos

Hi Charles,

We also have a mixed-case service account, but we have done the settings all in small case.

So make the changes as follows.

Note: Service Account: BIService

In the Authentication area of the CMC:

    AD Administration Name = userdomain\biservice (small case)
    Default AD Domain = USERDNSDOMAIN
    Service principal name = BICMS/BISERVICE.USERDNSDOMAIN

In global.properties under the tomcat > webapp folder (custom):

    sso.enabled=true
    siteminder.enabled=false
    vintela.enabled=true
    idm.realm=USERDOMAIN (caps)
    idm.princ=BISERVICE (capitals)
    idm.allowUnsecured=true
    idm.allowNTLM=false
    idm.logger.name=simple
    idm.logger.props=error-log.properties

I know the settings below have been suggested by other experts.

Put the service account in the Administrators group as USERDOMAIN\biservice.

Under Local Security Policy, add USERDOMAIN\biservice to the policies below:

    act as part of OS
    log on as batch job
    log on as service

Restart Tomcat and check.

Former Member
0 Kudos

Thanks - going through that. There was a long delay in getting someone with admin rights engaged; sorry for the delay.

I was able to get silent SSO working on the server using Manage Servers from the CCM. When I looked at klist there, I did see the 2 krbtgt tickets, but not sure which http server the KB is referring to. I assume it is the AD server; that one is not there. Another thing I noticed in klist output is that the session key type is AES-256-CTS-HMAC, but in my krb5.ini the default types are rc4-hmac.

Silent SSO is still not working on the client (BI Launchpad), and haven't been able to trace tickets there (admin rights again). I'll post results when the resource is re-engaged.
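Two earlier posts suggest reading klist output: one to see whether an SSO attempt produced a service ticket at all, and the post above notices that the session key type is AES-256 while krb5.ini lists only rc4-hmac. As an added example (not code from the thread), here is a Python parser for Windows klist output that answers both questions from a saved listing: it finds the cached ticket for a given SPN and lists every ticket whose session key type is outside the enctypes krb5.ini allows. The listing is constructed in the shape klist prints on Windows, with placeholder names (jdoe, AA.BBB.COM, servername, dc01); the table mapping klist's enctype names to krb5.ini names is the example's own.

```python
import re

# Constructed sample in the shape of Windows "klist" output on a client after one
# silent SSO attempt: the TGT plus a service ticket for the BI web server. Names
# (jdoe, AA.BBB.COM, servername, dc01) are placeholders, not values from the thread.
KLIST_OUTPUT = """Current LogonId is 0:0x3e7

Cached Tickets: (2)

#0>     Client: jdoe @ AA.BBB.COM
        Server: krbtgt/AA.BBB.COM @ AA.BBB.COM
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
        Ticket Flags 0x40e10000 -> forwardable renewable initial pre_authent name_canonicalize
        Start Time: 3/14/2014 13:10:29 (local)
        End Time:   3/14/2014 23:10:29 (local)
        Renew Time: 3/21/2014 13:10:29 (local)
        Session Key Type: AES-256-CTS-HMAC-SHA1-96
        Cache Flags: 0x1 -> PRIMARY
        Kdc Called: dc01.aa.bbb.com

#1>     Client: jdoe @ AA.BBB.COM
        Server: HTTP/servername.aa.bbb.com @ AA.BBB.COM
        KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
        Ticket Flags 0x40a10000 -> forwardable renewable pre_authent name_canonicalize
        Start Time: 3/14/2014 13:10:31 (local)
        End Time:   3/14/2014 23:10:29 (local)
        Renew Time: 3/21/2014 13:10:29 (local)
        Session Key Type: RSADSI RC4-HMAC(NT)
        Cache Flags: 0
        Kdc Called: dc01.aa.bbb.com
"""

# klist's names for encryption types mapped to the names krb5.ini uses (example's own table).
WINDOWS_TO_KRB5_ENCTYPE = {
    "RSADSI RC4-HMAC(NT)": "rc4-hmac",
    "AES-128-CTS-HMAC-SHA1-96": "aes128-cts-hmac-sha1-96",
    "AES-256-CTS-HMAC-SHA1-96": "aes256-cts-hmac-sha1-96",
}


def parse_klist(text):
    """Split klist output into one dict per cached ticket, keyed by the labels klist prints."""
    tickets = []
    for raw in text.splitlines():
        line = raw.strip()
        start = re.match(r"^#\d+>\s*Client:\s*(.*)$", line)
        if start:                      # "#N> Client: ..." opens a new ticket record
            tickets.append({"Client": start.group(1)})
            continue
        key, sep, value = line.partition(":")
        if sep and tickets:            # "Ticket Flags 0x... -> ..." has no colon and is skipped
            tickets[-1][key.strip()] = value.strip()
    return tickets


def service_principal(ticket):
    """'HTTP/servername.aa.bbb.com' from 'HTTP/servername.aa.bbb.com @ AA.BBB.COM'."""
    return ticket.get("Server", "").split(" @ ")[0]


def ticket_for(tickets, spn):
    """The cached ticket for an SPN (compared case-insensitively), or None if SSO never got one."""
    return next((t for t in tickets if service_principal(t).lower() == spn.lower()), None)


def session_keys_outside(tickets, allowed_enctypes):
    """(principal, krb5 enctype) for every ticket whose session key type is not in the
    default_tkt_enctypes / default_tgs_enctypes list that krb5.ini gives the Java side."""
    outside = []
    for t in tickets:
        win_name = t.get("Session Key Type", "")
        enctype = WINDOWS_TO_KRB5_ENCTYPE.get(win_name, win_name)
        if enctype not in allowed_enctypes:
            outside.append((service_principal(t), enctype))
    return outside


if __name__ == "__main__":
    cached = parse_klist(KLIST_OUTPUT)
    print("service ticket present:", ticket_for(cached, "HTTP/SERVERNAME.AA.BBB.COM") is not None)
    print("session keys outside rc4-hmac:", session_keys_outside(cached, ["rc4-hmac"]))
```

After `klist purge` and one SSO attempt, an absent HTTP/<server> ticket points at the browser or SPN side (no ticket was requested or the KDC refused), while a ticket that is present but with an enctype the Java side does not list points at the krb5.ini enctype settings or the account's encryption options in AD.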

Former Member
0 Kudos

Tried that but it still throws the same error. Thanks for your help.

Former Member
0 Kudos

As soon as I can get someone with admin rights I will check that on the client machine. I am getting tickets on the server when I do silent SSO into the CCM/Manage servers.

former_member205064
Active Contributor
0 Kudos

Is the password for the service account entered correctly?

-Dcom.wedgetail.idm.sso.password=***********


-Raunak

Former Member
0 Kudos

Yes, I know it is correct because I use the same one for replying to the kinit request for password on the BIService account.