on 07-07-2014 6:45 PM
Hello,
We are running BOE XI (14.0.7) and have had no issues in the few years I've been here as the admin. However, today suddenly no one can log in. We are all getting the FWM 00006 error - which normally indicates someone has entered their AD login or password incorrectly. But this isn't an error like that because EVERYONE is getting the error. I've logged into the CMC using the Enterprise Administrator login and verified that Win AD authentication is enabled (it is), that we are not exceeding session logins with our license (we are not - no sessions at all except Admin), then I restarted all the Core Servers thinking perhaps something got "stuck" (for lack of a better word) and sometimes a reboot will clear an issue. No change.
Any ideas out there? I AM able to log in with Enterprise authentication.
Everything worked fine through last week. Then suddenly today, something is wrong. Something happened over the weekend perhaps? But what? How?
Help!
Amber Anten
Check these 2 lines in your Krb5; if they are not present, then add them.
default_tgs_enctypes = rc4-hmac
default_tkt_enctypes = rc4-hmac
E.g.:
[libdefaults]
default_realm = DOMAIN.INTERNAL
dns_lookup_kdc = true
dns_lookup_realm = true
default_tgs_enctypes = rc4-hmac
default_tkt_enctypes = rc4-hmac
udp_preference_limit = 1
[realms]
DOMAIN.INTERNAL = {
kdc = ADSERVER.DOMAIN.INTERNAL
default_domain = DOMAIN.INTERNAL
}
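A realm block in krb5.ini only parses when a `REALM = {` line opens it before the closing brace, and a lost line there breaks AD logins for everyone at once. As an added example (not code from this thread or from SAP), the Python check below reports a missing enctype line or a broken [realms] block; the function name `check_krb5` and the sample text, built from the reply's placeholder names, are assumptions.

```python
REQUIRED = ("default_realm", "default_tgs_enctypes", "default_tkt_enctypes")
# Constructed sample input using the placeholder names from the reply.
FIXED = """[libdefaults]
default_realm = DOMAIN.INTERNAL
dns_lookup_kdc = true
dns_lookup_realm = true
default_tgs_enctypes = rc4-hmac
default_tkt_enctypes = rc4-hmac
udp_preference_limit = 1
[realms]
DOMAIN.INTERNAL = {
kdc = ADSERVER.DOMAIN.INTERNAL
default_domain = DOMAIN.INTERNAL
}
"""
# Same file with the line that opens the realm block lost.
BROKEN = FIXED.replace("DOMAIN.INTERNAL = {\n", "")

def check_krb5(text):
    """Return a list of problems found in krb5.ini text (empty means it passes)."""
    libdefaults, realms, problems = {}, {}, []
    section = realm = None
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            section, realm = line[1:-1].strip(), None
        elif line == "}":
            if realm is None:
                problems.append(f"line {n}: '}}' without an opening 'REALM = {{' line")
            realm = None
        elif "=" in line:
            key, value = (p.strip() for p in line.split("=", 1))
            if section == "libdefaults":
                libdefaults[key] = value
            elif section == "realms" and value == "{":
                realm, realms[key] = key, {}
            elif section == "realms" and realm is not None:
                realms[realm][key] = value
            elif section == "realms":
                problems.append(f"line {n}: '{key}' is outside any realm block")
    for key in REQUIRED:
        if key not in libdefaults:
            problems.append(f"[libdefaults] is missing {key}")
    default = libdefaults.get("default_realm")
    if default and "kdc" not in realms.get(default, {}):
        problems.append(f"[realms] has no kdc entry for default_realm {default}")
    return problems
```

Run `check_krb5(open(path).read())` against the krb5.ini that Tomcat and the client tools are pointed at; an empty list means the structure is sound and the fault lies elsewhere, such as the service account.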
Hi Amber,
To isolate the issue, you should try to log in to client tools like Webi Rich Client or the CCM (manage servers) using your AD credentials.
Case 1: Login to client tool works:
Your CMC config and service account are OK.
Check the Tomcat stdout.log file to find any errors related to Kerberos.
Also, check the krb5.ini file.
Case 2: Login to client tool doesn't work:
If not, then you might want to run a check on the SPN entered in CMC --> Authentication --> Windows AD.
You can also check the password validity of the service account using the kinit test (steps provided by Ajay).
Also, start a trace on the CMC and try to make this work first before going for web client login.
Regards,
Jatin
Amber,
A couple of things you can do to validate the SET command is working properly prior to troubleshooting in BI 4.x:
These troubleshooting tips will help you understand if AD Auth is broken. If all works, then you know you have a BI 4.x related issue.
Validate the NT Service Account has NOT been locked by mistake; run the above command to isolate whether the problem is with BI 4.x &/or NT.
Good Luck,
Ajay
Amber,
The first TWO commands are run at a DOS prompt. The 3rd command is also run at a DOS prompt, but you need to switch to the location of the Java JDK directory being used. The 4th command is a change to a file and a restart of BOBJ.
I would suggest getting assistance from an NT Administrator to first make sure your NT Service Account has NOT been locked on the Domain controller.
Regards,
Ajay