
Windows AD Authentication Suddenly not working (FWM 00006 Error)

Former Member
0 Kudos

Hello,

We are running BOE XI (14.0.7) and have had no issues in the few years I've been here as the admin.  However, today suddenly no one can log in.  We are all getting the FWM 00006 error - which normally indicates someone has entered their AD login or password incorrectly.  But this isn't an error like that because EVERYONE is getting the error.  I've logged into the CMC using the Enterprise Administrator login and verified that Win AD authentication is enabled (it is), that we are not exceeding session logins with our license (we are not - no sessions at all except Admin), then I restarted all the Core Servers thinking perhaps something got "stuck" (for lack of a better word) and sometimes a reboot will clear an issue.  No change.

Any ideas out there?  I AM able to log in with Enterprise authentication. 

Everything worked fine through last week.  Then suddenly today, something is wrong.  Something happened over the weekend perhaps?  But what?  How?

Help!

Amber Anten

Accepted Solutions (0)

Answers (3)


former_member205064
Active Contributor
0 Kudos

Check these 2 lines in your Krb5; if they are not present, then add them.

    default_tgs_enctypes = rc4-hmac
    default_tkt_enctypes = rc4-hmac

E.g.:

    [libdefaults]
    default_realm = DOMAIN.INTERNAL
    dns_lookup_kdc = true
    dns_lookup_realm = true
    default_tgs_enctypes = rc4-hmac
    default_tkt_enctypes = rc4-hmac
    udp_preference_limit = 1

    [realms]
    DOMAIN.INTERNAL = {
        kdc = ADSERVER.DOMAIN.INTERNAL
        default_domain = DOMAIN.INTERNAL
    }
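
As an added example (not part of the original post, and not SAP tooling): a small Python check that parses a krb5.ini and reports whether the two enctype lines and a KDC for the default realm are present. It goes one step beyond the post by also noting enctypes deprecated by RFC 8429 and RFC 6649, rc4-hmac among them, so you can confirm the domain still permits them; the function names and the sample text are constructed for illustration.

```python
DEPRECATED = {"rc4-hmac", "arcfour-hmac", "des-cbc-crc", "des-cbc-md5"}  # RFC 8429 / RFC 6649
ENCTYPE_KEYS = ("default_tgs_enctypes", "default_tkt_enctypes")

# Constructed sample in the layout posted above; the tkt enctype line is left out.
SAMPLE = """\
[libdefaults]
default_realm = DOMAIN.INTERNAL
default_tgs_enctypes = rc4-hmac
[realms]
DOMAIN.INTERNAL = {
  kdc = ADSERVER.DOMAIN.INTERNAL
}
"""

def parse_krb5(text):
    """Return (libdefaults dict, {realm: {key: [values]}}) from krb5.ini text."""
    lib, realms, section, block = {}, {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section, block = line[1:-1].strip().lower(), None
        elif line == "}":
            block = None  # end of a realm's { ... } block
        elif "=" in line and line[0] not in "#;":
            key, value = (part.strip() for part in line.split("=", 1))
            if section == "realms" and value == "{":
                block = realms.setdefault(key, {})  # start of a realm block
            elif section == "realms" and block is not None:
                block.setdefault(key, []).append(value)  # kdc may repeat
            elif section == "libdefaults":
                lib[key] = value
    return lib, realms

def check_krb5(text):
    """Return findings as strings; an empty list means nothing was flagged."""
    lib, realms = parse_krb5(text)
    findings = []
    for key in ENCTYPE_KEYS:
        used = set(lib.get(key, "").replace(",", " ").split())
        if not used:
            findings.append(f"missing: {key}")
        elif used & DEPRECATED:
            findings.append(f"deprecated enctype: {key} = {' '.join(sorted(used & DEPRECATED))}")
    realm = lib.get("default_realm")
    if realm is None:
        findings.append("missing: default_realm")
    elif not realms.get(realm, {}).get("kdc"):
        findings.append(f"no kdc defined for realm {realm}")
    return findings
```

Call `check_krb5(open(path).read())` on a copy of the server's krb5.ini; a "deprecated enctype" finding is a prompt to ask the domain administrator whether that enctype is still enabled for the service account, not proof of a fault.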

Former Member
0 Kudos

Hi Amber,

To isolate the issue, you should try to log in to client tools like Webi Rich Client or to CCM (Manage Servers) using your AD credentials.

Case 1: Login to client tool works:

Your CMC config and service account is ok.

Check the Tomcat stdout.log file to find any errors related to Kerberos.

Also, check the krb5.ini file.

Case 2: Login to client tool doesn't work:

If not, then you might want to run a check on the SPN entered in CMC --> Authentication --> Windows AD.

You can also check the password validity of service account using the kinit test (steps provided by Ajay).

Also, start a trace on CMC and try to make this work first before going for web client login.

Regards,

Jatin


CdnConnection
Active Contributor
0 Kudos

Amber,

  A couple of things you can do to validate the SET command is working properly prior to troubleshooting in BI 4.x:

  • SETSPN -L <SERVERNAME>  [ Provides List of all records against Server ]
  • setspn -L <SERVICEACCOUNT> [ Provides List of all records / Servers associated against Service Account ]
  • \jdk\bin>kinit <SrvAccount>@FQN <password>
  • \winnt\bscLogin.conf [update debug=true ]


These troubleshooting tips will help you understand if AD Auth is broken. If all works, then you know you have a BI 4.x related issue.

Validate the NT Service Account has NOT been locked by mistake; run the above command to isolate whether the problem is with BI 4.x and/or NT.

Good Luck,

Ajay

Former Member
0 Kudos

Okay.. I'll do this ... but where do I enter that?  I'm not super techie.. so pretend you are walking me through this like someone who knows squat. 🙂

(I'm not a DBA, just a report developer and I administer the BOE site)

Thanks!

Amber

CdnConnection
Active Contributor
0 Kudos

Amber,

     The first TWO commands are run at a DOS prompt. The 3rd command is also run at a DOS prompt, but you need to switch to the location of the Java JDK directory being used. The 4th command is a change to a file and a restart of BOBJ.

I would suggest getting assistance from an NT Administrator to first make sure your NT Service Account has NOT been locked on the Domain Controller.

Regards,

Ajay

Former Member
0 Kudos

Thank you!  My boss is the NT Admin and he's out today.  So I'll have him check into this tomorrow for me.  MUCH appreciated!

I will respond with the results in case this is something anyone else has experienced.

Amber