on 05-22-2015 1:10 AM
Hi,
Hope you experts can help me with this issue.
I am doing SSO setup on SAP BI 4.1 SP5 on Windows Server 2012 R2. I have followed the process as outlined in the article at http://scn.sap.com/blogs/josh_fletcher/2012/06/11/active-directory-sso-for-sap-businessobjects-bi4.
I am stuck at Step 9, as I cannot get silent SSO no matter what. I understand a lot of people have had this issue and there have been a lot of discussions in the SAP blog about it, and I've read all of them.
However, does anyone have a solution for this problem?
Here are my configurations (with sanitized domain names):
Environment:
Domain Name: XXXXCO (FQDN: CORP.XXXXCO.COM)
BO Service Account: CMS41SVC (password: F4M34!xl )
Domain Controller: VM-DC-GH-01.CORP.XXXXCO.COM
BusinessObjects Server: DEV-BOB-APP-01.CORP.XXXXCO.COM
BusinessObjects AD Group: XXXXCO\DL-Business Objects
krb5.ini file
----------------
[libdefaults]
default_realm = CORP.XXXXCO.COM
dns_lookup_kdc = true
dns_lookup_realm = true
default_tgs_enctypes = rc4-hmac
default_tkt_enctypes = rc4-hmac
udp_preference_limit = 1
[realms]
CORP.XXXXCO.COM = {
kdc = VM-DC-GH-01.CORP.XXXXCO.COM
default_domain = CORP.XXXXCO.COM
}
bscLogin.conf file
---------------------------------
com.businessobjects.security.jgss.initiate {
com.sun.security.auth.module.Krb5LoginModule required debug=true;
};
BIlaunchpad.properties file
--------------------------------------------
authentication.visible=true
authentication.default=secWinAD
sso.types.and.order=vintela
global.properties file
-------------------------------------
sso.enabled=true
siteminder.enabled=false
vintela.enabled=true
idm.realm=CORP.XXXXCO.COM
idm.allowUnsecured=true
idm.allowNTLM=false
idm.logger.name=simple
idm.logger.props=error-log.properties
Tomcat added options
-----------------------------------------
...
-Djava.security.auth.login.config=c:\windows\bscLogin.conf
-Djava.security.krb5.conf=c:\windows\krb5.ini
-Dcom.wedgetail.idm.sso.password=F4M34!xl
-Djcsi.kerberos.debug=true
What I've done so far:
-All steps 1-8 verified (as per Josh's article above)
-(NOTE: Under Delegation tab for service account CMS41SVC, turned on ‘Trust this user for delegation to any service (Kerberos only)’.)
-I can get the ticket with kinit CMS41SVC.
-There are no duplicate SPNs.
-I got "commit succeeded" after step 8 and was able to get Manual AD access to the system with AD accounts.
-After application of step 9 I do not get silent SSO and, perhaps not surprisingly, cannot login with AD accounts any more.
I have not performed the keytab steps as this is a showstopper, I guess.
What is wrong here?? !! Any suggestions?
Some additional questions:
- Does my service account CMS41SVC need to be a member of the BusinessObjects AD Group XXXXCO\DL-Business Objects? In my setup it is not.
- Further, what is the impact of SSO on the deployment of the Mobile server? If we manage to set up SSO, will it be propagated to Mobile clients?
- Is there a special process for setting up Mobile clients for a platform with SSO set up?
- Similarly, what is the impact of SSO on the integration with SharePoint?
- Is there a special process for setting up SharePoint integration for a platform with SSO set up?
Many thanks for your help in the past and your effort regarding this one.
Regards,
Davor Mitrasevic
Hi Davor,
The idm.princ=service_account value is missing from the global.properties file.
-Ambarish-
Hi Ambarish,
Thanks for your prompt reply.
Sorry, the content of global.properties file I provided in my post is missing that line. My bad.
However, I do and did have it in the file while doing these tests as per below:
sso.enabled=true
siteminder.enabled=false
vintela.enabled=true
idm.realm=CORP.XXXXCO.COM
idm.princ=CMS41SVC
idm.allowUnsecured=true
idm.allowNTLM=false
idm.logger.name=simple
idm.logger.props=error-log.properties
Regards,
Davor
Hi Davor,
Can you list the service account SPNs with the command below and paste the output.
setspn -l service_account
Also make sure there are no white spaces in either the global.properties file or the Tomcat config >> Java options.
To delete the Tomcat cache, you can stop Tomcat and navigate to <Tomcat install dir>/work/Catalina. Rename localhost to localhost_old and start Tomcat. Starting it will rebuild the cache.
You can also clear browser cache and then try to execute the URL.
-Ambarish-
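The checks Ambarish asks for above (a missing idm.princ, stray whitespace in global.properties or the Tomcat Java options, realm agreement with krb5.ini) can be scripted. The following is an added example, not SAP's or the posters' code; its sample inputs are constructed from the configuration posted in this thread, with the password left out.

```python
"""Consistency checks across the three Vintela SSO inputs: global.properties,
krb5.ini and the Tomcat Java options. Added example; inputs are constructed."""
import re

# Constructed samples reproducing the thread's first post (no idm.princ line, password left out).
POSTED_GLOBAL = """sso.enabled=true
siteminder.enabled=false
vintela.enabled=true
idm.realm=CORP.XXXXCO.COM
idm.allowUnsecured=true
idm.allowNTLM=false
"""
FIXED_GLOBAL = POSTED_GLOBAL + "idm.princ=CMS41SVC\n"
KRB5_INI = "[libdefaults]\ndefault_realm = CORP.XXXXCO.COM\ndefault_tkt_enctypes = rc4-hmac\n"
JAVA_OPTS = [r"-Djava.security.auth.login.config=c:\windows\bscLogin.conf",
             r"-Djava.security.krb5.conf=c:\windows\krb5.ini",
             "-Dcom.wedgetail.idm.sso.password=<redacted>"]

def parse_properties(text):
    """java.util.Properties trims around the key and before the value but keeps
    trailing whitespace in the value, so 'idm.princ=CMS41SVC ' yields a bad principal."""
    props, stray = {}, []
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip()[0] in "#!":
            continue
        key, _, value = line.partition("=")
        if value != value.rstrip():
            stray.append(n)
        props[key.strip()] = value.strip()
    return props, stray

def krb5_default_realm(text):
    m = re.search(r"^\s*default_realm\s*=\s*(\S+)", text, re.M)
    return m.group(1) if m else None

def check_sso_config(global_props, krb5_ini, java_opts):
    """Return a list of findings; an empty list means the three sources agree."""
    props, stray = parse_properties(global_props)
    findings = [f"global.properties line {n}: trailing whitespace in value" for n in stray]
    if not props.get("idm.princ"):
        findings.append("idm.princ (the BO service account) is missing")
    realm = props.get("idm.realm", "")
    if realm != krb5_default_realm(krb5_ini) or realm != realm.upper():
        findings.append("idm.realm must equal krb5.ini default_realm, in upper case")
    for opt in ("-Djava.security.auth.login.config=", "-Djava.security.krb5.conf="):
        if not any(o.startswith(opt) for o in java_opts):
            findings.append(f"Tomcat Java options lack {opt}")
    if any(o != o.strip() for o in java_opts):
        findings.append("a Tomcat Java option carries leading/trailing whitespace")
    return findings
```

Run against the posted files, the only finding is the missing idm.princ; the same script flags a trailing space after the principal, which a visual check of the file easily misses.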
Hi Ambarish,
Just checked, I have no white spaces in either global.properties or the Java options for Tomcat.
I also checked the stderr file. I could not find the entry "credentials obtained". No errors whatsoever in the file.
When I am on the server I CAN log into BI Launchpad with network accounts, but if I try the same thing from another machine on the network I get the logon error below:
"Account information not recognized: Enterprise authentication could not log you on. Please make sure your logon information is correct. (FWB 00008)"
Not sure what is going on here.
Kind regards,
Davor
Hi Davor,
The below error indicates that the authentication being selected is Enterprise authentication and not Windows AD authentication:
"Account information not recognized: Enterprise authentication could not log you on. Please make sure your logon information is correct. (FWB 00008)"
The authentication.default in the BI Launchpad.properties file should be secWinAD. I think it's not picking up the default authentication set in the .properties file.
Can you redo the changes. Stop tomcat, delete bi launchpad.properties from custom folder, copy bi launchpad.properties from default folder, make the authentication.default changes to secWinAD and authentication.visible to true, rename the latest tomcat cache to localhost_oldold and start tomcat.
Also let me know if you are manually able to login into BI launchpad using Windows AD authentication.
-Ambarish-
Hi Ambarish,
Thanks for your input.
You wrote:
"Can you redo the changes. Stop tomcat, delete bi launchpad.properties from custom folder, copy bi launchpad.properties from default folder, make the authentication.default changes to secWinAD and authentication.visible to true, rename the latest tomcat cache to localhost_oldold and start tomcat."
Pardon my ignorance, I do have some questions on this process:
1. Once I do the above changes to the BILaunchpad.properties file, do I need to run wdeploy? I am on BO 4.1 SP5 and my understanding is that the Tomcat webapps are auto-deployed, i.e. no need to wdeploy them?
2. So far, I haven't run wdeploy for my SSO setup. I just ran the original auto installation. Do I need to run wdeploy whenever I change any of the .properties files like "global" or "BILaunchpad"?
How do I run the GUI version of wdeploy and what does it do?
3. When I copy a default BILaunchpad.properties file to the custom folder and edit it, do I just leave those 3 lines of config?
authentication.default=secWinAD
authentication.visible=true
sso.types.and.order=vintela
Many thanks for your help so far. I am really desperate to resolve this issue.
Regards,
Davor
Hi Ambarish,
Hope you can help me again.
Problem: after successful silent SSO, I went on and produced a keytab file with the command:
ktpass -out bosso.keytab -princ CMS41SVC@CORP.XXXXCO.COM -pass F4M34!xl -kvno 255 -ptype KRB5_NT_PRINCIPAL -crypto RC4-HMAC-NT
Command Result:
I then stopped Tomcat and:
1. Removed wedgetail option in Tomcat (hardcoded password.)
2. Placed bosso.keytab in C:/WINDOWS
3. Modified global.properties to point to C:/WINDOWS/bosso.keytab
4. Started Tomcat
I found "credentials obtained" in the stderr file, and:
[DEBUG] Thu May 28 11:11:17 EST 2015 jcsi.kerberos: GSS: Acceptor supports: KRB5 :
[DEBUG] Thu May 28 11:11:17 EST 2015 jcsi.kerberos: Ticket service name is: HTTP/DEV-BOB-APP-01.corp.xxxxco.com@CORP.XXXXCO.COM
[DEBUG] Thu May 28 11:11:17 EST 2015 jcsi.kerberos: GSS name is: CMS41SVC@CORP.XXXXCO.COM
[DEBUG] Thu May 28 11:11:17 EST 2015 jcsi.kerberos: Using keytab entry for: CMS41SVC@CORP.XXXXCO.COM
[DEBUG] Thu May 28 11:11:17 EST 2015 jcsi.kerberos: ** decrypting ticket .. ** with key Principal: CMS41SVC@CORP.XXXXCO.COM
Type: 1 TimeStamp: Thu Jan 01 10:00:00 EST 1970 KVNO: -1 Key: [23, dc b5 85 a7 a8 72 fa d4 92 a5 45 76 64 b6 d6 a8 ]
[DEBUG] Thu May 28 11:11:17 EST 2015 jcsi.kerberos: decrypted ticket: Ticket: encryption type: 23 (DECRYPTED OK)
So far so good.
BUT, when I test silent SSO from another machine I get the AD prompt dialog instead of going straight in. Before I included the keytab file this worked!!
What's wrong now?
Questions:
1. I now understand that the KeyTab method is optional. So I tried to revert my KeyTab changes, but I could not get silent SSO to work like it did 2 days ago. How do I revert my KeyTab changes?
2. Is it even possible to easily revert the KeyTab modifications? What do I need to do? Do I need to start again, or from some point in the SSO setup process?
Hope you can help me with this one.
Regards,
Davor
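The keytab produced by the ktpass command above can be inspected offline before Tomcat is pointed at it. The following added example (not SAP's or the poster's code) parses an MIT-format keytab and checks that its entry matches idm.princ, idm.realm and the rc4-hmac enctype (23) pinned in krb5.ini; the keytab bytes are constructed inside the script with a dummy all-zero key, so it never touches the real bosso.keytab.

```python
"""Parse an MIT-format keytab (what ktpass writes) and compare its entry with the
idm.princ / idm.realm / enctype settings above. Added example with a constructed
keytab and a dummy key, not the real bosso.keytab and not SAP's tooling."""
import struct

RC4_HMAC = 23          # enctype pinned in the krb5.ini above and shown in the debug log
def build_keytab(princ, realm, kvno, enctype, key, timestamp=0):
    body = struct.pack(">H", 1)                        # one name component
    for s in (realm, princ):                           # realm first, then components
        b = s.encode()
        body += struct.pack(">H", len(b)) + b
    body += struct.pack(">IIB", 1, timestamp, kvno & 0xFF)   # KRB5_NT_PRINCIPAL, ts, vno8
    body += struct.pack(">HH", enctype, len(key)) + key
    body += struct.pack(">I", kvno)                    # 32-bit kvno extension
    return b"\x05\x02" + struct.pack(">i", len(body)) + body

def parse_keytab(data):
    """Return entries as dicts. Layout: 0x0502 header, then (int32 size, entry) records."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a v2 keytab")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos); pos += 4
        if size <= 0:                                  # negative size marks a deleted slot
            pos -= size
            continue
        end, p = pos + size, pos
        (ncomp,) = struct.unpack_from(">H", data, p); p += 2
        parts = []
        for _ in range(ncomp + 1):                     # realm, then each name component
            (n,) = struct.unpack_from(">H", data, p); p += 2
            parts.append(data[p:p + n].decode()); p += n
        _name_type, _ts, vno8 = struct.unpack_from(">IIB", data, p); p += 9
        enctype, klen = struct.unpack_from(">HH", data, p); p += 4 + klen   # skip key bytes
        vno = struct.unpack_from(">I", data, p)[0] if end - p >= 4 else vno8
        entries.append({"principal": "/".join(parts[1:]) + "@" + parts[0], "enctype": enctype, "kvno": vno})
        pos = end
    return entries

def check_keytab(data, idm_princ, idm_realm, enctype=RC4_HMAC):
    """Findings comparing keytab entries with idm.princ, idm.realm and the krb5.ini enctype."""
    want = f"{idm_princ}@{idm_realm}"
    mine = [e for e in parse_keytab(data) if e["principal"] == want]
    findings = [] if mine else [f"no keytab entry for {want}"]
    if mine and not any(e["enctype"] == enctype for e in mine):
        findings.append(f"{want} has no key of enctype {enctype}")
    return findings

# Constructed sample: thread's principal, dummy all-zero key, kvno 255 as in the ktpass command above.
SAMPLE_KEYTAB = build_keytab("CMS41SVC", "CORP.XXXXCO.COM", 255, RC4_HMAC, b"\x00" * 16)
```

Point parse_keytab at the real file to confirm the principal's realm is upper case and the enctype is 23 before restarting Tomcat; a lower-case realm or a mismatched enctype shows up here as a finding rather than as a prompt dialog in the browser.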
Hi Ambarish,
Thanks for your help.
Done all of what you suggested earlier and still no go.
What's worse, I can't even get into CMC anymore as I am getting this error:
"Account information not recognized: Could not reach CMS. Specify the correct host and port and check for network issues. (FWM 20030)"
What do I do now ?
I am thinking of starting again with SSO, creating a fresh service account, etc. Any gotchas here?
And , NO MORE KEYTAB crap, as it is completely optional.
I fear I'll have to reinstall everything and start from scratch. I hope and pray I won't have to do this.
Kind Regards,
Davor
Hi Davor,
Can you check if you observe any changes in the service account properties on AD Server?
As far as the below error is concerned
Account information not recognized: Could not reach CMS. Specify the correct host and port and check for network issues. (FWM 20030)
Can you check if you are able to log into the CMC from the BO server? Try restarting the SIA and check in Task Manager >> Processes to verify that the processes are visible.
Regards,
Ambarish
Hi Ambarish,
There were no service account changes on AD.
As I said, I can't log into the CMC on the BO server even through Enterprise authentication because of the "Account information cannot be recognized..." error.
I've tried restarting the SIA, still no go. I stopped the SIA and inspected what it is running under: it is my service account.
Task Manager: couldn't find the SIA there. Maybe it is under a different name.
This is crazy. If I can't get into the CMC, that means I have to reinstall. Damn!! Damn!!
What do I do now ?
Many thanks Ambarish for all of your effort here.
Kind Regards,
Davor
Thanks, Ambarish.
As of this morning at least I can log onto the CMC via Enterprise authentication. Yesterday, I could not.
As far as my problem with silent SSO setup involving KeyTab file, it is still not working.
I'll repeat the whole SSO setup without the last KeyTab file step.
This is what I am planning to do:
1. Create new service account
2. Delete SPNs for old service account
3. Create SPNs for new service account
...etc, continue the SSO process
Any gotchas here that I need to be mindful of ?
Many thanks for your help.
Your service account is not required to be a member of the BusinessObjects AD Group.
I think Mobile SSO is still not possible, but for SharePoint it's possible.
For SharePoint you can refer to these links:
What is the error message you are getting for manual as well as SSO logon after step 9?
Also try checking after restarting Tomcat and rebuilding the Tomcat cache.
-Raunak
Hi Raunak,
Thank you for your response.
I examined stderr log. Could not find any errors there except these warnings:
WARNING: [SetContextPropertiesRule]{Context} Setting property 'trusted' to 'false' did not find a matching property.
Or
WARNING: [SetContextPropertiesRule]{Context} Setting property 'debug' to '0' did not find a matching property.
You suggested rebuilding the Tomcat cache. Does this mean deleting the Catalina folder?
Regards,
Davor