SSO Not working 4.1

Former Member
0 Kudos

Hi,

I have spent quite a while now looking for a resolution, so I finally decided to post. I am trying SSO and am getting an error. This is the error I am getting when going to BI Launchpad:

HTTP Status 500 - com.wedgetail.idm.sso.ProtocolException: com.wedgetail.idm.spnego.server.SpnegoException: GSSException: Failure unspecified at GSS-API level (Mechanism level: com.dstc.security.kerberos.KerberosException: Could not decrypt service ticket with Key type 18, KVNO 2, Principal "HTTP/biwebdev1.corp.domain.com@CORP.DOMAIN.COM" using key: Principal: [1] BOSSO/SVC_BOE_DEV.corp.domain.com@CORP.DOMAIN.COM TimeStamp: Wed Jul 29 02:16:16 CDT 2015 KVNO: -1 EncType: 18 Key: 32 bytes, fingerprint = [4f 2 e1 98 79 dd 53 1 92 45 6e 61 29 eb a8 fb] Exception for this key was: com.dstc.security.kerberos.CryptoException: Integrity check failure[Note: principal names are different; this may or may not be a problem] [Note: KVNO used wildcard match, not exact match; perhaps the password used to generate this key is not the most recent password?] )

This is the end of the stderr.log file:

[DEBUG] Wed Jul 29 02:18:38 CDT 2015 jcsi.kerberos: GSS: Acceptor supports: KRB5
[DEBUG] Wed Jul 29 02:18:38 CDT 2015 jcsi.kerberos: Ticket service name is: HTTP/biwebdev1.corp.Domain.com@CORP.DOMAIN.COM
[DEBUG] Wed Jul 29 02:18:38 CDT 2015 jcsi.kerberos: GSS name is: BOSSO/SVC_BOE_DEV.corp.Domain.com@CORP.DOMAIN.COM
[DEBUG] Wed Jul 29 02:18:38 CDT 2015 jcsi.kerberos: Using keytab entry for: BOSSO/SVC_BOE_DEV.corp.Domain.com@CORP.DOMAIN.COM
[DEBUG] Wed Jul 29 02:18:38 CDT 2015 jcsi.kerberos: ** decrypting ticket .. **
  with key
  Principal: BOSSO/SVC_BOE_DEV.corp.domain.com@CORP.DOMAIN.COM
  Type: 1
  TimeStamp: Wed Jul 29 02:16:16 CDT 2015
  KVNO: -1
  Key: [18,  75 67 53 b4 8 b0 df 1b 4d 2f a0 8a 13 bc aa f a e7 ff bd 47 f7 6c 3c 38 2d 9e 4a ca 43 b2 70 ]
[DEBUG] Wed Jul 29 02:18:38 CDT 2015 jcsi.kerberos: Could not decrypt service ticket with Key type 18, KVNO 2, Principal "HTTP/biwebdev1.corp.domain.com@CORP.DOMAIN.COM" using key:
Principal: [1] BOSSO/SVC_BOE_DEV.corp.domain.com@CORP.DOMAIN.COM
  TimeStamp: Wed Jul 29 02:16:16 CDT 2015
  KVNO: -1
  EncType: 18
  Key: 32 bytes, fingerprint = [4f 2 e1 98 79 dd 53 1 92 45 6e 61 29 eb a8 fb]
Exception for this key was:  com.dstc.security.kerberos.CryptoException: Integrity check failure[Note:  principal names are different;  this may or may not be a problem]
[Note:  KVNO used wildcard match, not exact match;  perhaps the password used to generate this key is not the most recent password?]
[DEBUG] Wed Jul 29 02:18:38 CDT 2015 jcsi.kerberos: Caused by: com.dstc.security.kerberos.CryptoException, Integrity check failure

This is my global.properties file:

sso.enabled=true
siteminder.enabled=false
vintela.enabled=true
idm.realm=CORP.DOMAIN.COM
idm.princ=BOSSO/SVC_BOE_DEV.corp.domain.com
idm.allowUnsecured=true
idm.allowNTLM=false
idm.logger.name=simple
idm.logger.props=error-log.properties
idm.keytab=E:/WINNT/DEV-TESTSSO.KEYTAB

BILaunchpad.properties file:

authentication.visible=true
authentication.default=secWinAD
cms.default=BIAPPDEV1:6400

These are my Tomcat Java options:

-Djava.library.path=C:\Windows\SysWOW64\;E:\Program Files (x86)\SAP BusinessObjects\SAP BusinessObjects Enterprise XI 4.0\win64_x64\
-Dcatalina.base=E:\Program Files (x86)\SAP BusinessObjects\tomcat\
-Dcatalina.home=E:\Program Files (x86)\SAP BusinessObjects\tomcat\
-Djava.endorsed.dirs=E:\Program Files (x86)\SAP BusinessObjects\tomcat\common\endorsed\
-Dbobj.enterprise.home=E:\Program Files (x86)\SAP BusinessObjects\SAP BusinessObjects Enterprise XI 4.0\
-Xrs
-XX:MaxPermSize=384M
-Djava.awt.headless=true
-XX:+HeapDumpOnOutOfMemoryError
-Xloggc:E:\Program Files (x86)\SAP BusinessObjects\tomcat\logs\tomcat.gc.log
-XX:+PrintGCDetails
-XX:+UseParallelOldGC
-Djava.security.auth.login.config=E:\WINNT\bscLogin.conf
-Djava.security.krb5.conf=E:\WINNT\krb5.ini
-Djcsi.kerberos.debug=true

AD manual login is working great.  Someone please help!

Accepted Solutions (1)

Former Member
0 Kudos

Hi, this was due to a misspelling in the SPN command.
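
A log triage helper for the stderr.log excerpt in the question, added here as an example and not part of the original thread or of any SAP tooling: it extracts the ticket SPN, keytab principal, encryption type and KVNO from jcsi.kerberos debug lines and flags the inconsistencies the log's own notes point at. The function names, field names and finding codes are this example's own assumptions.

```python
import re

# Lines copied from the stderr.log excerpt in the question above.
SAMPLE_LOG = """\
[DEBUG] Wed Jul 29 02:18:38 CDT 2015 jcsi.kerberos: Ticket service name is: HTTP/biwebdev1.corp.Domain.com@CORP.DOMAIN.COM
[DEBUG] Wed Jul 29 02:18:38 CDT 2015 jcsi.kerberos: Using keytab entry for: BOSSO/SVC_BOE_DEV.corp.Domain.com@CORP.DOMAIN.COM
[DEBUG] Wed Jul 29 02:18:38 CDT 2015 jcsi.kerberos: Could not decrypt service ticket with Key type 18, KVNO 2, Principal "HTTP/biwebdev1.corp.domain.com@CORP.DOMAIN.COM" using key:
  KVNO: -1
  EncType: 18
"""

# One regex per field; the field names are hypothetical, chosen for this example.
PATTERNS = {
    "ticket_spn": r"Ticket service name is:\s*(\S+)",
    "keytab_principal": r"Using keytab entry for:\s*(\S+)",
    "ticket_etype": r"Could not decrypt service ticket with Key type (\d+)",
    "ticket_kvno": r"with Key type \d+, KVNO (-?\d+)",
    "key_kvno": r"^\s*KVNO:\s*(-?\d+)",
    "key_etype": r"^\s*EncType:\s*(\d+)",
}

def parse(log):
    """Return the first match of each field, or None when the line is absent."""
    out = {}
    for name, pattern in PATTERNS.items():
        m = re.search(pattern, log, re.MULTILINE)
        out[name] = m.group(1) if m else None
    return out

def triage(log):
    """Return (code, detail) pairs for each inconsistency between ticket and key."""
    f = parse(log)
    findings = []
    spn, princ = f["ticket_spn"], f["keytab_principal"]
    if spn and princ and spn.lower() != princ.lower():
        findings.append(("principal-mismatch",
                         f"ticket is for {spn}; keytab entry is for {princ}"))
    if f["ticket_etype"] and f["key_etype"] and f["ticket_etype"] != f["key_etype"]:
        findings.append(("etype-mismatch",
                         f"ticket etype {f['ticket_etype']}, key etype {f['key_etype']}"))
    if f["ticket_kvno"] and f["key_kvno"] == "-1":
        findings.append(("kvno-wildcard",
                         f"ticket KVNO {f['ticket_kvno']} matched a key with no version"))
    elif f["ticket_kvno"] and f["key_kvno"] and f["ticket_kvno"] != f["key_kvno"]:
        findings.append(("kvno-mismatch",
                         f"ticket KVNO {f['ticket_kvno']}, key KVNO {f['key_kvno']}"))
    return findings

if __name__ == "__main__":
    for code, detail in triage(SAMPLE_LOG):
        print(f"{code}: {detail}")
```

On the poster's log this reports principal-mismatch and kvno-wildcard, the same two hints the exception text prints as notes; both are prompts to re-check the SPN and keytab commands character by character against the account that actually holds the HTTP/ SPN.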

Former Member
0 Kudos

Hi, I have the same issue.

What is your misspelling?

Second, why did you put BOSSO/SVC_.... in idem_princ and not directly the name of the system account, as mentioned in the administration guide?

Thanks

Answers (0)