SSO is not working on Business Objects 4.1 SP6 with AD/Tomcat

Former Member
0 Kudos

Hi Guys,

I set up SSO on Business Objects 4.1 SP6 with AD/Tomcat and followed all the suggested steps, but I keep running into the following issue when I launch the BI Launchpad. We are not using SSL in this case.

HTTP Status 500 - com.wedgetail.idm.sso.ProtocolException: com.wedgetail.idm.spnego.server.SpnegoException: GSSException: Failure unspecified at GSS-API level (Mechanism level: com.dstc.security.kerberos.KerberosException: Could not decrypt service ticket with Key type 18, KVNO 5, Principal "HTTP/bisdox.xxx.com@AD.xxx.com" using key: Principal: [1] _svc-bobj@AD.xxx.com TimeStamp: Fri Sep 25 09:36:12 CDT 2015 KVNO: -1 EncType: 18 Key: 32 bytes, fingerprint = [47 38 25 a b9 4f bd 5b 5d 4a 1c 35 b2 4c 42 aa] Exception for this key was: com.dstc.security.kerberos.CryptoException: Integrity check failure[Note: principal names are different; this may or may not be a problem] [Note: KVNO used wildcard match, not exact match; perhaps the password used to generate this key is not the most recent password?] )

Please let me know if anyone has any suggestions on troubleshooting this issue.

Thanks,

Puru.
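The error in the post above packs two sets of fields into one line: those of the service ticket and those of the key that failed to decrypt it. The following added example (not part of the original thread, and not SAP or Wedgetail code) parses them and lists what to verify; the function names and the shortened sample string are assumptions made for illustration.

```python
import re

# Constructed sample: the Kerberos part of the error quoted in the post, shortened.
SAMPLE = (
    'KerberosException: Could not decrypt service ticket with Key type 18, '
    'KVNO 5, Principal "HTTP/bisdox.xxx.com@AD.xxx.com" using key: '
    'Principal: [1] _svc-bobj@AD.xxx.com TimeStamp: Fri Sep 25 09:36:12 CDT 2015 '
    'KVNO: -1 EncType: 18 Key: 32 bytes Exception for this key was: '
    'com.dstc.security.kerberos.CryptoException: Integrity check failure'
)

# Ticket side: what the KDC issued. Key side: what the server tried to decrypt with.
TICKET_RE = re.compile(
    r'Key type (?P<etype>\d+), KVNO (?P<kvno>-?\d+), Principal "(?P<princ>[^"]+)"')
KEY_RE = re.compile(
    r'Principal: \[\d+\] (?P<princ>\S+) TimeStamp: .*? '
    r'KVNO: (?P<kvno>-?\d+) EncType: (?P<etype>\d+)')

def parse_decrypt_failure(msg):
    """Return the ticket-side and key-side fields of the error, or None."""
    t, k = TICKET_RE.search(msg), KEY_RE.search(msg)
    if not (t and k):
        return None
    def side(m):
        return {"etype": int(m["etype"]), "kvno": int(m["kvno"]),
                "principal": m["princ"]}
    return {"ticket": side(t), "key": side(k),
            "integrity_failure": "Integrity check failure" in msg}

def triage(info):
    """List what to verify, using only the fields the message reports."""
    ticket, key, out = info["ticket"], info["key"], []
    if ticket["etype"] != key["etype"]:
        out.append("enctype mismatch: ticket %d, key %d"
                   % (ticket["etype"], key["etype"]))
    if ticket["principal"].lower() != key["principal"].lower():
        out.append("principal names differ (ticket %s, key %s): confirm the SPN "
                   "is registered on that account"
                   % (ticket["principal"], key["principal"]))
    if key["kvno"] != ticket["kvno"]:
        out.append("key KVNO %d is not ticket KVNO %d: wildcard match, key may "
                   "come from an older password" % (key["kvno"], ticket["kvno"]))
    if info["integrity_failure"] and ticket["etype"] == key["etype"]:
        out.append("same enctype but integrity check failed: key material "
                   "differs, re-check the configured password or keytab")
    return out

if __name__ == "__main__":
    for finding in triage(parse_decrypt_failure(SAMPLE)):
        print("-", finding)
```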

Accepted Solutions (1)

Former Member
0 Kudos

Hi Puru,

There might be the following reasons:

Single Sign On fails due to a duplicate Service Principal Name (SPN)

  1. Delete the duplicate Service Principal Name (SPN) for the service account.
  2. Restart Tomcat.

Java parameters for Kerberos are not included in Tomcat java options.

  1. Open Tomcat configuration.
  2. Open JAVA tab.
  3. In JAVA OPTIONS, add the following switches:

-Djava.security.auth.login.config=c:\windows\bscLogin.conf

-Djava.security.krb5.conf=c:\windows\krb5.ini

If these files are in any other directory, change the path accordingly.

Regards,

Rajshree

Former Member
0 Kudos

Hi Rajshree,

Thanks for the response.

I followed those steps that you mentioned already and there is no duplicate SPN. Still it is an issue.

Please let me know if there are any other options.

Thanks,

Puru.

Answers (3)

rogerperkins
Explorer
0 Kudos

I had to create a keytab file even though I had the wedgetail password option set:

-Dcom.wedgetail.idm.sso.password={...}

former_member205064
Active Contributor
0 Kudos

It seems you are using a keytab; try to make it work with the forced password option first, then switch to the keytab.

Also use this guide for keytab and other configuration:

If possible, try to remove SSL and make it work; once it's working, create one more SPN for SSL:

HTTPS\servername.domain.com

Former Member
0 Kudos

Thanks for the response guys.

We are not using the keytab; instead we are using the forced password. I tried all the options indicated above.

Please let me know if you guys have any other suggestions.

Appreciate your time and help,

Puru.

former_member205064
Active Contributor
0 Kudos

Did you run the Ktpass command in your environment?

Specify

CMC->Authentication->AD->SPN:- serviceAccount@DOMAIN.COM

global.properties:-

idm.princ:- serviceAccount

Stop Tomcat, clear the cache. Start Tomcat and test the behavior.

Test on the client machine; do not test on the Tomcat server.

Former Member
0 Kudos

Thanks for your help guys.

It's working for us now. We fixed it by deleting a space ( ) within the service account password. Hope this helps someone.

Appreciate your time.

Puru.

Former Member
0 Kudos

Hi Puru,

Please confirm whether you have referred to the post below.

The steps mentioned here usually work well. As per the error message, there may be some issue with the SPN created on the DC.

Regards,

Hrishikesh