on 09-28-2015 9:05 PM
Hi Guys,
I set up SSO on Business Objects 4.1 SP6 with AD/Tomcat and followed all the suggested steps, but I keep running into the following issue when I launch the BI Launchpad. We are not using SSL in this case.
HTTP Status 500 - com.wedgetail.idm.sso.ProtocolException: com.wedgetail.idm.spnego.server.SpnegoException: GSSException: Failure unspecified at GSS-API level (Mechanism level: com.dstc.security.kerberos.KerberosException: Could not decrypt service ticket with Key type 18, KVNO 5, Principal "HTTP/bisdox.xxx.com@AD.xxx.com" using key: Principal: [1] _svc-bobj@AD.xxx.com TimeStamp: Fri Sep 25 09:36:12 CDT 2015 KVNO: -1 EncType: 18 Key: 32 bytes, fingerprint = [47 38 25 a b9 4f bd 5b 5d 4a 1c 35 b2 4c 42 aa] Exception for this key was: com.dstc.security.kerberos.CryptoException: Integrity check failure[Note: principal names are different; this may or may not be a problem] [Note: KVNO used wildcard match, not exact match; perhaps the password used to generate this key is not the most recent password?] )
Please let me know if anyone has any suggestions on troubleshooting this issue.
Thanks,
Puru.
Hi Puru,
There might be the following reasons:
Single Sign-On fails due to a duplicate Service Principal Name (SPN)
1. Delete the duplicate Service Principal Name (SPN) for the service account.
2. Restart Tomcat.
The Java parameters for Kerberos are not included in the Tomcat Java options:
-Djava.security.auth.login.config=c:\windows\bscLogin.conf
-Djava.security.krb5.conf=c:\windows\krb5.ini
If these files are in any other directory, change the path accordingly.
Regards,
Rajshree
I had to create a keytab file even though I had the wedgetail password option set:
-Dcom.wedgetail.idm.sso.password={...}
Did you run the ktpass command in your environment?
Specify:
CMC -> Authentication -> AD -> SPN: serviceAccount@DOMAIN.COM
global.properties:
idm.princ: serviceAccount
Stop Tomcat, clear the cache, start Tomcat and test the behavior.
Test on a client machine; do not test on the Tomcat server.
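As an added example (not part of the thread, and not SAP's or any poster's code), the following PowerShell walks the checks suggested in the two answers above against the symptoms in the original error: a duplicate SPN, a ticket KVNO (5) that does not match the service account's current key version, and a key type 18 (AES256) ticket that the key on the Tomcat side cannot decrypt. The account name svc-bobj, the SPN HTTP/bisdox.xxx.com, the realm AD.XXX.COM, the keytab path, the Tomcat service name BOEXI40Tomcat and the procrun registry path are all assumptions; substitute your own values.

```powershell
# Added example, not from the original thread. Assumed names: service account
# svc-bobj, SPN HTTP/bisdox.xxx.com, realm AD.XXX.COM, keytab C:\windows\bobj.keytab,
# Tomcat service BOEXI40Tomcat. Run as a domain admin with RSAT (ActiveDirectory
# module), setspn and ktpass available.
Import-Module ActiveDirectory

$account    = 'svc-bobj'
$spn        = 'HTTP/bisdox.xxx.com'
$realm      = 'AD.XXX.COM'
$ticketKvno = 5                        # "KVNO 5" from the Could not decrypt service ticket error
$keytab     = 'C:\windows\bobj.keytab' # assumed path; must match the keytab Tomcat is configured with

# 1. Duplicate SPN: the KDC encrypts the service ticket with the key of whichever
#    account it resolves the SPN to. If a second object also holds the SPN, the
#    key on the Tomcat side can never decrypt it ("Integrity check failure").
$holders = @(Get-ADObject -LDAPFilter "(servicePrincipalName=$spn)")
if ($holders.Count -ne 1) {
    Write-Warning "$spn is held by $($holders.Count) objects: $($holders.DistinguishedName -join '; ')"
    # Remove it from the object that should not have it, e.g.: setspn -D $spn <otherAccount>
}
setspn -X    # forest-wide duplicate scan; any SPN listed twice must be fixed before anything else

# 2. Stale key: the KVNO in the ticket must equal the account's current key version.
#    The error's "KVNO: -1 ... wildcard match" means the key on Tomcat carries no
#    version at all, so a password change since the key was generated goes unnoticed.
$svc  = Get-ADUser $account -Properties 'msDS-KeyVersionNumber','msDS-SupportedEncryptionTypes'
$kvno = $svc.'msDS-KeyVersionNumber'
if ($kvno -ne $ticketKvno) {
    Write-Warning "ticket KVNO $ticketKvno but account KVNO is ${kvno}: regenerate the keytab"
}

# 3. Key type 18 is aes256-cts-hmac-sha1-96. Allow AES on the account
#    (0x10 = AES256, 0x08 = AES128 in msDS-SupportedEncryptionTypes) so the
#    ticket enctype and the keytab enctype below agree.
Set-ADUser $account -Replace @{'msDS-SupportedEncryptionTypes' = 0x18}

# 4. Regenerate the keytab. /pass RESETS the AD password of the account to this
#    value, so it must be the same password configured for the account in the CMC.
$secret = Read-Host -AsSecureString "Password for $account"   # prompt, so it stays out of shell history
$plain  = [Runtime.InteropServices.Marshal]::PtrToStringAuto(
            [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secret))
ktpass /princ "$spn@$realm" /mapuser "$account@$realm" /pass $plain `
       /crypto AES256-SHA1 /ptype KRB5_NT_PRINCIPAL /out $keytab

# Only the identity Tomcat runs as (assumed LocalSystem here) and admins may read the keytab.
icacls $keytab /inheritance:r /grant:r 'NT AUTHORITY\SYSTEM:R' 'BUILTIN\Administrators:F'

# 5. Confirm the two Kerberos JVM options from the first answer are actually set.
#    procrun (the Tomcat service wrapper) stores them in the registry; path is assumed.
$svcName = 'BOEXI40Tomcat'
$javaKey = "HKLM:\SOFTWARE\Apache Software Foundation\Procrun 2.0\$svcName\Parameters\Java"
$opts    = (Get-ItemProperty $javaKey).Options
foreach ($need in '-Djava.security.auth.login.config=', '-Djava.security.krb5.conf=') {
    if (-not ($opts -match [regex]::Escape($need))) {
        Write-Warning "Tomcat JVM option missing: $need"
    }
}
# Then restart the service and test from a client machine, not from the Tomcat host.
Restart-Service $svcName
```

Two caveats worth keeping in mind when choosing between the keytab and the -Dcom.wedgetail.idm.sso.password option mentioned earlier in the thread: the JVM option puts the service account password in clear text in the Tomcat command line, where anyone who can list processes or read the service configuration can see it, while a keytab can at least be locked down with an ACL as above; and on older JVMs an AES256 (type 18) keytab also needs the unlimited-strength JCE policy files installed, otherwise the ticket cannot be decrypted even when the key itself is correct.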