unable to SSO through web browser

Former Member
0 Kudos

Dear Experts,

I am able to log in through BOBJ 4.1 client tools like Webi Rich Client, information designer tool, etc. without giving a user name and password, just by selecting Windows AD authentication.

I am also able to log in manually through the web browser in BI launch pad using Windows AD authentication, but I am unable to log in with SSO through the web browser.

The stdout log shows:

common deamon procrun stdout initialized

  1. com.businessobjects.webpath.rebean3ws.Activator

Debug is true storekey false usrTicketCache false userkeyTab false donotprompt false ticketCache is null isinitiator true keyTab is null refreshkrb5Config is false principal is null tryFirstpass is false UseFirstpass is False storepass is false clearpass is false

[krb5LoginModule] user entered username :  smith.dev@uoo.dev

Acquire TGT using As Exchange

[krb5LoginModule] authentication failed pre-authentication information was invalid (24)

Regards

Accepted Solutions (0)

Answers (2)

Former Member
0 Kudos

Based on your description, it seems as if you have all of the correct Kerberos/Active Directory configurations. Perhaps you're just missing the settings specific to Single Sign-On (SSO) on your web application server.

I recommend that you review Section 9.4.6 "Single Sign-On Setup" of the BI 4.1 Administrator's Guide. Here's a link to the document: http://help.sap.com/businessobject/product_guides/sbo41/en/sbo41sp1_bip_admin_en.pdf

Regards,

Jeremy Shinall

SAP Business Analytics Services

Former Member
0 Kudos

Prasad and Shinall, thank you both for helping me.

I am unable to understand why SSO is not working through the browser.

The kinit command also creates a ticket.

setspn -l JOO\-svc-BizObjects.dev shows:

bobjservername/-svc-BizObjects.dev.joo.dev

HTTP/bobjservername.joo.dev

http:/bobjservername

service account name   -svc-BizObjects.dev

domain name   JOO.DEV

I also set, in CMC ---- Authentication ---- Windows AD, the authentication option to Kerberos and the service principal name to bobjservername/-svc-BizObjects.dev.joo.dev

After the manual configuration I created a global.properties file and added:

sso.enabled=true

siteminder.enabled=false

vintela.enabled=true

idm.realm=JOO.DEV

idm.princ=-svc-BizObjects.dev

idm.allowUnsecured=true

idm.allowNTLM=false

idm.logger.name=simple

idm.logger.props=error-log.properties

-Dcom.wedgetail.idm.sso.password=mypassword

-Djcsi.kerberos.debug=true

I also checked the service account password by manually logging in to BI launch pad.

The following parameters are also placed in the Tomcat configuration Java tab:

-Djava.security.auth.login.config=c:\windows\bscLogin.conf

-Djava.security.krb5.conf=c:\windows\krb5.ini

I also found my domain controller host name from the set command (the variable is LOGONSERVER), which is used in the krb5.ini file:

[libdefaults]

default_realm = JOO.DEV

dns_lookup_kdc = true

dns_lookup_realm = true

default_tgs_enctypes = rc4-hmac

default_tkt_enctypes = rc4-hmac

upd_perference_limit = 1

[realms]

JOO.DEV = {

kdc = domainhostname.JOO.DEV

default_demain = JOO.DEV

}

Regards

0 Kudos

Http:/bobjservername does not look like a valid SPN. Do you use the FQDN URL for trying the SSO out?

Make sure that your service account is trusted for delegation. This can be done on the Windows AD server under the Delegation tab in the user properties. In addition to that, make sure that the service account has the appropriate rights on the BO server.

Make sure that Tomcat also runs under the service account and that you have increased the HTTP header size in the listener definition.

Best regards,

Stratos

former_member189884
Contributor
0 Kudos

In your initial post you mention that the stdout says:

[krb5LoginModule] user entered username :  smith.dev@uoo.dev

whereas you list the domain as idm.realm=JOO.DEV in your most recent post. Was this a typo, or pseudo-domain names, or are these the actual domains being represented? If so, are there multiple domains involved?

-Josh
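
A lint pass over the krb5.ini posted earlier in the thread, together with the realm comparison raised in the reply above, as an added example that is not part of any post. The list of known key names is a subset taken from the MIT krb5.conf documentation and is an assumption of the example; `lint_krb5` and `realm_mismatch` are hypothetical helper names.

```python
import difflib

# Subset of key names from the MIT krb5.conf documentation (assumption of this example).
KNOWN = {
    "libdefaults": ["default_realm", "dns_lookup_kdc", "dns_lookup_realm",
                    "default_tgs_enctypes", "default_tkt_enctypes",
                    "permitted_enctypes", "udp_preference_limit", "forwardable"],
    "realm": ["kdc", "admin_server", "default_domain", "kpasswd_server"],
}

# The krb5.ini as posted in the thread, with the blank lines removed.
POSTED = """[libdefaults]
default_realm = JOO.DEV
dns_lookup_kdc = true
dns_lookup_realm = true
default_tgs_enctypes = rc4-hmac
default_tkt_enctypes = rc4-hmac
upd_perference_limit = 1
[realms]
JOO.DEV = {
kdc = domainhostname.JOO.DEV
default_demain = JOO.DEV
}"""

def lint_krb5(text):
    """Return (findings, settings); findings are (kind, key, suggestion) tuples."""
    findings, settings, scope = [], {}, None
    for line in (raw.split("#", 1)[0].strip() for raw in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            scope = line[1:-1].lower()            # [libdefaults], [realms], ...
        elif line.endswith("{") and scope in ("realms", "realm"):
            scope = "realm"                       # "JOO.DEV = {" opens a realm block
        elif "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            settings[key] = value
            if scope in KNOWN and key not in KNOWN[scope]:
                hint = difflib.get_close_matches(key, KNOWN[scope], n=1)
                findings.append(("unknown-key", key, hint[0] if hint else None))
            if key.endswith("_enctypes") and value.split() == ["rc4-hmac"]:
                findings.append(("rc4-only", key, None))   # RC4 deprecated by RFC 8429
    return findings, settings

def realm_mismatch(principal, settings):
    """True when the realm in user@realm differs from default_realm (case-insensitive)."""
    return principal.rpartition("@")[2].upper() != settings.get("default_realm", "").upper()

if __name__ == "__main__":
    print(*lint_krb5(POSTED)[0], sep="\n")
```

An unknown key is normally ignored by the Kerberos library rather than rejected, so a misspelled setting silently has no effect.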

Former Member
0 Kudos

Dear Experts,

I am able to SSO through the browser. The issue is:

I am trying to log in through http://IP address:port/BOE/BI, but when I log in through http://hostname.FQDN:port/BOE/BI I don't know why it is not working with IP or only hostname, because I also created setspn HTTP://IPaddress and

HTTP://hostname

I have configured only one AD hostname and one AD host, but there are four hostnames in the domain JOO.DEV. What configuration do I need to change? Please guide me.

Regards

0 Kudos

The SPN should be HTTP/<hostname> and NOT HTTP://<hostname>.

Can you please post here the output of setspn -l <service account>?

Best regards,

Stratos
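
The SPN form described in the reply above, checked against the entries quoted in this thread, as an added example that is not part of any post. It assumes the browser derives the SPN as HTTP/<host> from the URL host and requests no Kerberos ticket for an IP address (the Windows default); the function names, the address 192.0.2.10 and port 8080 are constructed for the example.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# service/host[:port][/name], with no URL scheme in it
SPN_RE = re.compile(r"^[^/:\s]+/(?P<host>[^/:\s]+)(:\d+)?(/\S+)?$")

# Entries quoted in the thread; 192.0.2.10 is a constructed stand-in for "IPaddress".
LISTED = ["bobjservername/-svc-BizObjects.dev.joo.dev",
          "HTTP/bobjservername.joo.dev", "http:/bobjservername",
          "HTTP://hostname", "HTTP/192.0.2.10"]

def is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def check_spn(spn):
    """Return the problems found in one SPN string; an empty list means well-formed."""
    if ":/" in spn:
        return ["written like a URL; the form is HTTP/<hostname>"]
    match = SPN_RE.match(spn)
    if not match:
        return ["not of the form service/host"]
    return ["host is an IP address"] if is_ip(match["host"]) else []

def spn_for_url(url):
    """SPN derived from the URL host (assumption: HTTP/<host>, none for an IP)."""
    host = urlsplit(url).hostname
    return None if host is None or is_ip(host) else "HTTP/" + host

def url_covered(url, registered):
    """True if a well-formed registered SPN matches the one derived from the URL."""
    wanted = spn_for_url(url)
    good = {s.lower() for s in registered if not check_spn(s)}
    return wanted is not None and wanted.lower() in good

if __name__ == "__main__":
    for spn in LISTED:
        print(spn, "->", check_spn(spn) or "ok")
    for host in ("bobjservername.joo.dev", "bobjservername", "192.0.2.10"):
        url = f"http://{host}:8080/BOE/BI"   # port 8080 is a constructed value
        print(url, "->", url_covered(url, LISTED))
```

With the listed entries only the FQDN URL is covered: the short hostname has no well-formed HTTP/bobjservername entry, and the IP URL yields no SPN to look up.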

Former Member
0 Kudos

SSO uses a completely different mechanism than manual authentication, and so does the tracing. In order to verify that SSO is being initialized properly we need to trace the server. See sections 7 and 8 of this doc for tracing and setup instructions:

http://blog.jamiebaldanza.org/wp-content/uploads/2012/04/Crystal-2011-AD-Authentication.pdf

Let me know if you have any difficulties while performing this.