on 09-26-2013 9:46 AM
Dear Experts,
I am able to log in through BOBJ 4.1 client tools like Webi Rich Client, information designer tool, etc. without giving a user and password; I just select Windows AD authentication.
I am also able to log in manually through the web browser in BI launch pad using Windows AD authentication, but I am unable to log in with SSO through the web browser.
The stdout log shows:
common deamon procrun stdout initialized
Debug is true storekey false usrTicketCache false userkeyTab false donotprompt false ticketCache is null isinitiator
true keyTab is null refreshkrb5Config is false principal is null tryFirstpass is false UseFirstpass is False
storepass is false clearpass is false [krb5LoginModule] user entered username : smith.dev@uoo.dev
Acquire TGT using As Exchange
[krb5LoginModule] authentication failed pre-authentication information was invalid (24)
Regards
Based on your description, it seems as if you have all of the correct Kerberos/Active Directory configurations. Perhaps you're just missing the settings specific to Single Sign-On (SSO) on your web application server.
I recommend that you review Section 9.4.6 "Single Sign-On Setup" of the BI 4.1 Administrator's Guide. Here's a link to the document: http://help.sap.com/businessobject/product_guides/sbo41/en/sbo41sp1_bip_admin_en.pdf
Regards,
Jeremy Shinall
SAP Business Analytics Services
Prasad and Shinall, thank you both for helping me.
I am unable to understand why SSO is not working through the browser.
The kinit command also creates a ticket.
setspn -l JOO\-svc-BizObjects.dev shows:
bobjservername/-svc-BizObjects.dev.joo.dev
HTTP/bobjservername.joo.dev
http:/bobjservername
service account name -svc-BizObjects.dev
domain name JOO.DEV
I also set, in CMC ---- Authentication ---- Windows AD ---, the authentication option to Kerberos and the service principal name to bobjservername/-svc-BizObjects.dev.joo.dev
After manual configuration I created the global.properties file and added:
sso.enabled=true
siteminder.enabled=false
vintela.enabled=true
idm.realm=JOO.DEV
idm.princ=-svc-BizObjects.dev
idm.allowUnsecured=true
idm.allowNTLM=false
idm.logger.name=simple
idm.logger.props=error-log.properties
-Dcom.wedgetail.idm.sso.password=mypassword
-Djcsi.kerberos.debug=true
I also checked the service account password by logging in manually to BI launch pad.
The following parameters are also placed in the Tomcat configuration Java tab:
-Djava.security.auth.login.config=c:\windows\bscLogin.conf
-Djava.security.krb5.conf=c:\windows\krb5.ini
I also found my domain controller host name from the set command (the variable is LOGONSERVER),
which is used in the krb5.ini file:
[libdefaults]
default_realm = JOO.DEV
dns_lookup_kdc = true
dns_lookup_realm = true
default_tgs_enctypes = rc4-hmac
default_tkt_enctypes = rc4-hmac
udp_preference_limit = 1
[realms]
JOO.DEV = {
kdc = domainhostname.JOO.DEV
default_domain = JOO.DEV
}
Regards
Http:/bobjservername does not look like a valid SPN. Do you use the FQDN URL for trying the SSO out?
Make sure that your service account is trusted for delegation. This can be done in the Windows AD server under the delegation tab in the user properties. In addition to that, make sure that the service account has the appropriate rights on the BO server.
Make sure that Tomcat also runs under the service account and that you have increased the HTTP header size in the listener definition.
Best regards,
Stratos
In your initial post you mention the stdout says:
[krb5LoginModule] user entered username : smith.dev@uoo.dev
whereas you list the domain as idm.realm=JOO.DEV in your most recent post. Was this a typo or pseudo-domain names, or are these the actual domains being represented? If so, are there multiple domains involved?
-Josh
Dear Experts,
I am able to SSO through the browser. The issue is:
I am trying to log in through http://IP address:port/BOE/BI, but when I log in through http://hostname.FQDN:port/BOE/BI I don't know why it is not working with the IP or only the hostname, because I also created setspn HTTP://IPaddress.
I have configured only one AD hostname and one AD host, but there are four hostnames in the domain JOO.DEV. What configuration do I need to change? Please guide me.
Regards
The SPN should be HTTP/<hostname> and NOT HTTP://<hostname>.
Can you please post here the output of setspn -l <service account>?
Best regards,
Stratos
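The SPN format rule from the replies above, as an added example (not code from the thread or from SAP): a Python check over `setspn -l` output that flags URL-style and IP-address entries and tests whether the host typed in the browser URL has a well-formed HTTP SPN. The sample listing, the account DN, the 192.0.2.10 address and all function names are constructed for illustration.

```python
import ipaddress
import re

# Constructed listing modelled on the `setspn -l` output quoted in the thread;
# the account DN and the 192.0.2.10 address are placeholders.
SAMPLE_SETSPN = """\
Registered ServicePrincipalNames for CN=svc,DC=joo,DC=dev:
    bobjservername/-svc-BizObjects.dev.joo.dev
    HTTP/bobjservername.joo.dev
    http:/bobjservername
    HTTP://192.0.2.10
"""

SPN_RE = re.compile(r"^(?P<cls>[\w-]+)/(?P<host>[^/:\s]+)(?::(?P<port>\d+))?$")

def parse_spns(listing):
    """Return the SPN strings (the indented lines) from setspn -l output."""
    return [ln.strip() for ln in listing.splitlines()
            if ln[:1] in (" ", "\t") and ln.strip()]

def check_spn(spn):
    """Return the problems found in one SPN; an empty list means well-formed."""
    if ":/" in spn:
        return ["URL syntax; an SPN is serviceclass/host, e.g. HTTP/host.fqdn"]
    m = SPN_RE.match(spn)
    if not m:
        return ["not in serviceclass/host[:port] form"]
    try:
        ipaddress.ip_address(m["host"])
    except ValueError:
        return []
    # Windows clients do not request Kerberos tickets for IP literals by default.
    return ["host is an IP address; register the host name instead"]

def http_hosts(listing):
    """Hosts that have a well-formed HTTP SPN, lower-cased."""
    hosts = set()
    for spn in parse_spns(listing):
        m = SPN_RE.match(spn)
        if m and not check_spn(spn) and m["cls"].upper() == "HTTP":
            hosts.add(m["host"].lower())
    return hosts

def url_host_covered(url_host, listing):
    """True if the host typed in the browser URL has a matching HTTP SPN."""
    return url_host.lower() in http_hosts(listing)

if __name__ == "__main__":
    for spn in parse_spns(SAMPLE_SETSPN):
        print(spn, "->", check_spn(spn) or "ok")
```

With this listing only the FQDN is covered, so a URL that uses the short host name or the IP address has no usable HTTP SPN to request a ticket for.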
SSO uses a completely different mechanism than manual authentication, and so does the tracing. In order to verify that SSO is being initialized properly, we need to trace the server. See sections 7 and 8 of this doc for tracing and setup instructions:
http://blog.jamiebaldanza.org/wp-content/uploads/2012/04/Crystal-2011-AD-Authentication.pdf
Let me know if you have any difficulties while performing this.