on 03-04-2014 9:08 AM
Hi Experts and Gurus,
I am facing an issue with Windows Active Directory login configuration.
The error I am getting is as below:
"Account Information Not Recognized: Active Directory Authentication failed to log you on. Please contact your system administrator to make sure you are a member of a valid mapped group and try again. If you are not a member of default domain, enter your user name as UserName@DNS_DomainName, and then try again. (FWM 00006)"
My Landscape Details:
SAP BO XI 3.1 SP5 installed on Windows 2008 R2
My doubts:
I am following Tim Ziemba document "Configuring Vintela SSO in Distributed Environments – Complete Guide"
A little about our AD server landscape
Our AD server is a cluster of servers which is managed by a load balancer: GC.ED.NET
eg: GC.ED.NET >> Node 1,Node 2,Node 3
So we initially created the SPN against the service account "Puser" in "Node 1" among the AD cluster, where the user and group are created, but when we tried with the load balancer ID GC.ED.NET in Krb5.ini it was not working. I tested this using the KINIT command and no tickets were raised.
setspn -a BICMS/SYSTEMNAME.ED.NET Puser
Then we gave the node server name "Node 1", where the service account and group are created; still no response.
Then the Windows AD Administrator suggested that we need to create an SPN against the node too, so he created an SPN against "Node 1"
setspn -a BICMS/SYSTEMNAME.ED.NET Node 1
Then the KINIT command was generating a ticket, but when I tried this in BO InfoView I got the error I mentioned above.
Kindly help, as I am finding it very difficult to move forward.
Thanks in advance
Hi,
you have to run the setspn command against the User, not the Domain Controller.
Are you able to leverage the WinAD Authentication when using Client Tools such as the CCM or the Universe Designer?
Regards
-Seb.
Hi Sebastian,
Thanks for the reply.
I tried with Webi Rich Client and I am able to log in by selecting Windows AD user name and password.
The SPN I have provided in CMC is against the service account only
setspn -a BICMS/SYSTEMNAME.ED.NET Puser
But the reason I mentioned the SPN against the system is:
first, when I tried KINIT from the jdk/bin folder, the ticket was not being generated, so the Windows AD Admin created one more SPN against the system.
Then KINIT started issuing tickets.
Please suggest.
Hello,
OK, if you can log in with the WRC with Win AD Authentication then that part is OK. So the problem is with your Java configuration.
Please enable the Kerberos debugger, re-create the error message and check the Tomcat logs
http://service.sap.com/sap/support/notes/1372493
Here you can see the most common Kerberos error messages and their explanations
http://service.sap.com/sap/support/notes/1794675
Regards
-Seb.
Hi Sebastian,
Thanks for the SAP notes.
I am getting this error in Tomcat STDOUT
Acquire TGT using AS Exchange
[Krb5LoginModule] authentication failed
Could not load configuration file C:\WINNT \Krb5.ini (The filename, directory name, or volume label syntax is incorrect)
88096 [http-8080-Processor23] DEBUG org.apache.catalina.core.ContainerBase.[Catalina].[localhost].[/PlatformServices] - servletPath=/jsp/Shared_Logon/logon.jsp, pathInfo=null, queryString=null, name=null
Kindly see the Krb5.ini file below
[libdefaults]
default_realm = ED.NET
dns_lookup_kdc = true
dns_lookup_realm = true
default_tgs_enctypes = rc4-hmac
default_tkt_enctypes = rc4-hmac
udp_preference_limit = 1
[realms]
ED.NET = {
kdc = DEFRARMPAD01.ED.NET
default_domain = ED.NET
}
I have gone through the file and can't find any syntax error.
Thanks in advance
Adding a few more points
STDOUT log is also showing this message
Debug is true storeKey false useTicketCache false useKeyTab false doNotPrompt false ticketCache is null isInitiator true KeyTab is null refreshKrb5Config is false principal is null tryFirstPass is false useFirstPass is false storePass is false clearPass is false
[Krb5LoginModule] user entered username: p.fldw.1@ED.NET
then
cquire TGT using AS Exchange
[Krb5LoginModule] authentication failed
Could not load configuration file C:\WINNT \Krb5.ini (The filename, directory name, or volume label syntax is incorrect)
2235804 [http-8080-Processor23] DEBUG org.apache.catalina.core.ContainerBase.[Catalina].[localhost].[/PlatformServices] - servletPath=/jsp/Shared_Logon/logon.jsp, pathInfo=null, queryString=null, name=null
2235804 [http-8080-Processor23] DEBUG org.apache.catalina.core.ContainerBase.[Catalina].[localhost].[/PlatformServices] - Path Based Forward
2235804 [http-8080-Processor23] DEBUG org.apache.jasper.servlet.JspServlet - JspEngine --> /jsp/Shared_Logon/logon.jsp
2235804 [http-8080-Processor23] DEBUG org.apache.jasper.servlet.JspServlet - ServletPath: /jsp/Shared_Logon/logon.jsp
2235804 [http-8080-Processor23] DEBUG org.apache.jasper.servlet.JspServlet - PathInfo: null
2235804 [http-8080-Processor23] DEBUG org.apache.jasper.servlet.JspServlet - RealPath: D:\Program Files (x86)\Business Objects\Tomcat55\webapps\PlatformServices\jsp\Shared_Logon\logon.jsp
2235804 [http-8080-Processor23] DEBUG org.apache.jasper.servlet.JspServlet - RequestURI: /PlatformServices/jsp/Shared_Logon/logon.jsp
2235804 [http-8080-Processor23] DEBUG org.apache.jasper.servlet.JspServlet - QueryString: null
2235804 [http-8080-Processor23] DEBUG org.apache.catalina.core.ContainerBase.[Catalina].[localhost].[/PlatformServices] - servletPath=/jsp/Shared_Logon/_logon.jsp, pathInfo=null, queryString=null, name=null
2235804 [http-8080-Processor23] DEBUG org.apache.catalina.core.ContainerBase.[Catalina].[localhost].[/PlatformServices] - Path Based Include
2235804 [http-8080-Processor23] DEBUG org.apache.jasper.servlet.JspServlet - JspEngine --> /jsp/Shared_Logon/_logon.jsp
2235804 [http-8080-Processor23] DEBUG org.apache.jasper.servlet.JspServlet - ServletPath: /jsp/Shared_Logon/logon.jsp
2235804 [http-8080-Processor23] DEBUG org.apache.jasper.servlet.JspServlet - PathInfo: null
2235804 [http-8080-Processor23] DEBUG org.apache.jasper.servlet.JspServlet - RealPath: D:\Program Files (x86)\Business Objects\Tomcat55\webapps\PlatformServices\jsp\Shared_Logon\_logon.jsp
2235804 [http-8080-Processor23] DEBUG org.apache.jasper.servlet.JspServlet - RequestURI: /PlatformServices/jsp/Shared_Logon/logon.jsp
2235804 [http-8080-Processor23] DEBUG org.apache.jasper.servlet.JspServlet - QueryString: null
2235804 [http-8080-Processor23] DEBUG org.apache.catalina.core.ContainerBase.[Catalina].[localhost].[/PlatformServices] - Disabling the response for futher output
Hi,
Can you check the name? It is case sensitive.
It should be "krb5.ini"; in your case "k" is in upper case.
Also place both the files under this path: "C:\windows\krb5.ini"
Tomcat options should be this:
-Djava.security.auth.login.config=c:\windows\bscLogin.conf
-Djava.security.krb5.conf=c:\windows\krb5.ini
Hope this helps.
-Satish
Hi,
The location of the krb5.ini doesn't truly matter as long as it is correctly specified in Tomcat's java options and accessible by the account running the service. From the error, it looks as if there is a white space (blank) in between the folder and backslash:
Acquire TGT using AS Exchange
[Krb5LoginModule] authentication failed
Could not load configuration file C:\WINNT \Krb5.ini (The filename, directory name, or volume label syntax is incorrect)
Correct the file location in the java option to correctly point to the krb5.ini file (whether it's stored in C:/Windows or C:/WINNT), then restart Tomcat to enforce the change.
Regards,
Morgan
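The check described in the reply above, as an added example that is not part of the original thread: a PowerShell function that takes Tomcat's Java options, flags whitespace around any path segment, and confirms that each referenced file exists. The `$javaOptions` array is constructed sample input and the function name `Test-KerberosJavaOption` is hypothetical; run it as the account that runs the Tomcat service.

```powershell
# Added example: validate the Kerberos-related Java options passed to Tomcat.
# $javaOptions is constructed sample input; paste the real option lines in its place.
$javaOptions = @(
    '-Djava.security.auth.login.config=c:\windows\bscLogin.conf',
    '-Djava.security.krb5.conf=C:\WINNT \Krb5.ini'   # stray blank, as in the STDOUT log
)

function Test-KerberosJavaOption {
    param([string[]]$Options)

    # The two system properties the thread configures for the Krb5LoginModule
    $wanted = 'java.security.krb5.conf', 'java.security.auth.login.config'

    foreach ($name in $wanted) {
        $prefix  = "-D$name="
        $matches = @($Options | Where-Object { $_.StartsWith($prefix) })

        if ($matches.Count -eq 0) {
            New-Object PSObject -Property @{ Option = $name; Path = ''; Problem = 'option not set' }
            continue
        }

        foreach ($opt in $matches) {
            $path     = $opt.Substring($prefix.Length)
            $problems = @()

            # A blank before or after a separator (or at either end of the value)
            # yields a path that does not name the intended file.
            foreach ($segment in ($path -split '[\\/]')) {
                if ($segment -ne $segment.Trim()) {
                    $problems += "whitespace around segment '$segment'"
                }
            }

            # Only test for the file once the path itself is well formed.
            if ($problems.Count -eq 0 -and -not (Test-Path -LiteralPath $path -PathType Leaf)) {
                $problems += 'file not found (or not visible to this account)'
            }

            if ($problems.Count -eq 0) { $problems = @('ok') }
            New-Object PSObject -Property @{
                Option = $name; Path = $path; Problem = ($problems -join '; ')
            }
        }
    }
}

Test-KerberosJavaOption -Options $javaOptions | Format-Table Option, Path, Problem -AutoSize
```

After correcting any option it flags, restart Tomcat so the new value is picked up.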
Moved to BI Platform space