
Windows AD login configuration issue

Former Member
0 Kudos


Hi Experts and Gurus,

I am facing an issue with Windows Active Directory login configuration.

The error I am getting is as below:

"Account Information Not Recognized: Active Directory Authentication failed to log you on. Please contact your system administrator to make sure you are a member of a valid mapped group and try again. If you are not a member of default domain, enter your user name as UserName@DNS_DomainName, and then try again. (FWM 00006)"

My Landscape Details:

SAP BO XI 3.1 SP5 installed on Windows 2008 R2

My doubts:

I am following Tim Ziemba's document "Configuring Vintela SSO in Distributed Environments – Complete Guide".

A little about our AD server landscape:

Our AD server is a cluster of servers which is managed by a load balancer: GC.ED.NET

e.g. GC.ED.NET >> Node 1, Node 2, Node 3

So we initially created an SPN against the service account "Puser" on "Node 1" of the AD cluster, where the user and group are created, but when we tried the load balancer ID GC.ED.NET in Krb5.ini it did not work. I tested this using the KINIT command and no tickets were raised.

setspn -a BICMS/SYSTEMNAME.ED.NET Puser


Then we gave the node server name "Node 1", where the service account and group are created; still no response.

Then the Windows AD Administrator suggested that we need to create an SPN against the node too, so he created an SPN against "Node 1".

setspn -a BICMS/SYSTEMNAME.ED.NET Node 1

Then the KINIT command was generating a ticket, but when I tried this in BO InfoView I got the error I mentioned above.

Kindly help, as I am finding it very difficult to move forward.

Thanks in advance

Accepted Solutions (1)

0 Kudos

Hi,

you have to run the setspn command against the User, not the Domain Controller.

Are you able to leverage the WinAD Authentication when using Client Tools such as the CCM or the Universe Designer?

Regards

-Seb.

Former Member
0 Kudos

Hi Sebastian,

Thanks for the reply.

I tried with Webi Rich Client and I am able to log in by selecting Windows AD and entering the user name and password.

The SPN I have provided in the CMC is against the service account only:

setspn -a BICMS/SYSTEMNAME.ED.NET Puser

The reason I mentioned the SPN against the system is:

First, when I tried KINIT from the jdk/bin folder, the ticket was not being generated, so the Windows AD admin created one more SPN against the system.

Then KINIT started issuing tickets.

Please suggest.

0 Kudos

Hello,

OK, if you can log in with the WRC using Win AD Authentication then that part is OK. So the problem is with your Java configuration.

Please enable the Kerberos debugger, re-create the error message and check the Tomcat logs.

http://service.sap.com/sap/support/notes/1372493

Here you can see the most common Kerberos error messages and their explanations:

http://service.sap.com/sap/support/notes/1794675

Regards

-Seb.

Former Member
0 Kudos

Hi Sebastian,

Thanks for the SAP notes.

I am getting this error in Tomcat STDOUT:

Acquire TGT using AS Exchange

  [Krb5LoginModule] authentication failed

Could not load configuration file  C:\WINNT \Krb5.ini (The filename, directory name, or volume label syntax is incorrect)

88096 [http-8080-Processor23] DEBUG org.apache.catalina.core.ContainerBase.[Catalina].[localhost].[/PlatformServices]  - servletPath=/jsp/Shared_Logon/logon.jsp, pathInfo=null, queryString=null, name=null

Kindly see the Krb5.ini file below:

[libdefaults]
default_realm = ED.NET
dns_lookup_kdc = true
dns_lookup_realm = true
default_tgs_enctypes = rc4-hmac
default_tkt_enctypes = rc4-hmac
udp_preference_limit = 1

[realms]
ED.NET = {
    kdc = DEFRARMPAD01.ED.NET
    default_domain = ED.NET
}

I have gone through the file and can't find any syntax error.

Thanks in advance

Former Member
0 Kudos

Adding a few more points:

The STDOUT log is also showing this message:

Debug is  true storeKey false useTicketCache false useKeyTab false doNotPrompt false ticketCache is null isInitiator true KeyTab is null refreshKrb5Config is false principal is null tryFirstPass is false useFirstPass is false storePass is false clearPass is false

  [Krb5LoginModule] user entered username: p.fldw.1@ED.NET

then

Acquire TGT using AS Exchange

  [Krb5LoginModule] authentication failed

Could not load configuration file  C:\WINNT \Krb5.ini (The filename, directory name, or volume label syntax is incorrect)

2235804 [http-8080-Processor23] DEBUG org.apache.catalina.core.ContainerBase.[Catalina].[localhost].[/PlatformServices]  - servletPath=/jsp/Shared_Logon/logon.jsp, pathInfo=null, queryString=null, name=null

2235804 [http-8080-Processor23] DEBUG org.apache.catalina.core.ContainerBase.[Catalina].[localhost].[/PlatformServices]  -  Path Based Forward

2235804 [http-8080-Processor23] DEBUG org.apache.jasper.servlet.JspServlet  - JspEngine --> /jsp/Shared_Logon/logon.jsp

2235804 [http-8080-Processor23] DEBUG org.apache.jasper.servlet.JspServlet  -       ServletPath: /jsp/Shared_Logon/logon.jsp

2235804 [http-8080-Processor23] DEBUG org.apache.jasper.servlet.JspServlet  -          PathInfo: null

2235804 [http-8080-Processor23] DEBUG org.apache.jasper.servlet.JspServlet  -          RealPath: D:\Program Files (x86)\Business Objects\Tomcat55\webapps\PlatformServices\jsp\Shared_Logon\logon.jsp

2235804 [http-8080-Processor23] DEBUG org.apache.jasper.servlet.JspServlet  -        RequestURI: /PlatformServices/jsp/Shared_Logon/logon.jsp

2235804 [http-8080-Processor23] DEBUG org.apache.jasper.servlet.JspServlet  -       QueryString: null

2235804 [http-8080-Processor23] DEBUG org.apache.catalina.core.ContainerBase.[Catalina].[localhost].[/PlatformServices]  - servletPath=/jsp/Shared_Logon/_logon.jsp, pathInfo=null, queryString=null, name=null

2235804 [http-8080-Processor23] DEBUG org.apache.catalina.core.ContainerBase.[Catalina].[localhost].[/PlatformServices]  -  Path Based Include

2235804 [http-8080-Processor23] DEBUG org.apache.jasper.servlet.JspServlet  - JspEngine --> /jsp/Shared_Logon/_logon.jsp

2235804 [http-8080-Processor23] DEBUG org.apache.jasper.servlet.JspServlet  -       ServletPath: /jsp/Shared_Logon/logon.jsp

2235804 [http-8080-Processor23] DEBUG org.apache.jasper.servlet.JspServlet  -          PathInfo: null

2235804 [http-8080-Processor23] DEBUG org.apache.jasper.servlet.JspServlet  -          RealPath: D:\Program Files (x86)\Business Objects\Tomcat55\webapps\PlatformServices\jsp\Shared_Logon\_logon.jsp

2235804 [http-8080-Processor23] DEBUG org.apache.jasper.servlet.JspServlet  -        RequestURI: /PlatformServices/jsp/Shared_Logon/logon.jsp

2235804 [http-8080-Processor23] DEBUG org.apache.jasper.servlet.JspServlet  -       QueryString: null

2235804 [http-8080-Processor23] DEBUG org.apache.catalina.core.ContainerBase.[Catalina].[localhost].[/PlatformServices]  -  Disabling the response for futher output

satishsoni
Participant
0 Kudos

Hi,

Can you check the name? It's case sensitive.

It should be "krb5.ini"; in your case the "k" is in upper case.

Also place both the files under this path: "C:\windows\krb5.ini"

Tomcat options should be this:

-Djava.security.auth.login.config=c:\windows\bscLogin.conf

-Djava.security.krb5.conf=c:\windows\krb5.ini

Hope this helps.

-Satish

0 Kudos

Hi,

Satish is right here. Looks like Tomcat is searching in the wrong place for the krb5.ini file. Please check this and retry. Also check for typos in the path.

Regards

-Seb.

0 Kudos

Hi,

The location of the krb5.ini doesn't truly matter as long as it is correctly specified in Tomcat's java options and accessible by the account running the service.  From the error, it looks as if there is a white space (blank) in between the folder and backslash:

Acquire TGT using AS Exchange

  [Krb5LoginModule] authentication failed

Could not load configuration file  C:\WINNT \Krb5.ini (The filename, directory name, or volume label syntax is incorrect)

Correct the file location in the java option to correctly point to the krb5.ini file (whether it's stored in C:/Windows or C:/WINNT), then restart Tomcat to enforce the change.

Regards,

Morgan
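
Added example, not part of the original thread or of any SAP tooling: a Python check for the malformed path described in the reply above, applied both to the Tomcat Java options and to the stdout log. The function names are hypothetical, and the sample options and log lines are constructed from the error quoted in the thread.

```python
import re

# JVM system properties that tell Krb5LoginModule where its files are
# (both names appear in the Tomcat options quoted in this thread).
PATH_OPTS = ("java.security.krb5.conf", "java.security.auth.login.config")
# The path is everything between the message and the trailing "(reason)".
LOAD_ERR = re.compile(
    r"Could not load configuration file\s+(.+)\s+\([^()]*\)\s*$", re.M)
# Whitespace touching a separator, or at either end of the value.
BAD_WS = re.compile(r"\s+[\\/]|[\\/]\s+|^\s+|\s+$")


def path_problems(path):
    """Return the reasons a Windows path string cannot be opened as written."""
    problems = []
    if BAD_WS.search(path):
        problems.append("whitespace beside a separator or at the ends")
    if any(ch in path for ch in '<>"|?*'):
        problems.append("character not allowed in Windows file names")
    return problems


def check_java_options(options):
    """Map each Kerberos path option (one -D per line) to its problems."""
    findings = {}
    for line in options.splitlines():
        m = re.match(r"\s*-D([\w.]+)=(.*)$", line)
        # No strip() on the value: a stray blank is exactly what we look for.
        if m and m.group(1) in PATH_OPTS and path_problems(m.group(2)):
            findings[m.group(1)] = path_problems(m.group(2))
    return findings


def failed_config_paths(log_text):
    """Paths the JVM reported it could not load, if they are malformed."""
    return sorted({p for p in LOAD_ERR.findall(log_text) if path_problems(p)})


# Constructed samples modelled on the thread (not the poster's real settings).
SAMPLE_OPTIONS = r"""-Djava.security.auth.login.config=C:\WINNT\bscLogin.conf
-Djava.security.krb5.conf=C:\WINNT \Krb5.ini"""
SAMPLE_LOG = r"""  [Krb5LoginModule] authentication failed
Could not load configuration file  C:\WINNT \Krb5.ini (The filename, directory name, or volume label syntax is incorrect)
2235804 [http-8080-Processor23] DEBUG org.apache.jasper.servlet.JspServlet  -  RealPath: D:\Program Files (x86)\Business Objects\Tomcat55\webapps\x.jsp"""

if __name__ == "__main__":
    print(check_java_options(SAMPLE_OPTIONS))
    print(failed_config_paths(SAMPLE_LOG))
```

A blank inside a folder name, as in "Program Files (x86)", is not flagged; only whitespace that touches a separator or the ends of the option value is.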

satishsoni
Participant
0 Kudos

True, you do have a space in the syntax. Please remove the extra space between:

C:\WINNT and \Krb5.ini.

Other than this, Tomcat will allow only backward slashes.

Former Member
0 Kudos

Hi Sebastian and Satish,

First, a big thanks to you both.

The issue is resolved; as you both pointed out, the space was the real issue.

Now I am able to log in to InfoView successfully.

Once again, thank you guys.

Answers (1)

TammyPowlas
Active Contributor
0 Kudos

Moved to BI Platform space