BI 4.1 SP4 - SSO Setup Issue using Load Balancer

0 Kudos

I am able to set up SSO for the Web Server URL. However, I am having trouble with the Load Balancer URL.


We are using Business Objects 4.1 SP4, and here are the infrastructure details of the environment:


1. BO CMS Server - This is a list of 4 clustered Windows 2008 R2 servers.


2. Web Server - We are using WebLogic 10.3.6 to host the BO application called BOE. WebLogic is running on two Linux servers.

WebLogic URLs:

http://isdwlqax12:17607/BOE/BI

http://isdwlqax11:17607/BOE/BI


3. Load Balancer - The URL is hosted by the iPlanet web server on 2 Linux servers, and it acts as a load balancer.

URL http://bat-cmt-reporting.domain.com/BOE/BI  -- The users will use this URL to launch BI LaunchPad

Server Names

isdwhqa001

isdwhqa002


The SSO works fine when I use the WebLogic URL, i.e. http://isdwlqax12:17607/BOE/BI. However, when I use the Load Balancer URL, SSO does not work. I have to enter the username and password manually to log in.


I have also added the SPNs below for the load balancer servers and URL to the service account. Still, SSO is not working.

http/bat-cmt-reporting.domain.com

http/bat-cmt-reporting

http/isdwhqa001

http/isdwhqa002

http/isdwhqa001.domain.com

http/isdwhqa002.domain.com


Does anyone have experience with SSO setup for a similar kind of environment? What am I missing when the load balancer is involved?


Thanks

Thanamjeyam R

Accepted Solutions (1)


0 Kudos

Thanks for your help, guys... It's never too late to say thanks

The issue is resolved after removing the web server. Now the load balancer directs the URL to WebLogic directly.

It is strange, though, that it was working for a few users when we had the web server. I don't see any reason for having the web server anymore, as we got rid of SiteMinder too.

Answers (5)


Former Member
0 Kudos

Hi Ramasamy, we have a similar setup, and SSO is working for the direct URL but not for the load balancer. We are using F5 as the load balancer, and SSL is enabled for the load balancer, so for the SPN I created https/loadbalancerDNS on the service account name; it's not working. Can you let us know which web tier you removed to make it work?

Former Member
0 Kudos

Hi Ramasamy,

I am new to Server Administration and have no idea about Load Balancers. As of now, in the current BOE architecture, a DNS round robin load balancer is configured, and we found issues with the load balancer, for example sticky sessions.

When I talked to the team, they said DNS round robin is not compatible with Business Objects. Can you please let me know some load balancer names, or what load balancer you used in your BO 4.1 project?

Could you please provide some information.

Thanks,

Bharathi.

denis_konovalov
Active Contributor
0 Kudos

Load balancers: Google

For any load balancer to work correctly with BOE, it has to be configured with session persistence.
Here is that functionality explained: Google

0 Kudos

Josh/Nagendra,

SSO is not working for users. It works only for service accounts. Not sure what's causing this issue. Any ideas please?

I have enabled tracing in the Windows Event Viewer, and I am receiving three types of Kerberos error messages.

******************ERROR-1********************************************

A Kerberos Error Message was received:

on logon session BISERVICEACCOUNT@ad2.prod

Client Time:

Server Time: 21:12:51.0000 2/13/2015 Z

Error Code: 0x19 KDC_ERR_PREAUTH_REQUIRED

Extended Error:

Client Realm:

Client Name:

Server Realm: AD2.PROD

Server Name: krbtgt/AD2.PROD

Target Name: krbtgt/AD2.PROD@AD2.PROD

Error Text:

File: e

Line: a05

Error Data is in record data.

******************ERROR-1-END********************************************

******************ERROR-2********************************************

A Kerberos Error Message was received:

on logon session

Client Time:

Server Time: 21:29:45.0000 2/13/2015 Z

Error Code: 0xe KDC_ERR_ETYPE_NOTSUPP

Extended Error:

Client Realm:

Client Name:

Server Realm: AD2.PROD

Server Name: krbtgt/AD2.PROD

Target Name: krbtgt/AD2.PROD@AD2.PROD

Error Text:

File: 9

Line: f09

Error Data is in record data.

******************ERROR-2-END********************************************

******************ERROR-3********************************************

 

A Kerberos Error Message was received:

on logon session

Client Time:

Server Time: 21:30:59.0000 2/13/2015 Z

Error Code: 0xd KDC_ERR_BADOPTION

Extended Error: 0xc00000bb KLIN(0)

Client Realm:

Client Name:

Server Realm: AD2.PROD

Server Name: servername$@AD2.PROD

Target Name: servername$@AD2.PROD@AD2.PROD

Error Text:

File: 9

Line: f09

Error Data is in record data.

******************ERROR-3-END********************************************
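The three event records above, parsed and labelled, as an added example that is not part of the thread. The records are re-typed below as constructed sample input, and the verdicts are the general RFC 4120 meanings of each error code rather than a diagnosis of this environment; the field names matched by the parser are the ones visible in the records.

```python
"""Triage of 'A Kerberos Error Message was received' records.

Added example (not from the thread). Parses the free-text records that
Windows Kerberos event tracing writes and labels each error code with its
meaning and whether it normally needs action. SAMPLE_EVENTS is constructed
from the three records quoted in the thread.
"""
import re

SAMPLE_EVENTS = """\
A Kerberos Error Message was received:
on logon session BISERVICEACCOUNT@ad2.prod
Server Time: 21:12:51.0000 2/13/2015 Z
Error Code: 0x19 KDC_ERR_PREAUTH_REQUIRED
Server Name: krbtgt/AD2.PROD
Target Name: krbtgt/AD2.PROD@AD2.PROD

A Kerberos Error Message was received:
Server Time: 21:29:45.0000 2/13/2015 Z
Error Code: 0xe KDC_ERR_ETYPE_NOTSUPP
Server Name: krbtgt/AD2.PROD
Target Name: krbtgt/AD2.PROD@AD2.PROD

A Kerberos Error Message was received:
Server Time: 21:30:59.0000 2/13/2015 Z
Error Code: 0xd KDC_ERR_BADOPTION
Extended Error: 0xc00000bb KLIN(0)
Server Name: servername$@AD2.PROD
Target Name: servername$@AD2.PROD@AD2.PROD
"""

# RFC 4120 error codes seen in the thread, with a triage verdict.
KRB_ERRORS = {
    0x19: ("KDC_ERR_PREAUTH_REQUIRED", "benign",
           "normal first step of an AS exchange; the client retries with "
           "pre-authentication data, so this alone is not a fault"),
    0x0e: ("KDC_ERR_ETYPE_NOTSUPP", "investigate",
           "KDC has no encryption type in common with the request for this "
           "principal; compare the account's supported encryption types "
           "with what the client offers"),
    0x0d: ("KDC_ERR_BADOPTION", "investigate",
           "KDC refused a requested ticket option; on Windows this commonly "
           "accompanies delegation (S4U2Proxy) requests the KDC will not grant"),
}

FIELD_RE = re.compile(
    r"^(Error Code|Extended Error|Server Name|Target Name|Server Time):\s*(.*)$")


def parse_events(text):
    """Split the trace text into one dict of fields per error record."""
    events, current = [], None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("A Kerberos Error Message was received"):
            current = {}
            events.append(current)
            continue
        m = FIELD_RE.match(line)
        if m and current is not None:
            current[m.group(1)] = m.group(2).strip()
    return events


def triage(event):
    """Attach name, verdict and explanation to one parsed record."""
    raw = event.get("Error Code", "")
    code = int(raw.split()[0], 16) if raw else None
    name, verdict, note = KRB_ERRORS.get(
        code, ("UNKNOWN", "investigate", "code not in table"))
    return {"code": code, "name": name, "verdict": verdict, "note": note,
            "target": event.get("Target Name", ""),
            "extended": event.get("Extended Error", "")}


def triage_all(text):
    return [triage(e) for e in parse_events(text)]


if __name__ == "__main__":
    for r in triage_all(SAMPLE_EVENTS):
        print(f"{r['name']:<26} {r['verdict']:<12} target={r['target']}")
        print("   ", r["note"])
```

Read this way, the first record is noise and the second and third are the ones worth chasing, which matches the direction Josh and Nagendra take in the replies below: encryption types on the account for 0xe, and delegation settings for 0xd.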

former_member197037
Participant
0 Kudos

Hi,

Could you please verify whether the service account has been allowed delegation (in the Windows AD server)?

i.e. Select the option which says: trust this user for delegation to any service (kerberos only)

PS: this is different from setting up constrained delegation.

Also, see if KINIT for a user account returns a ticket.

Regards,

Nagendra

former_member189884
Contributor
0 Kudos

KDC_ERR_ETYPE_NOTSUPP sounds like an issue with encryption; check the service account and let us know exactly which options are selected.

-Josh

0 Kudos

I have this enabled for the service account:

"Trust this user for delegation to any service (kerberos only)"

Also, KINIT is returning the ticket.

former_member197037
Participant
0 Kudos

Could you please attach a screenshot of the kinit command (when run for a user account)?

Also, just to confirm: SSO for all users is working through the direct URL.

But when using the load balancer SSO works only for the service account.

Is this where the issue stands currently?

Be sure that you are logged in to the system as the user account and not the service account when trying the SSO.

-Nagendra

Message was edited by: Nagendra Agarwal

0 Kudos

Are you looking for anything in particular?

Under the Delegation tab, 'Trust this user for delegation to any service (Kerberos)' is enabled.

Under the Account tab, Password never expires is enabled. Also Account expires Never is enabled.

Encryption is not enabled.

Do not require Kerberos preauthentication is not enabled.

former_member189884
Contributor
0 Kudos

Encryption not being enabled would have been the one. Since it is only working for service accounts, I would not know what to say.

As Nagendra asked, it is still only the LB SSO that is failing, correct? You really would need a Wireshark trace of the SSO attempt from the client machine to see what is occurring.

-Josh

former_member189884
Contributor
0 Kudos

You need to put Wireshark on your client and trace the Kerberos traffic via the LB to determine the correct HTTP SPN; it may be different from what you are entering in the URL bar. Trace and filter for Kerberos, looking for the requests made to the AD server.

-Josh

0 Kudos

Hi Josh,

Thanks for your reply.

Wireshark is not allowed in my client location. I cannot use Microsoft Network Monitor either. I have reached out to the Network team for the traces.

I will update this thread as soon as I receive the logs.

Thanks

Thanamjeyam R

former_member189884
Contributor
0 Kudos

Good luck. You may be able to enable Kerberos logging via the registry to see if it gets captured in the Event Viewer: http://support.microsoft.com/kb/262177

former_member197037
Participant
0 Kudos

Hi,

The settings as specified by you look perfect, and SSO should work for you through the load balancer.

However, since it's not, please recheck the following:

1) Any duplicate SPN entry for the load balancer

2) The URL that you have mentioned in the load balancer for redirect (i.e. try specifying FQDN URL)

Consider using kerbtray to identify which Kerberos tickets are being generated on the client machine.

Keep the thread posted.

Regards,

Nagendra
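The two checks that run through this thread, the SPN list in the original post and the duplicate-SPN and FQDN points in the reply above, can be scripted. The following is an added example, not code from the thread or from SAP: it follows the URL host through a CNAME chain to find the SPN a Windows Kerberos client will actually request, checks that SPN against an inventory of registered SPNs, and flags SPNs registered on more than one account. The CNAME table, the SPN inventory and the account names are constructed sample data modelled on the names in the thread.

```python
"""SPN coverage check for a Kerberos SSO front end reached through a DNS alias.

Added example (not code from the thread or from SAP). Models two checks
raised in the thread: the SPN a browser really asks for when the URL host
is a CNAME, and SPNs registered on more than one account. DNS entries,
account names and SPNs below are constructed sample data.
"""
from urllib.parse import urlparse

# Constructed DNS data: alias -> CNAME target.
CNAMES = {
    "bat-cmt-reporting.domain.com": "bat-cmt-reporting.hfdgslb.domain.com",
}

# Constructed AD data: SPN -> accounts it is registered on
# (in AD this comes from the servicePrincipalName attribute).
REGISTERED_SPNS = {
    "HTTP/bat-cmt-reporting.domain.com": {"BISERVICEACCOUNT"},
    "HTTP/isdwhqa001.domain.com": {"BISERVICEACCOUNT"},
    "HTTP/isdwhqa002.domain.com": {"BISERVICEACCOUNT", "ISDWHQA002$"},  # duplicate
}


def canonical_host(host, cnames, max_hops=8):
    """Follow CNAME records until a name that is not an alias."""
    seen = set()
    while host in cnames:
        if host in seen or len(seen) >= max_hops:
            raise ValueError(f"CNAME loop or chain too long at {host}")
        seen.add(host)
        host = cnames[host]
    return host


def expected_spn(url, cnames):
    """SPN a Windows Kerberos client builds for url.

    Internet Explorer by default resolves a CNAME to its canonical name
    before composing HTTP/<host>, which is why the alias in the thread
    needed an SPN on the hfdgslb name rather than on the alias itself."""
    host = urlparse(url).hostname.lower()
    return f"HTTP/{canonical_host(host, cnames)}"


def check_spn(url, cnames, registered, service_account):
    """Return (spn, status, owners); status is one of
    ok / missing / duplicate / wrong-account."""
    spn = expected_spn(url, cnames)
    # servicePrincipalName matching is case-insensitive, so normalise.
    owners = {a.upper()
              for s, accts in registered.items() if s.lower() == spn.lower()
              for a in accts}
    if not owners:
        status = "missing"
    elif len(owners) > 1:
        status = "duplicate"
    elif service_account.upper() not in owners:
        status = "wrong-account"
    else:
        status = "ok"
    return spn, status, sorted(owners)


def duplicate_spns(registered):
    """SPNs registered on more than one account; the KDC cannot choose
    which key to encrypt the service ticket with, so SSO fails."""
    return sorted(s for s, accts in registered.items() if len(accts) > 1)


if __name__ == "__main__":
    for url in ("http://bat-cmt-reporting.domain.com/BOE/BI",
                "http://isdwhqa001.domain.com/BOE/BI",
                "http://isdwhqa002.domain.com/BOE/BI"):
        print(url, "->", check_spn(url, CNAMES, REGISTERED_SPNS, "BISERVICEACCOUNT"))
    print("duplicates:", duplicate_spns(REGISTERED_SPNS))
```

With the constructed data the alias URL comes back as "missing", because the only registered SPN is on the alias name and the client asks for the canonical name; that is the situation the original poster later discovered. On a real domain the inventory would be filled from an LDAP query for servicePrincipalName rather than typed in.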

0 Kudos

Hi Nagendra,

Thanks for your reply.

1. I checked and there is no duplicate SPN.

2. I realized that http://bat-cmt-reporting.domain.com/BOE/BI is an alias and the actual URL is http://bat-cmt-reporting.hfdgslb.domain.com/BOE/BI. So I created a new SPN for HTTP/bat-cmt-reporting.hfdgslb.domain.com and deleted the old SPN http/bat-cmt-reporting.domain.com.

Still, the SSO is not working. Also, once I created the new SPN, the URL stopped working completely. I had to add the URL to the trusted sites to be able to launch it. Do you know why this trust is suddenly required?

Thanks

Thanamjeyam R

former_member189884
Contributor
0 Kudos

It depends on what is considered a local intranet site per your IE settings; if it's not a local intranet site, then it'll need to be added to trusted sites.

0 Kudos

Good news... the SSO is working now.

When I added the URL to the trusted sites, it did not work.

But when I added the URL to the Local Intranet, SSO is working.

Now the problem is that the Local Intranet settings are controlled by Windows GPO settings. None of the end users have the privilege to add this URL to the Local Intranet zone. I think I will have to work towards modifying the GPO now.

I did some more testing. I disabled "Show friendly HTTP error messages" in Internet Options --> Advanced --> Browsing, and also removed the URL from the Local Intranet zone. Now I am getting the error message "Bad request. Your browser sent a query this server could not understand". When I checked the website's zone detection at the bottom right in IE, it shows Local Intranet. It seems the current GPO setting is identifying the URL as Local Intranet, but something else is wrong. Unless I explicitly add the URL to Local Intranet, this bad request error is displayed.

Any suggestions?

former_member197037
Participant
0 Kudos

Hi,

Glad to know that the SSO is working for you.

In my experience, URLs containing the domain name (FQDN) or using an IP address tend to be treated as Internet requests.

Thus, such URLs need to be explicitly added under the browser's Local Intranet sites to get SSO working.

The network admin should be able to run a script/update which will add the URL under local intranet for all the users.

Regards,

Nagendra
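The zone behaviour the thread kept running into, a dotless host name is Local Intranet, an FQDN or IP literal is Internet unless an assignment moves it, and Trusted Sites alone does not give SSO, can be checked before users see a prompt. The following is an added example, not code from the thread, SAP or Microsoft: it classifies URLs the way the thread describes and lists the hosts an administrator would have to assign to Local Intranet. The `site_to_zone` dictionary is a constructed stand-in for the Site to Zone Assignment List policy, and the `*.domain.com` wildcard form is an assumption of this example.

```python
"""IE security zone placement for a URL and its effect on Kerberos SSO.

Added example (not from the thread). Encodes the zone behaviour the thread
ran into: a dotless host name falls into Local Intranet; an FQDN or an IP
address falls into Internet unless an explicit assignment moves it; with
IE's default logon settings only the Local Intranet zone sends Integrated
Windows Authentication credentials automatically (adding the URL to
Trusted Sites did not give SSO in the thread). Host names and assignment
lists below are constructed.
"""
import ipaddress
from urllib.parse import urlparse

LOCAL_INTRANET, TRUSTED_SITES, INTERNET = 1, 2, 3   # IE zone numbers


def classify(url, site_to_zone=None):
    """Zone for url. site_to_zone is a constructed {pattern: zone} dict
    standing in for the Site to Zone Assignment List policy; a pattern of
    the form '*.domain.com' (assumed here) matches every host under it."""
    site_to_zone = site_to_zone or {}
    host = urlparse(url).hostname.lower()
    for pattern, zone in site_to_zone.items():          # explicit entries win
        p = pattern.lower()
        if host == p or (p.startswith("*.") and host.endswith(p[1:])):
            return zone
    try:
        ipaddress.ip_address(host)
        return INTERNET            # IP literal: never Local Intranet by default
    except ValueError:
        pass
    return LOCAL_INTRANET if "." not in host else INTERNET


def will_prompt(url, site_to_zone=None):
    """True if IE's default logon policy for the zone prompts for credentials
    instead of attempting Kerberos/Negotiate with the logged-on user."""
    return classify(url, site_to_zone) != LOCAL_INTRANET


def assignments_needed(urls, site_to_zone=None):
    """Hosts the administrator has to map to Local Intranet for SSO,
    as {host: zone_number} ready for a Site to Zone Assignment entry."""
    return {urlparse(u).hostname.lower(): LOCAL_INTRANET
            for u in urls if will_prompt(u, site_to_zone)}


if __name__ == "__main__":
    urls = ["http://isdwlqax12:17607/BOE/BI",
            "http://bat-cmt-reporting.hfdgslb.domain.com/BOE/BI"]
    for u in urls:
        print(u, "-> zone", classify(u), "prompts:", will_prompt(u))
    print("assign to Local Intranet:", assignments_needed(urls))
```

The constructed policy `{"bat-cmt-reporting.hfdgslb.domain.com": TRUSTED_SITES}` reproduces the original poster's first attempt: the URL is no longer Internet, but it still prompts, because Trusted Sites is not Local Intranet; a `*.domain.com` entry mapped to Local Intranet is the kind of assignment the last reply suggests pushing out to all users.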