on 02-05-2015 5:59 AM
I am able to set up SSO for the Web Server URL. However, I am having trouble with the Load Balancer URL.
We are using Business Objects 4.1 SP4 and here are the infrastructure details of the environment:
1. BO CMS Server - This is a cluster of 4 Windows 2008 R2 servers.
2. Web Server - We are using WebLogic 10.3.6 to host the BO application called BOE. WebLogic is running on two Linux servers. WebLogic URLs: http://isdwlqax12:17607/BOE/BI and http://isdwlqax11:17607/BOE/BI
3. Load Balancer - The URL is hosted by the iPlanet web server on 2 Linux servers, which acts as a load balancer.
URL http://bat-cmt-reporting.domain.com/BOE/BI -- The users will use this URL to launch BI LaunchPad
Server Names
isdwhqa001
isdwhqa002
The SSO is working fine when I use the WebLogic URL, i.e. http://isdwlqax12:17607/BOE/BI. However, when I use the Load Balancer URL, the SSO is not working. I have to manually enter username and password to log in.
I have also added the SPNs below for the load balancer servers and URL to the service account. Still the SSO is not working.
http/bat-cmt-reporting.domain.com
http/bat-cmt-reporting
http/isdwhqa001
http/isdwhqa002
http/isdwhqa001.domain.com
http/isdwhqa002.domain.com
Does anyone have experience with SSO setup for a similar kind of environment? What am I missing when the load balancer is involved?
Thanks
Thanamjeyam R
Thanks for your help, guys... It's never too late to say thanks
The issue is resolved after removing the web server. Now load balancer directs the URL to WebLogic directly.
It is strange, though, that it was working for a few users when we had the web server. I don't see any reason for having the web server anymore as we got rid of SiteMinder too.
Hi Ramasamy, we have a similar setup and SSO is working for the direct URL but not for the load balancer. We are using F5 as the load balancer and SSL is enabled for the load balancer. So for the SPN I created it as https/loadbalancerDNS serviceaccountname; it's not working. Can you let us know what web tier you have removed to make it work?
Hi Ramasamy,
I am new to server administration and have no idea about load balancers. As of now in the current BOE architecture, a DNS round robin load balancer is configured, and we found issues with the load balancer, for example sticky sessions.
When I talked to the team, they said DNS round robin is not compatible with Business Objects. Can you please let me know some load balancer names, or what load balancer you used in the BO 4.1 project?
Could you please provide some information.
Thanks,
Bharathi.
Josh/Nagendra,
SSO is not working for users; it works only for service accounts. Not sure what's causing this issue. Any ideas, please?
I have enabled tracing in Windows Event Viewer and I am receiving three types of Kerberos error messages.
******************ERROR-1********************************************
A Kerberos Error Message was received:
on logon session BISERVICEACCOUNT@ad2.prod
Client Time:
Server Time: 21:12:51.0000 2/13/2015 Z
Error Code: 0x19 KDC_ERR_PREAUTH_REQUIRED
Extended Error:
Client Realm:
Client Name:
Server Realm: AD2.PROD
Server Name: krbtgt/AD2.PROD
Target Name: krbtgt/AD2.PROD@AD2.PROD
Error Text:
File: e
Line: a05
Error Data is in record data.
******************ERROR-1-END********************************************
******************ERROR-2********************************************
A Kerberos Error Message was received:
on logon session
Client Time:
Server Time: 21:29:45.0000 2/13/2015 Z
Error Code: 0xe KDC_ERR_ETYPE_NOTSUPP
Extended Error:
Client Realm:
Client Name:
Server Realm: AD2.PROD
Server Name: krbtgt/AD2.PROD
Target Name: krbtgt/AD2.PROD@AD2.PROD
Error Text:
File: 9
Line: f09
Error Data is in record data.
******************ERROR-2-END********************************************
******************ERROR-3********************************************
A Kerberos Error Message was received:
on logon session
Client Time:
Server Time: 21:30:59.0000 2/13/2015 Z
Error Code: 0xd KDC_ERR_BADOPTION
Extended Error: 0xc00000bb KLIN(0)
Client Realm:
Client Name:
Server Realm: AD2.PROD
Server Name: servername$@AD2.PROD
Target Name: servername$@AD2.PROD@AD2.PROD
Error Text:
File: 9
Line: f09
Error Data is in record data.
******************ERROR-3-END********************************************
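An added example, not part of any post in the thread: a small Python parser for the event-viewer KRB-ERROR blocks above, so a trace with many entries can be reduced to the non-routine ones. It assumes the layout shown in the post; the sample trace is constructed from two of the blocks, and the error-code names are the standard RFC 4120 ones.

```python
import re
# KRB-ERROR codes (RFC 4120) seen in the trace above; the names are standard.
KRB_ERROR_NAMES = {
    0x19: "KDC_ERR_PREAUTH_REQUIRED",
    0x0e: "KDC_ERR_ETYPE_NOTSUPP",
    0x0d: "KDC_ERR_BADOPTION",
}

# Constructed sample: two of the thread's blocks, trimmed, in the same layout.
SAMPLE_TRACE = """\
A Kerberos Error Message was received:
on logon session BISERVICEACCOUNT@ad2.prod
Server Time: 21:12:51.0000 2/13/2015 Z
Error Code: 0x19 KDC_ERR_PREAUTH_REQUIRED
Extended Error:
Server Name: krbtgt/AD2.PROD
Target Name: krbtgt/AD2.PROD@AD2.PROD
A Kerberos Error Message was received:
on logon session
Server Time: 21:30:59.0000 2/13/2015 Z
Error Code: 0xd KDC_ERR_BADOPTION
Extended Error: 0xc00000bb KLIN(0)
Server Name: servername$@AD2.PROD
Target Name: servername$@AD2.PROD@AD2.PROD
"""

FIELD_RE = re.compile(r"^(on logon session|Server Time|Error Code|Extended Error|"
                      r"Server Realm|Server Name|Target Name):?\s*(.*)$")

def parse_kerberos_errors(text):
    """One dict per KRB-ERROR block, with the hex error code decoded."""
    records = []
    for block in text.split("A Kerberos Error Message was received:")[1:]:
        rec = {}
        for line in block.splitlines():
            m = FIELD_RE.match(line.strip())
            if m:
                rec[m.group(1)] = m.group(2).strip()
        code_text = rec.get("Error Code", "")
        rec["code"] = int(code_text.split()[0], 16) if code_text else None
        rec["name"] = KRB_ERROR_NAMES.get(rec["code"], "UNKNOWN")
        # 0x19 is the KDC asking for pre-authentication: a normal step of the AS
        # exchange, so it is noise when hunting for the real SSO failure.
        rec["benign"] = rec["code"] == 0x19
        records.append(rec)
    return records

def failing_services(records):
    # (error name, Server Name) for each block that is not routine noise
    return [(r["name"], r.get("Server Name", "")) for r in records if not r["benign"]]
```

Run over a full export of the Kerberos event log, the non-benign list points at the service name the client actually asked the KDC for, which is what the Wireshark advice later in the thread is after.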
Hi,
Could you please verify if the service account has been allowed delegation (in the Windows AD server)?
i.e. select the option that says: Trust this user for delegation to any service (Kerberos only)
PS: this is different from setting up constrained delegation.
Also, see if KINIT for a user account returns a ticket.
Regards,
Nagendra
Could you please attach a screenshot of the kinit command (when run for a user account)?
Also, just to confirm: the SSO for all users is working through the direct URL, but when using the load balancer SSO works only for the service account. Is this where the issue stands currently?
Be sure that you are logged in the system as the user account and not the service account when trying the SSO.
-Nagendra
Message was edited by: Nagendra Agarwal
Are you looking for anything in particular?
Under the Delegation tab, 'Trust this user for delegation to any service (Kerberos)' is enabled.
Under the Account tab, Password never expires is enabled. Also Account expires Never is enabled.
Encryption is not enabled.
Do not require Kerberos preauthentication is not enabled.
Encryption is not enabled, would have been the one. Since it is only working for service accounts I would not know what to say.
As Nagendra asked, it is still only the LB SSO that is failing, correct? You really would need a Wireshark trace of the SSO attempt from the client machine to see what is occurring.
-Josh
You need to put Wireshark on your client and trace the Kerberos traffic via the LB to determine the correct HTTP SPN; it may be different from what you are entering in the URL bar. Trace and filter for Kerberos, looking for the requests made to the AD server.
-Josh
Good luck. You may be able to enable Kerberos logging via the registry to see if it gets captured in Event Viewer: http://support.microsoft.com/kb/262177
Hi,
The settings as specified by you look perfect and SSO should work for you through the load balancer.
However, since it's not, please recheck the following:
1) Any duplicate SPN entry for the load balancer
2) The URL that you have mentioned in the load balancer for redirect (i.e. try specifying FQDN URL)
Consider using Kerbtray to identify what Kerberos tickets are being generated on the client machine.
Keep the thread posted.
Regards,
Nagendra
Hi Nagendra,
Thanks for your reply.
1. I checked and there is no duplicate SPN.
2. I realized that http://bat-cmt-reporting.domain.com/BOE/BI is an alias and the actual URL is http://bat-cmt-reporting.hfdgslb.domain.com/BOE/BI. So I created a new SPN for HTTP/bat-cmt-reporting.hfdgslb.domain.com and deleted the old SPN http/bat-cmt-reporting.domain.com.
Still the SSO is not working. Also, once I created the new SPN, the URL stopped working completely. I had to add the URL to the trusted sites to be able to launch it. Do you know why this trust is suddenly required?
Thanks
Thanamjeyam R
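An added example, not the poster's or Nagendra's own code: a Python check for the two items Nagendra listed (duplicate SPNs, and an SPN for the canonical rather than the alias name), run against the poster's SPN list. The CNAME map and the second account are constructed, and it assumes the client builds the SPN from the CNAME-resolved host, which is what the poster found.

```python
from urllib.parse import urlsplit

# Constructed stand-in for DNS: the thread's finding was that the load-balancer
# name is an alias (CNAME) for a different canonical host.
CNAME_MAP = {"bat-cmt-reporting.domain.com": "bat-cmt-reporting.hfdgslb.domain.com"}

# Constructed view of servicePrincipalName values per account: the poster's list
# on one account plus a hypothetical second account holding a duplicate.
SPNS_BY_ACCOUNT = {
    "bi_service": ["http/bat-cmt-reporting.domain.com", "http/bat-cmt-reporting",
                   "http/isdwhqa001", "http/isdwhqa002",
                   "http/isdwhqa001.domain.com", "http/isdwhqa002.domain.com"],
    "other_svc": ["HTTP/isdwhqa001.domain.com"],
}

def canonical_host(host, cname_map, max_hops=8):
    """Follow CNAME aliases (bounded, so a loop in the map cannot hang the check)."""
    for _ in range(max_hops):
        if host not in cname_map:
            break
        host = cname_map[host]
    return host

def expected_spn(url, cname_map):
    """SPN a client asks the KDC for when it builds it from the canonical host."""
    host = urlsplit(url).hostname.lower()
    return "HTTP/" + canonical_host(host, cname_map)

def find_duplicate_spns(spns_by_account):
    """SPNs registered on more than one account (AD matches them case-insensitively)."""
    owners = {}
    for account, spns in spns_by_account.items():
        for spn in spns:
            owners.setdefault(spn.lower(), set()).add(account)
    return {spn: sorted(accts) for spn, accts in owners.items() if len(accts) > 1}

def check_sso_prereqs(url, cname_map, spns_by_account):
    """Both of Nagendra's checks in one place: right SPN present, no duplicates."""
    spn = expected_spn(url, cname_map)
    registered = {s.lower() for spns in spns_by_account.values() for s in spns}
    return {"expected_spn": spn,
            "registered": spn.lower() in registered,
            "duplicates": find_duplicate_spns(spns_by_account)}
```

With the poster's original list the check reports the canonical SPN as missing, which is the gap the new HTTP/bat-cmt-reporting.hfdgslb.domain.com entry closed.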
Good news... the SSO is working now.
When I added the URL to the trusted sites, it did not work.
But when I added the URL to the Local Intranet, SSO is working.
Now the problem is that the Local Intranet settings are controlled by Windows GPO settings. None of the end users have the privilege to add this URL to the Local Intranet zone. I think I will have to work towards modifying the GPO now.
I did some more testing. I disabled "Show friendly HTTP error messages" in Internet Options --> Advanced --> Browsing, and also removed the URL from the Local Intranet zone. Now I am getting the error message "Bad request. Your browser sent a query this server could not understand". When I check the website's zone detection at the bottom right in IE, it shows Local Intranet. It seems the current GPO setting is identifying the URL as Local Intranet, but something else is wrong. Unless I explicitly add the URL as Local Intranet, this bad request error is displayed.
Any suggestions?
Hi,
Glad to know that the SSO is working for you.
In my experience, URLs containing the domain name (FQDN) or using the IP address tend to be taken as an internet request.
Thus, such URLs need to be explicitly added under the local intranet sites of the browser to get SSO working.
The network admin should be able to run a script/update that adds the URL under local intranet for all users.
Regards,
Nagendra