Former Member

SSO is not working on Business Objects 4.1 SP6 with AD/Tomcat

Hi Guys,

I set up SSO on Business Objects 4.1 SP6 with AD/Tomcat and followed all the suggested steps, but I keep running into the following issue when I launch the BI Launchpad. We are not using SSL in this case.

HTTP Status 500 - com.wedgetail.idm.sso.ProtocolException: com.wedgetail.idm.spnego.server.SpnegoException: GSSException: Failure unspecified at GSS-API level (Mechanism level: com.dstc.security.kerberos.KerberosException: Could not decrypt service ticket with Key type 18, KVNO 5, Principal "HTTP/bisdox.xxx.com@AD.xxx.com" using key: Principal: [1] _svc-bobj@AD.xxx.com TimeStamp: Fri Sep 25 09:36:12 CDT 2015 KVNO: -1 EncType: 18 Key: 32 bytes, fingerprint = [47 38 25 a b9 4f bd 5b 5d 4a 1c 35 b2 4c 42 aa] Exception for this key was: com.dstc.security.kerberos.CryptoException: Integrity check failure[Note: principal names are different; this may or may not be a problem] [Note: KVNO used wildcard match, not exact match; perhaps the password used to generate this key is not the most recent password?] )

Please let me know if anyone has any suggestions on troubleshooting this issue.

Thanks,

Puru.
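
Added example, not part of the original post: a small Python triage script that pulls the ticket and key fields out of the exception text above and lists the mismatches the message itself reports. The function names and the trimmed SAMPLE string are constructed for illustration.

```python
import re

# Constructed sample: the exception text from the post above, trimmed to the parsed fields.
SAMPLE = (
    'Could not decrypt service ticket with Key type 18, KVNO 5, '
    'Principal "HTTP/bisdox.xxx.com@AD.xxx.com" using key: '
    'Principal: [1] _svc-bobj@AD.xxx.com TimeStamp: Fri Sep 25 09:36:12 CDT 2015 '
    'KVNO: -1 EncType: 18 Key: 32 bytes Exception for this key was: '
    'com.dstc.security.kerberos.CryptoException: Integrity check failure'
)

# What the service ticket was encrypted with, and which key the server tried.
TICKET_RE = re.compile(r'Key type (\d+), KVNO (-?\d+), Principal "([^"]+)"')
KEY_RE = re.compile(r'Principal: \[\d+\] (\S+) .*?KVNO: (-?\d+) EncType: (\d+)', re.S)

def parse_decrypt_failure(msg):
    """Return (ticket, key) dicts, or None if msg is not this error."""
    t, k = TICKET_RE.search(msg), KEY_RE.search(msg)
    if not (t and k):
        return None
    ticket = {"etype": int(t.group(1)), "kvno": int(t.group(2)), "principal": t.group(3)}
    key = {"principal": k.group(1), "kvno": int(k.group(2)), "etype": int(k.group(3))}
    return ticket, key

def triage(msg):
    """List what to check, using only the fields the message reports."""
    parsed = parse_decrypt_failure(msg)
    if parsed is None:
        return ["not a service-ticket decrypt failure"]
    ticket, key = parsed
    findings = []
    if ticket["etype"] != key["etype"]:
        findings.append("enctype: ticket uses %d, key is %d" % (ticket["etype"], key["etype"]))
    if key["kvno"] == -1:
        # The message's own note: wildcard KVNO match, key may be from an old password.
        findings.append("kvno: key has no version (-1), ticket is KVNO %d" % ticket["kvno"])
    elif key["kvno"] != ticket["kvno"]:
        findings.append("kvno: ticket %d, key %d" % (ticket["kvno"], key["kvno"]))
    if ticket["principal"].lower() != key["principal"].lower():
        findings.append("principal: ticket %s, key %s" % (ticket["principal"], key["principal"]))
    if "Integrity check failure" in msg:
        findings.append("integrity: decryption with this key failed its integrity check")
    return findings

if __name__ == "__main__":
    for line in triage(SAMPLE):
        print(line)
```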

3 Answers

  • Best Answer
    Former Member
    Sep 28, 2015 at 08:19 PM

    Hi Puru,

    There might be the following reasons:

    Single Sign On fails due to a duplicate Service Principal Name (SPN)

    1. Delete the duplicate Service Principal Name (SPN) for the service account.
    2. Restart Tomcat.

    Java parameters for Kerberos are not included in Tomcat java options.

    1. Open Tomcat configuration.
    2. Open JAVA tab.
    3. In JAVA OPTIONS, add the following switches:

    -Djava.security.auth.login.config=c:\windows\bscLogin.conf

    -Djava.security.krb5.conf=c:\windows\krb5.ini

    If these files are in any other directory, change the path accordingly.

    Regards,

    Rajshree


    • Former Member

      Hi Rajshree,

      Thanks for the response.

      I already followed the steps that you mentioned and there is no duplicate SPN. It is still an issue.

      Please let me know if there are any other options.

      Thanks,

      Puru.

  • Former Member
    Sep 29, 2015 at 08:33 AM

    Hi Puru,

    Please confirm whether you have referred to the post below.

    Active Directory SSO for SAP BusinessObjects BI4

    The steps mentioned here usually work well. As per the error message, there may be some issue with the SPN created on the DC.

    Regards,

    Hrishikesh


  • Sep 29, 2015 at 09:39 AM

    It seems you are using a keytab; try to make it work with the forced password option first, then switch to the keytab.

    Also use this guide for keytab and other configuration:

    Configuring Vintela SSO in Distributed Environments: Complete Guide

    If possible, try to remove SSL and make it work; once it's working, create one more SPN for SSL:

    HTTPS\servername.domain.com


    • Former Member raunak kumar

      Thanks for your help guys.

      It's working for us now. We fixed it by deleting a space ( ) within the service account password. Hope this helps someone.

      Appreciate your time.

      Puru.