Skip to Content

WinAD SSO is not working after configuring keytab file

Hello All,

We have successfully implemented WIn AD SSO on SAP BO 41 SP5 but after configuring keytab file; WinAD SSO is not working successfully.

We have followed following procedure:

1. Generated keytab file and placed it in c:\windows of BO Server

2. Stopped tomcat

3. Added following line in


4. Removed wedgetail line from java options in tomcat configuration.

5. Restarted tomcat

After this only we are not able to find 'credentials obtained' in stderr file in tomcat logs.

We have special characters like %,@,^ etc. in our service account's password.

When we tested with kinit command it says pre authentication failed and gives the attached error message.

We could also see that, some blogs says remove the special characters from service account password but same has not any valid SAP note, so our infra team is reluctant to do so.



kinit error.PNG (18.8 kB)
Add a comment
10|10000 characters needed characters exceeded

Related questions

2 Answers

  • Posted on Oct 27, 2015 at 08:39 AM

    I assume if you revert the changes and put password in Java Option. SSO works fine!

    in that case there is some issue with the Ktpass command u running.

    Share the command

    Complex passwod can also be one of the issue, not sure, if possible try keeping littile simple passwod and then generate a Keytab.

    Add a comment
    10|10000 characters needed characters exceeded

  • author's profile photo Former Member
    Former Member
    Posted on Oct 27, 2015 at 09:27 AM

    Hi Kushal,

    If you have used the below command -

    ktpass -out bosso.keytab -princ service-account-name@REALM.COM –pass service-account-password -kvno 255 -ptype KRB5_NT_PRINCIPAL -crypto RC4-HMAC-NT

    then you should be using the kinit command as -

    kinit -k -t new2.keytab serviceaccount

    Make sure the command to generate keytab is not copy pasted and type it manually.

    Hope you are not using mapuser parameter.

    You can generate the keytab file on your BO server which is in domain.

    To add to Raunak's suggestion, make sure that the idm.princ in matches with -princ

    in ktpass command (without the "@REALM.COM" in -princ).



    Add a comment
    10|10000 characters needed characters exceeded

Before answering

You should only submit an answer when you are proposing a solution to the poster's problem. If you want the poster to clarify the question or provide more information, please leave a comment instead, requesting additional details. When answering, please include specifics, such as step-by-step instructions, context for the solution, and links to useful resources. Also, please make sure that you answer complies with our Rules of Engagement.
You must be Logged in to submit an answer.

Up to 10 attachments (including images) can be used with a maximum of 1.0 MB each and 10.5 MB total.