Windows AD authentication and SSO

former_member340306
Participant
0 Kudos

Hi ,

I referenced a great post, listed below, for Windows AD and SSO with BusinessObjects 4.0.

I have completed this up to step 8, where I can see the authentication tab visible on BI Launch Pad, but I am unable to log in as an AD user.

Although the ticket at the end of step 7 has been successfully created, what I am not sure about is whether I need to run the cmd prompt as the AD service account user or as the admin user that I logged into the BusinessObjects VM server as.

Please let me know if that is irrelevant and if there is anything else that needs to be tested. I have followed all the other steps and have the service account AD user as part of the Admin group on the server, and also "act as part of operating system" in the local security policy.

Thanks.

Accepted Solutions (1)

former_member205064
Active Contributor
0 Kudos

No need to run the cmd prompt as the AD service account or as the admin user.

That is just a test of whether the Java path and the krb and bscLogin files are correct or not.

First step: manual AD should work.

What error are you getting when you log in to BI Launch Pad?

former_member340306
Participant
0 Kudos

The error was: "Account information not recognized. The active directory Authentication plugin couldnt authenticate at this time. please try again later"

What I just noticed was that when I ran "setspn -l biservice" to confirm the SPNs have been created, I didn't get anything back. I have reached out to the AD team to create the SPNs listed below for me.

  • setspn -a BICMS/biservice.domain.internal biservice
  • setspn -a HTTP/bi4server biservice
  • setspn -a HTTP/bi4server.domain.internal biservice

I am thinking that will resolve my issue once they are created, but I will find out soon!

former_member205064
Active Contributor
0 Kudos

You are correct, these SPNs are a must for SSO only.

setspn -l should list them, but sometimes it does not list them on our side; as long as they are present on the AD side, things should be fine.

Check with the AD team; they can send you a screenshot from their end.

Is your manual AD working?

Follow the PDF attached to SAP note 1631734.

former_member340306
Participant
0 Kudos

No, actually my manual AD is not working. I can't log in using my AD account; it throws the error that I listed above.

I was able to actually see the SPNs for the current service account used in production but couldn't see them for the new one, that's why I thought they might not be created. But the AD team will test it out and let me know in the morning.

I actually followed the same SAP note to configure my AD. SPNs for the service account are the only things that I felt were missing; I did everything else according to the post, configured the bcf and krb5 file, the token was successful, and changed the Java tab in Tomcat also, but still the manual AD is not working.

Is there anything else I can try to test besides the confirmation on the SPNs?

former_member205064
Active Contributor
0 Kudos

Is this the complete error message?

"Account information not recognized. The active directory Authentication plugin couldnt authenticate at this time. please try again later"

No FWM00006 or FWM00005 at the end?

Update the CMC Authentication tab with the service account and the Default Domain Name and try to log in.

Only the Default Domain should be in upper case.

Java options:

-Djava.security.auth.login.config=c:\windows\bscLogin.conf

-Djava.security.krb5.conf=c:\windows\krb5.ini

bscLogin.conf and krb5.ini should be present at the exact location with the exact extension, with no .txt attached at the end.

Are you able to log in to the client tool with an AD user?

former_member340306
Participant
0 Kudos

The error has FWM00005 at the end.

====================================================

Update the CMC Authentication tab with the service account and the Default Domain Name and try to log in.

Only the Default Domain should be in upper case.

- This comment is interesting, because my entries are as follows:

AD Administration name: DOMAIN\Service account (but the domain is all caps and the service account has mixed capital and small letters along with "-", so e.g. sv-Xyz-AAA).

Is that an issue?

============================================================

Java options:

-Djava.security.auth.login.config=c:\windows\bscLogin.conf

-Djava.security.krb5.conf=c:\windows\krb5.ini

bscLogin.conf and krb5.ini should be present at the exact location with the exact extension, with no .txt attached at the end.

- The files are at the right location under Windows, are also referenced correctly in the Tomcat configuration Java tab, and have no additional .txt in the extension; I specifically checked for that based on the note.

===========================================================

Are you able to log in to the client tool with an AD user?

- No. One question I might have is: I don't have client tools on the new server. The old server, which is on 4.1 SP5, has client tools, and I logged onto that server and connected the Rich Client to the new server using Windows AD, but it didn't work. The Enterprise Admin account, however, is working fine.

One confusion I had was that the old server is referencing a different service account, and the bcf and krb5 files on that server are potentially different from those on this new server. So do you think that might have caused the client logon using the Rich Client to this new server to fail?

Should I have client tools on this server to test?

Please provide your feedback.

former_member205064
Active Contributor
0 Kudos

No need to install the client tool on the server to test.

You can test the login in CCM with AD for test purposes.

But first:

Go to CMC -> Authentication -> AD Service Principal section.

Enter the SPN as

serviceAccount@DOMAIN.COM

Click Update at the bottom and try to log in.

Try to log in to CCM with the AD account.

Also, in the krb file the KDC value should be the value of your AD server; this you need to get from your AD admin.

former_member340306
Participant
0 Kudos

Go to CMC -> Authentication -> AD Service Principal section.

Enter the SPN as

serviceAccount@DOMAIN.COM

Click Update at the bottom and try to log in.

Try to log in to CCM with the AD account.

- The current SPN was: BICMS/ServiceAccount.DOMAIN,INTERNAL.COM

Based on your comment I changed it to ServiceAccount@DOMAIN.COM

It threw an error when I tried to update; the error was:

"The active directory plugin failed to verify the provided SPN. Please ensure the SPN identifies the a valid account"

==============================================================

Also, in the krb file the KDC value should be the value of your AD server; this you need to get from your AD admin.

- I entered the AD server name for the KDC, but I also sent an email to confirm the name. Can we have two KDC entries in the krb file, e.g.

DOMAIN.INTERNAL ={
kdc = ADSERVER1.DOMAIN.INTERNAL
kdc = ADSERVER2.DOMAIN.INTERNAL
default_domain = DOMAIN.INTERNAL
}

And what does KDC stand for?

Thanks for your help.

former_member205064
Active Contributor
0 Kudos

In the SPN enter

BICMS/ServiceAccount.DOMAIN,INTERNAL.COM

Make sure there is no extra space after .COM or before BICMS.

Yes, you can enter multiple KDC values in krb5.

KDC = Key Distribution Center (host name of your domain controller).

What is the result of logging in to CCM with the AD account?
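The exchange above covers what a krb5.ini realm block needs: one or more kdc lines pointing at domain controllers, an upper-case realm name, and a default_realm that actually exists. The following added example (not part of the thread or of the SAP product) parses such a file and reports those problems; the realm and host names are constructed placeholders.

```python
import re
from collections import defaultdict

# Constructed sample krb5.ini (placeholder names, not a real environment).
SAMPLE_KRB5_INI = """
[libdefaults]
default_realm = DOMAIN.INTERNAL
[realms]
DOMAIN.INTERNAL = {
kdc = ADSERVER1.DOMAIN.INTERNAL
kdc = ADSERVER2.DOMAIN.INTERNAL
default_domain = DOMAIN.INTERNAL
}
"""

def parse_krb5(text):
    """Parse krb5.ini into {section: {key: [values]}}; realm blocks nest under
    'realms' and repeated keys such as kdc keep every value."""
    cfg = defaultdict(lambda: defaultdict(list))
    section, realm = None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        m = re.fullmatch(r"\[(\w+)\]", line)
        if m:                                   # [section] header
            section, realm = m.group(1).lower(), None
        elif line.endswith("{"):                # start of a realm block
            realm = line[:-1].strip().rstrip("=").strip()
            cfg[section][realm] = defaultdict(list)
        elif line == "}":                       # end of a realm block
            realm = None
        else:
            key, _, val = line.partition("=")
            target = cfg[section][realm] if realm else cfg[section]
            target[key.strip()].append(val.strip())
    return cfg

def check_krb5(cfg):
    """Findings for the points raised in the thread: default_realm defined
    under [realms], realm names in upper case, at least one kdc per realm."""
    findings = []
    realms = cfg.get("realms", {})
    default = cfg.get("libdefaults", {}).get("default_realm", [None])[0]
    if default not in realms:
        findings.append(f"default_realm {default!r} has no [realms] entry")
    for name, body in realms.items():
        if name != name.upper():
            findings.append(f"realm {name} is not upper case")
        if not body.get("kdc"):
            findings.append(f"realm {name} has no kdc line")
    return findings
```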

former_member340306
Participant
0 Kudos

Hey Ronak,

I had the AD team create the SPNs; apparently they were not created, as suspected. I restarted the server and the BOBJ services, and now I can log in using AD fine. Let me try doing the SSO now and I will let you know if I run into any issues.

I appreciate your help

former_member340306
Participant
0 Kudos

Ronak, I hope you read my earlier reply that I was able to log in using AD creds. Now I was working on the SSO piece, but it doesn't seem to work. What I have done is create a global.properties file with the following content:

sso.enabled=true
siteminder.enabled=false
vintela.enabled=true
idm.realm=DOMAIN.INTERNAL
idm.princ=biservice   { does this need to be just the service account name or the whole BICMS/service acct? }
idm.allowUnsecured=true
idm.allowNTLM=false
idm.logger.name=simple
idm.logger.props=error-log.properties

For testing I opened up Tomcat config -> Java tab and added the following lines to the Tomcat Java Options:

-Dcom.wedgetail.idm.sso.password=password
-Djcsi.kerberos.debug=true

I cleared the Tomcat logs; now, when I restarted Tomcat, I was supposed to see the credentials being passed in the "stdout.log" file, but all I see is

"Comons Daemon Procrun stdout initilized
com.businessobjects.webpath.rebean3ws.Activitor"

The kicker is that when I open the stderr.log file and search for "credientials" I see an entry in there saying "jcsi.kerberos :** credientials obtained..**Credientialclient : biservice@INTERNAL.DOMAIN.COMsession key: [18,9e..........] service principal: krbtgt/INTERNAL.DOMAIN.COM@INTERNAL.DOMAIN>COMvalid [ ..]   "

There is more text in stderr.log for valid till etc. But I don't know why there is an entry in stderr.log and not in stdout.log, and what the difference between these two logs is.

Now for BusinessObjects: when I use the URL https://severname/BOE/CMC it takes me to the CMC login page, but BI Launch Pad generates a huge error as follows:

HTTP Status 500 - com.wedgetail.idm.sso.ProtocolException:com.wedgetail.idm.spnego.server.SPnegoException:com.dstc.security.util.asn1.Asn1Exception:Bad Tag encountered:78"

I looked at a blog and someone mentioned that I should add another entry in the global.properties file for "idm.s4u=true", but that doesn't work either.

Please let me know if you have any input for this last SSO piece.

former_member205064
Active Contributor
0 Kudos

princ should be the service account name.

idm.princ=serviceAccount name

Add maxHttpHeaderSize in server.xml.

Take a backup of the file and add the following entry.

C:\Program Files (x86)\SAP BusinessObjects\Tomcat6\conf\server.xml

The line should look like this after adding the bold text and a single space:

<Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443" compression="on" URIEncoding="UTF-8" compressionMinSize="2048" noCompressionUserAgents="gozilla, traviata" compressableMimeType="text/html,text/xml,text/plain,text/css,text/javascript,text/json,application/json" maxHttpHeaderSize="65536" />

Restart Tomcat and check if SSO works.

If it still fails then you need to check for duplicate SPNs.

former_member340306
Participant
0 Kudos

I have added that line already, but SSO was still failing.

How do I check for duplicate SPNs?

Plus, the credential-passing entry was getting written to the stderr.log file rather than the stdout.log file, as I mentioned in the message above. What does this mean in your opinion?

former_member205064
Active Contributor
0 Kudos

The Tomcat files are OK, no need for any modification there.

For duplicate SPNs check the following notes: 1387370, 2220591.

former_member340306
Participant
0 Kudos

Hi Ronak,

I looked at the note and I think I am a little confused; it mentions the cluster name in identifying the SPNs, which was done. So I have two nodes (Server1, Server2) in a cluster,

and I have the following SPNs for my service account that are created:

HTTP/Server1

HTTP/Server1.DOMAIN.INTERNAL

HTTP/Server2

HTTP/Server2.DOMAIN.INTERNAL

BICMS/Service Account.DOMAIN,INTERNAL

I think the SAP note states how to delete the multiple SPNs, but my question was more along the lines of how to identify whether we have multiple SPNs in the first place. So is there a command to check for multiple SPNs?

I ran "setspn -l serviceaccount" and it gave me the list of SPNs listed above:

HTTP/Server1

HTTP/Server1.DOMAIN.INTERNAL

HTTP/Server2

HTTP/Server2.DOMAIN.INTERNAL

BICMS/Service Account.DOMAIN,INTERNAL

But when I ran "setspn -l machinename" (Server2)

it actually showed me the following:

WSMAN/Server2.DOMAIN.INTERNAL

WSMAN/Server2

TERMSRV/Server2.DOMAIN.INTERNAL

TERMSRV/Server2

RestrictedKrbHost/Server2

RestrictedKrbHost/Server2.DOMAIN.INTERNAL

HOST/Server2

HOST/Server2.DOMAIN.INTERNAL

Is this how we check duplicate SPNs? Is it supposed to be by local system name or by service account name? Because the server names are Server1 and Server2, but the service account name used is the same for both. Plus, none of the SPNs by machine/server name resembles the service account SPNs created.

Please provide your feedback.

former_member205064
Active Contributor
0 Kudos

Duplicate SPN scenario:

For one service account, if these are the SPNs generated

HTTP/Server1

HTTP/Server1.DOMAIN.INTERNAL

HTTP/Server2

HTTP/Server2.DOMAIN.INTERNAL

BICMS/Service Account.DOMAIN,INTERNAL

then no other service account should have the same SPN registered.
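A duplicate, in the sense described above, is one SPN string registered on two different accounts, and AD compares SPNs case-insensitively, so a lower-case copy on a retired account is still a duplicate. The following added example (not from the thread or from SAP) groups captured "setspn -L" style output per account and reports any SPN held by more than one; the account and host names are constructed placeholders, and the header format is assumed to match what setspn prints.

```python
import re
from collections import defaultdict

# Constructed text in the shape of "setspn -L <account>" output for three
# principals (placeholder names). The retired account still carries one of
# the BI service account's HTTP SPNs, differing only in letter case.
SAMPLE_SETSPN_OUTPUT = """\
Registered ServicePrincipalNames for CN=biservice,OU=Service Accounts,DC=domain,DC=internal:
\tHTTP/Server1
\tHTTP/Server1.DOMAIN.INTERNAL
\tHTTP/Server2
\tHTTP/Server2.DOMAIN.INTERNAL
\tBICMS/biservice.DOMAIN.INTERNAL
Registered ServicePrincipalNames for CN=SERVER2,OU=Servers,DC=domain,DC=internal:
\tWSMAN/Server2
\tHOST/Server2
\tHOST/Server2.DOMAIN.INTERNAL
Registered ServicePrincipalNames for CN=oldbiservice,OU=Service Accounts,DC=domain,DC=internal:
\thttp/server2.domain.internal
"""

# Header line assumed to look like the one setspn -L prints; the CN is the account.
HEADER = re.compile(r"^Registered ServicePrincipalNames for CN=([^,]+),", re.I)

def parse_setspn_output(text):
    """Group the indented SPN lines under each header into {account: [spn, ...]}."""
    by_account, current = {}, None
    for raw in text.splitlines():
        m = HEADER.match(raw)
        if m:
            current = m.group(1)
            by_account.setdefault(current, [])
        elif raw.strip() and current is not None:
            by_account[current].append(raw.strip())
    return by_account

def find_duplicate_spns(by_account):
    """Return {spn: [accounts]} for every SPN held by more than one account.
    SPNs are folded to lower case because AD matches them case-insensitively."""
    holders = defaultdict(set)
    for account, spns in by_account.items():
        for spn in spns:
            holders[spn.lower()].add(account)
    return {spn: sorted(a) for spn, a in holders.items() if len(a) > 1}

if __name__ == "__main__":
    dups = find_duplicate_spns(parse_setspn_output(SAMPLE_SETSPN_OUTPUT))
    for spn, accounts in dups.items():
        print(f"duplicate SPN {spn}: {', '.join(accounts)}")
```

On a domain-joined host, setspn -X performs this forest-wide duplicate check directly; the script is for the case where only per-account -L output has been collected.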

former_member340306
Participant
0 Kudos

OK, I will have our AD team check it in the morning.

I have been reading posts where they mentioned deleting the contents of the localhost directories under work/catalina and conf/catalina. Do you think that is necessary, since I am not using a local system account for the SIA? I am actually using a service account for the SIA also.

Thanks

former_member205064
Active Contributor
0 Kudos

The SIA should be running with a domain account.

You can delete the Tomcat cache when restarting Tomcat for troubleshooting.

former_member340306
Participant
0 Kudos

I have sent a request to the AD team to check for SPN duplicates. Once I hear from them tomorrow I will delete the cache also, check, and keep you posted.

Thanks for all your help

former_member340306
Participant
0 Kudos

One of the file names in the cache is too long and it's not letting me delete it.

I did the following:

  • Open a command prompt by running "CMD.EXE"
  • Navigate to the folder holding the file
  • Use the command DIR /X, which will display the short names of files.

But actually DIR /X is only showing the full name of the file. Is there a better way, in your opinion, to delete files with long names and paths?

former_member340306
Participant
0 Kudos

Actually, I was able to rename the folders to a, b, c, d, etc. to shorten the long path, and then it let me delete the file.

I restarted Tomcat and I will check in 25 minutes so it can rebuild the cache.

former_member340306
Participant
0 Kudos

Hey Ronak ,

Issue resolved!! Thanks so much for all your help. The mistake I was making was checking SSO on the server, which is not supposed to work!! I checked it on the client and imported the AD group that contains the user I am logging in to the client machine with, and it worked; it passed on my credentials for SSO!!!

Thanks !!!

former_member205064
Active Contributor
0 Kudos

I am glad it worked.

former_member340306
Participant
0 Kudos

Thanks for all your help. I guess clearing the Tomcat cache for localhost helped also!!

By the way, I created another post:

Please advise me on this also if possible!

Thanks a lot!

Answers (1)

former_member340306
Participant
0 Kudos

One thing I need to add is that, after looking at the user properties, it seems their database credentials are not "enabled" after the import. Not sure why that is happening!