on 12-10-2015 7:30 PM
Hi,
I referenced a great post listed below for Windows AD and SSO with BusinessObjects 4.0.
I have completed this up to step 8, where I can see the Authentication tab visible on BI Launch Pad, but I am unable to log in as an AD user.
Although the ticket at the end of step 7 has been successfully created, what I am not sure about is whether I need to run the cmd prompt as the AD service account user or as the admin user that I logged into the BusinessObjects VM server as.
Please let me know if that is irrelevant and if there is anything else that needs to be tested. I have followed all the other steps and have the service account AD user as part of the Admin group on the server and also "Act as part of the operating system" in the local security policy.
Thanks.
No need to run the cmd prompt as the AD service account or the admin user.
That is just a test of whether the Java path and the krb and bscLogin files are correct or not.
First step:- manual AD should work.
What is the error you are getting when you log in to BI Launch Pad?
The error was: "Account information not recognized. The active directory Authentication plugin couldnt authenticate at this time. please try again later"
What I just noticed was when I ran "setspn -l biservice" to confirm SPNs have been created I didn't get anything back. I have reached out to the AD team to create the below listed SPNs for me.
I am thinking that will resolve my issue once created, but I will find out soon!
You are correct, these SPNs are a must for SSO only.
And setspn -l should list it, but sometimes it does not list at our side; as long as it is present on the AD side, things should be fine.
Check with the AD team; he can send you the screenshot from his end.
Is your Manual AD working?
Follow the PDF attached to this SAP note:-1631734
No, actually my manual AD is not working. I can't log in using my AD account; it throws the error that I listed above.
I was able to actually see the SPNs for the current service account used in production but could not see them for the new one, that's why I thought they might not be created. But the AD team will test it out and let me know in the morning.
I actually followed the same SAP note to configure my AD. SPNs for the service account are the only things that I felt were missing. I did everything else according to the post, configured the bcf and krb5 files, the token was successful, and I changed the Java tab in Tomcat also, but still the manual AD is not working.
Is there anything else I can try to test besides the confirmation on the SPNs?
Is this the complete error message?
"Account information not recognized. The active directory Authentication plugin couldnt authenticate at this time. please try again later"
No FWM00006 or FWM00005 at the end?
Update the CMC Authentication tab with the service account and the Default Domain Name and try login.
Only the Default Domain should be in upper case.
java option :-
-Djava.security.auth.login.config=c:\windows\bscLogin.conf
-Djava.security.krb5.conf=c:\windows\krb5.ini
And bscLogin.conf and krb5.ini should be present at the exact location with the exact extension, with no .txt attached at the end.
Are you able to log in to the client tool with an AD user?
The error has FWM00005 at the end.
====================================================
Update the CMC Authentication tab with the service account and the Default Domain Name and try login.
Only the Default Domain should be in upper case.
-This comment is interesting, because e.g. my entries are as follows:
AD Administration name: DOMAIN\Service account (but the domain is all caps and the service account has mixed capital and small letters along with "-", so e.g. sv-Xyz-AAA).
Is that an issue?
============================================================
java option :-
-Djava.security.auth.login.config=c:\windows\bscLogin.conf
-Djava.security.krb5.conf=c:\windows\krb5.ini
And bscLogin.conf and krb5.ini should be present at the exact location with the exact extension, with no .txt attached at the end.
-The files are at the right location under Windows and are also referenced correctly in the Tomcat configuration Java tab, and have no additional .txt in the extension; I specifically checked for that based on the note.
===========================================================
Are you able to log in to the client tool with an AD user?
-No. One question I might have is: I don't have client tools on the new server. The old server, which is on 4.1 SP5, has client tools, and I logged onto that server and connected the rich client to the new server using Windows AD but it didn't work, but the Enterprise Admin account is working fine.
One confusion I had was that the old server is referencing a different service account, and the bcf and krb5 files on that server are potentially different than on this new server. So do you think that might have caused the client logon using the rich client to this new server to fail?
Should I have client tools on this server to test?
Please provide your feedback.
No need to install the client tools on the server to test.
You can test the login in CCM with AD for test purposes.
But first:-
Go to CMC -> Authentication -> AD Service Principal section.
enter the SPN as
Update at the bottom and try login.
Try logging in to CCM with the AD account.
Also, in the krb5 file the KDC value should be the value of your AD server; this you need from your AD admin.
Go to CMC -> Authentication -> AD Service Principal section.
enter the SPN as
Update at the bottom and try login.
Try logging in to CCM with the AD account.
- Current SPN was: BICMS/ServiceAccount.DOMAIN,INTERNAL.COM
Based on your comment I changed it to ServiceAccount@DOMAIN.COM
It threw an error when I tried to update; the error was
"The active directory plugin failed to verify the provided SPN. Please ensure the SPN identifies the a valid account"
==============================================================
Also, in the krb5 file the KDC value should be the value of your AD server; this you need from your AD admin.
I entered the AD server name for KDC, but I also sent an email to confirm the name. Can we have two KDC entries in the krb5 file, e.g.
DOMAIN.INTERNAL = {
kdc = ADSERVER1.DOMAIN.INTERNAL
kdc = ADSERVER2.DOMAIN.INTERNAL
default_domain = DOMAIN.INTERNAL
}
And what does KDC stand for?
Thanks for your help
Ronak, I hope you read my earlier reply that I was able to log in using AD creds. But now I was working on the SSO piece, but it doesn't seem to work. What I have done is created a global.properties file with the following content:
sso.enabled=true
siteminder.enabled=false
vintela.enabled=true
idm.realm=DOMAIN.INTERNAL
idm.princ=biservice {does this need to be just the service account name or the whole BICMS/service acct?}
idm.allowUnsecured=true
idm.allowNTLM=false
idm.logger.name=simple
idm.logger.props=error-log.properties
And for testing I opened up Tomcat config -> Java tab and added the following lines to the Tomcat Java Options:
-Dcom.wedgetail.idm.sso.password=password
-Djcsi.kerberos.debug=true
I cleared the Tomcat logs. Now when I restarted Tomcat I'm supposed to see in the "stdout.log" file the credentials being passed, but all I see is "Comons Daemon Procrun stdout initilizedcom.businessobjects.webpath.rebean3ws.Activitor". The kicker is that when I open the stderr.log file and search for "credientials" I see an entry in there saying "jcsi.kerberos :** credientials obtained..**Credientialclient : biservice@INTERNAL.DOMAIN.COMsession key: [18,9e..........] service principal: krbtgt/INTERNAL.DOMAIN.COM@INTERNAL.DOMAIN>COMvalid [ ..] ". There is more text in the stderr.log for valid till etc. But I don't know why there is an entry in stderr.log and stdout.log, and what's the difference between these two logs.
Now for BusinessObjects: when I use the URL https://severname/BOE/CMC it takes me to the CMC login page, but BI Launch Pad generates a huge error as follows:
HTTP Status 500 - com.wedgetail.idm.sso.ProtocolException:com.wedgetail.idm.spnego.server.SPnegoException:com.dstc.security.util.asn1.Asn1Exception:Bad Tag encountered:78
I looked at a blog and someone mentioned that I should add another entry in the global.properties file for "idm.s4u=true", but that doesn't work either. Please let me know if you have any input for this last SSO piece.
princ should be the service account name.
idm.princ=serviceAccount name
Add maxHttpHeaderSize in server.xml.
Take a backup of the file and add the following entry.
C:\Program Files (x86)\SAP BusinessObjects\Tomcat6\conf\server.xml
The line should look like this after adding the maxHttpHeaderSize attribute, preceded by a single space:
<Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443" compression="on" URIEncoding="UTF-8" compressionMinSize="2048" noCompressionUserAgents="gozilla, traviata" compressableMimeType="text/html,text/xml,text/plain,text/css,text/javascript,text/json,application/json" maxHttpHeaderSize="65536" />
Restart Tomcat and check if SSO works.
If it still fails then you need to check for duplicate SPNs.
The Tomcat files are OK, no need for any modification there.
For duplicate SPNs check with the following notes:- 1387370, 2220591
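As an added example (not from this thread, from SAP, or from any of the posters), here is a small Python check that parses a krb5.ini of the shape quoted above and applies the rules the replies give: the default realm in upper case and at least one kdc entry for it. It accepts two kdc lines for one realm, which is valid Kerberos configuration (the KDCs are tried in order), so it also answers the two-KDC question. The sample file and the server names in it are constructed.

```python
# Added example: sanity-check a krb5.ini against the rules given in the thread
# (upper-case default realm, a [realms] entry for it with at least one kdc).
import re

# Constructed sample in the shape quoted in the thread; two kdc lines for one
# realm are valid and are tried in order.
SAMPLE_KRB5_INI = """[libdefaults]
default_realm = DOMAIN.INTERNAL
dns_lookup_kdc = true

[realms]
DOMAIN.INTERNAL = {
kdc = ADSERVER1.DOMAIN.INTERNAL
kdc = ADSERVER2.DOMAIN.INTERNAL
default_domain = DOMAIN.INTERNAL
}
"""

def parse_realms(text):
    """Return {realm: [kdc, ...]} from the brace-delimited [realms] block."""
    realms, current, in_realms = {}, None, False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("["):            # a new section header
            in_realms = line.lower() == "[realms]"
        elif in_realms and line:
            m = re.match(r"^(\S+)\s*=\s*\{$", line)
            if m:                           # "REALM = {" opens a realm block
                current = m.group(1)
                realms[current] = []
            elif line == "}":               # closes the realm block
                current = None
            elif current and re.match(r"^kdc\s*=", line, re.I):
                realms[current].append(line.split("=", 1)[1].strip())
    return realms

def check_krb5(text):
    """List of problems found; an empty list means the file passes."""
    m = re.search(r"^\s*default_realm\s*=\s*(\S+)", text, re.M)
    if not m:
        return ["no default_realm in [libdefaults]"]
    realm, problems = m.group(1), []
    if realm != realm.upper():
        problems.append("default_realm %s is not upper case" % realm)
    realms = parse_realms(text)
    if realm not in realms:
        problems.append("no [realms] entry for %s" % realm)
    elif not realms[realm]:
        problems.append("realm %s lists no kdc" % realm)
    return problems

if __name__ == "__main__":
    print(parse_realms(SAMPLE_KRB5_INI))
    print(check_krb5(SAMPLE_KRB5_INI))     # []
```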
Hi Ronak,
I looked at the note and I think I am a little confused; it mentions the cluster name in identifying the SPNs, which was done. So I have two nodes (Server1, Server2) in a cluster
and I have the following SPNs created for my service account:
HTTP/Server1
HTTP/Server1.DOMAIN.INTERNAL
HTTP/Server2
HTTP/Server2.DOMAIN.INTERNAL
BICMS/Service Account.DOMAIN,INTERNAL
I think the SAP note states how to delete the multiple SPNs, but my question was more along the lines of how to identify whether we have multiple SPNs in the first place. So is there a command to check for multiple SPNs?
I ran "setspn -l serviceaccount" and it gave me the list of SPNs listed above:
HTTP/Server1
HTTP/Server1.DOMAIN.INTERNAL
HTTP/Server2
HTTP/Server2.DOMAIN.INTERNAL
BICMS/Service Account.DOMAIN,INTERNAL
But when I ran "setspn -l machinename" (Server2)
It actually showed me the following:
WSMAN/Server2.DOMAIN.INTERNAL
WSMAN/Server2
TERMSRV/Server2.DOMAIN.INTERNAL
TERMSRV/Server2
RestrictedKrbHost/Server2
RestrictedKrbHost/Server2.DOMAIN.INTERNAL
HOST/Server2
HOST/Server2.DOMAIN.INTERNAL
Is this how we check duplicate SPNs? Is it supposed to be by local system name or by service account name? Because the server names are Server1 and Server2 but the service account name used is the same for both. Plus none of the SPNs by machine/server name resemble the service account SPNs created.
Please provide your feedback
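An added example, not from this thread or from SAP, of what the duplicate check actually is: the same SPN string registered on more than one account, whether those accounts are users, service accounts or computers. The computer account's HOST/, WSMAN/ and TERMSRV/ names listed above are different SPNs from the service account's HTTP/ names, so they do not collide with each other. The script parses captured "setspn -L" listings for several accounts; the sample output is constructed in the shape setspn prints, and the second service account (oldbiservice) is invented so that a duplicate shows up.

```python
# Added example: find SPNs registered on more than one account by parsing
# captured "setspn -L <account>" output (constructed sample below).
import re
from collections import defaultdict

# Constructed listings for the BI service account, the Server2 computer
# account, and an invented old service account that still holds one HTTP SPN.
SAMPLE_SETSPN_OUTPUT = """Registered ServicePrincipalNames for CN=biservice,OU=Service Accounts,DC=domain,DC=internal:
        HTTP/Server1
        HTTP/Server1.DOMAIN.INTERNAL
        HTTP/Server2
        HTTP/Server2.DOMAIN.INTERNAL
        BICMS/biservice.DOMAIN.INTERNAL
Registered ServicePrincipalNames for CN=SERVER2,OU=Servers,DC=domain,DC=internal:
        WSMAN/Server2.DOMAIN.INTERNAL
        WSMAN/Server2
        TERMSRV/Server2.DOMAIN.INTERNAL
        TERMSRV/Server2
        RestrictedKrbHost/Server2
        RestrictedKrbHost/Server2.DOMAIN.INTERNAL
        HOST/Server2
        HOST/Server2.DOMAIN.INTERNAL
Registered ServicePrincipalNames for CN=oldbiservice,OU=Service Accounts,DC=domain,DC=internal:
        HTTP/Server1.DOMAIN.INTERNAL
        BICMS/oldbiservice.DOMAIN.INTERNAL
"""

def parse_setspn(text):
    """Return {account_dn: [spn, ...]} from one or more setspn -L listings."""
    spns, account = defaultdict(list), None
    for line in text.splitlines():
        m = re.match(r"Registered ServicePrincipalNames for (.+):$", line)
        if m:                       # header line names the account
            account = m.group(1)
        elif account and line.strip():
            spns[account].append(line.strip())
    return dict(spns)

def find_duplicate_spns(spns_by_account):
    """SPNs (compared case-insensitively) that sit on more than one account."""
    owners = defaultdict(set)
    for account, spns in spns_by_account.items():
        for spn in spns:
            owners[spn.lower()].add(account)
    return {spn: sorted(accts) for spn, accts in owners.items() if len(accts) > 1}

if __name__ == "__main__":
    for spn, accounts in find_duplicate_spns(parse_setspn(SAMPLE_SETSPN_OUTPUT)).items():
        print(spn, "->", ", ".join(accounts))
```

On a domain-joined machine the same forest-wide check is what "setspn -X" reports; the script is for reviewing listings you have already captured from several accounts.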
OK, I will have our AD team check it in the morning.
I have been reading posts where they mentioned deleting the contents of the localhost directories under work/catalina and conf/catalina. Do you think that is necessary since I am not using a local system account for the SIA? I am actually using a service account for the SIA also.
Thanks
One of the file names in the cache is too long and it's not letting me delete it.
I did the following:
But actually DIR /X is only showing the full name of the file. Is there a better way, in your opinion, to delete files with long names and paths?
Hey Ronak,
Issue resolved!! Thanks so much for all your help. The mistake I was making was checking SSO on the server, which is not supposed to work!! I checked it on the client and imported the AD group that has the user I am logging in to the client machine with, and it worked; I passed on my credentials for SSO!!!
Thanks!!!
One thing I need to add is that after looking at the user properties, it seems their database credentials are not "enabled" after the import. Not sure why that is happening!