BO 4.3 Windows AD SSO does not work

zeek_khan
Explorer

Hi All,

We are going through a BO 4.3 upgrade and decided to do a side-by-side installation. We have faced nothing but nightmares with the new 4.3 upgrade. We have been facing this SSO issue for a few weeks now and, after not getting proper support from SAP and repeatedly being sent KBAs, we are turning to the community to see if someone can help or may have ideas or a solution for us. We are on Windows Server 2016 Standard and BO 4.3 SP2 Patch 9, Version: 14.3.2.4469. We have followed the KBA below from A to Z, every single step, and we currently have our DEV, TEST, and PRD 4.2 environments fully functional with AD SSO enabled.

2629070 - How to Securely Integrate BI 4.2 or 4.3 with Windows Active Directory and SSO in Distributed Environments - Best Practices

SAP Knowledge Base Article, Version: 43, Released On: 16.03.2023

I can provide the logs from stderr.log in the tomcat/logs directory, but the two errors that we are seeing are:

KrbException: KDC has no support for encryption type (14) (This is in the stderr.log)

and the other error we see, when we try to manually enter Windows credentials on BI Launchpad with Windows AD selected in the authentication box, is:

Account information not recognized: The Active Directory Authentication plugin could not authenticate at this time. Please try again. If the problem persists, please contact your technical support department. (FWM 00005)

We are really at a loss here and not sure what to do and where to go from here. Would someone chime in and point us in the right direction?

Accepted Solutions (0)

Answers (4)

MC
Participant

Hi

Check the SPNs: maybe there is a typo, maybe you need to add additional SPNs, and check for duplicate SPNs.

Also, if that is not currently the case, go for constrained delegation.

Keep an eye on the tomcat logs and depending on the entries follow the troubleshooting notes.

Keep testing the config with the idm.password until it's working, and once this is the case, switch to the keytab.

MC
Participant

Hi

Since the manual logon is still not working I would suggest to revise the steps from the start.

You mentioned that this is a new 4.3 system; do you have a proper license applied? Additionally, is the AD user account that you are testing with licensed (do you have enough Named/Concurrent licenses for all AD users)?

zeek_khan
Explorer

Hi Marian,

I have progress. I removed rc4-hmac from the default_tkt_enctypes and default_tgs_enctypes and I am now able to log in using manual logon with my Windows user and password. However, I am just not able to automatically log on to BO when launching Infoview/Launchpad. Any idea what I should do? Thank you again for the help.

JohnClark
Active Participant

I've always followed 2629070 - How to Securely Integrate BI 4.2 or 4.3 with Windows Active Directory and SSO in Distribut... since BI 4.2, and when it was still just a blog post, and haven't had any issues.

When I saw this error in your post

KrbException: KDC has no support for encryption type (14) (This is in the stderr.log)

My immediate thought was the encryption configuration in krb5.ini. Specifically these lines:

default_tgs_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 RC4-HMAC
default_tkt_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 RC4-HMAC

Check for typos. In our krb5.ini file, we have commas between the values for these and the order is different.

default_tkt_enctypes = rc4-hmac, aes256-cts-hmac-sha1-96, aes128-cts-hmac-sha1-96
default_tgs_enctypes = rc4-hmac, aes256-cts-hmac-sha1-96, aes128-cts-hmac-sha1-96

The order is because we started using it when only rc4-hmac was supported in our company, and when that changed, it still seemed to favor rc4-hmac. Verify your spelling and maybe change the order. I also notice that we have our values separated by commas. You could try this, as there could be a mistake in the KBA.

zeek_khan
Explorer

Thank you, John, for your response. I made a small change as per your recommendation. Please see below my "old" values and "new" values for krb5.ini. As you can see, I inserted spaces after the commas and tried to log in using manual AD auth, and I got this new error this time:

"Account information not recognized: Active Directory Authentication failed to log you on. Please contact your system administrator to make sure you are a member of a valid mapped group and try again. If you are not a member of the default domain, enter your user name as UserName@DNS_DomainName, and then try again. (FWM 00006)"

Old values:

default_tkt_enctypes = rc4-hmac,aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96
default_tgs_enctypes = rc4-hmac,aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96

New values:

default_tkt_enctypes = rc4-hmac, aes256-cts-hmac-sha1-96, aes128-cts-hmac-sha1-96
default_tgs_enctypes = rc4-hmac, aes256-cts-hmac-sha1-96, aes128-cts-hmac-sha1-9

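An added example for the two answers above (John's krb5.ini enctype lines and the old/new values Zubair posted); it is not part of the thread, not SAP's code and not tooling from the KBA. It builds on two facts: in the Java Kerberos message "KDC has no support for encryption type (14)", the number in parentheses is the RFC 4120 error code KDC_ERR_ETYPE_NOSUPP, not an enctype number; and the krb5.conf format accepts enctype lists separated by commas or whitespace, so the checker below reads either spelling the same way. Everything else (the realm EXAMPLE.COM, the KDC name, the two sample files) is constructed for the example.

```python
"""Check the enctype lists in a krb5.ini [libdefaults] section for typos and weak types.

Added example for this thread; it is not SAP code and not the KBA's own tooling.
The parser is deliberately tolerant and accepts names separated by commas,
whitespace or both, so both spellings posted in the thread are read the same way.
"""
import re

# Standard enctype names (RFC 3961, RFC 4757, RFC 8009) with the aliases MIT
# Kerberos accepts; matched case-insensitively, so "RC4-HMAC" and "rc4-hmac" are equal.
ENCTYPES = {
    "des-cbc-crc": 1,
    "des-cbc-md5": 3,
    "des3-cbc-sha1": 16, "des3-hmac-sha1": 16, "des3-cbc-sha1-kd": 16,
    "aes128-cts-hmac-sha1-96": 17, "aes128-cts": 17, "aes128-sha1": 17,
    "aes256-cts-hmac-sha1-96": 18, "aes256-cts": 18, "aes256-sha1": 18,
    "aes128-cts-hmac-sha256-128": 19, "aes128-sha2": 19,
    "aes256-cts-hmac-sha384-192": 20, "aes256-sha2": 20,
    "rc4-hmac": 23, "arcfour-hmac": 23, "arcfour-hmac-md5": 23,
}
WEAK = {1, 3, 16, 23}  # DES, 3DES and RC4: deprecated, frequently disabled on the KDC
ENCTYPE_KEYS = ("default_tkt_enctypes", "default_tgs_enctypes", "permitted_enctypes")

# Kerberos error codes (RFC 4120 section 7.5.9). Java's client appends the code
# in parentheses, so "KDC has no support for encryption type (14)" is error 14,
# not enctype 14.
KRB_ERRORS = {
    6: "KDC_ERR_C_PRINCIPAL_UNKNOWN: client principal not found in the KDC database",
    7: "KDC_ERR_S_PRINCIPAL_UNKNOWN: service principal not found; check the SPNs",
    14: "KDC_ERR_ETYPE_NOSUPP: client and KDC share no acceptable enctype",
    24: "KDC_ERR_PREAUTH_FAILED: wrong password or wrong key in the keytab",
    37: "KRB_AP_ERR_SKEW: clock skew too great",
    68: "KDC_ERR_WRONG_REALM: request sent to the wrong realm",
}


def parse_libdefaults(text):
    """Return {key: value} for the [libdefaults] section of a krb5.ini/krb5.conf."""
    section, out = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        header = re.match(r"^\[(\w+)\]$", line)
        if header:
            section = header.group(1).lower()
            continue
        if section == "libdefaults" and "=" in line:
            key, _, value = line.partition("=")
            out[key.strip().lower()] = value.strip()
    return out


def check_enctypes(text):
    """Validate each enctype list found in [libdefaults].

    Returns {key: {"ok": [(name, etype), ...], "unknown": [...], "weak": [...]}}.
    "unknown" holds names that match no enctype (the typos this thread is about);
    "weak" holds recognised names whose type the KDC may refuse.
    """
    report = {}
    for key, value in parse_libdefaults(text).items():
        if key not in ENCTYPE_KEYS:
            continue
        ok, unknown, weak = [], [], []
        for name in (n for n in re.split(r"[,\s]+", value) if n):
            etype = ENCTYPES.get(name.lower())
            if etype is None:
                unknown.append(name)
                continue
            ok.append((name, etype))
            if etype in WEAK:
                weak.append(name)
        report[key] = {"ok": ok, "unknown": unknown, "weak": weak}
    return report


def describe_krb_error(code):
    """Translate the numeric code Java prints after a KrbException message."""
    return KRB_ERRORS.get(code, f"unknown Kerberos error code {code}")


# Constructed samples that mirror the lines quoted in the thread; not a real server's file.
SAMPLE_KBA_STYLE = """[libdefaults]
default_realm = EXAMPLE.COM
default_tgs_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 RC4-HMAC
default_tkt_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 RC4-HMAC
"""
SAMPLE_WITH_TYPO = """[libdefaults]
default_tkt_enctypes = rc4-hmac, aes256-cts-hmac-sha1-96, aes128-cts-hmac-sha1-96
default_tgs_enctypes = rc4-hmac, aes256-cts-hmac-sha1-96, aes128-cts-hmac-sha1-9
[realms]
EXAMPLE.COM = { kdc = dc1.example.com }
"""

if __name__ == "__main__":
    for label, sample in (("KBA style", SAMPLE_KBA_STYLE), ("with typo", SAMPLE_WITH_TYPO)):
        print(f"== {label}")
        for key, result in check_enctypes(sample).items():
            print(f"{key}: {[e for _, e in result['ok']]} "
                  f"unknown={result['unknown']} weak={result['weak']}")
    print(describe_krb_error(14))
```

To use it on a real system, feed the file's text to check_enctypes (for example check_enctypes(open(path).read())). Anything reported under "unknown" is a spelling problem in the list, such as the truncated aes128-cts-hmac-sha1-9 in the "new values" above, which matches no enctype at all. Names under "weak" are worth a second look: the order of the list is the client's preference order, and the thread's own report is that manual logon began working once rc4-hmac was removed from both lists.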
MC
Participant

Hello Zubair

If you follow the steps according to the mentioned note: "2629070 - How to Securely Integrate BI 4.2 or 4.3 with Windows Active Directory and SSO in Distributed Environments - Best Practices" then Win AD SSO should work.

Some hints:

- check the service account (pw never expires, user cannot change pw) and the SPNs

- add the service account to the local Administrators group in the beginning and, once the config is running, restrict the permissions

- start the SIA using the service account

- when you activate the Win AD Authentication from CMC pay attention when entering the Domain (ALL CAPS); verify that the users are showing

- perform the steps for manual AD logon (config files) and check if the manual logon is working; if this is not the case then start all over again, rinse and repeat. Only if the manual AD logon is working proceed with the next steps.

This is a very important milestone and the manual AD logon will confirm if the steps were performed correctly.

Did you document the steps, and would it be possible to PM me a document with screenshots of all the performed steps?

Cheers

zeek_khan
Explorer

Hi Marian,

Thanks for your response. Below are my comments and questions.

"- add the service account to the local Administrators group in the beginning and, once the config is running, restrict the permissions" -- The service account is part of the admin group; can you please explain what you mean by "once the config is running, restrict the permissions"?

"- start the SIA using the service account" -- SIA and Tomcat are both running with this service account.

"- when you activate the Win AD Authentication from CMC pay attention when entering the Domain (ALL CAPS); verify that the users are showing" -- We imported users and groups from the 4.2 environment.

"- perform the steps for manual AD logon (config files) and check if the manual logon is working; if this is not the case then start all over again, rinse and repeat. Only if the manual AD logon is working proceed with the next steps." -- Manual AD does not work; we get the error "Account information not recognized: The Active Directory Authentication plugin could not authenticate at this time. Please try again. If the problem persists, please contact your technical support department. (FWM 00005)"

Thank you for your help.