Former Member

BI 4.2 SSO on Windows

Hi, BI 4.2 SP3. Manual SSO works fine. But when doing SSO, I see the below message in the Tomcat logs. What does this mean?

Using keytab entry for: BOPRD@DOMAIN.COM

[DEBUG] Tue Jun 13 17:25:08 EDT 2017 jcsi.kerberos: ** decrypting ticket .. **

with key

Principal: BOPRD@DOMAIN.COM

Type: 1

TimeStamp: Tue Jun 13 17:25:07 EDT 2017

KVNO: -1

Key: [18, 67 2 d4 e9 19 66 7d b2 2d 55 e8 cb bc 1c 31 34 5f c2 4e 2d 17 95 ef 6d 46 fd 77 6a 8f 12 54 49 ]

[DEBUG] Tue Jun 13 17:25:08 EDT 2017 jcsi.kerberos: Could not decrypt service ticket with Key type 18, KVNO 3, Principal "HTTP/BOSERVER.DOMAIN.COM@DOMAIN.COM" using key:

Principal: [1] BOPRD@DOMAIN.COM

TimeStamp: Tue Jun 13 17:25:07 EDT 2017

KVNO: -1 EncType: 18 Key: 32 bytes, fingerprint = [69 c6 77 e3 ef 45 6e 84 b 8c 11 c4 95 0 fa 80]

Exception for this key was: com.dstc.security.kerberos.CryptoException: Integrity check failure[Note: principal names are different; this may or may not be a problem] [Note: KVNO used wildcard match, not exact match; perhaps the password used to generate this key is not the most recent password?]

[DEBUG] Tue Jun 13 17:25:08 EDT 2017 jcsi.kerberos: Caused by: com.dstc.security.kerberos.CryptoException, Integrity check failure

[DEBUG] Tue Jun 13 17:25:08 EDT 2017 jcsi.kerberos: GSS: Initiator supports: KRB5

[DEBUG] Tue Jun 13 17:25:08 EDT 2017 jcsi.kerberos: GSS: Initiator TGS key type:


3 Answers

  • Best Answer
    Former Member
    Jun 20, 2017 at 09:05 PM

    This was found to be an issue with AES256 encryption.


  • Jun 14, 2017 at 02:02 AM

    Hi,

    1. Please run "setspn -x" in your AD DC machine and check if there is any duplicate SPN.

    2. Please check your global.properties to see if the service account name (idm.princ) has the exact lowercase and uppercase as seen in AD.

    Regards,

    Ivan


  • Jun 14, 2017 at 03:26 AM

    Seems to be an issue with the keytab file.

    Try using the password method for testing if SSO works, then generate a new keytab.

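An added example, not part of the original thread and not SAP tooling: a small parser for the jcsi.kerberos "Could not decrypt service ticket" record quoted in the question, comparing the ticket's encryption type, KVNO and principal with the keytab key that was tried. The sample log is constructed from the question's lines with the fingerprint elided, and the note labels are this example's own names.

```python
import re

# Kerberos encryption type numbers (RFC 3961/3962/4757).
ETYPES = {1: "des-cbc-crc", 3: "des-cbc-md5", 17: "aes128-cts-hmac-sha1-96",
          18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}
SALTED = {17, 18}  # AES keys are derived from password + salt (realm and principal name)

# Constructed sample: records copied from the log in the question, fingerprint elided.
SAMPLE_LOG = """\
Using keytab entry for: BOPRD@DOMAIN.COM
[DEBUG] Tue Jun 13 17:25:08 EDT 2017 jcsi.kerberos: Could not decrypt service ticket with Key type 18, KVNO 3, Principal "HTTP/BOSERVER.DOMAIN.COM@DOMAIN.COM" using key:
Principal: [1] BOPRD@DOMAIN.COM
TimeStamp: Tue Jun 13 17:25:07 EDT 2017
KVNO: -1 EncType: 18 Key: 32 bytes, fingerprint = [elided]
Exception for this key was: com.dstc.security.kerberos.CryptoException: Integrity check failure
"""

TICKET = re.compile(r'Could not decrypt service ticket with Key type (\d+), '
                    r'KVNO (-?\d+), Principal "([^"]+)"')
KEY_PRINCIPAL = re.compile(r'^\s*Principal:\s*(?:\[\d+\]\s*)?(\S+)', re.M)
KEY_META = re.compile(r'KVNO:\s*(-?\d+)\s+EncType:\s*(\d+)')

def diagnose(log):
    """Return one finding per failed decrypt: ticket vs. key attributes plus notes."""
    findings = []
    for m in TICKET.finditer(log):
        princ = KEY_PRINCIPAL.search(log, m.end())
        meta = KEY_META.search(log, m.end())
        if not (princ and meta):
            continue  # truncated record, nothing to compare
        t_etype, t_kvno, t_princ = int(m[1]), int(m[2]), m[3]
        k_kvno, k_etype, k_princ = int(meta[1]), int(meta[2]), princ[1]
        notes = []
        if k_etype != t_etype:
            notes.append("etype-mismatch")
        if k_kvno == -1:
            notes.append("kvno-wildcard")      # key version cannot be compared
        elif k_kvno != t_kvno:
            notes.append("kvno-stale")
        if k_princ.lower() != t_princ.lower():
            notes.append("principal-differs")  # key is listed under the account, not the SPN
        if k_etype in SALTED:
            notes.append("salt-sensitive")     # name/case used for the key must match AD
        findings.append({"ticket": (t_princ, ETYPES.get(t_etype, t_etype), t_kvno),
                         "key": (k_princ, ETYPES.get(k_etype, k_etype), k_kvno),
                         "notes": notes})
    return findings
```

For the record in the question, the encryption types match (both type 18), so the remaining candidates are the ones the answers name: the key material in the keytab and the exact case of the account name used to derive an AES key.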