BI 4.2 SSO on Windows

Jun 13, 2017 at 10:11 PM

Former Member

Hi, BI 4.2 SP3. Manual SSO works fine. But when doing SSO, I see the below message in the Tomcat logs. What does this mean?

Using keytab entry for: BOPRD@DOMAIN.COM
[DEBUG] Tue Jun 13 17:25:08 EDT 2017 jcsi.kerberos: ** decrypting ticket .. **
with key
Principal: BOPRD@DOMAIN.COM
Type: 1
TimeStamp: Tue Jun 13 17:25:07 EDT 2017
KVNO: -1
Key: [18, 67 2 d4 e9 19 66 7d b2 2d 55 e8 cb bc 1c 31 34 5f c2 4e 2d 17 95 ef 6d 46 fd 77 6a 8f 12 54 49 ]
[DEBUG] Tue Jun 13 17:25:08 EDT 2017 jcsi.kerberos: Could not decrypt service ticket with Key type 18, KVNO 3, Principal "HTTP/BOSERVER.DOMAIN.COM@DOMAIN.COM" using key:
Principal: [1] BOPRD@DOMAIN.COM
TimeStamp: Tue Jun 13 17:25:07 EDT 2017
KVNO: -1 EncType: 18 Key: 32 bytes, fingerprint = [69 c6 77 e3 ef 45 6e 84 b 8c 11 c4 95 0 fa 80]
Exception for this key was: com.dstc.security.kerberos.CryptoException: Integrity check failure [Note: principal names are different; this may or may not be a problem] [Note: KVNO used wildcard match, not exact match; perhaps the password used to generate this key is not the most recent password?]
[DEBUG] Tue Jun 13 17:25:08 EDT 2017 jcsi.kerberos: Caused by: com.dstc.security.kerberos.CryptoException, Integrity check failure
[DEBUG] Tue Jun 13 17:25:08 EDT 2017 jcsi.kerberos: GSS: Initiator supports: KRB5
[DEBUG] Tue Jun 13 17:25:08 EDT 2017 jcsi.kerberos: GSS: Initiator TGS key type:


3 Answers

Best Answer
Former Member Jun 20, 2017 at 09:05 PM

This was found to be an issue with AES256 encryption.

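To read a failure like the one in the question, here is an added Python example (not from the post, and not SAP or jcsi code) that parses the quoted jcsi.kerberos debug lines and reports what they say about the keytab key versus the service ticket. The log excerpt is constructed from the question; the enctype names are the standard Kerberos type numbers.

```python
import re

# Constructed excerpt of the jcsi.kerberos debug output quoted in the question.
SAMPLE_LOG = "\n".join([
    "Using keytab entry for: BOPRD@DOMAIN.COM",
    "[DEBUG] Tue Jun 13 17:25:08 EDT 2017 jcsi.kerberos: Could not decrypt service ticket "
    'with Key type 18, KVNO 3, Principal "HTTP/BOSERVER.DOMAIN.COM@DOMAIN.COM" using key:',
    "Principal: [1] BOPRD@DOMAIN.COM",
    "KVNO: -1 EncType: 18 Key: 32 bytes, fingerprint = [69 c6 77 e3 ef 45 6e 84 b 8c 11 c4 95 0 fa 80]",
    "Exception for this key was: com.dstc.security.kerberos.CryptoException: Integrity check failure"
    "[Note: principal names are different; this may or may not be a problem] "
    "[Note: KVNO used wildcard match, not exact match; perhaps the password used to generate "
    "this key is not the most recent password?]",
])

# Standard Kerberos encryption type numbers (RFC 3962 for AES, RFC 4757 for RC4).
ENCTYPES = {17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}

TICKET_RE = re.compile(r'Could not decrypt service ticket with Key type (\d+), KVNO (\d+), Principal "([^"]+)"')
KEY_RE = re.compile(r"KVNO: (-?\d+) EncType: (\d+) Key: (\d+) bytes")
PRINC_RE = re.compile(r"Principal: \[\d+\] (\S+)")

def diagnose(log: str) -> dict:
    """Extract ticket and keytab-key parameters from the log and list what to check."""
    ticket, key, princ = TICKET_RE.search(log), KEY_RE.search(log), PRINC_RE.search(log)
    if not (ticket and key and princ):
        return {"findings": ["no 'Could not decrypt service ticket' record found"]}
    t_etype, t_kvno, t_princ = int(ticket.group(1)), int(ticket.group(2)), ticket.group(3)
    k_kvno, k_etype, k_len = (int(g) for g in key.groups())
    findings = []
    if k_etype != t_etype:
        findings.append(f"enctype mismatch: ticket {ENCTYPES.get(t_etype, t_etype)}, "
                        f"keytab {ENCTYPES.get(k_etype, k_etype)}")
    else:
        # Same enctype on both sides and still an integrity failure: the key bytes differ.
        findings.append(f"same enctype {ENCTYPES.get(t_etype, t_etype)} ({k_len}-byte key) on both "
                        "sides, so the keytab does not hold the account's current key for it")
    if k_kvno == -1:
        findings.append(f"keytab KVNO is -1 (wildcard) while the ticket has KVNO {t_kvno}: a stale "
                        "key cannot be caught by version, regenerate the keytab after any password change")
    elif k_kvno != t_kvno:
        findings.append(f"KVNO mismatch: ticket {t_kvno}, keytab {k_kvno}")
    if t_princ != princ.group(1):
        findings.append(f"ticket is for SPN {t_princ}, keytab for account {princ.group(1)}: "
                        "fine only if that SPN is registered on exactly this account (setspn -x)")
    return {"ticket_enctype": t_etype, "ticket_kvno": t_kvno, "ticket_principal": t_princ,
            "key_enctype": k_etype, "key_kvno": k_kvno, "key_principal": princ.group(1),
            "findings": findings}

if __name__ == "__main__":
    for line in diagnose(SAMPLE_LOG)["findings"]:
        print("-", line)
```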
Ivan Yin
Jun 14, 2017 at 02:02 AM

Hi,

1. Please run "setspn -x" on your AD DC machine and check if there is any duplicate SPN.

2. Please check your global.properties to see if the service account name (idm.princ) has exactly the same lowercase and uppercase as seen in AD.

Regards,

Ivan

Former Member

There are no duplicate SPNs.

Former Member

idm.principal is set to the service account name exactly as on the AD.

Former Member Jun 14, 2017 at 03:26 AM

Seems an issue with the keytab file.

Try using the password method for testing; if SSO works, then generate a new keytab.

Former Member

This is with the password hardcoded. kinit works, however
