
Manual AD Authentication with subdomain

I am implementing BI 4.2 SP4 for a customer at the moment. They have a production system and a test system, both of which are Windows 2012 R2 Server.

I have got AD Authentication working on the production system, but things here are fairly standard; the users, server and Windows AD group are all in the same domain (let's call this "CUST").

I am having a problem with the test system, which is in a subdomain called "TEST". The Windows AD group and the service account on which the SPNs are created are also in TEST, but the members are in "CUST". There is, I am told, a two-way trust between the parent and subdomain.

On the test server, the Windows AD configuration settings are okay; I've mapped the Windows AD group in (TEST\Business Objects Test) and the users in this group have appeared in the Users and Groups part of the CMC. Also, Windows AD authentication works with the client tools. So that shows that the SPN configured for this is working.

However, I can't get manual AD authentication working using the CMC/BI Launch Pad. I have added the krb5.ini file with details as follows:

[libdefaults]
default_realm = CUST.CO.UK
dns_lookup_kdc=true
dns_lookup_realm=true
default_tgs_enctypes = rc4-hmac
default_tkt_enctypes = rc4-hmac
udp_preference_limit = 1
[realms]
TEST.CUST.CO.UK = {
kdc = LCCTST-DC-01.TEST.CUST.CO.UK
default_domain = TEST.CUST.CO.UK
}
CUST.CO.UK = {
kdc = LCC-DCP-001.CUST.CO.UK
default_domain = CUST.CO.UK
}

I can successfully use the kinit script in win64_x64/sapjvm/jre/bin to get a ticket for one of the users in the "CUST" domain that is a member of the mapped group.

When I try to use the CMC to log in with the same user, I get an error "Account information not recognized: The Active Directory Authentication plugin could not authenticate at this time...."

In the Windows AD Authentication page of the CMC, I have the following settings:

AD Administration Name: TEST\SVC-WEBTSTBO-01 (this user is also used to run the SIA)

Default AD Domain: CUST.CO.UK

Authentication Option: Use Kerberos Authentication

SPN: BI4TEST/SVC-WEBTSTBO-01.TEST.CUST.CO.UK

Please can anyone offer any advice?

Darren



2 Answers

  • Oct 06, 2017 at 12:57 PM

    A few questions or comments.

    You said the test domain is a child of the customer domain; if this is correct, the trust is automatic. If the test domain is actually another forest, the rules will change significantly. So I'll assume same forest, child domain.

    When you log in from the default domain, you can simply type in the AD username; if you log in from client tools, it's domain\username. When you log in from the child you must type in username@FQDNDOMAIN.COM, by your example that is username@TEST.CUST.CO.UK. Typing the username or domain\username or even username@test.cust.co.uk will all fail.

    Another point is that no additional SPNs are required. If you only generated a unique SPN (as you mentioned, BI4TEST/SVC-WEBTSTBO-01.TEST.CUST.CO.UK) that shouldn't hurt anything, but if you created the same SPN in both domains that will be an issue for at least one domain. Running setspn -x -f will verify any duplicates in either domain.

    -Tim


    • As the users could log in to client tools (which uses the service account the same way as logging in from Java) that shouldn't make any difference. Any child domain has a two-way automatic trust. Now if it's not actually a child domain and has another relationship such as tree root, or forest, then the Java portion could be affected. But this should have been reported with the -Dsun logging.

      There is also a Java bug out there affecting certain versions and causing issues, so it may have fallen into that category as well. Fortunately you had a fairly simple fix, and we are quite a bit limited in our troubleshooting using a forum instead of actual contact in a remote session.

      It sounds like that's the way you should keep it going forward, glad you finally got it working.

      -Tim
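Added example, not from the thread: a small Python script that parses the krb5.ini quoted in the question and reports, for a login name typed the way Tim describes (bare username, or username@REALM), which realm stanza and KDC the AS-REQ will be sent to. It also flags a lower-case realm (Tim's username@test.cust.co.uk case) and the rc4-hmac-only enctype lines, since etype 23 is the legacy cipher the trace later shows. The check rules are the editor's own; the krb5.ini text is the one posted above.

```python
"""Added example (not from the thread): parse a krb5.ini and report where an
AS-REQ for a given login name will go. The krb5.ini text is the one quoted in
the question; the check rules below are the editor's own."""
import re
from typing import Dict, List

# krb5.ini exactly as posted in the question, embedded so this runs offline.
KRB5_INI = """\
[libdefaults]
default_realm = CUST.CO.UK
dns_lookup_kdc=true
dns_lookup_realm=true
default_tgs_enctypes = rc4-hmac
default_tkt_enctypes = rc4-hmac
udp_preference_limit = 1
[realms]
TEST.CUST.CO.UK = {
kdc = LCCTST-DC-01.TEST.CUST.CO.UK
default_domain = TEST.CUST.CO.UK
}
CUST.CO.UK = {
kdc = LCC-DCP-001.CUST.CO.UK
default_domain = CUST.CO.UK
}
"""

# Enctypes a current DC should no longer need; rc4-hmac is etype 23 in the trace.
LEGACY_ENCTYPES = {"rc4-hmac", "arcfour-hmac", "arcfour-hmac-md5",
                   "des-cbc-crc", "des-cbc-md5", "des3-cbc-sha1"}
AES_ENCTYPES = "aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96"


def parse_krb5(text: str) -> Dict[str, dict]:
    """Parse the krb5.ini subset used here: [section] headers, key = value
    lines and one level of NAME = { ... } blocks (as in [realms])."""
    conf: Dict[str, dict] = {}
    section = block = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or section is None and not line.startswith("["):
            continue
        m = re.fullmatch(r"\[(\w+)\]", line)
        if m:
            section, block = m.group(1), None
            conf.setdefault(section, {})
            continue
        if line == "}":
            block = None
            continue
        m = re.fullmatch(r"([^=\s]+)\s*=\s*\{", line)
        if m:
            block = m.group(1)
            conf[section].setdefault(block, {})
            continue
        key, _, value = line.partition("=")
        target = conf[section][block] if block else conf[section]
        # A key may repeat (several kdc lines), so every key maps to a list.
        target.setdefault(key.strip(), []).append(value.strip())
    return conf


def realm_for(login: str, conf: Dict[str, dict]) -> str:
    """Realm after '@' if the user typed one, otherwise default_realm.
    DOMAIN\\user is the client-tools form Tim says fails in the CMC."""
    if "\\" in login:
        raise ValueError("DOMAIN\\user is not a Kerberos principal; use user@REALM")
    _, at, realm = login.partition("@")
    return realm if at else conf["libdefaults"]["default_realm"][0]


def check(login: str, conf: Dict[str, dict]) -> List[str]:
    """Return human-readable findings for one login name against the config."""
    findings = []
    realm = realm_for(login, conf)
    realms = conf.get("realms", {})
    libd = conf["libdefaults"]
    if realm in realms:
        kdcs = ", ".join(realms[realm].get("kdc", ["<no kdc line>"]))
        findings.append(f"AS-REQ for {login} goes to realm {realm} via {kdcs}")
    elif realm.upper() in realms:
        # Realm names are case-sensitive (RFC 4120); AD realms are upper case.
        findings.append(f"realm {realm!r} is not {realm.upper()!r}: case mismatch")
    elif libd.get("dns_lookup_kdc", ["false"])[0].lower() == "true":
        findings.append(f"no [realms] stanza for {realm}; KDC must come from "
                        f"DNS SRV _kerberos._tcp.{realm.lower()}")
    else:
        findings.append(f"no [realms] stanza for {realm} and no DNS lookup: "
                        "no KDC can be contacted")
    for key in ("default_tkt_enctypes", "default_tgs_enctypes"):
        etypes = set(libd.get(key, [""])[0].split())
        if etypes and etypes <= LEGACY_ENCTYPES:
            findings.append(f"{key} allows only legacy ciphers {sorted(etypes)}; "
                            f"prefer {AES_ENCTYPES}")
    return findings


if __name__ == "__main__":
    cfg = parse_krb5(KRB5_INI)
    for name in ("csilimited", "user@TEST.CUST.CO.UK", "user@test.cust.co.uk"):
        print(name, "->", check(name, cfg))
```

Run it as-is and the three sample names show the three cases: the bare name lands in CUST.CO.UK via LCC-DCP-001, the upper-case child realm lands on LCCTST-DC-01, and the lower-case realm is reported as a case mismatch rather than silently going to DNS.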

  • Oct 06, 2017 at 02:48 AM

    Hi,

    A helpful tool in troubleshooting is -Dsun.security.krb5.debug=true added to the Tomcat Java options (type the option and restart Tomcat to take effect; the info is in the Tomcat logs, stderr.log and stdout.log).

    See the link in the references section to KB 1245178 for basic krb5.ini configuration tips please.

    Sungho


    • Hi Sungho / Chenghao

      Thanks for your suggestion. I have put this in place, and attempted to log on to the CMC. The user is in the default domain specified in both the krb5.ini and the Authentication options in the CMC. This is the output I got (I have changed the customer's domain to "CUST.CO.UK" to protect their anonymity). As you'll see, it says "succeeded" but then gives other issues. The error I see on screen is "The Active Directory Authentication plugin could not authenticate at this time".

      Debug is true storeKey false useTicketCache false useKeyTab false doNotPrompt false ticketCache is null isInitiator true KeyTab is null refreshKrb5Config is false principal is null tryFirstPass is false useFirstPass is false storePass is false clearPass is false
      [Krb5LoginModule] user entered username: csilimited@CUST.CO.UK

      Java config name: c:\windows\krb5.ini
      Loaded from Java config
      >>> KdcAccessibility: reset
      default etypes for default_tkt_enctypes: 23.
      >>> KrbAsReq creating message
      >>> KrbKdcReq send: kdc=LCC-DCP-001.CUST.CO.UK TCP:88, timeout=30000, number of retries =3, #bytes=155
      >>> KDCCommunication: kdc=LCC-DCP-001.CUST.CO.UK TCP:88, timeout=30000,Attempt =1, #bytes=155
      >>>DEBUG: TCPClient reading 195 bytes
      >>> KrbKdcReq send: #bytes read=195
      >>>Pre-Authentication Data:
      PA-DATA type = 11
      PA-ETYPE-INFO etype = 23, salt =

      >>>Pre-Authentication Data:
      PA-DATA type = 19
      PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null

      >>>Pre-Authentication Data:
      PA-DATA type = 2
      PA-ENC-TIMESTAMP
      >>>Pre-Authentication Data:
      PA-DATA type = 16

      >>>Pre-Authentication Data:
      PA-DATA type = 15

      >>> KdcAccessibility: remove LCC-DCP-001.CUST.CO.UK
      >>> KDCRep: init() encoding tag is 126 req type is 11
      >>>KRBError:
      sTime is Sat Oct 07 00:11:47 BST 2017 1507331507000
      suSec is 633624
      error code is 25
      error Message is Additional pre-authentication required
      sname is krbtgt/CUST.CO.UK@CUST.CO.UK
      eData provided.
      msgType is 30
      >>>Pre-Authentication Data:
      PA-DATA type = 11
      PA-ETYPE-INFO etype = 23, salt =

      >>>Pre-Authentication Data:
      PA-DATA type = 19
      PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null

      >>>Pre-Authentication Data:
      PA-DATA type = 2
      PA-ENC-TIMESTAMP
      >>>Pre-Authentication Data:
      PA-DATA type = 16

      >>>Pre-Authentication Data:
      PA-DATA type = 15

      KrbAsReqBuilder: PREAUTH FAILED/REQ, re-send AS-REQ
      default etypes for default_tkt_enctypes: 23.
      default etypes for default_tkt_enctypes: 23.
      >>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
      >>> KrbAsReq creating message
      >>> KrbKdcReq send: kdc=LCC-DCP-001.CUST.CO.UK TCP:88, timeout=30000, number of retries =3, #bytes=233
      >>> KDCCommunication: kdc=LCC-DCP-001.CUST.CO.UK TCP:88, timeout=30000,Attempt =1, #bytes=233
      >>>DEBUG: TCPClient reading 1524 bytes
      >>> KrbKdcReq send: #bytes read=1524
      >>> KdcAccessibility: remove LCC-DCP-001.CUST.CO.UK
      >>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
      >>> KrbAsRep cons in KrbAsReq.getReply csilimited
      principal is csilimited@CUST.CO.UK
      Commit Succeeded

      Found ticket for csilimited@CUST.CO.UK to go to krbtgt/CUST.CO.UK@CUST.CO.UK expiring on Sat Oct 07 10:11:47 BST 2017
      Entered Krb5Context.initSecContext with state=STATE_NEW
      Found ticket for csilimited@CUST.CO.UK to go to krbtgt/CUST.CO.UK@CUST.CO.UK expiring on Sat Oct 07 10:11:47 BST 2017
      Service ticket not found in the subject
      >>> Credentials acquireServiceCreds: same realm
      default etypes for default_tgs_enctypes: 23.
      >>> CksumType: sun.security.krb5.internal.crypto.RsaMd5CksumType
      >>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
      >>> KrbKdcReq send: kdc=LCC-DCP-001.CUST.CO.UK TCP:88, timeout=30000, number of retries =3, #bytes=1546
      >>> KDCCommunication: kdc=LCC-DCP-001.CUST.CO.UK TCP:88, timeout=30000,Attempt =1, #bytes=1546
      >>>DEBUG: TCPClient reading 1512 bytes
      >>> KrbKdcReq send: #bytes read=1512
      >>> KdcAccessibility: remove LCC-DCP-001.CUST.CO.UK
      >>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
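Added example, not from the thread: a Python triage script for the -Dsun.security.krb5.debug=true output Sungho recommends. It pulls the facts that matter out of a trace (principal typed, KDCs contacted, KRB-ERROR codes, enctypes offered, whether a TGT was obtained and whether the TGS exchange started) so that a benign error 25 is not mistaken for the failure. The sample lines are trimmed from the trace posted above; the error-code and etype names are the RFC 4120 values, and the triage wording is the editor's own.

```python
"""Added example (not from the thread): pull the facts that matter out of a
-Dsun.security.krb5.debug=true trace. The sample lines are trimmed from the
trace posted above; code/etype tables are RFC 4120 values."""
import re
from typing import Dict, List

SAMPLE_TRACE = """\
[Krb5LoginModule] user entered username: csilimited@CUST.CO.UK
Java config name: c:\\windows\\krb5.ini
default etypes for default_tkt_enctypes: 23.
>>> KrbKdcReq send: kdc=LCC-DCP-001.CUST.CO.UK TCP:88, timeout=30000, number of retries =3, #bytes=155
>>>KRBError:
error code is 25
error Message is Additional pre-authentication required
sname is krbtgt/CUST.CO.UK@CUST.CO.UK
KrbAsReqBuilder: PREAUTH FAILED/REQ, re-send AS-REQ
>>> KrbKdcReq send: kdc=LCC-DCP-001.CUST.CO.UK TCP:88, timeout=30000, number of retries =3, #bytes=233
principal is csilimited@CUST.CO.UK
Commit Succeeded
Found ticket for csilimited@CUST.CO.UK to go to krbtgt/CUST.CO.UK@CUST.CO.UK expiring on Sat Oct 07 10:11:47 BST 2017
Service ticket not found in the subject
>>> Credentials acquireServiceCreds: same realm
default etypes for default_tgs_enctypes: 23.
>>> KrbKdcReq send: kdc=LCC-DCP-001.CUST.CO.UK TCP:88, timeout=30000, number of retries =3, #bytes=1546
"""

ETYPES = {1: "des-cbc-crc", 3: "des-cbc-md5", 16: "des3-cbc-sha1",
          17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96",
          23: "rc4-hmac"}
KRB_ERRORS = {
    6: "KDC_ERR_C_PRINCIPAL_UNKNOWN: user not in this realm",
    7: "KDC_ERR_S_PRINCIPAL_UNKNOWN: SPN not registered",
    14: "KDC_ERR_ETYPE_NOSUPP: no enctype in common",
    18: "KDC_ERR_CLIENT_REVOKED: account disabled or locked",
    24: "KDC_ERR_PREAUTH_FAILED: bad password",
    25: "KDC_ERR_PREAUTH_REQUIRED: normal first AS-REQ round trip",
    37: "KRB_AP_ERR_SKEW: clock skew",
    68: "KDC_ERR_WRONG_REALM: principal lives in another realm",
}


def parse_trace(text: str) -> Dict[str, object]:
    """Collect principal, KDCs contacted, KRB-ERROR codes, enctypes offered,
    the TGT obtained (if any) and whether a TGS exchange was started."""
    s: Dict[str, object] = {"principal": None, "kdcs": [], "errors": [],
                            "etypes": set(), "tgt": None, "tgs_sent": False,
                            "cross_realm": False}
    for line in text.splitlines():
        if m := re.search(r"user entered username: (\S+)", line):
            s["principal"] = m.group(1)
        if m := re.search(r"KrbKdcReq send: kdc=(\S+) (TCP|UDP):(\d+)", line):
            kdc = f"{m.group(1)}:{m.group(3)}/{m.group(2).lower()}"
            if kdc not in s["kdcs"]:
                s["kdcs"].append(kdc)
        if m := re.search(r"default etypes for \w+: ([\d .]+)", line):
            s["etypes"].update(int(n) for n in re.findall(r"\d+", m.group(1)))
        if m := re.search(r"error code is (\d+)", line):
            s["errors"].append(int(m.group(1)))
        if m := re.search(r"Found ticket for \S+ to go to (krbtgt/\S+)", line):
            s["tgt"] = m.group(1)
        if "acquireServiceCreds" in line:
            # Java prints "same realm" when client and service realm match.
            s["tgs_sent"] = True
            s["cross_realm"] = "same realm" not in line
    return s


def triage(s: Dict[str, object]) -> List[str]:
    """Turn the collected facts into the questions to ask next."""
    notes = []
    realm = (s["principal"] or "").partition("@")[2]
    if realm and realm != realm.upper():
        notes.append(f"realm {realm!r} typed in lower case; AD realm names are upper case")
    for code in s["errors"]:
        level = "info" if code == 25 and s["tgt"] else "error"
        notes.append(f"{level}: KRB-ERROR {code} {KRB_ERRORS.get(code, 'see RFC 4120')}")
    if s["etypes"] and not s["etypes"] & {17, 18}:
        names = ", ".join(ETYPES.get(e, str(e)) for e in sorted(s["etypes"]))
        notes.append(f"only legacy enctypes offered ({names}); allow AES in krb5.ini")
    if s["tgt"]:
        where = s["kdcs"][0] if s["kdcs"] else "unknown KDC"
        notes.append(f"AS exchange succeeded: TGT {s['tgt']} from {where}")
    else:
        notes.append("no TGT: the failure is in the AS exchange (password, realm, KDC)")
    if s["tgt"] and s["tgs_sent"]:
        notes.append("TGS exchange started: password and realm are fine, read on from there")
    if s["cross_realm"]:
        notes.append("cross-realm path taken: check the trust and both [realms] stanzas")
    return notes


if __name__ == "__main__":
    for note in triage(parse_trace(SAMPLE_TRACE)):
        print(note)
```

On the trace above this reports error 25 as informational (the KDC asked for pre-authentication and the resent AS-REQ succeeded), notes that only rc4-hmac (etype 23) was offered, and confirms the TGT came back and the TGS exchange began, which places the failure after the point where the user's password and realm were accepted.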