Former Member

Windows AD redundancy of authentication (Kerberos)

I have been using AD authentication.
I use a single domain to provide redundancy.

Reference: SAP Note 1581958 - Windows AD authentication takes very long time to logon
--------------------
[libdefaults]
default_realm = ABCD.MFROOT.ORG
dns_lookup_kdc = true
dns_lookup_realm = true

[realms]
ABCD.MFROOT.ORG = {
kdc = ABCDIR99.ABCD.MFROOT.ORG  ← non-existent host
kdc = ABCDIR21.ABCD.MFROOT.ORG
kdc = ABCDIR22.ABCD.MFROOT.ORG
kdc = ABCDIR23.ABCD.MFROOT.ORG
default_domain = ABCD.MFROOT.ORG
}
--------------------

In order to test the redundancy, I use a host that does not exist.
But an error (FWM 00006) is output.
Or is it not possible to test with a non-existent host?


1 Answer

  Dec 18, 2018 at 07:41 PM

    The bsclogin.conf must have debug=true set at the end of the 2nd line for the Kerberos errors to be output to the Tomcat stdout:

    com.businessobjects.security.jgss.initiate {
        com.sun.security.auth.module.Krb5LoginModule required debug=true;
    };

    If the non-existent host is at all reachable (resolves to an IP), then krb5 will likely time out trying to communicate with it. If it really is non-existent, then it should simply skip it and try the next one; the multiple KDCs work like round robin.

    For real redundancy using SSO, KBA https://apps.support.sap.com/sap/support/knowledge/preview/en/2629070 would be the way to go, as that uses DNS instead of the krb5.ini. The krb5.ini is only used for manual logon, which currently goes through our Java SDK.

    -Tim
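The distinction in the answer above (a KDC name that does not resolve is skipped at once, while a name that resolves but never answers stalls each logon until the timeout) can be checked before editing krb5.ini. The following script is an added example, not part of the question or the answer: it parses the [realms] section from the question and classifies each KDC. The TCP probe on port 88 is an approximation (the Java Kerberos client tries UDP first unless udp_preference_limit is set), and the resolver and probe are injectable so the logic can be exercised offline.

```python
import re
import socket

# Constructed sample: the [realms] block from the question (hypothetical hosts).
SAMPLE_KRB5_INI = """
[realms]
ABCD.MFROOT.ORG = {
kdc = ABCDIR99.ABCD.MFROOT.ORG
kdc = ABCDIR21.ABCD.MFROOT.ORG
kdc = ABCDIR22.ABCD.MFROOT.ORG
kdc = ABCDIR23.ABCD.MFROOT.ORG
default_domain = ABCD.MFROOT.ORG
}
"""

def parse_kdcs(ini_text):
    """Return {realm: [kdc host, ...]} from the [realms] section of a krb5.ini."""
    realms, current, in_realms = {}, None, False
    for raw in ini_text.splitlines():
        line = raw.strip()
        if line.startswith("["):                       # new section header
            in_realms = line.lower() == "[realms]"
            continue
        if not in_realms or not line:
            continue
        m = re.match(r"^(\S+)\s*=\s*\{$", line)         # "REALM = {"
        if m:
            current, realms[m.group(1)] = m.group(1), []
        elif line == "}":
            current = None
        elif current and line.lower().startswith("kdc"):
            host = line.split("=", 1)[1].strip().split(":")[0]   # drop ":port"
            realms[current].append(host)
    return realms

def tcp_probe(ip, port=88, timeout=2.0):
    """True if something accepts a TCP connection on the KDC port."""
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return True
    except OSError:
        return False

def classify_kdcs(ini_text, realm, resolve=socket.gethostbyname, probe=tcp_probe):
    """'skipped': name does not resolve, the client moves on immediately.
    'reachable': resolves and answers on port 88.
    'unreachable': resolves but does not answer; this entry stalls every
    manual logon until the per-KDC timeout expires."""
    result = []
    for host in parse_kdcs(ini_text).get(realm, []):
        try:
            ip = resolve(host)
        except OSError:                 # socket.gaierror is a subclass of OSError
            result.append((host, "skipped"))
            continue
        result.append((host, "reachable" if probe(ip) else "unreachable"))
    return result
```

Run `classify_kdcs(open("krb5.ini").read(), "ABCD.MFROOT.ORG")` against the real file to see which entry, if any, is the one that would make the FWM 00006 logon slow rather than fail over.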
