
SSO Mostly Working, AD Manual Auth


Hello all,

I am attempting to configure AD Authentication/SSO for my users to access the BI Launchpad, however I've run into an odd issue. We have no problems authenticating into the BI Launchpad via Kerberos SSO; however, manually authenticating returns this error:

Account information not recognized: Active Directory Authentication failed to log you on. Please contact your system administrator to make sure you are a member of a valid mapped group and try again. If you are not a member of the default domain, enter your user name as UserName@DNS_DomainName, and then try again. (FWM 00006)

I have no clue how to proceed as I am not finding any errors in the logs, and from what I can tell all should be working...

Also, neither SSO nor manual AD Auth works to get into the CMC; is that perhaps related? Any assistance would be greatly appreciated!

Accepted Solutions (0)

Answers (3)

BasicTek
Advisor

SSO uses DNS, whereas manual auth uses the bsclogin.conf & krb5.ini. If all users are failing, then verify the Java options are pointing to those files correctly. You can test part of the logon by performing kinit from the sapjvm for the same user (if krb5 is in the Windows directory). Adding debug=true to the bsclogin.conf will enable some traces in the Tomcat logs.

Another gotcha is that the default domain in the CMC must be set to the "DNS_DomainName", typically the same name as the default in the krb5.ini.

The CMC has a different SSO setup and was just added fairly recently (4.1 SP7): https://apps.support.sap.com/sap/support/knowledge/preview/en/2190831

-Tim


I followed the linked article initially, and that is how I got where I am. I have read through most of the linked articles, and none of them have provided the answer - all my settings are correct; how else would Kerberos SSO work? Is there a way to turn on a debug for the Active Directory authentication module without turning on Kerberos debug?

I am able to kinit from the sapjvm directory successfully, and users and groups populate in the CMC appropriately. I walked through the set-up guide a second time, and validated all my settings, just to be sure. What would the next steps in debugging be?

Honestly, I'm not even that concerned about manual auth working, as my users won't be encountering it in my planned deployment. I do, however, want to test and make sure my permissions are correct, and not being able to log in to my test account makes that difficult, to say the least...

BasicTek
Advisor

I answered all these questions 2 days ago:

"SSO uses DNS, whereas manual auth uses the bsclogin.conf & krb5.ini. If all users are failing, then verify the Java options are pointing to those files correctly. You can test part of the logon by performing kinit from the sapjvm for the same user (if krb5 is in the Windows directory). Adding debug=true to the bsclogin.conf will enable some traces in the Tomcat logs.

Another gotcha is that the default domain in the CMC must be set to the "DNS_DomainName", typically the same name as the default in the krb5.ini.

The CMC has a different SSO setup and was just added fairly recently (4.1 SP7): https://apps.support.sap.com/sap/support/knowledge/preview/en/2190831"

To add, the kinit from the JVM only tests the krb5.ini in the c:\windows directory. If that succeeds, then the Java options, the bsclogin.conf, and the default domain in the CMC can also make manual logon fail. If the users you are trying to log in are in another domain, then the krb5 needs to be much more complex; see below.

https://apps.support.sap.com/sap/support/knowledge/preview/en/1245178

-Tim
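
Added example, not part of the thread and not SAP tooling: a Python check of the items named above that can break manual logon even when kinit succeeds, namely the two JVM options and the krb5.ini default realm compared with the CMC default domain. The function names, sample paths and EXAMPLE.COM are constructed for illustration; it assumes one JVM option per line and reports a case-only difference separately because Kerberos realm names are case-sensitive.

```python
import os
import re

# Constructed sample inputs (not from the thread); one JVM option per line is assumed.
SAMPLE_JAVA_OPTS = (
    "-Xmx4g\n"
    "-Djava.security.auth.login.config=C:\\Windows\\bscLogin.conf\n"
    "-Djava.security.krb5.conf=C:\\Windows\\krb5.ini\n"
)
SAMPLE_KRB5 = "[libdefaults]\ndefault_realm = EXAMPLE.COM\n[realms]\nEXAMPLE.COM = {\n  kdc = dc01.example.com\n}\n"
PROPS = ("java.security.auth.login.config", "java.security.krb5.conf")

def java_option_paths(java_opts):
    """Map each JVM property that manual AD logon relies on to its path (or None)."""
    paths = {}
    for prop in PROPS:
        m = re.search(r"-D" + re.escape(prop) + r"=(.+)$", java_opts, re.MULTILINE)
        paths[prop] = m.group(1).strip().strip('"') if m else None
    return paths

def default_realm(krb5_text):
    """Return default_realm from [libdefaults], or None if it is not set."""
    section = ""
    for line in (l.strip() for l in krb5_text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        elif section == "libdefaults" and "=" in line and not line.startswith(("#", ";")):
            key, value = (part.strip() for part in line.split("=", 1))
            if key == "default_realm":
                return value
    return None

def check_manual_logon(java_opts, krb5_text, cmc_default_domain, check_files=False):
    """Return a list of findings; an empty list means these checks passed."""
    findings = []
    for prop, path in java_option_paths(java_opts).items():
        if path is None:
            findings.append("missing JVM option -D" + prop)
        elif check_files and not os.path.isfile(path):
            findings.append("file not found: " + path)
    realm = default_realm(krb5_text)
    if realm is None:
        findings.append("krb5.ini has no default_realm")
    elif realm != cmc_default_domain:
        kind = "case differs" if realm.lower() == cmc_default_domain.lower() else "mismatch"
        findings.append("default domain %s: krb5.ini=%s CMC=%s" % (kind, realm, cmc_default_domain))
    return findings
```

Pass `check_files=True` when running it on the BI server itself so that the paths named in the JVM options are also checked for existence.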

patelyogesh
Active Contributor

Hello Jon Skinner,

Please go through the blog below to verify your configuration:

SSO Configuration with Active Directory SAP Business Objects 4.2 (AES Encryption)

For your error you will find many SAP notes, such as those below:

  • 2456939 - Windows AD manual authentication in CMC and BI Launchpad fails for users outside default domain with error code FWM 00006
  • 1942012 - Error: Account Information Not Recognized: Active Directory Authentication failed to log you on... (FWM 00006) when trying to use AD SSO for BI launch pad
  • 1675441 - SBOP BI 4.0: Error: "Account Information Not Recognized: (FWM 00006)" after authentication against Windows AD with Kerberos using Vintela SSO was implemented
  • 1413156 - Users get active directory authentication failed error (FWM 00006) error
  • 1655908 - Account Information Not Recognized: Active Directory Authentication failed to log you on-FWM 00006
  • And so on...

But I think the first note in the list will be helpful to you.

Thank you

Yogesh