Skip to Content

SSO Mostly Working, AD Manual Auth

Hello all,

I am attempting to configure AD Authentication/SSO for my users to access the BI Launchpad, however I've run in to an odd issue. We have no problems authenticating in to the BI Launchpad via kerberos SSO; however manually authenticating returns this error:

Account information not recognized: Active Directory Authentication failed to log you on. Please contact your system administrator to make sure you are a member of a valid mapped group and try again. If you are not a member of the default domain, enter your user name as UserName@DNS_DomainName, and then try again. (FWM 00006)

I have no clue how to proceed as I am not finding any errors in the logs, and from what I can tell all should be working...

Also, neither SSO, nor manual AD Auth work to get in to the CMC; is that perhaps related? Any assistance would be greatly appreciated!

Add comment
10|10000 characters needed characters exceeded

  • Get RSS Feed

3 Answers

  • Feb 08 at 07:46 PM

    SSO uses DNS where as manual auth uses the bsclogin.conf & krb5.ini. If all users are failing then verify the java options are pointing to those files correctly, you can test part of the logon by performing kinit from the sapjvm for the same user (if krb5 is in windows directory) adding debug=true to the bsclogin.conf will enable some traces in the tomcat logs.

    Another gotcha is the default domain in the CMC must be set to the "DNS_DomainName" typically the same name as the default in the krb5.ini

    CMC has different SSO setup and was just added fairly recently (4.1 SP7) https://apps.support.sap.com/sap/support/knowledge/preview/en/2190831

    -Tim

    Add comment
    10|10000 characters needed characters exceeded

  • Feb 11 at 07:43 AM

    I followed the linked article initially, and that is how I got where I am. I have read through most of the linked articles, and none of them have provided the answer - all my settings are correct; how else would kerberos SSO work? Is there a way to turn on a debug for the Active Directory authentication module without turning on kerberos debug?

    I am able to kinit from the sapjvm directory successfully, and users and groups populate in the CMC appropriately. I walked through the set-up guide a second time, and validated all my settings, just to be sure. What would the next steps in debugging be?

    Honestly, I'm not even that concerned about manual auth working, as my users won't be encountering it in my planned deployment. I do, however, want to test and make sure my permissions are correct, and not being able to log in to my test account makes that difficult, to say the least...

    Add comment
    10|10000 characters needed characters exceeded

    • I answered all these questions 2 days ago

      "SSO uses DNS where as manual auth uses the bsclogin.conf & krb5.ini. If all users are failing then verify the java options are pointing to those files correctly, you can test part of the logon by performing kinit from the sapjvm for the same user (if krb5 is in windows directory) adding debug=true to the bsclogin.conf will enable some traces in the tomcat logs.

      Another gotcha is the default domain in the CMC must be set to the "DNS_DomainName" typically the same name as the default in the krb5.ini

      CMC has different SSO setup and was just added fairly recently (4.1 SP7) https://apps.support.sap.com/sap/support/knowledge/preview/en/2190831"

      To add the kinit from the jvm only tests the krb5.ini in the c:\windows directory. If that succeeds then the java options, the bsclogin.conf, and the default domain in the CMC can also make manual logon fail. If the users you are trying to login are in another domain then the krb5 needs to be much more complex, see below.

      https://apps.support.sap.com/sap/support/knowledge/preview/en/1245178

      -Tim

  • Feb 08 at 04:28 PM

    Hello Jon Skinner,

    Please go through blog below to verify your configuration

    SSO Configuration with Active Directory SAP Business Objects 4.2 (AES Encryption)

    For your error you will find so many SAP notes as below

    • 2456939 - Windows AD manual authentication in CMC and BI Launchpad fails for users outside default domain with error code FWM 00006
    • 1942012 - Error: Account Information Not Recognized: Active Directory Authentication failed to log you on... (FWM 00006) when trying to use AD SSO for BI launch pad
    • 1675441 - SBOP BI 4.0: Error: "Account Information Not Recognized: (FWM 00006)" after authentication against Windows AD with Kerberos using Vintela SSO was implemented
    • 1413156 - Users get active directory authentication failed error (FWM 00006) error
    • 1655908 - Account Information Not Recognized: Active Directory Authentication failed to log you on-FWM 00006
    • And so on ......

    But I think first note in the list will be helpful to you

    Thank you

    Yogesh

    Add comment
    10|10000 characters needed characters exceeded