on 02-08-2018 12:28 PM
Hello all,
I am attempting to configure AD Authentication/SSO for my users to access the BI Launchpad; however, I've run into an odd issue. We have no problems authenticating into the BI Launchpad via Kerberos SSO; however, manually authenticating returns this error:
Account information not recognized: Active Directory Authentication failed to log you on. Please contact your system administrator to make sure you are a member of a valid mapped group and try again. If you are not a member of the default domain, enter your user name as UserName@DNS_DomainName, and then try again. (FWM 00006)
I have no clue how to proceed as I am not finding any errors in the logs, and from what I can tell all should be working...
Also, neither SSO nor manual AD Auth works to get into the CMC; is that perhaps related? Any assistance would be greatly appreciated!
SSO uses DNS, whereas manual auth uses the bsclogin.conf & krb5.ini. If all users are failing, then verify the java options are pointing to those files correctly. You can test part of the logon by performing kinit from the sapjvm for the same user (if krb5 is in the windows directory). Adding debug=true to the bsclogin.conf will enable some traces in the tomcat logs.
Another gotcha is that the default domain in the CMC must be set to the "DNS_DomainName", typically the same name as the default in the krb5.ini.
CMC has a different SSO setup and was just added fairly recently (4.1 SP7): https://apps.support.sap.com/sap/support/knowledge/preview/en/2190831
-Tim
I followed the linked article initially, and that is how I got where I am. I have read through most of the linked articles, and none of them have provided the answer - all my settings are correct; how else would Kerberos SSO work? Is there a way to turn on a debug for the Active Directory authentication module without turning on Kerberos debug?
I am able to kinit from the sapjvm directory successfully, and users and groups populate in the CMC appropriately. I walked through the set-up guide a second time, and validated all my settings, just to be sure. What would the next steps in debugging be?
Honestly, I'm not even that concerned about manual auth working, as my users won't be encountering it in my planned deployment. I do, however, want to test and make sure my permissions are correct, and not being able to log in to my test account makes that difficult, to say the least...
I answered all these questions 2 days ago:
"SSO uses DNS, whereas manual auth uses the bsclogin.conf & krb5.ini. If all users are failing, then verify the java options are pointing to those files correctly. You can test part of the logon by performing kinit from the sapjvm for the same user (if krb5 is in the windows directory). Adding debug=true to the bsclogin.conf will enable some traces in the tomcat logs.
Another gotcha is that the default domain in the CMC must be set to the "DNS_DomainName", typically the same name as the default in the krb5.ini.
CMC has a different SSO setup and was just added fairly recently (4.1 SP7): https://apps.support.sap.com/sap/support/knowledge/preview/en/2190831"
To add: the kinit from the jvm only tests the krb5.ini in the c:\windows directory. If that succeeds, then the java options, the bsclogin.conf, and the default domain in the CMC can also make manual logon fail. If the users you are trying to log in are in another domain, then the krb5 needs to be much more complex; see below.
https://apps.support.sap.com/sap/support/knowledge/preview/en/1245178
-Tim
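The checklist from the answer above (Java options, bsclogin.conf, krb5.ini default realm versus the CMC default domain) can be turned into a small offline check. This is an added example, not part of the thread or SAP's tooling; the sample file contents, paths and the EXAMPLE.COM realm are constructed, and the exact string comparison of realm and CMC domain is an assumption of this sketch.

```python
import re

# Constructed sample inputs (not from the thread); EXAMPLE.COM and paths are placeholders.
JAVA_OPTS = (r"-Xmx2g -Djava.security.auth.login.config=C:\windows\bscLogin.conf "
             r"-Djava.security.krb5.conf=C:\windows\krb5.ini")
KRB5_INI = """[libdefaults]
default_realm = EXAMPLE.COM
[realms]
EXAMPLE.COM = {
  kdc = dc01.example.com
}
"""
BSCLOGIN_CONF = """com.businessobjects.security.jgss.initiate {
  com.sun.security.auth.module.Krb5LoginModule required;
};
"""

def jvm_property(java_opts, name):
    """Return the value of -D<name>=<value> from a Java options string, or None."""
    m = re.search(r"-D" + re.escape(name) + r'=("[^"]*"|\S+)', java_opts)
    return m.group(1).strip('"') if m else None

def default_realm(krb5_text):
    """Return default_realm from the [libdefaults] section of krb5.ini, or None."""
    section = None
    for line in krb5_text.splitlines():
        line = line.split("#")[0].strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        elif section == "libdefaults" and "=" in line:
            key, value = (p.strip() for p in line.split("=", 1))
            if key == "default_realm":
                return value
    return None

def check_manual_logon(java_opts, krb5_text, bsclogin_text, cmc_default_domain):
    """Return a list of findings for the points the answer says can break manual logon."""
    findings = []
    for prop in ("java.security.auth.login.config", "java.security.krb5.conf"):
        if jvm_property(java_opts, prop) is None:
            findings.append(f"Java option -D{prop} is not set")
    realm = default_realm(krb5_text)
    if realm is None:
        findings.append("krb5.ini has no default_realm in [libdefaults]")
    elif realm != cmc_default_domain:  # assumption: exact, case-sensitive match
        findings.append(f"CMC default domain {cmc_default_domain!r} differs from default_realm {realm!r}")
    if "Krb5LoginModule" not in bsclogin_text:
        findings.append("bsclogin.conf does not reference Krb5LoginModule")
    elif not re.search(r"\bdebug\s*=\s*true\b", bsclogin_text):
        findings.append("bsclogin.conf has no debug=true, so no login traces in the Tomcat logs")
    return findings
```

Feed it the real Tomcat Java options string and file contents from the BI server, plus the default domain value shown in the CMC, and work through whatever findings it returns.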
Hello Jon Skinner,
Please go through the blog below to verify your configuration:
SSO Configuration with Active Directory SAP Business Objects 4.2 (AES Encryption)
For your error you will find many SAP notes, as below.
But I think the first note in the list will be helpful to you.
Thank you
Yogesh