
BO XI 3.0 SSO Problem

Former Member
0 Kudos

Hello,

We try to configure the Windows AD SSO with Kerberos but we encounter some problems.

We already followed these steps:

1) Creation of a service account in the domain controller named BO_Admin_XIR3.

2) Creation of the group of users to use BO.

3) Execution of the SETSPN command as follows:

setspn -a BOE120SIA(name of the computer)/(name of the computer) BO_Admin_XIR3

Problem -> the registration is OK, but the "Delegation" tab in the BO_Admin_XIR3 properties is not visible.

Anyway, we continued configuring the CMC with the SPN for Kerberos, adding the group etc., but of course the Windows AD authentication did not work.

Does anyone know how to do this? Is the command wrong (and if so, what should the command be)?

Thanks in advance

Nicolas

Edited by: Nicolas Vigouroux on Jul 24, 2008 10:32 AM

Accepted Solutions (0)

Answers (8)

Former Member
0 Kudos

Thanks to Tim Ziemba and Simon Ravindar

simon_ravindar
Explorer
0 Kudos

Hi Nicolas,

Make sure the IIS service is stopped on your Tomcat machine. I have also prepared a document for your scenario. Please check whether you have missed any step.

Regards,

Simon

STEPS TO DO ON ACTIVE DIRECTORY MACHINE (S-00001)

1. setspn -A BOBJCentralMS/S-98072.XM.TEST.INTRA bo_admin_xir3

2. Go to AD Users and Computers and right-click the user bo_admin_xir3

3. Select the check boxes "Account is trusted for delegation" and "Use DES encryption types for this account"

STEPS TO DO ON BO MACHINE (S-98072)

4. Stop the BO servers and the Tomcat application server

5. Add the user bo_admin_xir3 as a member of the Administrators group

6. Assign the right "Act as part of the operating system" to the user bo_admin_xir3

7. Create krb5.ini in the c:\winnt\ directory and paste the content below.

[libdefaults]
default_realm = XM.TEST.INTRA
dns_lookup_kdc = true
dns_lookup_realm = true

[realms]
XM.TEST.INTRA = {
kdc = S-00001.XM.TEST.INTRA
default_domain = XM.TEST.INTRA
}

8. Create the file bscLogin.conf in the c:\winnt directory and paste the content below

com.businessobjects.security.jgss.initiate {
com.sun.security.auth.module.Krb5LoginModule required;
};

9. Go to Start -> Programs -> Tomcat -> Tomcat Configuration, open the Java tab and enter the options below

-Djava.security.auth.login.config=c:\winnt\bscLogin.conf

-Djava.security.krb5.conf=c:\winnt\krb5.ini

10. Start the BO servers

11. Launch the CMC, go to the Windows AD tab and enter bo_admin_xir3 as the Service Principal Name

12. Log into InfoView and Deski, selecting Windows AD. It should be successful.

Former Member
0 Kudos

Hi Simon,

Thanks a lot for your help, the Windows AD authentication is now working well.

The only remaining thing is the automatic SSO.

So, here are the steps I have already done:

1) Creation of an account named "VintelaSSO" on the domain controller.

2) Execution of the command: ktpass -princ HTTP/S-98072.XM.DOMAIN.INTRA @ XM.DOMAIN.INTRA -mapuser VintellaSSO

3) Execution of the command: ktpass -out host.keytab -princ HTTP/SV-98072 @ XM.DOMAIN.INTRA -pass xxxxx -kvno 255 -ptype KRB5_NT_PRINCIPAL -crypto RC4-HMAC-NT

4) Copy of the file host.keytab into the WINNT folder of S-98072

5) Modification of the web.xml of InfoView as follows:


<!-- You can specify the siteminder Authentication type here -->
    <!-- secLDAP, secWinAD -->
    <context-param>
        <param-name>siteminder.authentication</param-name>
        <param-value>secWinAD</param-value>
    </context-param>

    <!-- Set to true to enable Vintela single sign on. -->
    <context-param>
        <param-name>vintela.enabled</param-name>
        <param-value>true</param-value>
    </context-param>

    <!-- Set to true to enable other single sign on. -->
    <context-param>
        <param-name>sso.enabled</param-name>
        <param-value>false</param-value>
    </context-param>

    <!-- Set to false to disable logon with token. -->
    <context-param>
        <param-name>logontoken.enabled</param-name>
        <param-value>true</param-value>
    </context-param>

    ...


    <!-- For Vintela SSO the following filter needs to be uncommented.
         There is also a filter mapping which needs to be uncommented.
         Set idm.realm to the Active Directory realm where the server is in
         and idm.princ to the service principal name.
    -->
   
    <filter>
        <filter-name>authFilter</filter-name>
        <filter-class>com.businessobjects.sdk.credential.WrappedResponseAuthFilter</filter-class>

        <init-param>
            <param-name>idm.realm</param-name>
            <param-value>XM.TEST.INTRA</param-value>
        </init-param>

        <init-param>
            <param-name>idm.princ</param-name>
            <param-value>HTTP/S-98072 @ XM.TEST.INTRA</param-value>
        </init-param>

        <init-param>
            <param-name>idm.allowUnsecured</param-name>
            <param-value>true</param-value>
        </init-param>

        <init-param>
            <param-name>idm.allowNTLM</param-name>
            <param-value>false</param-value>
        </init-param>

        <init-param>
            <param-name>idm.logger.name</param-name>
            <param-value>simple</param-value>
            <description>
                The unique name for this logger.
            </description>
        </init-param>

        <init-param>
            <param-name>idm.logger.props</param-name>
            <param-value>error-log.properties</param-value>
            <description>
                Configures logging from the specified file.
            </description>
        </init-param>

        <init-param>
            <param-name>error.page</param-name>
            <param-value>/jsp/logon/vintelaError.jsp</param-value>
            <description>
                The URL of the page to show if an error occurs during authentication.
            </description>
        </init-param>

        <!-- idm.keytab is its own init-param; nesting it inside error.page makes web.xml invalid -->
        <init-param>
            <param-name>idm.keytab</param-name>
            <param-value>C:\WINNT\host.keytab</param-value>
        </init-param>
    </filter>

But after these modifications are done, the InfoView web page displays errors.

If I comment out the second part of the code (the Vintela filter part), the page is OK.

BasicTek
Advisor
0 Kudos

That doc I sent earlier also has the SSO config instructions. You will need another service account in AD; similar steps, but with ktpass instead of setspn.

You will need to modify several parts in the web.xml and one in the server.xml, all documented.

Oh, and the original path is correct; you just need to copy it to the second path. If you only edit the file under the webapps\infoviewapp directory and you install a patch, it will get overwritten. The directions ask you to edit the WAR file so this won't happen.

Edited by: Tim Ziemba on Jul 24, 2008 11:05 AM

Former Member
0 Kudos

I think the problem may come from the line :

<param-value>HTTP/S-98072 @ XM.TEST.INTRA</param-value>

What is your opinion?

Former Member
0 Kudos

OK, forget about my two previous messages; Vintela is not installed.

Is there a way to use SSO without Vintela?

Because I must enter the password every time I use Infoview to have it working...

Thanks

Nicolas

Former Member
0 Kudos

Can someone confirm I need to install Vintela for JAVA SSO?

Then, I will mark this post as answered.

Thanks

BasicTek
Advisor
0 Kudos

If you want true Active Directory SSO then you will need to get Vintela enabled. To note, the principal (princ) used in ktpass -mapuser MUST equal the principal used for ktpass -keytab. It appears that you used the FQDN for the -mapuser and the hostname for the keytab. I wrote a command that does both at once for XI 3.0.

ktpass -out myname.keytab -princ HTTP/TOMCATFQDN@ REALM.COM -mapuser user -pass yourpw -kvno 255 -ptype KRB5_NT_PRINCIPAL -crypto RC4-HMAC-NT

replace myname with any name for your keytab (also must be specified in web.xml)

replace TOMCATFQDN with the value in your web.xml idm.princ

replace REALM.COM with the value in your web.xml idm.realm

replace user with the vintelaccount@ REALM.COM (again the REALM used in the web.xml)

replace yourpw with your vintela account password (also specified in the tomcat java options) -mapuser user

ktpass -out test.keytab -princ HTTP/r3-rtm3-tz.winauthtz.com@ WINAUTHTZ.COM -mapuser r3ker3@ WINAUTHTZ.COM -pass maxima -kvno 255 -ptype KRB5_NT_PRINCIPAL -crypto RC4-HMAC-NT

Here is the output, and everything looks OK in AD:

Targeting domain controller: bobj-w2k3-db-tz.winauthtz.com

Successfully mapped HTTP/r3-rtm3-tz.winauthtz.com to r3ker3.

Key created.

Output keytab to test3.keytab:

Keytab version: 0x502

keysize 78 HTTP/r3-rtm3-tz.winauthtz.com@ WINAUTHTZ.COM ptype 1 (KRB5_NT_PRINCIPAL) vno 255 etype 0x17 (RC4-HMAC) keylength 16

(0x91c0c7b367db3f2d6684b6690a5ff6e2)

You would then need to follow the normal steps in the doc (reset password, enable delegation, etc). The above simply combines the keytab step and the mapuser step.

Also to note, I was receiving errors when creating the keytab separately that didn't seem to cause problems but also occurred for customers. When combining the 2 commands those errors were resolved. I know one was caused by running the mapuser separately; the other may have been related to that as well.

This could be followed by creating 2 more SPNs:

setspn -a HTTP/hostname user to preemptively solve client issues

setspn -a HTTP/ip.ip.ip.ip to allow Vintela to work on the server

To note, the directions will work on XIR2, but you should upgrade your Java SDK to 1.5 (not JRE or JVM) so that there will be no issues with RC4 encryption. Also, I had to add spaces to all the principals (anything with an @) in order to post on the forum; remove the spaces if using this command.

Some people either log in manually or enable trusted auth for a pseudo-SSO that doesn't require Kerberos/Vintela. If you got Java AD working then it shouldn't be much more trouble to do the same with Vintela.

Regards,

Tim
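Tim's rule above (the name given to ktpass -princ, the -mapuser account and web.xml idm.princ must all be the same principal) can be checked mechanically before Tomcat is restarted. The following is an added example, not code from this thread or from Business Objects/Vintela: it parses a version 0x502 keytab such as ktpass -out writes and compares its entries with the idm.princ and idm.realm values from web.xml. The keytab bytes it builds and the names S-98072 / XM.TEST.INTRA are constructed sample input.

```python
"""Parse a Kerberos keytab (version 0x502, the layout ktpass writes) and
cross-check its entries against the Vintela filter settings in web.xml."""
import struct

KRB5_NT_PRINCIPAL = 1
ETYPE_NAMES = {1: "DES-CBC-CRC", 3: "DES-CBC-MD5", 17: "AES128-CTS",
               18: "AES256-CTS", 23: "RC4-HMAC"}


def _cstring(buf, off):
    """Read a counted_octet_string: uint16 big-endian length, then bytes."""
    (n,) = struct.unpack_from(">H", buf, off)
    return buf[off + 2:off + 2 + n].decode("utf-8"), off + 2 + n


def _pstring(s):
    b = s.encode("utf-8")
    return struct.pack(">H", len(b)) + b


def build_keytab(principal, realm, kvno, etype, key):
    """Write a one-entry keytab in the 0x502 layout (constructed sample input,
    standing in for the file that ktpass -out produces)."""
    comps = principal.split("/")
    body = struct.pack(">H", len(comps)) + _pstring(realm)
    body += b"".join(_pstring(c) for c in comps)
    body += struct.pack(">IIB", KRB5_NT_PRINCIPAL, 0, kvno & 0xFF)  # name type, timestamp, 8-bit vno
    body += struct.pack(">HH", etype, len(key)) + key                 # keyblock
    body += struct.pack(">I", kvno)                                    # optional 32-bit vno
    return b"\x05\x02" + struct.pack(">i", len(body)) + body


def parse_keytab(data):
    """Return one dict per entry: principal, realm, kvno, etype, key length."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x502 keytab")
    entries, off = [], 2
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size <= 0:                      # negative size marks a deleted slot
            off += -size
            continue
        end = off + size
        (ncomp,) = struct.unpack_from(">H", data, off)
        off += 2
        realm, off = _cstring(data, off)
        comps = []
        for _ in range(ncomp):
            c, off = _cstring(data, off)
            comps.append(c)
        name_type, _timestamp, vno8 = struct.unpack_from(">IIB", data, off)
        off += 9
        etype, klen = struct.unpack_from(">HH", data, off)
        off += 4
        key = data[off:off + klen]
        off += klen
        kvno = vno8
        if end - off >= 4:                 # 32-bit vno present: it wins when non-zero
            (vno32,) = struct.unpack_from(">I", data, off)
            kvno = vno32 or vno8
        off = end
        entries.append({"principal": "/".join(comps), "realm": realm,
                        "name_type": name_type, "kvno": kvno, "etype": etype,
                        "etype_name": ETYPE_NAMES.get(etype, str(etype)),
                        "key_len": len(key)})
    return entries


def _short_host(service_principal):
    """'HTTP/s-98072.xm.test.intra' -> 's-98072' (case-folded)."""
    return service_principal.split("/")[-1].split(".")[0].lower()


def check_vintela_config(keytab_bytes, idm_princ, idm_realm):
    """Cross-check keytab entries against web.xml idm.princ / idm.realm.
    Returns a list of problems; an empty list means the values line up."""
    princ = idm_princ.replace(" ", "")        # the posts above pad '@' with spaces for the forum
    name, _, princ_realm = princ.partition("@")
    problems = []
    if princ_realm and princ_realm != idm_realm:
        problems.append(f"idm.princ realm {princ_realm} differs from idm.realm {idm_realm}")
    if idm_realm != idm_realm.upper():
        problems.append(f"idm.realm {idm_realm} should be upper-case")
    entries = parse_keytab(keytab_bytes)
    if not entries:
        return problems + ["keytab contains no entries"]
    if any(e["principal"] == name and e["realm"] == idm_realm for e in entries):
        return problems                      # exact match: ktpass -princ == idm.princ
    for e in entries:
        found = f"{e['principal']}@{e['realm']}"
        if e["principal"].lower() == name.lower() and e["realm"].upper() == idm_realm.upper():
            problems.append(f"keytab has {found}, web.xml has {name}@{idm_realm}: only the case "
                            "differs, but Kerberos principals are case-sensitive")
        elif _short_host(e["principal"]) == _short_host(name):
            problems.append(f"keytab principal {e['principal']} and idm.princ {name} use different "
                            "host forms (short name vs FQDN); ktpass -princ must equal idm.princ exactly")
        else:
            problems.append(f"keytab entry {found} does not match idm.princ {name}@{idm_realm}")
    return problems


if __name__ == "__main__":
    # Constructed: keytab made with the short host name, web.xml with the FQDN.
    kt = build_keytab("HTTP/S-98072", "XM.TEST.INTRA", 255, 23, bytes(16))
    for p in check_vintela_config(kt, "HTTP/S-98072.XM.TEST.INTRA @ XM.TEST.INTRA", "XM.TEST.INTRA"):
        print("PROBLEM:", p)
```

On a real server, replace the constructed keytab with `open(r"C:\WINNT\host.keytab", "rb").read()` and pass the idm.princ and idm.realm strings copied from web.xml.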

Former Member
0 Kudos

I have done all the steps (except installing SDK 1.5), but when I connect to InfoView, I get a 404 error on the page.

What could be the reason?

Former Member
0 Kudos

Can you please explain what you mean by:

"some people either log in manually or enable trusted auth for a pseudo SSO that doesn't require kerberos/vintela. If you got java AD working then it shouldn't be much more trouble to do the same with vintela"?

Is it possible to log on automatically without using Vintela? If yes, I'm OK with this solution.

BasicTek
Advisor
0 Kudos

Yes, with trusted auth; but SSO or single sign-on in our product is the ability to actually log on with your OS credentials.

Trusted auth is actually logon with usernames (only) from a trusted source. If you wanted to do that with AD you can make IIS your trusted source and Tomcat your client. This is also documented in the XI 3.0 admin guide, but at this point you are almost finished.

Former Member
0 Kudos

The situation has changed: I rebuilt the keytab file and now I get the Log On to InfoView page without the 404 error, BUT it says:

"Unable to logon to InfoView. Please contact your system administrator for assistance. Please close your browser before continuing."

Do you have an idea?

Have a nice week-end

Regards,

Nicolas

BasicTek
Advisor
0 Kudos

1) Vintela will not work by default on the server, so all testing must be from the client (this is mentioned in the docs).

2) That's a pretty generic error, so we will likely need to trace.

3) If possible, perform testing on 2003 Server and not XP (for several reasons).

When using a keytab, Vintela does not show any tracing info, so the steps below are how to trace. I realize that you can't add attachments to these forums, so a message with support is the way to go for setting up Vintela.

1) comment out the keytab in the web.xml

2) remove verbose tracing from the java options

3) add -Djcsi.kerberos.debug=true in the java options

4) define your vintela service account password in the java options

use the following:

-Dcom.wedgetail.idm.sso.password=password where password = the password of the Tomcat service account

5) also add the max packet size to the Java options to reduce UDP errors:

-Djcsi.kerberos.maxpacketsize=0

6) stop Tomcat and delete or move tomcat\logs

7) restart Tomcat, wait 20 seconds or so and then check the stdout and localhost logs

Also, on the account you created you may want to add a couple of SPNs, the hostname and IP that I mentioned above.

regards,

Tim

Former Member
0 Kudos

Hi Tim,

I have done all the steps you mentioned and here are the traces obtained.

The company domain name has been replaced by "TEST".

What should I do now?

Thanks


28 juil. 2008 16:36:36 org.apache.catalina.core.AprLifecycleListener lifecycleEvent
INFO: The Apache Tomcat Native library which allows optimal performance in production environments was not found on the java.library.path: C:\WINDOWS\system32;C:\Program Files\Business Objects\BusinessObjects Enterprise 12.0\win32_x86
28 juil. 2008 16:36:36 org.apache.coyote.http11.Http11BaseProtocol init
INFO: Initialisation de Coyote HTTP/1.1 sur http-8080
28 juil. 2008 16:36:36 org.apache.catalina.startup.Catalina load
INFO: Initialization processed in 906 ms
28 juil. 2008 16:36:37 org.apache.catalina.core.StandardService start
INFO: Démarrage du service Catalina
28 juil. 2008 16:36:37 org.apache.catalina.core.StandardEngine start
INFO: Starting Servlet Engine: Apache Tomcat/5.5.20
28 juil. 2008 16:36:37 org.apache.catalina.core.StandardHost start
INFO: XML validation disabled
log4j:WARN No appenders could be found for logger (org.apache.commons.digester.Digester.sax).
log4j:WARN Please initialize the log4j system properly.
log4j:WARN No appenders could be found for logger (org.apache.commons.digester.Digester.sax).
log4j:WARN Please initialize the log4j system properly.
2008-07-28 16:36:52,643 [Thread-1] ERROR com.businessobjects.qaaws.internal.ServiceProvider ()  2344 - initInstance()
org.apache.axis2.AxisFault: Your Web Intelligence session is invalid or has reached timeout. Log out and log in again to Query as a Web Service.
	at com.businessobjects.dsws.DSWSExceptionFactory.CreateAxisFault(Unknown Source)
	at com.businessobjects.qaaws.internal.BOEHelper.logon(Unknown Source)
	at com.businessobjects.qaaws.internal.ServiceProvider.initInstance(Unknown Source)
	at com.businessobjects.qaaws.internal.transport.QaaWSServlet.initServiceProvider(Unknown Source)
	at com.businessobjects.qaaws.internal.transport.QaaWSServlet.init(Unknown Source)
	at org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:1105)
	at org.apache.catalina.core.StandardWrapper.load(StandardWrapper.java:932)
	at org.apache.catalina.core.StandardContext.loadOnStartup(StandardContext.java:3951)
	at org.apache.catalina.core.StandardContext.start(StandardContext.java:4225)
	at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:759)
	at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:739)
	at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:524)
	at org.apache.catalina.startup.HostConfig.deployDescriptor(HostConfig.java:608)
	at org.apache.catalina.startup.HostConfig.deployDescriptors(HostConfig.java:535)
	at org.apache.catalina.startup.HostConfig.deployApps(HostConfig.java:470)
	at org.apache.catalina.startup.HostConfig.start(HostConfig.java:1122)
	at org.apache.catalina.startup.HostConfig.lifecycleEvent(HostConfig.java:310)
	at org.apache.catalina.util.LifecycleSupport.fireLifecycleEvent(LifecycleSupport.java:119)
	at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1021)
	at org.apache.catalina.core.StandardHost.start(StandardHost.java:718)
	at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1013)
	at org.apache.catalina.core.StandardEngine.start(StandardEngine.java:442)
	at org.apache.catalina.core.StandardService.start(StandardService.java:450)
	at org.apache.catalina.core.StandardServer.start(StandardServer.java:709)
	at org.apache.catalina.startup.Catalina.start(Catalina.java:551)
	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
	at java.lang.reflect.Method.invoke(Method.java:585)
	at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:294)
	at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:432)
[DEBUG] Mon Jul 28 16:36:58 CEST 2008 jcsi.kerberos: Found name servers using JNDI
[DEBUG] Mon Jul 28 16:36:58 CEST 2008 jcsi.kerberos: sv-99003.TEST.intra (192.168.4.20)
[DEBUG] Mon Jul 28 16:36:58 CEST 2008 jcsi.kerberos: sv-99004.TEST.intra (192.168.4.21)
[DEBUG] Mon Jul 28 16:36:58 CEST 2008 jcsi.kerberos: ** requesting initial ticket .. **
[DEBUG] Mon Jul 28 16:36:58 CEST 2008 jcsi.kerberos: ** creating AS request .. **
 for client: HTTP/SV-98072.MC.TEST.INTRA
 at realm: MC.TEST.INTRA
[DEBUG] Mon Jul 28 16:36:58 CEST 2008 jcsi.kerberos: ** Sending request to KDC .. **
[DEBUG] Mon Jul 28 16:36:58 CEST 2008 jcsi.kerberos: Resolving KDC for realm: MC.TEST.INTRA
[DEBUG] Mon Jul 28 16:36:58 CEST 2008 jcsi.kerberos: UDP attempt #0 to DNS server sv-99003.TEST.intra/192.168.4.20
[DEBUG] Mon Jul 28 16:36:58 CEST 2008 jcsi.kerberos:  Data sent: 
[DEBUG] Mon Jul 28 16:36:58 CEST 2008 jcsi.kerberos: Data received: 
[DEBUG] Mon Jul 28 16:36:58 CEST 2008 jcsi.kerberos: params: 1000010110000000
[DEBUG] Mon Jul 28 16:36:58 CEST 2008 jcsi.kerberos: Query sent:
  Qname: _kerberos._udp.MC.TEST.INTRA
  Qtype: 33
  Qclass: 1
[DEBUG] Mon Jul 28 16:36:58 CEST 2008 jcsi.kerberos: 
    Record
      Name: _kerberos._udp.MC.TEST.INTRA
      Class: 1
      TTL: 600
      Type: SRV
      Priority: 0
      Weight: 100
      Port: 88
      Target: sv-98045.mc.TEST.intra
[DEBUG] Mon Jul 28 16:36:58 CEST 2008 jcsi.kerberos: 
    Record
      Name: _kerberos._udp.MC.TEST.INTRA
      Class: 1
      TTL: 600
      Type: SRV
      Priority: 0
      Weight: 100
      Port: 88
      Target: sv-98059.mc.TEST.intra
[DEBUG] Mon Jul 28 16:36:58 CEST 2008 jcsi.kerberos: 
    Record
      Name: _kerberos._udp.MC.TEST.INTRA
      Class: 1
      TTL: 600
      Type: SRV
      Priority: 0
      Weight: 100
      Port: 88
      Target: sv-98014.mc.TEST.intra
[DEBUG] Mon Jul 28 16:36:58 CEST 2008 jcsi.kerberos: 
    Record
      Name: _kerberos._udp.MC.TEST.INTRA
      Class: 1
      TTL: 600
      Type: SRV
      Priority: 0
      Weight: 100
      Port: 88
      Target: sv-00013.mc.TEST.intra
[DEBUG] Mon Jul 28 16:36:58 CEST 2008 jcsi.kerberos: 
    Record
      Name: sv-98045.mc.TEST.intra
      Class: 1
      TTL: 1200
      Type: A
      IP Address: 192.168.3.22
[DEBUG] Mon Jul 28 16:36:58 CEST 2008 jcsi.kerberos: 
    Record
      Name: sv-98059.mc.TEST.intra
      Class: 1
      TTL: 1200
      Type: A
      IP Address: 192.168.50.5
[DEBUG] Mon Jul 28 16:36:58 CEST 2008 jcsi.kerberos: 
    Record
      Name: sv-98014.mc.TEST.intra
      Class: 1
      TTL: 1200
      Type: A
      IP Address: 192.168.4.6
[DEBUG] Mon Jul 28 16:36:58 CEST 2008 jcsi.kerberos: 
    Record
      Name: sv-00013.mc.TEST.intra
      Class: 1
      TTL: 1200
      Type: A
      IP Address: 192.168.4.1
[DEBUG] Mon Jul 28 16:36:58 CEST 2008 jcsi.kerberos: Available KDC found: /192.168.4.1:88
[DEBUG] Mon Jul 28 16:36:58 CEST 2008 jcsi.kerberos: Sending message to KDC: /192.168.4.1:88
[DEBUG] Mon Jul 28 16:36:58 CEST 2008 jcsi.kerberos: Sending TCP request: /192.168.4.1:88
[DEBUG] Mon Jul 28 16:36:58 CEST 2008 jcsi.kerberos:     connected;  sending length and request...
[DEBUG] Mon Jul 28 16:36:58 CEST 2008 jcsi.kerberos:     sent request;  reading response length...
[DEBUG] Mon Jul 28 16:36:58 CEST 2008 jcsi.kerberos:     read length;  reading 298-byte response...
[DEBUG] Mon Jul 28 16:36:58 CEST 2008 jcsi.kerberos: --- got 298-byte response, initial byte = 0x7e
[DEBUG] Mon Jul 28 16:36:58 CEST 2008 jcsi.kerberos: Message sent sucessfully to KDC: /192.168.4.1:88
[DEBUG] Mon Jul 28 16:36:58 CEST 2008 jcsi.kerberos: ** KDC requires pre-authentication **
[DEBUG] Mon Jul 28 16:36:58 CEST 2008 jcsi.kerberos: Acceptable PA type: 11
[DEBUG] Mon Jul 28 16:36:58 CEST 2008 jcsi.kerberos: Acceptable PA type: 2
[DEBUG] Mon Jul 28 16:36:58 CEST 2008 jcsi.kerberos: Acceptable PA type: 15
[DEBUG] Mon Jul 28 16:36:58 CEST 2008 jcsi.kerberos: ETypeInfo:
    EtypeInfoEntry:
    etype: 23
    salt: 
    EtypeInfoEntry:
    etype: 3
    salt: MC.TEST.INTRAHTTPSV-98072.MC.TEST.INTRA
    EtypeInfoEntry:
    etype: 1
    salt: MC.TEST.INTRAHTTPSV-98072.MC.TEST.INTRA
[DEBUG] Mon Jul 28 16:36:58 CEST 2008 jcsi.kerberos: ** Adding encrypted timestamp pre-auth **
  encryption type: 23
  salt: 
[DEBUG] Mon Jul 28 16:36:58 CEST 2008 jcsi.kerberos: ** Sending request to KDC .. **
[DEBUG] Mon Jul 28 16:36:58 CEST 2008 jcsi.kerberos: Resolving KDC for realm: MC.TEST.INTRA
[DEBUG] Mon Jul 28 16:36:58 CEST 2008 jcsi.kerberos: Available KDC found: /192.168.3.22:88
[DEBUG] Mon Jul 28 16:36:58 CEST 2008 jcsi.kerberos: Sending message to KDC: /192.168.3.22:88
[DEBUG] Mon Jul 28 16:36:58 CEST 2008 jcsi.kerberos: Sending TCP request: /192.168.3.22:88
[DEBUG] Mon Jul 28 16:37:19 CEST 2008 jcsi.kerberos: Message send unsuccessful to KDC: /192.168.3.22:88
[DEBUG] Mon Jul 28 16:37:19 CEST 2008 jcsi.kerberos: Resolving KDC for realm: MC.TEST.INTRA
[DEBUG] Mon Jul 28 16:37:19 CEST 2008 jcsi.kerberos: Available KDC found: /192.168.4.6:88
[DEBUG] Mon Jul 28 16:37:19 CEST 2008 jcsi.kerberos: Sending message to KDC: /192.168.4.6:88
[DEBUG] Mon Jul 28 16:37:19 CEST 2008 jcsi.kerberos: Sending TCP request: /192.168.4.6:88
[DEBUG] Mon Jul 28 16:37:19 CEST 2008 jcsi.kerberos:     connected;  sending length and request...
[DEBUG] Mon Jul 28 16:37:19 CEST 2008 jcsi.kerberos:     sent request;  reading response length...
[DEBUG] Mon Jul 28 16:37:19 CEST 2008 jcsi.kerberos:     read length;  reading 144-byte response...
[DEBUG] Mon Jul 28 16:37:19 CEST 2008 jcsi.kerberos: --- got 144-byte response, initial byte = 0x7e
[DEBUG] Mon Jul 28 16:37:19 CEST 2008 jcsi.kerberos: Message sent sucessfully to KDC: /192.168.4.6:88
28-07-08 16:37:19:628 - {ERROR} [localhost].[/InfoViewApp] Thread [Thread-1];  Exception au démarrage du filtre authFilter
com.wedgetail.idm.sso.ConfigException: Could not validate com.wedgetail.idm.sso.password [caused by: com.dstc.security.kerberos.KerberosError: Server not found in Kerberos database]
	at com.wedgetail.idm.sso.util.MemoryKeyTab.createKeyTab(MemoryKeyTab.java:109)
	at com.wedgetail.idm.sso.util.Util.getKeyTab(Util.java:137)
	at com.wedgetail.idm.sso.AbstractAuthenticator.initAuthenticator(AbstractAuthenticator.java:440)
	at com.wedgetail.idm.sso.AuthFilter.init(AuthFilter.java:105)
	at com.businessobjects.sdk.credential.WrappedResponseAuthFilter.init(WrappedResponseAuthFilter.java:56)
	at org.apache.catalina.core.ApplicationFilterConfig.getFilter(ApplicationFilterConfig.java:223)
	at org.apache.catalina.core.ApplicationFilterConfig.setFilterDef(ApplicationFilterConfig.java:304)
	at org.apache.catalina.core.ApplicationFilterConfig.<init>(ApplicationFilterConfig.java:77)
	at org.apache.catalina.core.StandardContext.filterStart(StandardContext.java:3634)
	at org.apache.catalina.core.StandardContext.start(StandardContext.java:4217)
	at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:759)
	at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:739)
	at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:524)
	at org.apache.catalina.startup.HostConfig.deployDescriptor(HostConfig.java:608)
	at org.apache.catalina.startup.HostConfig.deployDescriptors(HostConfig.java:535)
	at org.apache.catalina.startup.HostConfig.deployApps(HostConfig.java:470)
	at org.apache.catalina.startup.HostConfig.start(HostConfig.java:1122)
	at org.apache.catalina.startup.HostConfig.lifecycleEvent(HostConfig.java:310)
	at org.apache.catalina.util.LifecycleSupport.fireLifecycleEvent(LifecycleSupport.java:119)
	at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1021)
	at org.apache.catalina.core.StandardHost.start(StandardHost.java:718)
	at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1013)
	at org.apache.catalina.core.StandardEngine.start(StandardEngine.java:442)
	at org.apache.catalina.core.StandardService.start(StandardService.java:450)
	at org.apache.catalina.core.StandardServer.start(StandardServer.java:709)
	at org.apache.catalina.startup.Catalina.start(Catalina.java:551)
	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
	at java.lang.reflect.Method.invoke(Method.java:585)
	at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:294)
	at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:432)
Caused by: com.dstc.security.kerberos.KerberosError: Server not found in Kerberos database
	at com.dstc.security.kerberos.Kerberos.getKrbASRepFromKDC(Kerberos.java:1165)
	at com.dstc.security.kerberos.Kerberos.requestInitialTicket(Kerberos.java:914)
	at com.wedgetail.idm.sso.util.MemoryKeyTab.createKeyTab(MemoryKeyTab.java:83)
	... 31 more
Caused by: 
com.dstc.security.kerberos.KerberosError: Server not found in Kerberos database
	at com.dstc.security.kerberos.Kerberos.getKrbASRepFromKDC(Kerberos.java:1165)
	at com.dstc.security.kerberos.Kerberos.requestInitialTicket(Kerberos.java:914)
	at com.wedgetail.idm.sso.util.MemoryKeyTab.createKeyTab(MemoryKeyTab.java:83)
	at com.wedgetail.idm.sso.util.Util.getKeyTab(Util.java:137)
	at com.wedgetail.idm.sso.AbstractAuthenticator.initAuthenticator(AbstractAuthenticator.java:440)
	at com.wedgetail.idm.sso.AuthFilter.init(AuthFilter.java:105)
	at com.businessobjects.sdk.credential.WrappedResponseAuthFilter.init(WrappedResponseAuthFilter.java:56)
	at org.apache.catalina.core.ApplicationFilterConfig.getFilter(ApplicationFilterConfig.java:223)
	at org.apache.catalina.core.ApplicationFilterConfig.setFilterDef(ApplicationFilterConfig.java:304)
	at org.apache.catalina.core.ApplicationFilterConfig.<init>(ApplicationFilterConfig.java:77)
	at org.apache.catalina.core.StandardContext.filterStart(StandardContext.java:3634)
	at org.apache.catalina.core.StandardContext.start(StandardContext.java:4217)
	at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:759)
	at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:739)
	at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:524)
	at org.apache.catalina.startup.HostConfig.deployDescriptor(HostConfig.java:608)
	at org.apache.catalina.startup.HostConfig.deployDescriptors(HostConfig.java:535)
	at org.apache.catalina.startup.HostConfig.deployApps(HostConfig.java:470)
	at org.apache.catalina.startup.HostConfig.start(HostConfig.java:1122)
	at org.apache.catalina.startup.HostConfig.lifecycleEvent(HostConfig.java:310)
	at org.apache.catalina.util.LifecycleSupport.fireLifecycleEvent(LifecycleSupport.java:119)
	at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1021)
	at org.apache.catalina.core.StandardHost.start(StandardHost.java:718)
	at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1013)
	at org.apache.catalina.core.StandardEngine.start(StandardEngine.java:442)
	at org.apache.catalina.core.StandardService.start(StandardService.java:450)
	at org.apache.catalina.core.StandardServer.start(StandardServer.java:709)
	at org.apache.catalina.startup.Catalina.start(Catalina.java:551)
	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
	at java.lang.reflect.Method.invoke(Method.java:585)
	at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:294)
	at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:432)
15 [Thread-1] ERROR org.apache.catalina.core.ContainerBase.[Catalina].[localhost].[/InfoViewApp]  - Exception au démarrage du filtre authFilter
com.wedgetail.idm.sso.ConfigException: Could not validate com.wedgetail.idm.sso.password [caused by: com.dstc.security.kerberos.KerberosError: Server not 

found in Kerberos database]
	at com.wedgetail.idm.sso.util.MemoryKeyTab.createKeyTab(MemoryKeyTab.java:109)
	at com.wedgetail.idm.sso.util.Util.getKeyTab(Util.java:137)
	at com.wedgetail.idm.sso.AbstractAuthenticator.initAuthenticator(AbstractAuthenticator.java:440)
	at com.wedgetail.idm.sso.AuthFilter.init(AuthFilter.java:105)
	at com.businessobjects.sdk.credential.WrappedResponseAuthFilter.init(WrappedResponseAuthFilter.java:56)
	at org.apache.catalina.core.ApplicationFilterConfig.getFilter(ApplicationFilterConfig.java:223)
	at org.apache.catalina.core.ApplicationFilterConfig.setFilterDef(ApplicationFilterConfig.java:304)
	at org.apache.catalina.core.ApplicationFilterConfig.<init>(ApplicationFilterConfig.java:77)
	at org.apache.catalina.core.StandardContext.filterStart(StandardContext.java:3634)
	at org.apache.catalina.core.StandardContext.start(StandardContext.java:4217)
	at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:759)
	at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:739)
	at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:524)
	at org.apache.catalina.startup.HostConfig.deployDescriptor(HostConfig.java:608)
	at org.apache.catalina.startup.HostConfig.deployDescriptors(HostConfig.java:535)
	at org.apache.catalina.startup.HostConfig.deployApps(HostConfig.java:470)
	at org.apache.catalina.startup.HostConfig.start(HostConfig.java:1122)
	at org.apache.catalina.startup.HostConfig.lifecycleEvent(HostConfig.java:310)
	at org.apache.catalina.util.LifecycleSupport.fireLifecycleEvent(LifecycleSupport.java:119)
	at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1021)
	at org.apache.catalina.core.StandardHost.start(StandardHost.java:718)
	at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1013)
	at org.apache.catalina.core.StandardEngine.start(StandardEngine.java:442)
	at org.apache.catalina.core.StandardService.start(StandardService.java:450)
	at org.apache.catalina.core.StandardServer.start(StandardServer.java:709)
	at org.apache.catalina.startup.Catalina.start(Catalina.java:551)
	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
	at java.lang.reflect.Method.invoke(Method.java:585)
	at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:294)
	at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:432)
Caused by: com.dstc.security.kerberos.KerberosError: Server not found in Kerberos database
	at com.dstc.security.kerberos.Kerberos.getKrbASRepFromKDC(Kerberos.java:1165)
	at com.dstc.security.kerberos.Kerberos.requestInitialTicket(Kerberos.java:914)
	at com.wedgetail.idm.sso.util.MemoryKeyTab.createKeyTab(MemoryKeyTab.java:83)
	... 31 more
28 juil. 2008 16:37:19 org.apache.catalina.core.StandardContext start
GRAVE: Error filterStart
28 juil. 2008 16:37:19 org.apache.catalina.core.StandardContext start
GRAVE: Erreur de démarrage du contexte [/InfoViewApp] suite aux erreurs précédentes

BasicTek
Advisor
Advisor
0 Kudos

A) It's usually a good idea to edit the logs removing customer specific info in the above logs

B) I see this KerberosError: Server not found in Kerberos database. This typically means that there is either a duplicated or missing SPN. The problem is it could be other things. At this point we would usually webex to check overall system config, and download several utilities for troubleshooting.

Since I can't do that the above is my best guess.

Regards,

Tim

Former Member
0 Kudos

Ok, what do you advise me to do then?

Should I check the SPN?

Regards,

Nicolas

Former Member
0 Kudos

I have checked the SPN VintelaSSO created as HTTP/SV-98072 @ MC.TEST.INTRA:

kinit VintelaSSO @ MC.TEST.INTRA

Password for VintelaSSO @ MC.TEST.INTRA:xxxxxx

New ticket is stored in cache file................

So the SPN seems to be ok, what could be the problem then?

Regards,

Nicolas

BasicTek
Advisor
Advisor
0 Kudos

The SPN should be http/FQDN and, using ktpass, would appear like http/FQDN@realm

where the FQDN is host.prefix.domain.com and realm is prefix.domain.com. It looks like you set this up with the hostname. An example of the princ would be http/myservername.child.domain.com@ CHILD.DOMAIN.COM; anything after the @ must be in all caps for java AD.

Well this is where it would be best to have a support rep,

In some cases we may need to packet scan with wireshark or netmon (http://www.wireshark.org/download.html) in other cases we may need to search out duplicate SPN with a tool such as AD explorer (http://technet.microsoft.com/en-us/sysinternals/bb963907)

regards,

Tim

Former Member
0 Kudos

Ok Tim, I have downloaded and installed the tools, how should I use them now?

Thanks

Nicolas

Former Member
0 Kudos

Hi Tim,

Maybe the problem comes from the krbrealm.con file.

Currently the file is as follow:


MC.TEST.INTRA MC.TEST.INTRA
.MC.TEST.INTRA .MC.TEST.INTRA
.MIT.EDU ATHENA.MIT.EDU
.MIT.EDU. ATHENA.MIT.EDU
MIT.EDU ATHENA.MIT.EDU
.WHOI.EDU ATHENA.MIT.EDU
.WHOI.EDU. ATHENA.MIT.EDU
.PFC.MIT.EDU ATHENA.MIT.EDU
.PFC.MIT.EDU. ATHENA.MIT.EDU
.PSFC.MIT.EDU ATHENA.MIT.EDU
.PSFC.MIT.EDU. ATHENA.MIT.EDU
.MEDIA.MIT.EDU MEDIA-LAB.MIT.EDU
MEDIA.MIT.EDU. MEDIA-LAB.MIT.EDU
.UCSC.EDU CATS.UCSC.EDU
.UCSC.EDU. CATS.UCSC.EDU
CYGNUS.COM CYGNUS.COM
CYGNUS.COM. CYGNUS.COM
PANIX.COM PANIX.COM
NETGEN.COM NETGEN.COM
.FS.ANDREW.CMU.EDU ANDREW.CMU.EDU
.FS.ANDREW.CMU.EDU. ANDREW.CMU.EDU
.SRV.CS.CMU.EDU CS.CMU.EDU
.SRV.CS.CMU.EDU. CS.CMU.EDU

Can you please check the 2 first rows and let me know if it's ok?

Thanks

Nicolas

BasicTek
Advisor
Advisor
0 Kudos

I've got no such file on my system (krbrealm.con). Where does this file reside? How did you come to verify it? I'm not aware of any of our configurations requiring it?

Former Member
0 Kudos

Finally, SSO works.

I forgot to configure Tomcat service to use the VintelaSSO service account.

Thanks for all

Nicolas

Edited by: Nicolas Vigouroux on Jul 31, 2008 3:34 PM

BasicTek
Advisor
Advisor
0 Kudos

Well the client tools don't use java so something is still wrong. If kinit works we will need the verbose tracing turned on to see what

Former Member
0 Kudos

Now, it works on both Infoview and CMC!

I didn't modify the appropriate Web.xml, the correct path was:

C:\Program Files\Business Objects\*Tomcat55*\webapps\InfoViewApp\WEB-INF

The only remaining wish is to auto-connect users with their Windows AD auth.

I guess all operations must be done in the web.xml file?

Am I right?

BasicTek
Advisor
Advisor
0 Kudos

So when logging in anything entered after an @ symbol must be in all CAPS. user@ DOMAIN.COM

if the DOMAIN is not in all CAPS in the Krb5 and CMC then you will get cannot find KDC for realm.
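The SPN and realm rules from Tim's replies (service/FQDN@REALM, realm in capitals, no bare hostname, no SPN registered on two accounts) as a small checker. This is an added example, not code from the thread or from BusinessObjects; the account names and the second SPN owner in it are constructed.

```python
import re

# Principal forms from the thread: setspn registers service/FQDN on the
# account; the Java side (kinit, bscLogin) needs service/FQDN@REALM with
# the realm in upper case. Sample names below are constructed.
PRINCIPAL_RE = re.compile(
    r"^(?P<service>[^/@\s]+)/(?P<host>[^/@\s]+)(?:@(?P<realm>[^@\s]+))?$")


def check_principal(principal, expected_realm, require_realm=True):
    """Return a list of problems with one SPN / principal string.

    expected_realm is the AD domain as written in krb5.ini and the CMC.
    Set require_realm=False for the bare SPN passed to setspn -A.
    """
    m = PRINCIPAL_RE.match(principal)
    if not m:
        return ["not of the form service/host or service/host@REALM"]
    problems = []
    host, realm = m.group("host"), m.group("realm")
    if "." not in host:
        problems.append("host %r is a bare hostname; use the FQDN" % host)
    if realm is None:
        if require_realm:
            problems.append("no @REALM suffix")
    elif realm != realm.upper():
        # the Java client looks the realm up exactly as typed, hence the
        # thread's "Cannot get kdc for realm xm.test.intra"
        problems.append("realm %r must be upper case" % realm)
    elif realm != expected_realm.upper():
        problems.append("realm %r is not %r" % (realm, expected_realm.upper()))
    return problems


def find_duplicate_spns(spns_by_account):
    """Map every SPN registered on more than one account to those accounts.

    AD compares SPNs case-insensitively, so the key is lower-cased. A
    duplicate is one cause of 'Server not found in Kerberos database'.
    """
    owners = {}
    for account, spns in spns_by_account.items():
        for spn in spns:
            owners.setdefault(spn.lower(), set()).add(account)
    return {spn: sorted(accts) for spn, accts in owners.items() if len(accts) > 1}


if __name__ == "__main__":
    # constructed registrations: the HTTP SPN sits on two accounts
    registrations = {
        "bo_admin_xir3": ["BOBJCentralMS/S-98072.XM.TEST.INTRA",
                          "HTTP/S-98072.xm.test.intra"],
        "svc_intranet": ["http/s-98072.xm.test.intra"],
    }
    print(check_principal("HTTP/SV-98072@mc.test.intra", "MC.TEST.INTRA"))
    print(find_duplicate_spns(registrations))
```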

Former Member
0 Kudos

Ok, now I have a ticket generated for the user BO_Admin_XIR3:


C:\Program Files\Business Objects\javasdk\bin>kinit BO_Admin_xir3/at\XM.TEST.INTRA

Password for BO_Admin_xir3/at\XM.TEST.INTRA: xxxxx

New ticket is stored in cache file C:\Documents and Settings\BO_Admin_XIR3\krb5c
c_BO_Admin_XIR3

When I connect to Deski with windows AD auth. and a user belonging to the group authorized to use BO, it works.

But when I try to connect to Infoview via IE, I don't see the authentication type, even if I have modified the file:

C:\Program Files\Business Objects\BusinessObjects Enterprise 12.0\warfiles\WebApps\InfoViewApp\WEB-INF\web.xml

Former Member
0 Kudos

Now, if I try to log in to CMC, it says:

"Account Information Not Recognized: The Active Directory Authentication plugin could not authenticate at this time. Please try again. If the problem persists, please contact your technical support department."

Former Member
0 Kudos

It works now for the CMC but not in Infoview, there is no authentication option below the password field.

Also, we would like to auto-log in the CMC & Infoview (without typing any password, just using the Windows AD).

I have modified the web.xml located in the folder:

C:\Program Files\Business Objects\BusinessObjects Enterprise 12.0\warfiles\WebApps\InfoViewApp\WEB-INF

In this way:


    <!-- ==================== -->
    <!-- Customizable options -->
    <!-- ==================== -->

    <!--  You can specify the default CMS machine name here -->
    <!-- Put your CMS name inside <param-value> </param-value> -->
    <!-- eg. <context-param> -->
    <!--     <param-name>cms.default</param-name> -->
    <!--        <param-value>CrystalMS</param-value> -->
    <!-- eg. </context-param> -->
    <context-param>
        <param-name>cms.default</param-name>
        <param-value>SV-98072:6400</param-value>
    </context-param>

    <!-- Choose whether to let the user change the CMS name -->
    <!-- If it isn't shown the default System from above will be used -->
    <context-param>
        <param-name>cms.visible</param-name>
        <param-value>false</param-value>
    </context-param>

    <!-- You can specify the default Authentication types here -->
    <!-- secEnterprise, secLDAP, secWinAD, secSAPR3 -->
    <context-param>
        <param-name>authentication.default</param-name>
        <param-value>secWinAD</param-value>
    </context-param>

    <!-- Choose whether to let the user change the authentication type -->
    <!-- If it isn't shown the default authentication type from above will be used -->
    <context-param>
        <param-name>authentication.visible</param-name>
        <param-value>true</param-value>
    </context-param>

    <!-- The default home page -->
    <context-param>
        <param-name>homepage.default</param-name>
        <param-value>/jsp/listing/home.jsp</param-value>
    </context-param>

    <!-- If the locale preference is disabled (only english languages will be used/allowed) -->
    <context-param>
        <param-name>disable.locale.preference</param-name>
        <param-value>false</param-value>
    </context-param>

But it still does not allow me to log in with AD...

BasicTek
Advisor
Advisor
0 Kudos

"but of course the Windows AD did not work"

That doc includes tracing information for tomcat, can you give us the error message.

Also have you created the bsclogin and krb5?

Former Member
0 Kudos

I have created on the S-98072 machine the file bscLogin.conf and the folder WINNT (created too) with the following:

com.businessobjects.security.jgss.initiate {

com.sun.security.auth.module.Krb5LoginModule required;

};

I have also created the krb5.ini file with the following:

[libdefaults]

default_realm = XM.TEST.INTRA

dns_lookup_kdc = true

dns_lookup_realm = true

krb4_config = /usr/kerberos/lib/krb.conf

krb4_realms = /usr/kerberos/lib/krb.realms

[realms]

XM.TEST.INTRA = {

kdc = S-00001.XM.TEST.INTRA

kdc = S-98072.XM.TEST.INTRA

default_domain = XM.TEST.INTRA

}

ATHENA.MIT.EDU = {

admin_server = KERBEROS.MIT.EDU

default_domain = MIT.EDU

v4_instance_convert = {

mit = mit.edu

lithium = lithium.lcs.mit.edu

}

}

ANDREW.CMU.EDU = {

admin_server = vice28.fs.andrew.cmu.edu

}

# use "kdc =" if realm admins haven't put SRV records into DNS

GNU.ORG = {

kdc = kerberos.gnu.org

kdc = kerberos-2.gnu.org

admin_server = kerberos.gnu.org

}

[domain_realm]

xm.test.intra = XM.TEST.INTRA

.test.intra = TEST.INTRA

.mit.edu = ATHENA.MIT.EDU

mit.edu = ATHENA.MIT.EDU

.media.mit.edu = MEDIA-LAB.MIT.EDU

media.mit.edu = MEDIA-LAB.MIT.EDU

.ucsc.edu = CATS.UCSC.EDU

[logging]

# kdc = CONSOLE

BasicTek
Advisor
Advisor
0 Kudos

You may want to simplify that Krb5.ini

[libdefaults]

default_realm = XM.TEST.INTRA

dns_lookup_kdc = true

dns_lookup_realm = true

udp_preference_limit = 1

[realms]

XM.TEST.INTRA = {

kdc = S-00001.XM.TEST.INTRA

kdc = S-98072.XM.TEST.INTRA

default_domain = XM.TEST.INTRA

}

Make sure the default domain in the CMC is XM.TEST.INTRA too and that the service account and server are in that domain.

Use the doc above to trace tomcat and test the krb5-bsclogin with kinit

Also after required; in the bsclogin change to required debug=true; I don't believe this tracing option is in the admin guide

Regards,

Tim
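As an added example (not from the thread or from SAP), a parser for the simplified krb5.ini Tim suggests, plus the checks that correspond to the errors quoted in this thread: a lower-case or KDC-less default_realm gives kinit's "Cannot get kdc for realm", a section header pasted without its brackets is rejected, and a [domain_realm] entry that sends the BO host to another realm is reported. The sample file reuses the thread's XM.TEST.INTRA and S-00001 values; the MIT-style [domain_realm] lookup order is an assumption about the client.

```python
# Added example, not from the thread: parse a krb5.ini and check the settings
# behind the errors quoted in this thread (sample reuses XM.TEST.INTRA values).
SAMPLE_KRB5_INI = """\
[libdefaults]
default_realm = XM.TEST.INTRA
udp_preference_limit = 1
[realms]
XM.TEST.INTRA = {
kdc = S-00001.XM.TEST.INTRA
}
[domain_realm]
.xm.test.intra = XM.TEST.INTRA
"""

def parse_krb5_ini(text):
    """Parse the krb5.ini subset used here into {section: {key: [values]}}.
    Braced [realms] blocks nest one level; a header pasted without its
    brackets (a bare 'libdefaults' line) raises ValueError."""
    sections, section, block = {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # '#' starts a comment
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = sections.setdefault(line[1:-1], {})
            block = None
        elif section is None:
            raise ValueError("line before any [section] header: %r" % raw)
        elif line.endswith("{"):
            block = section.setdefault(line[:-1].strip(" ="), {})
        elif line == "}":
            block = None
        elif "=" in line:
            key, value = (p.strip() for p in line.split("=", 1))
            (block if block is not None else section).setdefault(key, []).append(value)
        else:
            raise ValueError("unparsable line: %r" % raw)
    return sections

def realm_for_host(cfg, fqdn):
    """MIT-style [domain_realm] lookup (assumed client behaviour): exact host,
    then each parent domain with a leading dot; None if nothing matches."""
    mapping = cfg.get("domain_realm", {})
    host = fqdn.lower()
    if host in mapping:
        return mapping[host][0]
    labels = host.split(".")
    for i in range(1, len(labels)):
        key = "." + ".".join(labels[i:])
        if key in mapping:
            return mapping[key][0]
    return None

def check_krb5_ini(text, bo_host_fqdn):
    """Return the problems that would break the kinit / Tomcat SSO test."""
    cfg = parse_krb5_ini(text)
    default_realm = cfg.get("libdefaults", {}).get("default_realm", [None])[0]
    if default_realm is None:
        return ["[libdefaults] has no default_realm"]
    problems = []
    if default_realm != default_realm.upper():
        # lower-case realm: kinit's "Cannot get kdc for realm xm.test.intra"
        problems.append("default_realm %r is not upper case" % default_realm)
    if not cfg.get("realms", {}).get(default_realm, {}).get("kdc"):
        problems.append("no kdc listed for realm %r in [realms]" % default_realm)
    mapped = realm_for_host(cfg, bo_host_fqdn)
    if mapped is not None and mapped != default_realm:
        problems.append("%s maps to realm %r, not %r" % (bo_host_fqdn, mapped, default_realm))
    return problems
```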

Former Member
0 Kudos

I have checked on the CMC the CMC Name is:

S98072.CentralManagementServer (S-98072.xm.test.intra:6400)

I have checked with the kinit command and I obtain an error:


C:\Program Files\Business Objects\javasdk\bin>kinit BO_Admin_XIR3/at\xm.test.intra

Password for *BO_Admin_XIR3/at\xm.test.intra*: *xxxxx*
Exception: krb_error 0 Cannot get kdc for realm xm.test.intra No error
KrbException: Cannot get kdc for realm xm.test.intra
        at sun.security.krb5.KrbKdcReq.send(KrbKdcReq.java:133)
        at sun.security.krb5.KrbKdcReq.send(KrbKdcReq.java:106)
        at sun.security.krb5.internal.tools.Kinit.sendASRequest(Kinit.java:300)
        at sun.security.krb5.internal.tools.Kinit.<init>(Kinit.java:239)
        at sun.security.krb5.internal.tools.Kinit.main(Kinit.java:106)

BasicTek
Advisor
Advisor
0 Kudos

"Delegation in BO_Admin_XIR3 properties is not visible"

This could mean that your AD is 2000; in that case the doc should have shown you the checkbox option, which is always available. If it's 2003 then the account likely doesn't have an SPN yet.

Are you using this doc?

http://help.sap.com/businessobject/product_guides/boexir3/en/xi3_bip_admin_en.pdf

regards,

Tim

Former Member
0 Kudos

Hi Tim,

The domain controller OS is Windows 2003, so the AD should be 2003.

I am using the doc you mention, but for this part it seems it's just a copy/paste of the R2 doc.

You can see the command is:

SETSPN.exe -A BOBJCentralMS/NAME serviceaccount

But in BO 3.0, the service name is different...

Thanks

Regards,

Nicolas

BasicTek
Advisor
Advisor
0 Kudos

Sorry, I misspoke: it's not the DC version but the AD functional level, so 2003 native should have a delegation tab if the account has any SPNs, but 2003 mixed mode will only have a checkbox in the account options.

I'll review your other data in a bit

Former Member
0 Kudos

Here are the tabs available for the account BO_Admin_XIR3:

From the upper left to the bottom right:

"Published Certificates", "Member Of", "Dial-in", "Object", "Security",

"Environment", "Sessions", "Remote Control", "Terminal Services Profile", "COM+",

"General", "Address", "Account", "Profile", "Telephones", "Organization"

Hope it will help

Regards,

Nicolas

BasicTek
Advisor
Advisor
0 Kudos

OK, click on the Account tab and scroll through the account options: is there a delegation setting?

Former Member
0 Kudos

Yes, I have already seen it, and enabled it: "Account is trust for delegation".

Former Member
0 Kudos

How do you type the command exactly?

SETSPN.exe -A BOE120SIAS98072/S-98072.xm.test.intra BO_Admin_XIR3

Is that right?

Best regards

simon_ravindar
Explorer
0 Kudos

Hi Nicolas,

I can help you if you can give me complete configuration details.

OS :

Web Server if any :

App Server :

DOMAIN NAME :

FQDN OF BO XI MACHINE :

Regards.

Simon

Former Member
0 Kudos

Hi Simon,

Here are the details:

- OS: Windows 2003 server R2 on both domain controller and BO Server.

- Tomcat 5.5.20 (BO 3.0 doesn't have IIS)

- Domain controller name: S-00001

- Business Objects server name: S-98072

- Domain name: xm.test.intra

- FQDN of BO machine: S-98072.xm.test.intra

Just for info, the Server Intelligence Agent service name is: BOE120SIAS98072

I hope these are all the needed details.

Thanks for your help!

Regards,

Nicolas

Edited by: Nicolas Vigouroux on Jul 24, 2008 2:22 PM

Edited by: Nicolas Vigouroux on Jul 24, 2008 2:26 PM