on 07-24-2008 9:32 AM
Hello,
We are trying to configure Windows AD SSO with Kerberos but are running into some problems.
We already followed these steps:
1) Creation of a service account in the domain controller named BO_ADmin_XIR3.
2) Creation of the group of users to use BO.
3) Execution of the SETSPN command as follows:
setspn -a BOE120SIA(name of the computer)/(name of the computer) BO_Admin_XIR3
Problem -> the registration is OK but the "Delegation" tab in the BO_Admin_XIR3 properties is not visible.
Anyway, we continued configuring the CMC with the SPN for Kerberos, adding the group etc., but of course Windows AD did not work.
Does anyone know how to do this? Is the command wrong (and if so, what should the command be)?
Thanks in advance
Nicolas
Edited by: Nicolas Vigouroux on Jul 24, 2008 10:32 AM
Thanks to Tim Ziemba and Simon Ravindar
Hi Nicolas,
Make sure the IIS service is stopped on your Tomcat machine. I have also prepared a document for your scenario; please check whether you have missed any step.
Regards,
Simon
STEPS TO DO ON ACTIVE DIRECTORY MACHINE (S-00001)
1.setspn -A BOBJCentralMS/S-98072.XM.TEST.INTRA bo_admin_xir3
2.Go to AD users and Computers and right click on user bo_admin_xir3
3. Select the check boxes "Account is trusted for delegation" and "Use DES encryption types for this account"
STEPS TO DO ON BO MACHINE (S-98072)
4.Stop BO Servers and Tomcat Application Server
5.Add the user bo_admin_xir3 as a member of Administrators group
6. Assign the right "Act as Part of Operating System" to user bo_admin_xir3
7.Create krb5.ini in c:\winnt\ directory and paste the below content.
[libdefaults]
default_realm = XM.TEST.INTRA
dns_lookup_kdc = true
dns_lookup_realm = true
[realms]
XM.TEST.INTRA = {
kdc = S-00001.XM.TEST.INTRA
default_domain = XM.TEST.INTRA
}
8.Create the file bscLogin.conf in c:\winnt directory and paste the below content
com.businessobjects.security.jgss.initiate {
com.sun.security.auth.module.Krb5LoginModule required;
};
9.Go to Start->Programs->Tomcat->Tomcat Configuration and go to java tab and enter the below content
-Djava.security.auth.login.config=c:\winnt\bscLogin.conf
-Djava.security.krb5.conf=c:\winnt\krb5.ini
10.Start BO Servers
11. Launch the CMC, go to the Windows AD tab and enter bo_admin_xir3 as the Service Principal Name
12. Log into Infoview and Deski by selecting Windows AD. It should be successful.
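Before retrying step 11, the AD side of the procedure can be sanity-checked. The following Python is an added example (it is not from Simon's document, this thread or the product) that validates SPN syntax, finds an SPN registered on more than one account, and reports accounts that hold no SPN at all; the Delegation tab Nicolas could not find only appears in Active Directory Users and Computers once the account has at least one SPN registered. It reads a listing in the shape that `setspn -L <account>` prints; the listing, account names and host names embedded below are constructed for the example.

```python
"""Pre-flight check of service principal names (SPNs) before enabling Kerberos
for a BusinessObjects service account.  Added example, not from this thread
or the product; the account and host names below are made up."""
import re
from collections import defaultdict

# service/host[:port][/servicename]; the host may be a short name or an FQDN
_SPN_RE = re.compile(
    r"^(?P<service>[^/:]+)/(?P<host>[^/:\s]+)(?::(?P<port>\d{1,5}))?(?:/(?P<name>[^/]+))?$")


def parse_spn(spn: str) -> dict:
    """Split an SPN into service/host/port/name, or raise ValueError on bad syntax."""
    m = _SPN_RE.match(spn.strip())
    if not m:
        raise ValueError(f"malformed SPN {spn!r}")
    parts = m.groupdict()
    parts["service"] = parts["service"].lower()   # AD matches SPNs case-insensitively
    parts["host"] = parts["host"].lower()
    return parts


def parse_setspn_listing(text: str) -> dict:
    """Turn concatenated `setspn -L <account>` output into {account: [spn, ...]}."""
    accounts, current = {}, None
    for line in text.splitlines():
        m = re.match(r"Registered ServicePrincipalNames for (?P<dn>.+):\s*$", line)
        if m:
            cn = re.match(r"CN=([^,]+)", m.group("dn"))
            current = cn.group(1) if cn else m.group("dn")
            accounts[current] = []
        elif current is not None and line.strip():
            accounts[current].append(line.strip())
    return accounts


def check_spns(accounts: dict) -> list:
    """Report malformed SPNs, SPNs registered on more than one account, and
    accounts with no SPN at all (ADUC shows no Delegation tab for those)."""
    problems, owners, first_seen = [], defaultdict(list), {}
    for acct, spns in accounts.items():
        if not spns:
            problems.append(f"{acct}: no SPN registered, so no Delegation tab in ADUC")
        for spn in spns:
            try:
                p = parse_spn(spn)
            except ValueError as exc:
                problems.append(f"{acct}: {exc}")
                continue
            key = (p["service"], p["host"], p["port"], p["name"])
            owners[key].append(acct)
            first_seen.setdefault(key, spn)
    for key, accts in owners.items():
        if len(set(accts)) > 1:
            problems.append(f"duplicate SPN {first_seen[key]} on {sorted(set(accts))}: "
                            "Kerberos fails for every account that holds it")
    return problems


# Constructed listing in the shape `setspn -L` prints (names are made up).
SAMPLE_LISTING = """\
Registered ServicePrincipalNames for CN=bo_admin_xir3,OU=Service Accounts,DC=example,DC=test:
        BOBJCentralMS/boserver.example.test
        BOBJCentralMS/boserver
Registered ServicePrincipalNames for CN=svc_old_bo,OU=Service Accounts,DC=example,DC=test:
        BOBJCentralMS/boserver.example.test
        HTTP//boserver
Registered ServicePrincipalNames for CN=VintelaSSO,OU=Service Accounts,DC=example,DC=test:
"""

if __name__ == "__main__":
    for problem in check_spns(parse_setspn_listing(SAMPLE_LISTING)):
        print("PROBLEM:", problem)
```

Feed it the real output of `setspn -L` for every account that should own a BusinessObjects or HTTP SPN; a duplicate across two accounts is the first thing to rule out when the KDC behaves inconsistently.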
Hi Simon,
Thanks a lot for your help, the Windows AD authentication is now working well.
The only remaining thing is the automatic SSO.
So, here are the steps I have already done:
1) Creation of an account named "VintelaSSO" on the domain controller.
2) Execution of the command: ktpass -princ HTTP/S-98072.XM.DOMAIN.INTRA@XM.DOMAIN.INTRA -mapuser VintellaSSO
3) Execution of the command: ktpass -out host.keytab -princ HTTP/SV-98072@XM.DOMAIN.INTRA -pass xxxxx -kvno 255 -ptype KRB5_NT_PRINCIPAL -crypto RC4-HMAC-NT
4) Copy of the file host.keytab into the WINNT folder of S-98072
5) Modification of the web.xml of InfoView as follows:
<!-- You can specify the siteminder Authentication type here -->
<!-- secLDAP, secWinAD -->
<context-param>
<param-name>siteminder.authentication</param-name>
<param-value>secWinAD</param-value>
</context-param>
<!-- Set to true to enable Vintela single sign on. -->
<context-param>
<param-name>vintela.enabled</param-name>
<param-value>true</param-value>
</context-param>
<!-- Set to true to enable other single sign on. -->
<context-param>
<param-name>sso.enabled</param-name>
<param-value>false</param-value>
</context-param>
<!-- Set to false to disable logon with token. -->
<context-param>
<param-name>logontoken.enabled</param-name>
<param-value>true</param-value>
</context-param>
.
.
.
<!-- For Vintela SSO the following filter needs to be uncommented.
There is also a filter mapping which needs to be uncommented.
Set idm.realm to the Active Directory realm where the server is in
and idm.princ to the service principal name.
-->
<filter>
<filter-name>authFilter</filter-name>
<filter-class>com.businessobjects.sdk.credential.WrappedResponseAuthFilter</filter-class>
<init-param>
<param-name>idm.realm</param-name>
<param-value>XM.TEST.INTRA</param-value>
</init-param>
<init-param>
<param-name>idm.princ</param-name>
<param-value>HTTP/S-98072@XM.TEST.INTRA</param-value>
</init-param>
<init-param>
<param-name>idm.allowUnsecured</param-name>
<param-value>true</param-value>
</init-param>
<init-param>
<param-name>idm.allowNTLM</param-name>
<param-value>false</param-value>
</init-param>
<init-param>
<param-name>idm.logger.name</param-name>
<param-value>simple</param-value>
<description>
The unique name for this logger.
</description>
</init-param>
<init-param>
<param-name>idm.logger.props</param-name>
<param-value>error-log.properties</param-value>
<description>
Configures logging from the specified file.
</description>
</init-param>
<init-param>
<param-name>error.page</param-name>
<param-value>/jsp/logon/vintelaError.jsp</param-value>
<description>
The URL of the page to show if an error occurs during authentication.
</description>
</init-param>
<init-param>
<param-name>idm.keytab</param-name>
<param-value>C:\WINNT\host.keytab</param-value>
</init-param>
</filter>
But after these modifications are done, the Infoview web page displays errors.
If I comment out the 2nd part of the code (the Vintela filter part), the page is OK.
That doc I sent earlier also has the SSO config instructions. You will need another service account in AD, with similar steps but using ktpass instead of setspn.
You will need to modify several parts of the web.xml and one in the server.xml; all are documented.
Oh, and the original path is correct; you just need to copy it to the second path. If you only edit the file under the webapps\infoviewapp directory and then install a patch, it will get overwritten. The directions ask you to edit the war file so this won't happen.
Edited by: Tim Ziemba on Jul 24, 2008 11:05 AM
If you want true Active Directory SSO then you will need to get Vintela enabled. Note that the principal (princ) used in ktpass -mapuser MUST equal the principal used for ktpass -keytab. It appears that you used the FQDN for -mapuser and the hostname for the keytab. I wrote a command that does both at once for XI 3.0:
ktpass -out myname.keytab -princ HTTP/TOMCATFQDN@REALM.COM -mapuser user -pass yourpw -kvno 255 -ptype KRB5_NT_PRINCIPAL -crypto RC4-HMAC-NT
replace myname with any name for your keytab (also must be specified in web.xml)
replace TOMCATFQDN with the value in your web.xml idm.princ
replace REALM.COM with the value in your web.xml idm.realm
replace user with the vintelaccount@REALM.COM (again the REALM used in the web.xml)
replace yourpw with your vintela account password (also specified in the tomcat java options) -mapuser user
ktpass -out test.keytab -princ HTTP/r3-rtm3-tz.winauthtz.com@WINAUTHTZ.COM -mapuser r3ker3@WINAUTHTZ.COM -pass maxima -kvno 255 -ptype KRB5_NT_PRINCIPAL -crypto RC4-HMAC-NT
here is the output and everything looks ok in AD
Targeting domain controller: bobj-w2k3-db-tz.winauthtz.com
Successfully mapped HTTP/r3-rtm3-tz.winauthtz.com to r3ker3.
Key created.
Output keytab to test3.keytab:
Keytab version: 0x502
keysize 78 HTTP/r3-rtm3-tz.winauthtz.com@WINAUTHTZ.COM ptype 1 (KRB5_NT_PRINCIPAL) vno 255 etype 0x17 (RC4-HMAC) keylength 16
(0x91c0c7b367db3f2d6684b6690a5ff6e2)
You would then need to follow the normal steps in the doc (reset password, enable delegation, etc.). The above simply combines the keytab step and the mapuser step.
Also to note, I was receiving errors when creating the keytab separately that didn't seem to cause problems but also occurred for customers. When combining the 2 commands those errors were resolved. I know one was caused by running the mapuser separately; the other may have been related to that as well.
This could be followed by creating 2 more SPNs:
setspn -a HTTP/hostname user to preemptively solve client issues
setspn -a HTTP/ip.ip.ip.ip to allow vintela to work on the server
To note, the directions will work on XIR2 but you should upgrade your java SDK to 1.5 (not JRE or JVM) so that there will be no issues with RC4 encryption. And I had to add spaces to all the principals (anything with an @) in order to post on the forum; remove the spaces if using this command.
some people either log in manually or enable trusted auth for a pseudo SSO that doesn't require kerberos/vintela. If you got java AD working then it shouldn't be much more trouble to do the same with vintela
Regards,
Tim
Can you please explain me what do you mean by :
"some people either log in manually or enable trusted auth for a pseudo SSO that doesn't require kerberos/vintela. If you got java AD working then it shouldn't be much more trouble to do the same with vintela"?
Is it possible not to use vintela to log automatically? If yes, I'm ok for this solution.
Yes, with trusted auth, but SSO (single sign-on) in our product is the ability to actually log on with your OS credentials.
Trusted auth is actually logon with usernames (only) from a trusted source. If you wanted to do that with AD you could make IIS your trusted source and Tomcat your client. This is also documented in the XI 3.0 admin guide, but at this point you are almost finished.
The situation has changed: I rebuilt the keytab file and now I get the Log On to Infoview page without a 404 error, BUT it says:
"Unable to logon to InfoView. Please contact your system administrator for assistance. Please close your browser before continuing."
Do you have an idea?
Have a nice weekend
Regards,
Nicolas
1. Vintela will not work by default on the server, so all testing must be done from a client (this is mentioned in the docs).
2. That's a pretty generic error, so we will likely need to trace.
3. If possible, perform the testing on a 2003 server and not on XP (for several reasons).
When using a keytab, Vintela does not show any tracing info, so the steps below are how to trace. I realize that you can't add attachments to these forums, so a message with support is the way to go for setting up Vintela.
1) comment out the keytab in the web.xml
2) remove verbose tracing from the java options
3) add -Djcsi.kerberos.debug=true in the java options
4) define your vintela service account password in the java options
use the following
-Dcom.wedgetail.idm.sso.password=password where password = the password of the tomcat service account
5) Also add the max packet size to the java options to reduce UDP errors:
-Djcsi.kerberos.maxpacketsize=0
6) Stop Tomcat and delete or move the tomcat\logs
7) Restart Tomcat, wait 20 seconds or so and then check the stdout and localhost logs.
Also, on the account you created you may want to add a couple of SPNs: the hostname and IP that I mentioned above.
regards,
Tim
Hi Tim,
I have done all the steps you mentioned and here are the traces obtained.
The company domain name has been replaced by "TEST".
What should I do now?
Thanks
28 Jul 2008 16:36:36 org.apache.catalina.core.AprLifecycleListener lifecycleEvent
INFO: The Apache Tomcat Native library which allows optimal performance in production environments was not found on the java.library.path:
C:\WINDOWS\system32;C:\Program Files\Business Objects\BusinessObjects Enterprise 12.0\win32_x86
28 Jul 2008 16:36:36 org.apache.coyote.http11.Http11BaseProtocol init
INFO: Initializing Coyote HTTP/1.1 on http-8080
28 Jul 2008 16:36:36 org.apache.catalina.startup.Catalina load
INFO: Initialization processed in 906 ms
28 Jul 2008 16:36:37 org.apache.catalina.core.StandardService start
INFO: Starting service Catalina
28 Jul 2008 16:36:37 org.apache.catalina.core.StandardEngine start
INFO: Starting Servlet Engine: Apache Tomcat/5.5.20
28 Jul 2008 16:36:37 org.apache.catalina.core.StandardHost start
INFO: XML validation disabled
log4j:WARN No appenders could be found for logger (org.apache.commons.digester.Digester.sax).
log4j:WARN Please initialize the log4j system properly.
log4j:WARN No appenders could be found for logger (org.apache.commons.digester.Digester.sax).
log4j:WARN Please initialize the log4j system properly.
2008-07-28 16:36:52,643 [Thread-1] ERROR com.businessobjects.qaaws.internal.ServiceProvider () 2344 - initInstance()
org.apache.axis2.AxisFault: Your Web Intelligence session is invalid or has reached timeout. Log out and log in again to Query as a Web Service.
at com.businessobjects.dsws.DSWSExceptionFactory.CreateAxisFault(Unknown Source)
at com.businessobjects.qaaws.internal.BOEHelper.logon(Unknown Source)
at com.businessobjects.qaaws.internal.ServiceProvider.initInstance(Unknown Source)
at com.businessobjects.qaaws.internal.transport.QaaWSServlet.initServiceProvider(Unknown Source)
at com.businessobjects.qaaws.internal.transport.QaaWSServlet.init(Unknown Source)
at org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:1105)
at org.apache.catalina.core.StandardWrapper.load(StandardWrapper.java:932)
at org.apache.catalina.core.StandardContext.loadOnStartup(StandardContext.java:3951)
at org.apache.catalina.core.StandardContext.start(StandardContext.java:4225)
at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:759)
at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:739)
at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:524)
at org.apache.catalina.startup.HostConfig.deployDescriptor(HostConfig.java:608)
at org.apache.catalina.startup.HostConfig.deployDescriptors(HostConfig.java:535)
at org.apache.catalina.startup.HostConfig.deployApps(HostConfig.java:470)
at org.apache.catalina.startup.HostConfig.start(HostConfig.java:1122)
at org.apache.catalina.startup.HostConfig.lifecycleEvent(HostConfig.java:310)
at org.apache.catalina.util.LifecycleSupport.fireLifecycleEvent(LifecycleSupport.java:119)
at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1021)
at org.apache.catalina.core.StandardHost.start(StandardHost.java:718)
at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1013)
at org.apache.catalina.core.StandardEngine.start(StandardEngine.java:442)
at org.apache.catalina.core.StandardService.start(StandardService.java:450)
at org.apache.catalina.core.StandardServer.start(StandardServer.java:709)
at org.apache.catalina.startup.Catalina.start(Catalina.java:551)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:585)
at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:294)
at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:432)
[DEBUG] Mon Jul 28 16:36:58 CEST 2008 jcsi.kerberos: Found name servers using JNDI
[DEBUG] Mon Jul 28 16:36:58 CEST 2008 jcsi.kerberos: sv-99003.TEST.intra (192.168.4.20)
[DEBUG] Mon Jul 28 16:36:58 CEST 2008 jcsi.kerberos: sv-99004.TEST.intra (192.168.4.21)
[DEBUG] Mon Jul 28 16:36:58 CEST 2008 jcsi.kerberos: ** requesting initial ticket .. **
[DEBUG] Mon Jul 28 16:36:58 CEST 2008 jcsi.kerberos: ** creating AS request .. **
for client: HTTP/SV-98072.MC.TEST.INTRA
at realm: MC.TEST.INTRA
[DEBUG] Mon Jul 28 16:36:58 CEST 2008 jcsi.kerberos: ** Sending request to KDC .. **
[DEBUG] Mon Jul 28 16:36:58 CEST 2008 jcsi.kerberos: Resolving KDC for realm: MC.TEST.INTRA
[DEBUG] Mon Jul 28 16:36:58 CEST 2008 jcsi.kerberos:
UDP attempt #0 to DNS server sv-99003.TEST.intra/192.168.4.20
[DEBUG] Mon Jul 28 16:36:58 CEST 2008 jcsi.kerberos: Data sent:
1e 44 01 00 00 01 00 00 00 00 00 00 09 5f 6b 65 72 62 65 72
6f 73 04 5f 75 64 70 02 4d 43 09 44 49 45 54 53 4d 41 4e 4e
05 49 4e 54 52 41 00 00 21 00 01
[DEBUG] Mon Jul 28 16:36:58 CEST 2008 jcsi.kerberos: Data received:
1e 44 85 80 00 01 00 04 00 00 00 04 09 5f 6b 65 72 62 65 72
6f 73 04 5f 75 64 70 02 4d 43 09 44 49 45 54 53 4d 41 4e 4e
05 49 4e 54 52 41 00 00 21 00 01 c0 0c 00 21 00 01 00 00 02
58 00 23 00 00 00 64 00 58 08 73 76 2d 39 38 30 34 35 02 6d
63 09 64 69 65 74 73 6d 61 6e 6e 05 69 6e 74 72 61 00 c0 0c
00 21 00 01 00 00 02 58 00 23 00 00 00 64 00 58 08 73 76 2d
39 38 30 35 39 02 6d 63 09 64 69 65 74 73 6d 61 6e 6e 05 69
6e 74 72 61 00 c0 0c 00 21 00 01 00 00 02 58 00 23 00 00 00
64 00 58 08 73 76 2d 39 38 30 31 34 02 6d 63 09 64 69 65 74
73 6d 61 6e 6e 05 69 6e 74 72 61 00 c0 0c 00 21 00 01 00 00
02 58 00 23 00 00 00 64 00 58 08 73 76 2d 30 30 30 31 33 02
6d 63 09 64 69 65 74 73 6d 61 6e 6e 05 69 6e 74 72 61 00 c0
45 00 01 00 01 00 00 04 b0 00 04 c0 a8 03 16 c0 74 00 01 00
01 00 00 04 b0 00 04 c0 a8 32 05 c0 a3 00 01 00 01 00 00 04
b0 00 04 c0 a8 04 06 c0 d2 00 01 00 01 00 00 04 b0 00 04 c0
a8 04 01
[DEBUG] Mon Jul 28 16:36:58 CEST 2008 jcsi.kerberos: params: 1000010110000000
[DEBUG] Mon Jul 28 16:36:58 CEST 2008 jcsi.kerberos: Query sent:
Qname: _kerberos._udp.MC.TEST.INTRA
Qtype: 33
Qclass: 1
[DEBUG] Mon Jul 28 16:36:58 CEST 2008 jcsi.kerberos:
Record
Name: _kerberos._udp.MC.TEST.INTRA
Class: 1
TTL: 600
Type: SRV
Priority: 0
Weight: 100
Port: 88
Target: sv-98045.mc.TEST.intra
[DEBUG] Mon Jul 28 16:36:58 CEST 2008 jcsi.kerberos:
Record
Name: _kerberos._udp.MC.TEST.INTRA
Class: 1
TTL: 600
Type: SRV
Priority: 0
Weight: 100
Port: 88
Target: sv-98059.mc.TEST.intra
[DEBUG] Mon Jul 28 16:36:58 CEST 2008 jcsi.kerberos:
Record
Name: _kerberos._udp.MC.TEST.INTRA
Class: 1
TTL: 600
Type: SRV
Priority: 0
Weight: 100
Port: 88
Target: sv-98014.mc.TEST.intra
[DEBUG] Mon Jul 28 16:36:58 CEST 2008 jcsi.kerberos:
Record
Name: _kerberos._udp.MC.TEST.INTRA
Class: 1
TTL: 600
Type: SRV
Priority: 0
Weight: 100
Port: 88
Target: sv-00013.mc.TEST.intra
[DEBUG] Mon Jul 28 16:36:58 CEST 2008 jcsi.kerberos:
Record
Name: sv-98045.mc.TEST.intra
Class: 1
TTL: 1200
Type: A
IP Address: 192.168.3.22
[DEBUG] Mon Jul 28 16:36:58 CEST 2008 jcsi.kerberos:
Record
Name: sv-98059.mc.TEST.intra
Class: 1
TTL: 1200
Type: A
IP Address: 192.168.50.5
[DEBUG] Mon Jul 28 16:36:58 CEST 2008 jcsi.kerberos:
Record
Name: sv-98014.mc.TEST.intra
Class: 1
TTL: 1200
Type: A
IP Address: 192.168.4.6
[DEBUG] Mon Jul 28 16:36:58 CEST 2008 jcsi.kerberos:
Record
Name: sv-00013.mc.TEST.intra
Class: 1
TTL: 1200
Type: A
IP Address: 192.168.4.1
[DEBUG] Mon Jul 28 16:36:58 CEST 2008 jcsi.kerberos: Available KDC found: /192.168.4.1:88
[DEBUG] Mon Jul 28 16:36:58 CEST 2008 jcsi.kerberos: Sending message to KDC: /192.168.4.1:88
[DEBUG] Mon Jul 28 16:36:58 CEST 2008 jcsi.kerberos: Sending TCP request: /192.168.4.1:88
[DEBUG] Mon Jul 28 16:36:58 CEST 2008 jcsi.kerberos: connected; sending length and request...
[DEBUG] Mon Jul 28 16:36:58 CEST 2008 jcsi.kerberos: sent request; reading response length...
[DEBUG] Mon Jul 28 16:36:58 CEST 2008 jcsi.kerberos: read length; reading 298-byte response...
[DEBUG] Mon Jul 28 16:36:58 CEST 2008 jcsi.kerberos: --- got 298-byte response, initial byte = 0x7e
[DEBUG] Mon Jul 28 16:36:58 CEST 2008 jcsi.kerberos: Message sent sucessfully to KDC: /192.168.4.1:88
[DEBUG] Mon Jul 28 16:36:58 CEST 2008 jcsi.kerberos: ** KDC requires pre-authentication **
[DEBUG] Mon Jul 28 16:36:58 CEST 2008 jcsi.kerberos: Acceptable PA type: 11
[DEBUG] Mon Jul 28 16:36:58 CEST 2008 jcsi.kerberos: Acceptable PA type: 2
[DEBUG] Mon Jul 28 16:36:58 CEST 2008 jcsi.kerberos: Acceptable PA type: 15
[DEBUG] Mon Jul 28 16:36:58 CEST 2008 jcsi.kerberos: ETypeInfo:
EtypeInfoEntry:
etype: 23
salt:
EtypeInfoEntry:
etype: 3
salt: MC.TEST.INTRAHTTPSV-98072.MC.TEST.INTRA
EtypeInfoEntry:
etype: 1
salt: MC.TEST.INTRAHTTPSV-98072.MC.TEST.INTRA
[DEBUG] Mon Jul 28 16:36:58 CEST 2008 jcsi.kerberos: ** Adding encrypted timestamp pre-auth **
encryption type: 23
salt:
[DEBUG] Mon Jul 28 16:36:58 CEST 2008 jcsi.kerberos: ** Sending request to KDC .. **
[DEBUG] Mon Jul 28 16:36:58 CEST 2008 jcsi.kerberos: Resolving KDC for realm: MC.TEST.INTRA
[DEBUG] Mon Jul 28 16:36:58 CEST 2008 jcsi.kerberos: Available KDC found: /192.168.3.22:88
[DEBUG] Mon Jul 28 16:36:58 CEST 2008 jcsi.kerberos: Sending message to KDC: /192.168.3.22:88
[DEBUG] Mon Jul 28 16:36:58 CEST 2008 jcsi.kerberos: Sending TCP request: /192.168.3.22:88
[DEBUG] Mon Jul 28 16:37:19 CEST 2008 jcsi.kerberos: Message send unsuccessful to KDC: /192.168.3.22:88
[DEBUG] Mon Jul 28 16:37:19 CEST 2008 jcsi.kerberos: Resolving KDC for realm: MC.TEST.INTRA
[DEBUG] Mon Jul 28 16:37:19 CEST 2008 jcsi.kerberos: Available KDC found: /192.168.4.6:88
[DEBUG] Mon Jul 28 16:37:19 CEST 2008 jcsi.kerberos: Sending message to KDC: /192.168.4.6:88
[DEBUG] Mon Jul 28 16:37:19 CEST 2008 jcsi.kerberos: Sending TCP request: /192.168.4.6:88
[DEBUG] Mon Jul 28 16:37:19 CEST 2008 jcsi.kerberos: connected; sending length and request...
[DEBUG] Mon Jul 28 16:37:19 CEST 2008 jcsi.kerberos: sent request; reading response length...
[DEBUG] Mon Jul 28 16:37:19 CEST 2008 jcsi.kerberos: read length; reading 144-byte response...
[DEBUG] Mon Jul 28 16:37:19 CEST 2008 jcsi.kerberos: --- got 144-byte response, initial byte = 0x7e
[DEBUG] Mon Jul 28 16:37:19 CEST 2008 jcsi.kerberos: Message sent sucessfully to KDC: /192.168.4.6:88
28-07-08 16:37:19:628 - {ERROR} [localhost].[/InfoViewApp] Thread [Thread-1]; Exception starting filter authFilter
com.wedgetail.idm.sso.ConfigException: Could not validate com.wedgetail.idm.sso.password [caused by: com.dstc.security.kerberos.KerberosError: Server not found in Kerberos database]
at com.wedgetail.idm.sso.util.MemoryKeyTab.createKeyTab(MemoryKeyTab.java:109)
at com.wedgetail.idm.sso.util.Util.getKeyTab(Util.java:137)
at com.wedgetail.idm.sso.AbstractAuthenticator.initAuthenticator(AbstractAuthenticator.java:440)
at com.wedgetail.idm.sso.AuthFilter.init(AuthFilter.java:105)
at com.businessobjects.sdk.credential.WrappedResponseAuthFilter.init(WrappedResponseAuthFilter.java:56)
at org.apache.catalina.core.ApplicationFilterConfig.getFilter(ApplicationFilterConfig.java:223)
at org.apache.catalina.core.ApplicationFilterConfig.setFilterDef(ApplicationFilterConfig.java:304)
at org.apache.catalina.core.ApplicationFilterConfig.<init>(ApplicationFilterConfig.java:77)
at org.apache.catalina.core.StandardContext.filterStart(StandardContext.java:3634)
at org.apache.catalina.core.StandardContext.start(StandardContext.java:4217)
at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:759)
at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:739)
at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:524)
at org.apache.catalina.startup.HostConfig.deployDescriptor(HostConfig.java:608)
at org.apache.catalina.startup.HostConfig.deployDescriptors(HostConfig.java:535)
at org.apache.catalina.startup.HostConfig.deployApps(HostConfig.java:470)
at org.apache.catalina.startup.HostConfig.start(HostConfig.java:1122)
at org.apache.catalina.startup.HostConfig.lifecycleEvent(HostConfig.java:310)
at org.apache.catalina.util.LifecycleSupport.fireLifecycleEvent(LifecycleSupport.java:119)
at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1021)
at org.apache.catalina.core.StandardHost.start(StandardHost.java:718)
at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1013)
at org.apache.catalina.core.StandardEngine.start(StandardEngine.java:442)
at org.apache.catalina.core.StandardService.start(StandardService.java:450)
at org.apache.catalina.core.StandardServer.start(StandardServer.java:709)
at org.apache.catalina.startup.Catalina.start(Catalina.java:551)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:585)
at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:294)
at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:432)
Caused by: com.dstc.security.kerberos.KerberosError: Server not found in Kerberos database
at com.dstc.security.kerberos.Kerberos.getKrbASRepFromKDC(Kerberos.java:1165)
at com.dstc.security.kerberos.Kerberos.requestInitialTicket(Kerberos.java:914)
at com.wedgetail.idm.sso.util.MemoryKeyTab.createKeyTab(MemoryKeyTab.java:83)
... 31 more
Caused by:
com.dstc.security.kerberos.KerberosError: Server not found in Kerberos database
at com.dstc.security.kerberos.Kerberos.getKrbASRepFromKDC(Kerberos.java:1165)
at com.dstc.security.kerberos.Kerberos.requestInitialTicket(Kerberos.java:914)
at com.wedgetail.idm.sso.util.MemoryKeyTab.createKeyTab(MemoryKeyTab.java:83)
at com.wedgetail.idm.sso.util.Util.getKeyTab(Util.java:137)
at com.wedgetail.idm.sso.AbstractAuthenticator.initAuthenticator(AbstractAuthenticator.java:440)
at com.wedgetail.idm.sso.AuthFilter.init(AuthFilter.java:105)
at com.businessobjects.sdk.credential.WrappedResponseAuthFilter.init(WrappedResponseAuthFilter.java:56)
at org.apache.catalina.core.ApplicationFilterConfig.getFilter(ApplicationFilterConfig.java:223)
at org.apache.catalina.core.ApplicationFilterConfig.setFilterDef(ApplicationFilterConfig.java:304)
at org.apache.catalina.core.ApplicationFilterConfig.<init>(ApplicationFilterConfig.java:77)
at org.apache.catalina.core.StandardContext.filterStart(StandardContext.java:3634)
at org.apache.catalina.core.StandardContext.start(StandardContext.java:4217)
at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:759)
at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:739)
at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:524)
at org.apache.catalina.startup.HostConfig.deployDescriptor(HostConfig.java:608)
at org.apache.catalina.startup.HostConfig.deployDescriptors(HostConfig.java:535)
at org.apache.catalina.startup.HostConfig.deployApps(HostConfig.java:470)
at org.apache.catalina.startup.HostConfig.start(HostConfig.java:1122)
at org.apache.catalina.startup.HostConfig.lifecycleEvent(HostConfig.java:310)
at org.apache.catalina.util.LifecycleSupport.fireLifecycleEvent(LifecycleSupport.java:119)
at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1021)
at org.apache.catalina.core.StandardHost.start(StandardHost.java:718)
at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1013)
at org.apache.catalina.core.StandardEngine.start(StandardEngine.java:442)
at org.apache.catalina.core.StandardService.start(StandardService.java:450)
at org.apache.catalina.core.StandardServer.start(StandardServer.java:709)
at org.apache.catalina.startup.Catalina.start(Catalina.java:551)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:585)
at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:294)
at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:432)
28 Jul 2008 16:37:19 org.apache.catalina.core.StandardContext start
SEVERE: Error filterStart
28 Jul 2008 16:37:19 org.apache.catalina.core.StandardContext start
SEVERE: Context [/InfoViewApp] startup failed due to previous errors
Initializing Performance Management
done (2640)
Initializing Performance Manager
done (2047)
28 juil. 2008 16:37:32 org.apache.catalina.core.ApplicationContext log
INFO: action: Initializing configuration from resource path /WEB-INF/struts-config.xml
register('-//Apache Software Foundation//DTD Struts Configuration 1.0//EN',
'jar:file:/C:/Program%20Files/Business%20Objects/Tomcat55/webapps/Xcelsius/WEB-INF/lib/struts.jar!/org/apache/struts/resources/struts-config_1_0.dtd'
register('-//Sun Microsystems, Inc.//DTD Web Application 2.2//EN',
'jar:file:/C:/Program%20Files/Business%20Objects/Tomcat55/webapps/Xcelsius/WEB-INF/lib/struts.jar!/org/apache/struts/resources/web-app_2_2.dtd'
register('-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN',
'jar:file:/C:/Program%20Files/Business%20Objects/Tomcat55/webapps/Xcelsius/WEB-INF/lib/struts.jar!/org/apache/struts/resources/web-app_2_3.dtd'
resolveEntity('-//Apache Software Foundation//DTD Struts Configuration 1.0//EN', 'http://jakarta.apache.org/struts/dtds/struts-config_1_0.dtd')
Resolving to alternate DTD
'jar:file:/C:/Program%20Files/Business%20Objects/Tomcat55/webapps/Xcelsius/WEB-INF/lib/struts.jar!/org/apache/struts/resources/struts-config_1_0.dtd'
New org.apache.struts.action.ActionMapping
Set org.apache.struts.action.ActionMapping properties
New org.apache.struts.action.ActionForward
Set org.apache.struts.action.ActionForward properties
Call org.apache.struts.action.ActionMapping.addForward(ActionForward[default])
Pop org.apache.struts.action.ActionForward
Call org.apache.struts.action.ActionServlet.addMapping(ActionMapping[path=/Flash_FlashVars/flashvarsEdit,
type=com.businessobjects.clientaction.flash.flashvars.FlashVarsEditAction])
Pop org.apache.struts.action.ActionMapping
register('-//Apache Software Foundation//DTD Struts Configuration 1.0//EN',
'jar:file:/C:/Program%20Files/Business%20Objects/Tomcat55/webapps/Xcelsius/WEB-INF/lib/struts.jar!/org/apache/struts/resources/struts-config_1_0.dtd'
register('-//Sun Microsystems, Inc.//DTD Web Application 2.2//EN',
'jar:file:/C:/Program%20Files/Business%20Objects/Tomcat55/webapps/Xcelsius/WEB-INF/lib/struts.jar!/org/apache/struts/resources/web-app_2_2.dtd'
register('-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN',
'jar:file:/C:/Program%20Files/Business%20Objects/Tomcat55/webapps/Xcelsius/WEB-INF/lib/struts.jar!/org/apache/struts/resources/web-app_2_3.dtd'
Call org.apache.struts.action.ActionServlet.addServletMapping(DocumentDownload/java.lang.String,/opendoc/documentDownload/java.lang.String)
28 juil. 2008 16:37:32 org.apache.catalina.core.ApplicationContext log
INFO: action: Process servletName=DocumentDownload, urlPattern=/opendoc/documentDownload
Call org.apache.struts.action.ActionServlet.addServletMapping(action/java.lang.String,*.do/java.lang.String)
28 juil. 2008 16:37:32 org.apache.catalina.core.ApplicationContext log
INFO: action: Process servletName=action, urlPattern=*.do
28 juil. 2008 16:37:32 org.apache.catalina.core.ApplicationContext log
INFO: action: Mapping for servlet 'action' = '*.do'
28 juil. 2008 16:37:32 org.apache.catalina.core.ApplicationContext log
INFO: org.apache.webapp.balancer.BalancerFilter: init(): ruleChain: [org.apache.webapp.balancer.RuleChain:
[org.apache.webapp.balancer.rules.URLStringMatchRule: Target string: News / Redirect URL: http://www.cnn.com],
[org.apache.webapp.balancer.rules.RequestParameterRule: Target param name: paramName / Target param value: paramValue / Redirect URL: http://www.yahoo.com],
[org.apache.webapp.balancer.rules.AcceptEverythingRule: Redirect URL: http://jakarta.apache.org]]
28 juil. 2008 16:37:32 org.apache.catalina.core.ApplicationContext log
INFO: ContextListener: contextInitialized()
28 juil. 2008 16:37:32 org.apache.catalina.core.ApplicationContext log
INFO: SessionListener: contextInitialized()
28 juil. 2008 16:37:32 org.apache.catalina.core.ApplicationContext log
INFO: ContextListener: contextInitialized()
28 juil. 2008 16:37:32 org.apache.catalina.core.ApplicationContext log
INFO: SessionListener: contextInitialized()
28 Jul 2008 16:37:32 org.apache.coyote.http11.Http11BaseProtocol start
INFO: Starting Coyote HTTP/1.1 on http-8080
28 juil. 2008 16:37:33 org.apache.catalina.storeconfig.StoreLoader load
INFO: Find registry server-registry.xml at classpath resource
28 juil. 2008 16:37:33 org.apache.catalina.startup.Catalina start
INFO: Server startup in 56486 ms
A) It's usually a good idea to edit the logs removing customer specific info in the above logs
B) I see this KerberosError: Server not found in Kerberos database. This typically means that there is either a duplicated or missing SPN. The problem is it could be other things. At this point we would usually webex to check overall system config, and download several utilities for troubleshooting.
Since I can't do that the above is my best guess.
Regards,
Tim
The SPN should be http/FQDN and, using ktpass, would appear like http/FQDN@realm,
where the FQDN is host.prefix.domain.com and the realm is prefix.domain.com. It looks like you set this up with the hostname. An example of the principal would be http/myservername.child.domain.com@CHILD.DOMAIN.COM; anything after the @ must be in all caps for Java AD.
Well, this is where it would be best to have a support rep.
In some cases we may need to packet scan with Wireshark or Netmon (http://www.wireshark.org/download.html); in other cases we may need to search out duplicate SPNs with a tool such as AD Explorer (http://technet.microsoft.com/en-us/sysinternals/bb963907).
regards,
Tim
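The two SPN checks Tim describes above (an SPN built from the short host name instead of the FQDN, and the same SPN registered on more than one account) can be scripted instead of eyeballed in AD Explorer. The block below is an added example, not code from this thread or from Business Objects: it parses the text that `setspn -L <account>` prints, constructed here inline for three accounts in the thread's XM.TEST.INTRA lab, flags service-account SPNs whose host part is not an FQDN inside the realm's DNS domain, checks that the HTTP/FQDN SPN the web tier needs is present, and reports SPNs that more than one account claims (AD compares SPNs case-insensitively). The `svc_old` account and every SPN line in the sample are invented for the illustration.

```python
import re
from collections import defaultdict

# Constructed sample of what "setspn -L <account>" prints, concatenated for
# three accounts (added example; accounts, hosts and SPNs are invented to
# match the thread's XM.TEST.INTRA lab and are not from a real domain).
SETSPN_DUMP = """\
Registered ServicePrincipalNames for CN=bo_admin_xir3,CN=Users,DC=xm,DC=test,DC=intra:
        BOBJCentralMS/S-98072.xm.test.intra
        HTTP/S-98072.xm.test.intra
        BOE120SIAS98072/S-98072
Registered ServicePrincipalNames for CN=S-98072,CN=Computers,DC=xm,DC=test,DC=intra:
        HOST/S-98072.xm.test.intra
        HOST/S-98072
        http/s-98072.xm.test.intra
Registered ServicePrincipalNames for CN=svc_old,CN=Users,DC=xm,DC=test,DC=intra:
        BOBJCentralMS/S-98072.xm.test.intra
"""

SERVICE_ACCOUNT = "CN=bo_admin_xir3,CN=Users,DC=xm,DC=test,DC=intra"
DNS_DOMAIN = "xm.test.intra"


def parse_setspn(text):
    """Map each account DN to the SPNs listed under it in setspn -L output."""
    spns, account = {}, None
    for line in text.splitlines():
        m = re.match(r"^Registered ServicePrincipalNames for (.+):$", line)
        if m:
            account = m.group(1)
            spns[account] = []
        elif line.strip() and account is not None:
            spns[account].append(line.strip())
    return spns


def find_duplicates(spns):
    """SPNs that more than one account claims.  AD compares SPNs
    case-insensitively; a duplicate leaves the KDC unable to pick the
    right key, and the client sees ticket errors for that service."""
    owners = defaultdict(list)
    for account, names in spns.items():
        for spn in names:
            owners[spn.lower()].append(account)
    return {spn: accts for spn, accts in owners.items() if len(accts) > 1}


SPN_RE = re.compile(r"^([^/]+)/([^/:]+)(?::\d+)?(?:/.+)?$")


def lint_spn(spn, dns_domain):
    """Format checks for a service-account SPN: service/host[:port][/name],
    with host a fully qualified name inside the realm's DNS domain."""
    m = SPN_RE.match(spn)
    if not m:
        return [f"{spn}: not of the form service/host[:port][/name]"]
    host = m.group(2)
    if "." not in host:
        return [f"{spn}: host part is a short name, expected an FQDN"]
    if not host.lower().endswith("." + dns_domain.lower()):
        return [f"{spn}: host is outside {dns_domain}"]
    return []


def check_service_account(spns, account, dns_domain, fqdn):
    """Problems on one service account: malformed SPNs, a missing
    HTTP/FQDN SPN for the web tier, and SPNs also registered elsewhere."""
    problems = []
    mine = spns.get(account, [])
    for spn in mine:
        problems.extend(lint_spn(spn, dns_domain))
    if f"http/{fqdn}".lower() not in {s.lower() for s in mine}:
        problems.append(f"no HTTP/{fqdn} SPN on {account}")
    for spn, accts in find_duplicates(spns).items():
        if account in accts:
            others = [a for a in accts if a != account]
            problems.append(f"{spn} is also registered on {', '.join(others)}")
    return problems


if __name__ == "__main__":
    report = check_service_account(parse_setspn(SETSPN_DUMP), SERVICE_ACCOUNT,
                                   DNS_DOMAIN, "S-98072.xm.test.intra")
    print("\n".join(report) or "no SPN problems found")
```

On a live domain, feed it the concatenated `setspn -L` output for the service account and for the BO server's computer account, since the computer object is the usual second owner of an HTTP/ SPN; newer setspn builds also offer `setspn -X` to list duplicates directly. The short-name check is deliberately applied only to the service account, because a computer account legitimately carries both HOST/name and HOST/name.fqdn.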
Hi Tim,
Maybe the problem comes from the krbrealm.con file.
Currently the file is as follow:
MC.TEST.INTRA MC.TEST.INTRA
.MC.TEST.INTRA .MC.TEST.INTRA
.MIT.EDU ATHENA.MIT.EDU
.MIT.EDU. ATHENA.MIT.EDU
MIT.EDU ATHENA.MIT.EDU
.WHOI.EDU ATHENA.MIT.EDU
.WHOI.EDU. ATHENA.MIT.EDU
.PFC.MIT.EDU ATHENA.MIT.EDU
.PFC.MIT.EDU. ATHENA.MIT.EDU
.PSFC.MIT.EDU ATHENA.MIT.EDU
.PSFC.MIT.EDU. ATHENA.MIT.EDU
.MEDIA.MIT.EDU MEDIA-LAB.MIT.EDU
MEDIA.MIT.EDU. MEDIA-LAB.MIT.EDU
.UCSC.EDU CATS.UCSC.EDU
.UCSC.EDU. CATS.UCSC.EDU
CYGNUS.COM CYGNUS.COM
CYGNUS.COM. CYGNUS.COM
PANIX.COM PANIX.COM
NETGEN.COM NETGEN.COM
.FS.ANDREW.CMU.EDU ANDREW.CMU.EDU
.FS.ANDREW.CMU.EDU. ANDREW.CMU.EDU
.SRV.CS.CMU.EDU CS.CMU.EDU
.SRV.CS.CMU.EDU. CS.CMU.EDU
Can you please check the first 2 rows and let me know if it's ok?
Thanks
Nicolas
Well the client tools don't use java so something is still wrong. If kinit works we will need the verbose tracing turned on to see what
Now, it works on both Infoview and CMC!
I didn't modify the appropriate web.xml; the correct path was:
C:\Program Files\Business Objects\Tomcat55\webapps\InfoViewApp\WEB-INF
The only remaining wish is to auto-connect users with their Windows AD auth.
I guess all operations must be done in the web.xml file?
Am I right?
So when logging in, anything entered after an @ symbol must be in all CAPS: user@DOMAIN.COM
If the DOMAIN is not in all CAPS in the krb5 and CMC, then you will get "cannot find KDC for realm".
Ok, now I have a ticket generated for the user BO_Admin_XIR3:
C:\Program Files\Business Objects\javasdk\bin>kinit BO_Admin_xir3@XM.TEST.INTRA
Password for BO_Admin_xir3@XM.TEST.INTRA: xxxxx
New ticket is stored in cache file C:\Documents and Settings\BO_Admin_XIR3\krb5cc_BO_Admin_XIR3
When I connect to Deski with windows AD auth. and a user belonging to the group authorized to use BO, it works.
But when I try to connect to InfoView via IE, I don't see the authentication type, even though I have modified the file:
C:\Program Files\Business Objects\BusinessObjects Enterprise 12.0\warfiles\WebApps\InfoViewApp\WEB-INF\web.xml
It works now for the CMC but not in InfoView; there is no authentication option below the password field.
Also, we would like to auto-log in the CMC & Infoview (without typing any password, just using the Windows AD).
I have modified the web.xml located in the folder:
C:\Program Files\Business Objects\BusinessObjects Enterprise 12.0\warfiles\WebApps\InfoViewApp\WEB-INF
In this way:
<!-- ==================== -->
<!-- Customizable options -->
<!-- ==================== -->
<!-- You can specify the default CMS machine name here -->
<!-- Put your CMS name inside <param-value> </param-value> -->
<!-- eg. <context-param> -->
<!-- <param-name>cms.default</param-name> -->
<!-- <param-value>CrystalMS</param-value> -->
<!-- eg. </context-param> -->
<context-param>
<param-name>cms.default</param-name>
<param-value>SV-98072:6400</param-value>
</context-param>
<!-- Choose whether to let the user change the CMS name -->
<!-- If it isn't shown the default System from above will be used -->
<context-param>
<param-name>cms.visible</param-name>
<param-value>false</param-value>
</context-param>
<!-- You can specify the default Authentication types here -->
<!-- secEnterprise, secLDAP, secWinAD, secSAPR3 -->
<context-param>
<param-name>authentication.default</param-name>
<param-value>secWinAD</param-value>
</context-param>
<!-- Choose whether to let the user change the authentication type -->
<!-- If it isn't shown the default authentication type from above will be used -->
<context-param>
<param-name>authentication.visible</param-name>
<param-value>true</param-value>
</context-param>
<!-- The default home page -->
<context-param>
<param-name>homepage.default</param-name>
<param-value>/jsp/listing/home.jsp</param-value>
</context-param>
<!-- If the locale preference is disabled (only english languages will be used/allowed) -->
<context-param>
<param-name>disable.locale.preference</param-name>
<param-value>false</param-value>
</context-param>
But it still does not allow me to log in with AD...
"but of course the Windows AD did not work"
That doc includes tracing information for tomcat, can you give us the error message.
Also have you created the bsclogin and krb5?
I have created on the S-98072 machine the file bscLogin.conf in the folder WINNT (created too) with the following:
com.businessobjects.security.jgss.initiate {
com.sun.security.auth.module.Krb5LoginModule required;
};
I have also created the krb5.ini file with the following:
[libdefaults]
default_realm = XM.TEST.INTRA
dns_lookup_kdc = true
dns_lookup_realm = true
krb4_config = /usr/kerberos/lib/krb.conf
krb4_realms = /usr/kerberos/lib/krb.realms
[realms]
XM.TEST.INTRA = {
kdc = S-00001.XM.TEST.INTRA
kdc = S-98072.XM.TEST.INTRA
default_domain = XM.TEST.INTRA
}
ATHENA.MIT.EDU = {
admin_server = KERBEROS.MIT.EDU
default_domain = MIT.EDU
v4_instance_convert = {
mit = mit.edu
lithium = lithium.lcs.mit.edu
}
}
ANDREW.CMU.EDU = {
admin_server = vice28.fs.andrew.cmu.edu
}
# use "kdc =" if realm admins haven't put SRV records into DNS
GNU.ORG = {
kdc = kerberos.gnu.org
kdc = kerberos-2.gnu.org
admin_server = kerberos.gnu.org
}
[domain_realm]
xm.test.intra = XM.TEST.INTRA
.test.intra = TEST.INTRA
.mit.edu = ATHENA.MIT.EDU
mit.edu = ATHENA.MIT.EDU
.media.mit.edu = MEDIA-LAB.MIT.EDU
media.mit.edu = MEDIA-LAB.MIT.EDU
.ucsc.edu = CATS.UCSC.EDU
[logging]
# kdc = CONSOLE
You may want to simplify that krb5.ini:
[libdefaults]
default_realm = XM.TEST.INTRA
dns_lookup_kdc = true
dns_lookup_realm = true
udp_preference_limit = 1
[realms]
XM.TEST.INTRA = {
kdc = S-00001.XM.TEST.INTRA
kdc = S-98072.XM.TEST.INTRA
default_domain = XM.TEST.INTRA
}
Make sure the default domain in the CMC is XM.TEST.INTRA too, and that the service account and server are in that domain.
Use the doc above to trace Tomcat and test the krb5/bscLogin with kinit.
Also, after "required;" in the bscLogin, change to "required debug=true;". I don't believe this tracing option is in the admin guide.
Regards,
Tim
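Tim's simplified krb5.ini above, and the point made earlier in the thread that everything after the @ must be upper case, can both be checked mechanically before another round of Tomcat tracing. The block below is an added example, not code from this thread or from Business Objects: a small parser for the krb5.ini profile format (bracketed sections, key = value pairs, and the NAME = { ... } realm blocks), a lint that flags the mistakes seen in this thread (a lower-case realm name, no realm block for default_realm, a realm block with no kdc while DNS lookup is off, and domain_realm entries that point at an undefined realm), and a helper that upper-cases the realm part of a user@realm principal before it is handed to kinit. The two embedded krb5.ini texts are constructed from the XM.TEST.INTRA values in the thread; the lower-case variant reproduces the "Cannot get kdc for realm xm.test.intra" situation.

```python
import re

# Constructed sample in the simplified form suggested in the thread
# (added example; realm and KDC names are the thread's XM.TEST.INTRA lab).
GOOD_KRB5_INI = """\
[libdefaults]
default_realm = XM.TEST.INTRA
dns_lookup_kdc = true
dns_lookup_realm = true
udp_preference_limit = 1

[realms]
XM.TEST.INTRA = {
kdc = S-00001.XM.TEST.INTRA
default_domain = XM.TEST.INTRA
}

[domain_realm]
.xm.test.intra = XM.TEST.INTRA
xm.test.intra = XM.TEST.INTRA
"""

# The same file with the realm typed in lower case: the mistake behind
# "Cannot get kdc for realm xm.test.intra" in the kinit output earlier.
BAD_KRB5_INI = GOOD_KRB5_INI.replace("XM.TEST.INTRA", "xm.test.intra")


def parse_krb5(text):
    """Parse the krb5.ini profile format into nested dicts: [section]
    headers, key = value pairs and NAME = { ... } sub-blocks.  Repeated
    keys (several "kdc =" lines) become a list; '#'/';' start comments."""
    conf, section, block = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.match(r"^\[(\w+)\]$", line)
        if m:
            section = conf.setdefault(m.group(1), {})
            block = None
            continue
        if section is None:
            # A header without brackets ("libdefaults") lands here.
            raise ValueError(f"value outside any [section]: {line!r}")
        if line == "}":
            block = None
            continue
        m = re.match(r"^(\S+)\s*=\s*(.*)$", line)
        if not m:
            raise ValueError(f"unparseable line: {line!r}")
        key, value = m.group(1), m.group(2).strip()
        if value == "{":
            block = section.setdefault(key, {})
            continue
        target = block if block is not None else section
        target.setdefault(key, []).append(value)
    return conf


def check_krb5(conf):
    """Return the problems a Java Kerberos client (kinit, Krb5LoginModule)
    would trip over; an empty list means every check passed."""
    problems = []
    libdefaults = conf.get("libdefaults", {})
    realms = conf.get("realms", {})
    default_realm = libdefaults.get("default_realm", [None])[0]
    if default_realm is None:
        return ["[libdefaults] has no default_realm"]
    if default_realm != default_realm.upper():
        problems.append(f"default_realm {default_realm!r} is not all upper case; "
                        "Java matches realm names case-sensitively")
    realm = realms.get(default_realm)
    if not isinstance(realm, dict):
        problems.append(f"[realms] has no block for {default_realm!r}")
    else:
        dns = libdefaults.get("dns_lookup_kdc", ["false"])[0].lower() == "true"
        if "kdc" not in realm and not dns:
            problems.append(f"realm {default_realm!r} lists no kdc and "
                            "dns_lookup_kdc is off, so no KDC can be found")
    for name in realms:
        if name != name.upper():
            problems.append(f"realm block {name!r} is not all upper case")
    for domain, mapped in conf.get("domain_realm", {}).items():
        for r in mapped:
            if r not in realms:
                problems.append(f"[domain_realm] maps {domain!r} to undefined realm {r!r}")
    return problems


def fix_principal(principal):
    """Upper-case the realm part of user@realm before handing it to kinit
    or a JAAS login; returns (fixed_principal, changed)."""
    if "@" not in principal:
        return principal, False
    user, realm = principal.rsplit("@", 1)
    fixed = f"{user}@{realm.upper()}"
    return fixed, fixed != principal
```

Run `check_krb5(parse_krb5(open(r"C:\WINNT\krb5.ini").read()))` on the real file; the parser also rejects a section header written without brackets, which is what the forum did to Tim's `libdefaults` and `realms` lines above, so copying that text verbatim into a krb5.ini would fail this check before it ever reached Tomcat.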
I have checked on the CMC the CMC Name is :
S98072.CentralManagementServer (S-98072.xm.test.intra:6400)
I have checked with the kinit command and I obtain an error:
C:\Program Files\Business Objects\javasdk\bin>kinit BO_Admin_XIR3@xm.test.intra
Password for BO_Admin_XIR3@xm.test.intra: xxxxx
Exception: krb_error 0 Cannot get kdc for realm xm.test.intra No error
KrbException: Cannot get kdc for realm xm.test.intra
at sun.security.krb5.KrbKdcReq.send(KrbKdcReq.java:133)
at sun.security.krb5.KrbKdcReq.send(KrbKdcReq.java:106)
at sun.security.krb5.internal.tools.Kinit.sendASRequest(Kinit.java:300)
at sun.security.krb5.internal.tools.Kinit.<init>(Kinit.java:239)
at sun.security.krb5.internal.tools.Kinit.main(Kinit.java:106)
"Delegation in BO_Admin_XIR3 properties is not visible"
This could mean that your AD is 2000; in that case the doc should have shown you the checkbox option, which is always available. If it's 2003, then the account likely doesn't have an SPN yet.
Are you using this doc?
http://help.sap.com/businessobject/product_guides/boexir3/en/xi3_bip_admin_en.pdf
regards,
Tim
Hi Tim,
The domain controller OS is Windows 2003, so the AD should be 2003.
I am using the doc you mention, but for this part it seems it's just a copy/paste of the R2 doc.
You can see the command is:
SETSPN.exe -A BOBJCentralMS/NAME serviceaccount
But in BO 3.0, the service name is different...
Thanks
Regards,
Nicolas
Here are the tabs available for the account BO_Admin_XIR3:
From the upper left to the bottom right:
"Published Certificates", "Member Of", "Dial-in", "Object", "Security",
"Environment", "Sessions", "Remote Control", "Terminal Services Profile", "COM+",
"General", "Address", "Account", "Profile", "Telephones", "Organization"
Hope it will help
Regards,
Nicolas
Hi Nicolas,
I can help you if you can give me complete configuration details.
OS :
Web Server if any :
App Server :
DOMAIN NAME :
FQDN OF BO XI MACHINE :
Regards.
Simon
Hi Simon,
Here are the details:
- OS: Windows 2003 server R2 on both domain controller and BO Server.
- Tomcat 5.5.20 (BO 3.0 doesn't have IIS)
- Domain controller name : S-00001
- Business Objects server name: S-98072
- Domain Name : xm.test.intra
- FQDN of BO machine : S-98072.xm.test.intra
Just for info the Server Intelligence Agent service name is : BOE120SIAS98072
I hope there are all the needed details.
Thanks for your help!
Regards,
Nicolas
Edited by: Nicolas Vigouroux on Jul 24, 2008 2:22 PM
Edited by: Nicolas Vigouroux on Jul 24, 2008 2:26 PM