on 04-05-2018 4:25 PM
Credential
client: boeuser2@WAR.COM
session key: [23, 23 db 9d ba bd 47 c3 ad d6 9d 87 a5 95 60 ca 7a ]
service principal: krbtgt/WAR.COM@WAR.COM
valid from: Thu Apr 05 11:28:45 UTC 2018
valid till: Thu Apr 05 21:28:45 UTC 2018
renewable till: Thu Apr 12 11:28:45 UTC 2018
Ticket:
encryption type: 23
key version num: 2
service principal: krbtgt/WAR.COM@WAR.COM
ticket flags: forwardable forwarded renewable preauthent
valid for: all addresses
++++++++++++++++++++++++++++
[DEBUG] Thu Apr 05 14:05:50 UTC 2018 jcsi.kerberos: ** creating application response .. **
with key
[23, ab c1 a9 e3 e8 73 45 d6 a4 3b d2 9a 53 27 2d ce ]
[DEBUG] Thu Apr 05 14:05:50 UTC 2018 jcsi.kerberos: created application response:
++++ KRB-AP-REP Message ++++
encryption type: 23
sequence number: 69992197
sub session key: null
client time: Thu Apr 05 14:05:49 UTC 2018
cusec: 3291
++++++++++++++++++++++++++++
com.crystaldecisions.sdk.exception.SDKException$InvalidArg: The argument has an invalid value null (FWM 02024)
at com.crystaldecisions.sdk.occa.security.internal.SecuritySession.decodeSerializedSession(SecuritySession.java:931)
If the CMS is on Linux it cannot support Kerberos SSO, so what method are you using? You can still use the Microsoft SPNEGO to capture the username, trusted auth remote user to use it to log on, and map groups in LDAP to provide account synchronization. That error seems to indicate that the user attempting SSO is not able to delegate; however, more information would need to be known for full context, such as the current configuration.
Below is the standard AD SSO config for non-Windows BI servers. Also note that you should edit your post to remove specific usernames and info about your organization.
https://apps.support.sap.com/sap/support/knowledge/preview/en/1965433
-Tim
Hi Daniel
I am having exactly the same issue on AIX. Did you manage to document the change that proved successful?
Thanks
Matt
There is no successful Kerberos logon on a non-Windows OS. The AD plugin that integrates with Microsoft Kerberos is not available in the product. If you want to log on with AD / Kerberos then you must run your CMSs on Windows.
There are other methods, such as the one explained here, to allow AD SSO into the product, but it is not Kerberos; it's called trusted authentication: https://apps.support.sap.com/sap/support/knowledge/preview/en/1965433
-Tim
Matt,
I don't remember exactly but it was one of the settings in one of the webapps properties files (global.properties?). There aren't that many, I had a duplicate setting at the bottom of the file that had no value. I have the entire setup documented and would be more than happy to send it to you if I could figure out how to do so without making it public.
These are the settings that I have for the properties file(s):
Vintela BOE
sso.types.and.order=trustedVintela bilaunchpad.properties
siteminder.enabled=false global.properties
sso.enabled=true global.properties
vintela.enabled=true global.properties
idm.realm=WAR.COM global.properties
idm.princ=bosso_svc_acct global.properties
idm.allowS4U=true global.properties
idm.password=War1 global.properties
idm.allow.Unsecured=true global.properties
idm.allowNTLM=false global.properties
idm.logger.name=simple global.properties
idm.logger.props=error-log.properties global.properties
idm.keytab=/etc/krb5.keytab global.properties
- Another issue I had with Kerberos was that when I removed the idm.password setting (to allow it to use the Kerberos password) it wouldn't work. If I remember correctly it was an encryption error. I believe that the Windows-generated krb5.keytab might be incompatible with Linux. I had the server generate the keytab for me and then it worked without the embedded password.
1) list principals and encryption types in current key tab:
[root@BOEHOST etc]# klist -e -k krb5.keytab
Keytab name: FILE:krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
11 bosso_svc_acct@WAR.COM (des-cbc-crc)
11 bosso_svc_acct@WAR.COM (des-cbc-md5)
11 bosso_svc_acct@WAR.COM (arcfour-hmac)
11 bosso_svc_acct@WAR.COM (aes256-cts-hmac-sha1-96)
11 bosso_svc_acct@WAR.COM (aes128-cts-hmac-sha1-96)
2) get credentials from domain server:
[root@BOEHOST etc]# kinit bosso_svc_acct
Password for bosso_svc_acct@WAR.COM:
3) list obtained credential and encryption type:
[root@BOEHOST etc]# klist -e
Ticket cache: KEYRING:persistent:0:0
Default principal: bosso_svc_acct@WAR.COM
Valid starting Expires Service principal
04/12/2018 00:57:24 04/12/2018 10:57:24 krbtgt/WAR.COM@WAR.COM
renew until 04/19/2018 00:57:19, Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
4) have server create me a keytab (rename current keytab as backup)
net ads keytab create -k
5) list principals and encryption types in current key tab: (BIG DIFFERENCE!)
--- worked with unembedded service name password with this new keytab file!
[root@BOEHOST etc]# klist -ke krb5.keytab
Keytab name: FILE:krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
11 bosso_svc_acct@WAR.COM (des-cbc-crc)
11 bosso_svc_acct@WAR.COM (des-cbc-md5)
11 bosso_svc_acct@WAR.COM (arcfour-hmac)
11 bosso_svc_acct@WAR.COM (aes256-cts-hmac-sha1-96)
11 bosso_svc_acct@WAR.COM (aes128-cts-hmac-sha1-96)
2 host/boehost.war.com@WAR.COM (des-cbc-crc)
2 host/boehost@WAR.COM (des-cbc-crc)
2 host/boehost.war.com@WAR.COM (des-cbc-md5)
2 host/boehost@WAR.COM (des-cbc-md5)
2 host/boehost.war.com@WAR.COM (aes128-cts-hmac-sha1-96)
2 host/boehost@WAR.COM (aes128-cts-hmac-sha1-96)
2 host/boehost.war.com@WAR.COM (aes256-cts-hmac-sha1-96)
2 host/boehost@WAR.COM (aes256-cts-hmac-sha1-96)
2 host/boehost.war.com@WAR.COM (arcfour-hmac)
2 host/boehost@WAR.COM (arcfour-hmac)
2 BOEHOST$@WAR.COM (des-cbc-crc)
2 BOEHOST$@WAR.COM (des-cbc-md5)
2 BOEHOST$@WAR.COM (aes128-cts-hmac-sha1-96)
2 BOEHOST$@WAR.COM (aes256-cts-hmac-sha1-96)
2 BOEHOST$@WAR.COM (arcfour-hmac)
2 bosso_svc_acct/boehost.war.com@WAR.COM (des-cbc-crc)
2 bosso_svc_acct/boehost@WAR.COM (des-cbc-crc)
2 bosso_svc_acct/boehost.war.com@WAR.COM (des-cbc-md5)
2 bosso_svc_acct/boehost@WAR.COM (des-cbc-md5)
2 bosso_svc_acct/boehost.war.com@WAR.COM (aes128-cts-hmac-sha1-96)
2 bosso_svc_acct/boehost@WAR.COM (aes128-cts-hmac-sha1-96)
2 bosso_svc_acct/boehost.war.com@WAR.COM (aes256-cts-hmac-sha1-96)
2 bosso_svc_acct/boehost@WAR.COM (aes256-cts-hmac-sha1-96)
2 bosso_svc_acct/boehost.war.com@WAR.COM (arcfour-hmac)
2 bosso_svc_acct/boehost@WAR.COM (arcfour-hmac)
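Two checks for the failure modes Daniel's post describes, as an added example (not code from this thread, from SAP, or from the Vintela/jcsi product): first, whether the keytab holds a key for the service principal with the encryption type and key version the KDC actually issues (the comparison he makes by hand between `klist -ke krb5.keytab` and `klist -e`), and second, whether a `.properties` file defines a key twice so that an empty trailing definition silently overrides the real one, which is how `java.util.Properties` behaves (last definition wins). The keytab listing, the properties file, the realm EXAMPLE.COM and the principal svc_acct below are constructed placeholders that only copy the output shape shown above.

```python
"""Added example: keytab and .properties sanity checks for Kerberos SSO.
Not from the thread or the product; all sample input is constructed."""
import re
from collections import defaultdict

# Kerberos encryption type numbers (RFC 3961 / RFC 4757) as printed in the
# jcsi debug log ("encryption type: 23"), mapped to the names klist prints.
ETYPE_NAMES = {
    1: "des-cbc-crc",
    3: "des-cbc-md5",
    17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96",
    23: "arcfour-hmac",
}
# DES and RC4 keys still present in a keytab are worth flagging.
WEAK_ETYPES = {"des-cbc-crc", "des-cbc-md5", "arcfour-hmac"}

# One data line of `klist -ke`: "<kvno> <principal> (<enctype>)"
KEYTAB_LINE = re.compile(r"^\s*(\d+)\s+(\S+)\s+\((\S+)\)\s*$")
# One data line of a Java .properties file: "key=value" or "key:value"
PROP_LINE = re.compile(r"^([^=:\s]+)\s*[=:]?\s*(.*)$")


def parse_keytab_listing(text):
    """Turn `klist -ke` output into {principal: {enctype: kvno}}."""
    entries = defaultdict(dict)
    for line in text.splitlines():
        m = KEYTAB_LINE.match(line)
        if m:
            entries[m.group(2)][m.group(3)] = int(m.group(1))
    return dict(entries)


def check_keytab(entries, principal, etype_number, expected_kvno=None):
    """Explain why a ticket of this etype/kvno could not be decrypted with
    the keytab; an empty list means the keytab can serve it."""
    etype = ETYPE_NAMES.get(etype_number, f"etype {etype_number}")
    keys = entries.get(principal)
    if keys is None:
        return [f"{principal}: not present in keytab"]
    if etype not in keys:
        return [f"{principal}: no key of type {etype} in keytab"]
    if expected_kvno is not None and keys[etype] != expected_kvno:
        return [f"{principal}: keytab kvno {keys[etype]} != ticket kvno {expected_kvno}"]
    return []


def weak_keys(entries):
    """(principal, enctype) pairs whose key uses DES or RC4."""
    return sorted((p, e) for p, ks in entries.items() for e in ks if e in WEAK_ETYPES)


def parse_properties(text):
    """Every definition of every key, in file order (comments skipped)."""
    defs = defaultdict(list)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        m = PROP_LINE.match(line)
        if m:
            defs[m.group(1)].append(m.group(2).strip())
    return dict(defs)


def duplicate_keys(defs):
    """Keys defined more than once, with the value Java would use (the last
    one), so that an empty trailing override becomes visible."""
    return {k: {"all": v, "effective": v[-1]} for k, v in defs.items() if len(v) > 1}


# Constructed sample input; shape copied from klist and global.properties.
SAMPLE_KEYTAB = """Keytab name: FILE:krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
  11 svc_acct@EXAMPLE.COM (des-cbc-crc)
  11 svc_acct@EXAMPLE.COM (arcfour-hmac)
  11 svc_acct@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   2 host/boehost.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
"""

SAMPLE_PROPS = """# global.properties (constructed)
sso.enabled=true
vintela.enabled=true
idm.realm=EXAMPLE.COM
idm.princ=svc_acct
idm.keytab=/etc/krb5.keytab
idm.keytab=
"""

if __name__ == "__main__":
    kt = parse_keytab_listing(SAMPLE_KEYTAB)
    # 23 is the etype in the jcsi log above; 18 is the TGT etype from klist -e.
    for etype in (23, 18, 17):
        print(etype, check_keytab(kt, "svc_acct@EXAMPLE.COM", etype, 11) or "ok")
    print("weak keys:", weak_keys(kt))
    print("duplicates:", duplicate_keys(parse_properties(SAMPLE_PROPS)))
```

Run it against the real output of `klist -ke /etc/krb5.keytab` and the `kvno` and `encryption type` values from the jcsi debug log; a non-empty result from `check_keytab` is the mismatch that produces the "encryption error" Daniel mentions, and a duplicate with an empty `effective` value is the stray setting at the bottom of the file he describes.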
Thank you Tim. I forgot that I had submitted this question. The answer was a setting in one of the properties files (I don't remember which one).
SSO into CMC/BI via Kerberos is working now. I'm documenting the entire process. I'd be more than happy to send you the doc when I am finished.