Can you give any clues to crystal exception during kerberos sso attempt into cms on linux?

Former Member
0 Kudos

Credential
client: boeuser2@WAR.COM
session key: [23, 23 db 9d ba bd 47 c3 ad d6 9d 87 a5 95 60 ca 7a ]
service principal: krbtgt/WAR.COM@WAR.COM
valid from: Thu Apr 05 11:28:45 UTC 2018
valid till: Thu Apr 05 21:28:45 UTC 2018
renewable till: Thu Apr 12 11:28:45 UTC 2018
Ticket:
encryption type: 23
key version num: 2
service principal: krbtgt/WAR.COM@WAR.COM
ticket flags: forwardable forwarded renewable preauthent
valid for: all addresses
++++++++++++++++++++++++++++
[DEBUG] Thu Apr 05 14:05:50 UTC 2018 jcsi.kerberos: ** creating application response .. **
with key
[23, ab c1 a9 e3 e8 73 45 d6 a4 3b d2 9a 53 27 2d ce ]
[DEBUG] Thu Apr 05 14:05:50 UTC 2018 jcsi.kerberos: created application response:

++++ KRB-AP-REP Message ++++
encryption type: 23
sequence number: 69992197
sub session key: null
client time: Thu Apr 05 14:05:49 UTC 2018
cusec: 3291
++++++++++++++++++++++++++++
com.crystaldecisions.sdk.exception.SDKException$InvalidArg: The argument has an invalid value null (FWM 02024)
at com.crystaldecisions.sdk.occa.security.internal.SecuritySession.decodeSerializedSession(SecuritySession.java:931)

Accepted Solutions (1)

BasicTek
Active Contributor

If the CMS is on Linux it cannot support kerberos SSO, what method are you using? You can still use the Microsoft spnego to capture the username, trusted auth remote user to use it to logon, and map groups in LDAP to provide account synchronization. That error seems to indicate that the user attempting SSO is not able to delegate, however more information would need to be known for full context, such as current configuration.

Below is the standard AD SSO config for non Windows BI servers. Also to note you should edit your post to remove specific usernames and info about your organization

https://apps.support.sap.com/sap/support/knowledge/preview/en/1965433

-Tim

Answers (2)

0 Kudos

Hi Daniel

I am having exactly the same issue on AIX, did you manage to document the change that proved successful?

Thanks

Matt

BasicTek
Active Contributor
0 Kudos

There is no successful kerberos logon on non windows OS. The AD plugin that integrated with Microsoft kerberos is not available in the product. If you want to logon with AD / Kerberos then you must run your CMS's on windows.

There are other methods such as explained here to allow AD SSO into the product but it is not kerberos, it's called trusted authentication: https://apps.support.sap.com/sap/support/knowledge/preview/en/1965433

-Tim

Former Member
0 Kudos

Matt,

I don't remember exactly but it was one of the settings in one of the webapps properties files (global.properties?). There aren't that many, I had a duplicate setting at the bottom of the file that had no value. I have the entire setup documented and would be more than happy to send it to you if I could figure out how to do so without making it public.

Former Member
0 Kudos

These are the settings that I have for the properties file(s)

Vintela BOE

setting                                   file
sso.types.and.order=trustedVintela        bilaunchpad.properties
siteminder.enabled=false                  global.properties
sso.enabled=true                          global.properties
vintela.enabled=true                      global.properties
idm.realm=WAR.COM                         global.properties
idm.princ=bosso_svc_acct                  global.properties
idm.allowS4U=true                         global.properties
idm.password=War1                         global.properties
idm.allow.Unsecured=true                  global.properties
idm.allowNTLM=false                       global.properties
idm.logger.name=simple                    global.properties
idm.logger.props=error-log.properties     global.properties
idm.keytab=/etc/krb5.keytab               global.properties

- another issue I had with kerberos was when I removed the idm.password setting (to allow it to use kerberos password) it wouldn't work. If I remember correctly it was an encryption error. I believe that the windows generated krb5.keytab might be incompatible with Linux. I had the server generate the keytab for me and then it worked without the embedded password.

1) list principals and encryption types in current key tab:

[root@BOEHOST etc]# klist -e -k krb5.keytab
Keytab name: FILE:krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
  11 bosso_svc_acct@WAR.COM (des-cbc-crc)
  11 bosso_svc_acct@WAR.COM (des-cbc-md5)
  11 bosso_svc_acct@WAR.COM (arcfour-hmac)
  11 bosso_svc_acct@WAR.COM (aes256-cts-hmac-sha1-96)
  11 bosso_svc_acct@WAR.COM (aes128-cts-hmac-sha1-96)

2) get credentials from domain server:

[root@BOEHOST etc]# kinit bosso_svc_acct
Password for bosso_svc_acct@WAR.COM:

3) list obtained credential and encryption type:

[root@BOEHOST etc]# klist -e
Ticket cache: KEYRING:persistent:0:0
Default principal: bosso_svc_acct@WAR.COM

Valid starting       Expires              Service principal
04/12/2018 00:57:24  04/12/2018 10:57:24  krbtgt/WAR.COM@WAR.COM
	renew until 04/19/2018 00:57:19, Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96

4) have server create me a keytab (rename current keytab as backup)

net ads keytab create -k

5) list principals and encryption types in current key tab: (BIG DIFFERENCE!)

--- worked with unembedded service name password with this new keytab file!

[root@BOEHOST etc]# klist -ke krb5.keytab
Keytab name: FILE:krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
  11 bosso_svc_acct@WAR.COM (des-cbc-crc)
  11 bosso_svc_acct@WAR.COM (des-cbc-md5)
  11 bosso_svc_acct@WAR.COM (arcfour-hmac)
  11 bosso_svc_acct@WAR.COM (aes256-cts-hmac-sha1-96)
  11 bosso_svc_acct@WAR.COM (aes128-cts-hmac-sha1-96)
   2 host/boehost.war.com@WAR.COM (des-cbc-crc)
   2 host/boehost@WAR.COM (des-cbc-crc)
   2 host/boehost.war.com@WAR.COM (des-cbc-md5)
   2 host/boehost@WAR.COM (des-cbc-md5)
   2 host/boehost.war.com@WAR.COM (aes128-cts-hmac-sha1-96)
   2 host/boehost@WAR.COM (aes128-cts-hmac-sha1-96)
   2 host/boehost.war.com@WAR.COM (aes256-cts-hmac-sha1-96)
   2 host/boehost@WAR.COM (aes256-cts-hmac-sha1-96)
   2 host/boehost.war.com@WAR.COM (arcfour-hmac)
   2 host/boehost@WAR.COM (arcfour-hmac)
   2 BOEHOST$@WAR.COM (des-cbc-crc)
   2 BOEHOST$@WAR.COM (des-cbc-md5)
   2 BOEHOST$@WAR.COM (aes128-cts-hmac-sha1-96)
   2 BOEHOST$@WAR.COM (aes256-cts-hmac-sha1-96)
   2 BOEHOST$@WAR.COM (arcfour-hmac)
   2 bosso_svc_acct/boehost.war.com@WAR.COM (des-cbc-crc)
   2 bosso_svc_acct/boehost@WAR.COM (des-cbc-crc)
   2 bosso_svc_acct/boehost.war.com@WAR.COM (des-cbc-md5)
   2 bosso_svc_acct/boehost@WAR.COM (des-cbc-md5)
   2 bosso_svc_acct/boehost.war.com@WAR.COM (aes128-cts-hmac-sha1-96)
   2 bosso_svc_acct/boehost@WAR.COM (aes128-cts-hmac-sha1-96)
   2 bosso_svc_acct/boehost.war.com@WAR.COM (aes256-cts-hmac-sha1-96)
   2 bosso_svc_acct/boehost@WAR.COM (aes256-cts-hmac-sha1-96)
   2 bosso_svc_acct/boehost.war.com@WAR.COM (arcfour-hmac)
   2 bosso_svc_acct/boehost@WAR.COM (arcfour-hmac)
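The keytab-versus-ticket comparison behind steps 3 and 5 above, as an added shell example that is not from the poster or from SAP: it parses klist output (constructed samples with placeholder principal and realm names, not the poster's host), checks that the acceptor's keytab holds a key with the ticket's enctype and key version, and counts DES/RC4 keys that should be retired.

```shell
# Constructed sample of `klist -e -k krb5.keytab` (placeholder names, not the poster's host).
SAMPLE_KEYTAB='Keytab name: FILE:krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
  11 svc_acct@EXAMPLE.COM (des-cbc-crc)
  11 svc_acct@EXAMPLE.COM (arcfour-hmac)
  11 svc_acct@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   2 host/boehost.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   2 BOEHOST$@EXAMPLE.COM (aes256-cts-hmac-sha1-96)'

# Constructed sample of `klist -e` for a cached service ticket (same caveat).
SAMPLE_TICKET='Ticket cache: KEYRING:persistent:0:0
Default principal: user1@EXAMPLE.COM
Valid starting       Expires              Service principal
04/12/2018 00:57:24  04/12/2018 10:57:24  svc_acct@EXAMPLE.COM
	renew until 04/19/2018 00:57:19, Etype (skey, tkt): aes256-cts-hmac-sha1-96, arcfour-hmac'

# ticket_enctype: from `klist -e` text on stdin, print the enctype the ticket itself is
# encrypted with (the second value after "Etype (skey, tkt):").
ticket_enctype() {
    sed -n 's/.*Etype (skey, tkt): *[^,]*, *//p' | head -n 1
}

# keytab_has PRINCIPAL ENCTYPE [KVNO]: keytab listing on stdin; succeed only if an entry
# matches the principal and enctype (and the key version number, when given).
keytab_has() {
    awk -v p="$1" -v e="($2)" -v k="${3:-}" \
        '$1 ~ /^[0-9]+$/ && $2 == p && $3 == e && (k == "" || $1 == k) { found = 1 }
         END { exit !found }'
}

# keytab_weak_count: number of DES or RC4 (arcfour) keys in the listing; AD no longer
# issues DES by default and RC4 keys should be retired in favour of AES.
keytab_weak_count() {
    awk '$1 ~ /^[0-9]+$/ && $3 ~ /des-cbc|arcfour/ { n++ } END { print n + 0 }'
}

# check_acceptor_key PRINCIPAL KEYTAB_TEXT TICKET_TEXT: the check behind the poster's
# step 3 vs step 5 comparison: the SPNEGO acceptor can only decrypt a service ticket if
# the keytab holds a key for that principal with the ticket's enctype.
check_acceptor_key() {
    etype=$(printf '%s\n' "$3" | ticket_enctype)
    if printf '%s\n' "$2" | keytab_has "$1" "$etype"; then
        echo "ok: keytab has a $etype key for $1"
    else
        echo "mismatch: ticket uses $etype but keytab has no such key for $1"
        return 1
    fi
}
```

On a real host, feed `klist -e -k /etc/krb5.keytab` and `klist -e` output into the same functions; a mismatch here is what produces an encryption error long before the application sees a username.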

Former Member
0 Kudos

Thank you Tim. I forgot that I had submitted this question. The answer was a setting in one of the properties files (I don't remember which one).

SSO into CMC/BI via kerberos is working now. I'm documenting the entire process. I'd be more than happy to send you the doc when I am finished.