Can you give any clues to crystal exception during kerberos sso attempt into cms on linux?

Apr 05 at 03:25 PM


Credential
client: boeuser2@WAR.COM
session key: [23, 23 db 9d ba bd 47 c3 ad d6 9d 87 a5 95 60 ca 7a ]
service principal: krbtgt/WAR.COM@WAR.COM
valid from: Thu Apr 05 11:28:45 UTC 2018
valid till: Thu Apr 05 21:28:45 UTC 2018
renewable till: Thu Apr 12 11:28:45 UTC 2018
Ticket:
encryption type: 23
key version num: 2
service principal: krbtgt/WAR.COM@WAR.COM
ticket flags: forwardable forwarded renewable preauthent
valid for: all addresses
++++++++++++++++++++++++++++
[DEBUG] Thu Apr 05 14:05:50 UTC 2018 jcsi.kerberos: ** creating application response .. **
with key
[23, ab c1 a9 e3 e8 73 45 d6 a4 3b d2 9a 53 27 2d ce ]
[DEBUG] Thu Apr 05 14:05:50 UTC 2018 jcsi.kerberos: created application response:

++++ KRB-AP-REP Message ++++
encryption type: 23
sequence number: 69992197
sub session key: null
client time: Thu Apr 05 14:05:49 UTC 2018
cusec: 3291
++++++++++++++++++++++++++++
com.crystaldecisions.sdk.exception.SDKException$InvalidArg: The argument has an invalid value null (FWM 02024)
at com.crystaldecisions.sdk.occa.security.internal.SecuritySession.decodeSerializedSession(SecuritySession.java:931)


3 Answers

Best Answer
Tim Ziemba
Apr 09 at 11:37 AM
1

If the CMS is on Linux it cannot support kerberos SSO; what method are you using? You can still use the Microsoft spnego to capture the username, trusted auth remote user to use it to logon, and map groups in LDAP to provide account synchronization. That error seems to indicate that the user attempting SSO is not able to delegate, however more information would need to be known for full context, such as current configuration.

Below is the standard AD SSO config for non-Windows BI servers. Also to note, you should edit your post to remove specific usernames and info about your organization.

https://apps.support.sap.com/sap/support/knowledge/preview/en/1965433

-Tim

Daniel Boquist Apr 11 at 02:16 PM
0

Thank you Tim. I forgot that I had submitted this question. The answer was a setting in one of the properties files (I don't remember which one).

Sso into CMC/BI via kerberos is working now. I'm documenting the entire process. I'd be more than happy to send you the doc when I am finished.

Former Member May 08 at 04:18 PM
0

Hi Daniel

I am having exactly the same issue on AIX, did you manage to document the change that proved successful?

Thanks

Matt


There is no successful kerberos logon on non-Windows OS. The AD plugin that integrated with Microsoft kerberos is not available in the product. If you want to logon with AD / Kerberos then you must run your CMS's on Windows.

There are other methods, such as explained here, to allow AD SSO into the product, but it is not kerberos; it's called trusted authentication: https://apps.support.sap.com/sap/support/knowledge/preview/en/1965433

-Tim

0

Matt,

I don't remember exactly, but it was one of the settings in one of the webapps properties files (global.properties?). There aren't that many; I had a duplicate setting at the bottom of the file that had no value. I have the entire setup documented and would be more than happy to send it to you if I could figure out how to do so without making it public.
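The fault described in this comment (a key repeated at the end of a properties file with an empty value, so the later empty definition is what the application actually loads, since java.util.Properties keeps the last value seen for a key) can be found mechanically. The script below is an added example written for this page; it is not code from the thread, from SAP or from the Vintela/Quest components. It handles only `key=value` lines and runs against a constructed sample modelled on the global.properties settings posted further down in the thread.

```shell
#!/usr/bin/env bash
# Added example, not from the thread or the product: detect a key that is
# defined more than once in a Java .properties file, and keys whose
# effective (last) value is empty. Only "key=value" lines are handled.

# Constructed sample modelled on the thread's global.properties; the
# trailing "idm.keytab=" with no value is the fault being looked for.
SAMPLE_PROPERTIES='# global.properties (constructed sample)
sso.enabled=true
vintela.enabled=true
idm.realm=WAR.COM
idm.princ=bosso_svc_acct
idm.allowS4U=true
idm.keytab=/etc/krb5.keytab

idm.keytab='

# Print "key count last_value" for every key defined more than once;
# last_value is the one java.util.Properties will hand to the application.
duplicate_keys() {
    awk '
        /^[[:space:]]*$/   { next }                  # blank lines
        /^[[:space:]]*[#!]/ { next }                 # comments
        {
            eq = index($0, "=")
            if (eq == 0) next                        # not a key=value line
            key = substr($0, 1, eq - 1); gsub(/^[[:space:]]+|[[:space:]]+$/, "", key)
            val = substr($0, eq + 1)
            count[key]++; last[key] = val
        }
        END {
            for (k in count) if (count[k] > 1) printf "%s %d \"%s\"\n", k, count[k], last[k]
        }'
}

# Print, sorted, the keys whose effective (last) value is empty.
empty_values() {
    awk '
        /^[[:space:]]*$/   { next }
        /^[[:space:]]*[#!]/ { next }
        {
            eq = index($0, "="); if (eq == 0) next
            key = substr($0, 1, eq - 1); gsub(/^[[:space:]]+|[[:space:]]+$/, "", key)
            last[key] = substr($0, eq + 1)
        }
        END { for (k in last) if (last[k] == "") print k }' | sort
}

# Demo on the constructed sample; for a real file use e.g.
#   duplicate_keys < global.properties
printf '%s\n' "$SAMPLE_PROPERTIES" | duplicate_keys
printf '%s\n' "$SAMPLE_PROPERTIES" | empty_values
```

Run against each of the web application's properties files after an edit; a key reported by `duplicate_keys` with an empty last value is exactly the silent override described in the comment.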

0

These are the settings that I have for the properties file(s):

Vintela BOE

bilaunchpad.properties:
sso.types.and.order=trustedVintela

global.properties:
siteminder.enabled=false
sso.enabled=true
vintela.enabled=true
idm.realm=WAR.COM
idm.princ=bosso_svc_acct
idm.allowS4U=true
idm.password=War1
idm.allow.Unsecured=true
idm.allowNTLM=false
idm.logger.name=simple
idm.logger.props=error-log.properties
idm.keytab=/etc/krb5.keytab

- another issue I had with kerberos was when I removed the idm.password setting (to allow it to use kerberos password) it wouldn't work. If I remember correctly it was an encryption error. I believe that the Windows generated krb5.keytab might be incompatible with Linux. I had the server generate the keytab for me and then it worked without the embedded password.

1) list principals and encryption types in current key tab:

[root@BOEHOST etc]# klist -e -k krb5.keytab
Keytab name: FILE:krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
  11 bosso_svc_acct@WAR.COM (des-cbc-crc)
  11 bosso_svc_acct@WAR.COM (des-cbc-md5)
  11 bosso_svc_acct@WAR.COM (arcfour-hmac)
  11 bosso_svc_acct@WAR.COM (aes256-cts-hmac-sha1-96)
  11 bosso_svc_acct@WAR.COM (aes128-cts-hmac-sha1-96)

2) get credentials from domain server:

[root@BOEHOST etc]# kinit bosso_svc_acct
Password for bosso_svc_acct@WAR.COM:

3) list obtained credential and encryption type:

[root@BOEHOST etc]# klist -e
Ticket cache: KEYRING:persistent:0:0
Default principal: bosso_svc_acct@WAR.COM

Valid starting       Expires              Service principal
04/12/2018 00:57:24  04/12/2018 10:57:24  krbtgt/WAR.COM@WAR.COM
        renew until 04/19/2018 00:57:19, Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96

4) have server create me a keytab (rename current keytab as backup)

net ads keytab create -k

5) list principals and encryption types in current key tab: (BIG DIFFERENCE!)

--- worked with unembedded service name password with this new keytab file!

[root@BOEHOST etc]# klist -ke krb5.keytab
Keytab name: FILE:krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
  11 bosso_svc_acct@WAR.COM (des-cbc-crc)
  11 bosso_svc_acct@WAR.COM (des-cbc-md5)
  11 bosso_svc_acct@WAR.COM (arcfour-hmac)
  11 bosso_svc_acct@WAR.COM (aes256-cts-hmac-sha1-96)
  11 bosso_svc_acct@WAR.COM (aes128-cts-hmac-sha1-96)
   2 host/boehost.war.com@WAR.COM (des-cbc-crc)
   2 host/boehost@WAR.COM (des-cbc-crc)
   2 host/boehost.war.com@WAR.COM (des-cbc-md5)
   2 host/boehost@WAR.COM (des-cbc-md5)
   2 host/boehost.war.com@WAR.COM (aes128-cts-hmac-sha1-96)
   2 host/boehost@WAR.COM (aes128-cts-hmac-sha1-96)
   2 host/boehost.war.com@WAR.COM (aes256-cts-hmac-sha1-96)
   2 host/boehost@WAR.COM (aes256-cts-hmac-sha1-96)
   2 host/boehost.war.com@WAR.COM (arcfour-hmac)
   2 host/boehost@WAR.COM (arcfour-hmac)
   2 BOEHOST$@WAR.COM (des-cbc-crc)
   2 BOEHOST$@WAR.COM (des-cbc-md5)
   2 BOEHOST$@WAR.COM (aes128-cts-hmac-sha1-96)
   2 BOEHOST$@WAR.COM (aes256-cts-hmac-sha1-96)
   2 BOEHOST$@WAR.COM (arcfour-hmac)
   2 bosso_svc_acct/boehost.war.com@WAR.COM (des-cbc-crc)
   2 bosso_svc_acct/boehost@WAR.COM (des-cbc-crc)
   2 bosso_svc_acct/boehost.war.com@WAR.COM (des-cbc-md5)
   2 bosso_svc_acct/boehost@WAR.COM (des-cbc-md5)
   2 bosso_svc_acct/boehost.war.com@WAR.COM (aes128-cts-hmac-sha1-96)
   2 bosso_svc_acct/boehost@WAR.COM (aes128-cts-hmac-sha1-96)
   2 bosso_svc_acct/boehost.war.com@WAR.COM (aes256-cts-hmac-sha1-96)
   2 bosso_svc_acct/boehost@WAR.COM (aes256-cts-hmac-sha1-96)
   2 bosso_svc_acct/boehost.war.com@WAR.COM (arcfour-hmac)
   2 bosso_svc_acct/boehost@WAR.COM (arcfour-hmac)
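The comparison carried out in steps 1 and 5 above (which principals and encryption types a keytab contains, and whether the service account has a key for the enctype the KDC actually issues) is worth scripting so it can be repeated after every keytab regeneration. The script below is an added example written for this page, not code from the thread, from SAP or from Samba's `net ads`. It parses `klist -ke` output, and for offline use it embeds a constructed sample modelled on the listing above. Note that encryption type 23 in the KRB-AP-REP trace in the question is RC4-HMAC, listed by `klist` as `arcfour-hmac`; together with the single-DES types it is a legacy enctype that should be phased out once every client and KDC supports AES.

```shell
#!/usr/bin/env bash
# Added example, not from the thread or the product: audit a keytab listing
# the way the poster compared the old and the net-ads-generated keytab.
# Input is `klist -ke` output; a constructed sample modelled on the thread's
# listing is embedded so the script runs offline.

SAMPLE_KLIST='Keytab name: FILE:krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
  11 bosso_svc_acct@WAR.COM (des-cbc-crc)
  11 bosso_svc_acct@WAR.COM (des-cbc-md5)
  11 bosso_svc_acct@WAR.COM (arcfour-hmac)
  11 bosso_svc_acct@WAR.COM (aes256-cts-hmac-sha1-96)
  11 bosso_svc_acct@WAR.COM (aes128-cts-hmac-sha1-96)
   2 host/boehost.war.com@WAR.COM (des-cbc-crc)
   2 host/boehost.war.com@WAR.COM (aes256-cts-hmac-sha1-96)
   2 host/boehost.war.com@WAR.COM (arcfour-hmac)'

# Emit "principal enctype" for every key row of klist -ke output on stdin.
# Header lines are skipped: only rows starting with a KVNO and carrying a
# parenthesised enctype are kept.
keytab_entries() {
    awk '/^ *[0-9]+ +[^ ]+ +\(/ { gsub(/[()]/, "", $3); print $2, $3 }'
}

# Count keys whose enctype is legacy: single DES or RC4. Etype 23 in the
# thread's KRB-AP-REP trace is arcfour-hmac, i.e. RC4-HMAC.
count_weak_keys() {
    keytab_entries | awk '$2 ~ /^(des-cbc-|arcfour-hmac)/ { n++ } END { print n + 0 }'
}

# Distinct enctypes present for one principal, one per line.
enctypes_for() {
    keytab_entries | awk -v p="$1" '$1 == p { print $2 }' | sort -u
}

# Exit 0 if the principal has a key of the given enctype. A service ticket
# can only be decrypted when the keytab holds a key of the enctype the KDC
# used for it; a keytab lacking that key is one cause of the "encryption
# error" the poster mentions.
principal_has_enctype() {
    keytab_entries | awk -v p="$1" -v e="$2" '$1 == p && $2 == e { found = 1 } END { exit !found }'
}

# Human-readable report with legacy enctypes marked.
audit_keytab() {
    keytab_entries | awk '{
        mark = ($2 ~ /^(des-cbc-|arcfour-hmac)/) ? "  <- legacy enctype" : ""
        printf "%-36s %-26s%s\n", $1, $2, mark
    }'
}

# Demo on the constructed sample; for a real keytab pipe in
#   klist -ke /etc/krb5.keytab | audit_keytab
printf '%s\n' "$SAMPLE_KLIST" | audit_keytab
printf 'legacy keys in keytab: %s\n' "$(printf '%s\n' "$SAMPLE_KLIST" | count_weak_keys)"
if printf '%s\n' "$SAMPLE_KLIST" | principal_has_enctype bosso_svc_acct@WAR.COM arcfour-hmac; then
    echo "bosso_svc_acct@WAR.COM holds a key for etype 23 (arcfour-hmac) service tickets"
fi
```

When the report shows the service account with only DES keys, or without the AES type that `klist -e` reports for the issued ticket, regenerating the keytab (step 4 above) is the fix; once all keys are AES, the remaining DES and arcfour entries can be dropped from the account's allowed encryption types on the domain side.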
