Problem on the configuration about creating an SPN for your CMS on a Window

Former Member

I have a problem with the configuration step "creating an SPN for your CMS on a Windows 2003 domain".

My Environment:

Domain Controller and AD Server: SV01

Crystal Report Server: SV07

Domain Name: SVG.NTT.LOCAL

I created a domain user "BOUSER" in SV01

When I type the following command on SV01, it gives no response at all.

"SETSPN.exe -A BOBJCentralMS/SV07.SVG.NTT.LOCAL BOUSER"

And I cannot find the "Delegation" tab in the domain user's property window.

Is there anything wrong in the command?

Accepted Solutions (1)


BasicTek
Advisor

It's possible your "2003 domain" is in fact a 2000/2003 "mixed mode" domain/forest.

Look in the account options for a checkbox for delegation instead if that is the case.

Regards,

Tim

Former Member

Hi Tim,

Thank you for your reply.

Do I need to check the box "Account is trusted for delegation" in the Account options?

BasicTek
Advisor

That would depend on how you are authenticating...

If you are using the service account for SSO or SSO to the DB, then yes, we will need to delegate the credentials. If you are only integrating with AD and requiring manual logon, then no, delegation is not needed.

-Tim

Former Member

Hi Tim,

Thank you for your reply.

We used Tomcat and MySQL database.

I am only integrating with AD and requiring manual logon.

I created a bscLogin.conf file and a krb5.ini file.

krb5.ini file:

[libdefaults]
default_realm = DNS.COM
dns_lookup_kdc = true
dns_lookup_realm = true
[realms]
DNS.COM = {
kdc = SV01.SVG.NTT.LOCAL
default_domain = SVG.NTT.LOCAL
}

bscLogin.conf file:

com.businessobjects.security.jgss.initiate {
com.sun.security.auth.module.Krb5LoginModule required;
};

And I inserted the following two lines in Tomcat's Java tab:

-Djava.security.auth.login.config=C:\WINDOWS\bscLogin.conf

-Djava.security.krb5.conf=C:\WINDOWS\krb5.ini

I also set the Service Principal Name "bouser FQDN" in Crystal Report Server.

We can log in to the Central Management Console with our domain user.

But when we log on to InfoView with our domain user account, it displays the following error:

"Account Information Not Recognized: Active Directory Authentication failed to log you on. Please contact your system administrator to make sure you are a member of a valid mapped group and try again."

Is there any step I missed?

BasicTek
Advisor

krb5.ini looks ok, but add udp_preference_limit = 1

under libdefaults to be safe.

change the bscLogin to this

com.businessobjects.security.jgss.initiate {
com.sun.security.auth.module.Krb5LoginModule required debug=true;
};

to add kerberos tracing in the std.out

I'd always use winnt instead of windows for tomcat as that is the directory that we would test with kinit (in the docs)

change

-Djava.security.auth.login.config=C:\WINDOWS\bscLogin.conf

-Djava.security.krb5.conf=C:\WINDOWS\krb5.ini

to

-Djava.security.auth.login.config=C:\winnt\bscLogin.conf

-Djava.security.krb5.conf=C:\winnt\krb5.ini

and move the files to there

then run kinit to verify the krb5.ini is working

If it is, log in to InfoView with AD again, look in tomcat\logs\std.out for errors, and let us know.

Regards,

Tim

Former Member

Hi Tim,

Thank you for your reply.

We typed the following command to run kinit and verify the krb5.ini:

"kinit bouser FQDN password"

But it displays an error:

Exception: krb_error 0 Cannot get kdc for realm svg.ntt.local No error

KrbException: Cannot get kdc for realm svg.ntt.local

at sun.security.krb5.KrbKdcReq.send(DashoA12275:137)

at sun.security.krb5.KrbKdcReq.send(DashoA12275:110)

at sun.security.krb5.internal.tools.Kinit.<init>(DashoA12275:260)

at sun.security.krb5.internal.tools.Kinit.main(DashoA12275:109)

And when we log in to InfoView with one of the domain users, "josdev", it displays "An error has occurred: java.lang.NullPointerException".

We also checked the tomcat\logs\std.out file; it shows the following:

2469 [http-8080-Processor25] ERROR com.crystaldecisions.sdk.plugin.authentication.ldap.internal.SecWinADAction - LoginContext failed. No valid credentials provided (Mechanism level: Fail to create credential. (63) - No service creds)

2469 [http-8080-Processor25] WARN com.crystaldecisions.sdk.plugin.authentication.ldap.internal.SecWinADAuthentication - GSSException is thrownNo valid credentials provided (Mechanism level: Fail to create credential. (63) - No service creds)

Is there any setting I missed?

BasicTek
Advisor

Sorry I missed this, but DNS.COM should be SVG.NTT.LOCAL in both locations. Then test again.

Former Member

Hi Tim,

Thank you for your reply.

Does it mean that the file should be the following?

krb5.ini file:

[libdefaults]
default_realm = SVG.NTT.LOCAL
dns_lookup_kdc = true
dns_lookup_realm = true
[realms]
SVG.NTT.LOCAL = {
kdc = SV01.SVG.NTT.LOCAL
default_domain = SVG.NTT.LOCAL
}

After we used the above file and restarted Tomcat, it still displays the same error.

BasicTek
Advisor
[libdefaults]
default_realm = SVG.NTT.LOCAL
dns_lookup_kdc = true
dns_lookup_realm = true
udp_preference_limit = 1 
[realms]
SVG.NTT.LOCAL = {
kdc = SV01.SVG.NTT.LOCAL
default_domain = SVG.NTT.LOCAL
}

This should do it, pasted in code so the brackets don't get removed

And don't even worry about tomcat, you need kinit to work before we even consider tomcat/infoview error messages

kinit tests just the krb5.ini

infoview also needs tomcat java options, CMC settings, and the service account.
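To make the checks this thread walks through repeatable, here is an added Python example (it is not from the thread and not BusinessObjects or Tomcat code). It parses a krb5.ini in the plain `[section]` / `REALM = { ... }` form used above, flags the three mistakes the thread hit (realm named DNS.COM for a SVG.NTT.LOCAL domain, brackets stripped by the forum, `udp_preference_limit = 1` missing) and explains the kinit "Cannot get kdc for realm svg.ntt.local" message against the parsed file. The three sample files and the kinit message are constructed from the posts above; the rule that an AD realm equals its default_domain in upper case is an assumption I added for AD-backed realms.

```python
"""Added example (not from the thread): lint a krb5.ini and relate a kinit
'Cannot get kdc for realm ...' message to it. Sample inputs are constructed."""
import re

SECTION_RE = re.compile(r"^\[(\w+)\]$")
BLOCK_OPEN_RE = re.compile(r"^([\w.\-]+)\s*=\s*\{$")
KV_RE = re.compile(r"^([\w.\-]+)\s*=\s*(.+)$")
KDC_ERR_RE = re.compile(r"Cannot get kdc for realm (\S+)")


def parse_krb5(text):
    """Return {section: {key: value or {subkey: value}}}. Raises ValueError if a
    key appears before any [section] header, which is what a file looks like
    after a forum strips the square brackets."""
    conf, section, block = {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section, block = m.group(1), None
            conf.setdefault(section, {})
            continue
        if section is None:
            raise ValueError(f"{line!r} appears before any [section] header (brackets missing?)")
        if line == "}":
            block = None
            continue
        m = BLOCK_OPEN_RE.match(line)
        if m:  # start of a 'REALM = {' block inside [realms]
            block = m.group(1)
            conf[section][block] = {}
            continue
        m = KV_RE.match(line)
        if not m:
            raise ValueError(f"cannot parse line {line!r}")
        target = conf[section][block] if block else conf[section]
        target[m.group(1)] = m.group(2).strip()
    return conf


def lint_krb5(text):
    """Return a list of problems; an empty list means the file passes."""
    try:
        conf = parse_krb5(text)
    except ValueError as e:
        return [str(e)]
    problems = []
    libdefaults, realms = conf.get("libdefaults", {}), conf.get("realms", {})
    default_realm = libdefaults.get("default_realm")
    if default_realm is None:
        problems.append("[libdefaults] has no default_realm")
    elif default_realm not in realms:
        problems.append(f"default_realm {default_realm} has no [realms] entry with that exact spelling")
    for realm, body in realms.items():
        if not isinstance(body, dict):
            problems.append(f"[realms] entry {realm} is not a {{ ... }} block")
            continue
        if realm != realm.upper():  # realm names are case-sensitive; AD realms are upper case
            problems.append(f"realm {realm} is not upper case")
        if "kdc" not in body:
            problems.append(f"realm {realm} has no kdc")
        domain = body.get("default_domain")  # assumption: AD realm == DNS domain, upper-cased
        if domain and domain.upper() != realm.upper():
            problems.append(f"realm {realm} does not match its default_domain {domain}")
    if libdefaults.get("udp_preference_limit") != "1":
        problems.append("[libdefaults] lacks udp_preference_limit = 1 (the 'to be safe' setting)")
    return problems


def explain_kinit_error(message, text):
    """Map a kinit 'Cannot get kdc for realm X' message to a likely cause, or None."""
    m = KDC_ERR_RE.search(message)
    if not m:
        return None
    realm = m.group(1)
    try:
        realms = parse_krb5(text).get("realms", {})
    except ValueError as e:
        return f"krb5.ini does not parse: {e}"
    if realm in realms:
        return f"realm {realm} is defined; check its kdc entry ({realms[realm].get('kdc')}) and DNS for it"
    by_upper = {r.upper(): r for r in realms}
    if realm.upper() in by_upper:
        return (f"realm {realm} is defined as {by_upper[realm.upper()]}; realm names are "
                f"case-sensitive, so use the upper-case form on the kinit command line")
    return f"realm {realm} is not defined in [realms]"


# Constructed from the thread: the first file (realm named DNS.COM), the version
# the forum stripped brackets from, and the final corrected version.
FIRST_INI = """[libdefaults]
default_realm = DNS.COM
dns_lookup_kdc = true
dns_lookup_realm = true
[realms]
DNS.COM = {
kdc = SV01.SVG.NTT.LOCAL
default_domain = SVG.NTT.LOCAL
}
"""
FINAL_INI = FIRST_INI.replace("DNS.COM", "SVG.NTT.LOCAL").replace(
    "dns_lookup_realm = true\n", "dns_lookup_realm = true\nudp_preference_limit = 1\n")
STRIPPED_INI = FINAL_INI.replace("[libdefaults]", "libdefaults").replace("[realms]", "realms")
KINIT_ERROR = "KrbException: Cannot get kdc for realm svg.ntt.local"

if __name__ == "__main__":
    for name, ini in (("first", FIRST_INI), ("stripped", STRIPPED_INI), ("final", FINAL_INI)):
        print(name, lint_krb5(ini) or "OK")
    print(explain_kinit_error(KINIT_ERROR, FINAL_INI))
```

Run it as-is to see the first file rejected for the DNS.COM/SVG.NTT.LOCAL mismatch, the bracket-less file rejected at its first line, and the final file pass; the last line shows why the lower-case realm on the kinit command line fails while the upper-case one works.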

Former Member

Hi Tim,

Thank you for your reply.

The krb5.ini file is located on the Crystal Report Server (SV07).

When we test the krb5.ini file on the Crystal Report Server (SV07) with

"kinit bouser<lower case FQDN> password"

it displays an error:

Exception: krb_error 0 Cannot get kdc for realm svg.ntt.local No error

KrbException: Cannot get kdc for realm svg.ntt.local

at sun.security.krb5.KrbKdcReq.send(DashoA12275:137)

at sun.security.krb5.KrbKdcReq.send(DashoA12275:110)

at sun.security.krb5.internal.tools.Kinit.<init>(DashoA12275:260)

at sun.security.krb5.internal.tools.Kinit.main(DashoA12275:109)

When we use "kinit bouser<upper case FQDN> password"

and press enter, no message is displayed and it returns to the command prompt.

Do we need to use the <upper case FQDN>?

Former Member

Hi Tim,

When we use the UPPER CASE FQDN, it is ok.

Now we can log in to InfoView with AD users.

Thank you very much

BasicTek
Advisor

yep, uppercase is required in the krb5.ini, sorry if I missed that earlier.

congrats!
