on 10-15-2008 10:53 AM
I have a problem with the configuration for creating an SPN for your CMS on a Windows 2003 domain.
My Environment:
Domain Controller and AD Server: SV01
Crystal Report Server: SV07
Domain Name: SVG.NTT.LOCAL
I created a domain user "BOUSER" in SV01
When I type the following command on SV01, there is no response.
"SETSPN.exe -A BOBJCentralMS/SV07.SVG.NTT.LOCAL BOUSER"
And I cannot find the "Delegation" tab in the domain user property window.
Is there anything wrong in the command?
It's possible your "2003 domain" is in fact a 2000/2003 "mixed mode" domain/forest.
Look in the account options for a checkbox for delegation instead if that is the case.
Regards,
Tim
Hi Tim,
Thank you for your reply.
We used Tomcat and a MySQL database.
I am only integrating with AD and requiring manual logon.
I created a bscLogin.conf file and a krb5.ini file.
krb5.ini file:
[libdefaults]
default_realm = DNS.COM
dns_lookup_kdc = true
dns_lookup_realm = true
[realms]
DNS.COM = {
kdc = SV01.SVG.NTT.LOCAL
default_domain = SVG.NTT.LOCAL
}
bscLogin.conf file
com.businessobjects.security.jgss.initiate {
com.sun.security.auth.module.Krb5LoginModule required;
};
And inserted the following two lines in Tomcat's Java tab:
-Djava.security.auth.login.config=C:\WINDOWS\bscLogin.conf
-Djava.security.krb5.conf=C:\WINDOWS\krb5.ini
I also set the Service Principal Name "bouser FQDN" in Crystal Report Server.
We can log in to the Central Management Console with our domain user.
But when we log on to InfoView with our domain user account,
it displays the following error:
"Account Information Not Recognized: Active Directory Authentication failed to log you on. Please contact your system administrator to make sure you are a member of a valid mapped group and try again."
Any step I missed?
krb5.ini looks OK, but add udp_preference_limit = 1
under libdefaults to be safe.
Change the bscLogin to this:
com.businessobjects.security.jgss.initiate {
com.sun.security.auth.module.Krb5LoginModule required debug=true;
};
to add Kerberos tracing in the std.out.
I'd always use winnt instead of windows for Tomcat, as that is the directory that we would test with kinit (in the docs).
Change
-Djava.security.auth.login.config=C:\WINDOWS\bscLogin.conf
-Djava.security.krb5.conf=C:\WINDOWS\krb5.ini
to
-Djava.security.auth.login.config=C:\winnt\bscLogin.conf
-Djava.security.krb5.conf=C:\winnt\krb5.ini
and move the files there.
Then run kinit to verify the krb5.ini is working.
If it is, log in to InfoView with AD again and look in tomcat\logs\std.out for errors and let us know.
Regards,
Tim
Hi Tim,
Thank you for your reply.
We typed the following command to run kinit to verify the krb5.ini:
"kinit bouser FQDN password"
But it displays an error:
Exception: krb_error 0 Cannot get kdc for realm svg.ntt.local No error
KrbException: Cannot get kdc for realm svg.ntt.local
at sun.security.krb5.KrbKdcReq.send(DashoA12275:137)
at sun.security.krb5.KrbKdcReq.send(DashoA12275:110)
at sun.security.krb5.internal.tools.Kinit.<init>(DashoA12275:260)
at sun.security.krb5.internal.tools.Kinit.main(DashoA12275:109)
And when we log in to InfoView with one of the domain users, "josdev", it displays "An error has occurred: java.lang.NullPointerException"
We also checked the tomcat\logs\std.out file; it shows the following:
2469 [http-8080-Processor25] ERROR com.crystaldecisions.sdk.plugin.authentication.ldap.internal.SecWinADAction - LoginContext failed. No valid credentials provided (Mechanism level: Fail to create credential. (63) - No service creds)
2469 [http-8080-Processor25] WARN com.crystaldecisions.sdk.plugin.authentication.ldap.internal.SecWinADAuthentication - GSSException is thrownNo valid credentials provided (Mechanism level: Fail to create credential. (63) - No service creds)
Any setting I missed?
Hi Tim,
Thank you for your reply.
Does it mean that the file should be the following?
krb5.ini file:
libdefaults
default_realm = SVG.NTT.LOCAL
dns_lookup_kdc = true
dns_lookup_realm = true
realms
SVG.NTT.LOCAL = {
kdc = SV01.SVG.NTT.LOCAL
default_domain = SVG.NTT.LOCAL
}
After we used the above file and restarted Tomcat, it also displayed the same error.
[libdefaults]
default_realm = SVG.NTT.LOCAL
dns_lookup_kdc = true
dns_lookup_realm = true
udp_preference_limit = 1
[realms]
SVG.NTT.LOCAL = {
kdc = SV01.SVG.NTT.LOCAL
default_domain = SVG.NTT.LOCAL
}
This should do it, pasted in code so the brackets don't get removed
And don't even worry about tomcat, you need kinit to work before we even consider tomcat/infoview error messages
kinit tests just the krb5.ini
infoview also needs tomcat java options, CMC settings, and the service account.
Hi Tim,
Thank you for your reply.
The krb5.ini file is located on the Crystal Report Server (SV07).
When we test the krb5.ini file on the Crystal Report Server (SV07) with
"kinit bouser<lower case FQDN> password"
it displays an error:
Exception: krb_error 0 Cannot get kdc for realm svg.ntt.local No error
KrbException: Cannot get kdc for realm svg.ntt.local
at sun.security.krb5.KrbKdcReq.send(DashoA12275:137)
at sun.security.krb5.KrbKdcReq.send(DashoA12275:110)
at sun.security.krb5.internal.tools.Kinit.<init>(DashoA12275:260)
at sun.security.krb5.internal.tools.Kinit.main(DashoA12275:109)
When we use "kinit bouser<upper case FQDN> password"
and press Enter, no message is displayed and it returns to the command prompt.
Do we need to use <upper case FQDN>?
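Added example, not part of the thread or of any vendor tooling: Kerberos realm names are case-sensitive, and the lowercase kinit attempt above failed with "Cannot get kdc for realm svg.ntt.local" while the file only defines SVG.NTT.LOCAL. This Python check parses a krb5.ini and reports a default_realm or principal realm that has no exactly matching [realms] stanza; the user@REALM principal form and the function names are assumptions.

```python
import re
# Final krb5.ini from the thread, embedded so the check runs offline.
FIXED = """[libdefaults]
default_realm = SVG.NTT.LOCAL
dns_lookup_kdc = true
dns_lookup_realm = true
udp_preference_limit = 1
[realms]
SVG.NTT.LOCAL = {
kdc = SV01.SVG.NTT.LOCAL
default_domain = SVG.NTT.LOCAL
}
"""

def parse_krb5(text):
    """Parse krb5.ini text into {section: {key: value | {subkey: value}}}."""
    conf, section, block = {}, None, None
    for line in (l.split("#", 1)[0].strip() for l in text.splitlines()):
        head = re.fullmatch(r"\[(\w+)\]", line)
        if head:
            section, block = conf.setdefault(head.group(1), {}), None
        elif line == "}":
            block = None
        elif section is not None and "=" in line:
            key, value = (p.strip() for p in line.split("=", 1))
            if value == "{":
                block = section.setdefault(key, {})   # start of a realm stanza
            else:
                (section if block is None else block)[key] = value
    return conf

def check(conf, principal=None):
    """Return findings; an empty list means every realm resolves to a stanza."""
    realms = conf.get("realms", {})
    wanted = [("default_realm", conf.get("libdefaults", {}).get("default_realm"))]
    if principal and "@" in principal:
        wanted.append(("principal realm", principal.rsplit("@", 1)[1]))
    findings = [f"realm {r} has no kdc" for r, body in realms.items() if "kdc" not in body]
    for label, name in wanted:
        if not name:
            findings.append(f"{label} is not set")
        elif name not in realms:             # exact, case-sensitive match
            near = [r for r in realms if r.lower() == name.lower()]
            note = f"; differs only in case from {near[0]}" if near else ""
            findings.append(f"{label} {name} has no [realms] entry{note}")
    return findings

if __name__ == "__main__":
    for p in ("bouser@SVG.NTT.LOCAL", "bouser@svg.ntt.local"):  # assumed principal form
        print(p, check(parse_krb5(FIXED), p) or "ok")
```

Run against the first krb5.ini in the thread (realm DNS.COM), the same check reports that SVG.NTT.LOCAL has no [realms] entry at all.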