Configuring Windows AD using kerberos authentication -- XI 3.0

Former Member

Hi,

Trying to configure windows AD authentication XI 3.0

When logging to CMC or Infoview it errors out with the message:

"Account information not recognised: Active Directory authentication failed you to logon. Please contact your system administrator to make sure you are a member of a valid mapped group and try again. If you are not a member of a default domain, enter your username as UserName@DNS_DomainName and try again".

Please advise.

Thanks.

Accepted Solutions (1)

BasicTek
Advisor

Setting up AD is a bit complicated, and that error could be for anything.

We have to break things out into steps; I always recommend opening a message with support for these issues.

To set up Java AD you must:

Create a service account and SPN in AD.

Then add permissions to the account so it can run the CMS.

After it's running the CMS you should enter the SPN (created earlier) in the CMC.

Once this is done you should be able to log in with AD via client tools like Deski, Designer, Crystal, or Business Views, etc.

Then it's off to get Java working.

You will need 2 files: bscLogin.conf and krb5.ini.

Put them in C:\WINNT.

Test the krb5.ini by performing kinit (boinstall\javasdk\bin\kinit username).

When kinit works, you must then specify the files to Tomcat in the Java options,

and then you can test InfoView/CMC.

I will be releasing a shorter white paper in a few weeks on setting just Java AD up.

In the meantime the 3.0 Admin guide should get you there as well.

Regards,

Tim
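The Java half of the procedure Tim lists (krb5.ini and bscLogin.conf in C:\WINNT, a kinit check, then the Tomcat Java options) is where most "Account information not recognised" failures come from, usually a realm in the wrong case or a missing DNS-to-realm mapping. The following added example is not code from the thread or from SAP/BusinessObjects: it renders both files, runs a few sanity checks over the krb5.ini that catch those mistakes before anyone touches Tomcat, and prints the kinit command and Java options to use. The realm DOMAIN.COM, the KDC host names, the install path and the RC4-HMAC encryption types are assumptions chosen for illustration.

```python
"""Kerberos client files for the Java side of BusinessObjects XI 3.0 AD logon.

Added example, not code from the thread or from SAP/BusinessObjects. The realm
DOMAIN.COM, the KDC host names, the install path and the encryption types are
assumptions for illustration; substitute your own.
"""
import re
from typing import List

CONF_DIR = r"C:\WINNT"                      # the thread puts both files here
KRB5_INI = CONF_DIR + r"\krb5.ini"
BSCLOGIN_CONF = CONF_DIR + r"\bscLogin.conf"
# JAAS entry name the BusinessObjects Java SDK looks up (per the XI 3.0 admin guide)
JAAS_ENTRY = "com.businessobjects.security.jgss.initiate"


def render_krb5_ini(realm: str, kdcs: List[str], dns_domain: str) -> str:
    """Build a minimal krb5.ini for the Java Kerberos implementation.

    Kerberos compares realm names case-sensitively and AD realms are upper
    case, so the realm is upper-cased whatever the caller passed. The
    [domain_realm] section is what lets user@domain.com (DNS case) resolve
    to the DOMAIN.COM realm.
    """
    realm = realm.upper()
    dns_domain = dns_domain.lower()
    kdc_lines = "\n".join(f"        kdc = {k}" for k in kdcs)
    return (
        "[libdefaults]\n"
        f"    default_realm = {realm}\n"
        "    dns_lookup_kdc = true\n"
        "    dns_lookup_realm = true\n"
        # Assumed: RC4-HMAC is the type a Windows 2003 DC and the 1.5 JDK share.
        "    default_tgs_enctypes = rc4-hmac\n"
        "    default_tkt_enctypes = rc4-hmac\n"
        "    udp_preference_limit = 1\n"     # force TCP; tickets for users in many groups exceed UDP size
        "\n[realms]\n"
        f"    {realm} = {{\n{kdc_lines}\n"
        f"        default_domain = {dns_domain}\n"
        "    }\n"
        "\n[domain_realm]\n"
        f"    .{dns_domain} = {realm}\n"
        f"    {dns_domain} = {realm}\n"
    )


def render_bsclogin_conf() -> str:
    """JAAS config telling the BO SDK to authenticate with Sun's Krb5LoginModule."""
    return (
        f"{JAAS_ENTRY} {{\n"
        "    com.sun.security.auth.module.Krb5LoginModule required;\n"
        "};\n"
    )


def check_krb5_ini(text: str) -> List[str]:
    """Return the problems that most often produce the logon error above;
    an empty list means the file looks usable."""
    problems: List[str] = []
    m = re.search(r"^\s*default_realm\s*=\s*(\S+)\s*$", text, re.M)
    if not m:
        return ["no default_realm in [libdefaults]"]
    realm = m.group(1)
    if realm != realm.upper():
        problems.append(f"realm {realm!r} is not upper case")
    if not re.search(r"^\s*" + re.escape(realm) + r"\s*=\s*\{", text, re.M):
        problems.append(f"no [realms] block for {realm}")
    if not re.search(r"^\s*kdc\s*=\s*\S+", text, re.M):
        problems.append("no kdc line")
    # A dotted DNS name mapped to the realm; 'default_realm' has no dot, so it cannot match here.
    if not re.search(r"^\s*\.?[\w-]+(\.[\w-]+)+\s*=\s*" + re.escape(realm) + r"\s*$", text, re.M):
        problems.append(f"no [domain_realm] mapping to {realm}")
    return problems


def kinit_command(bo_install: str, user: str, realm: str) -> str:
    """The check the thread recommends before touching Tomcat: kinit with the
    JDK shipped under the BO install. Getting a TGT here proves krb5.ini works."""
    return f'"{bo_install}\\javasdk\\bin\\kinit" {user}@{realm.upper()}'


def tomcat_java_options(krb5_ini: str = KRB5_INI, bsclogin: str = BSCLOGIN_CONF) -> str:
    """Java options pointing Tomcat's JVM at both files (standard JAAS/Kerberos properties)."""
    return (f"-Djava.security.auth.login.config={bsclogin} "
            f"-Djava.security.krb5.conf={krb5_ini}")


if __name__ == "__main__":
    ini = render_krb5_ini("domain.com", ["dc01.domain.com", "dc02.domain.com"], "domain.com")
    print(ini)
    print(render_bsclogin_conf())
    print("problems:", check_krb5_ini(ini) or "none")
    print(kinit_command(r"C:\Program Files\Business Objects", "bouser", "domain.com"))
    print(tomcat_java_options())
```

Run the kinit line on the Tomcat host as the account Tomcat runs under; if it returns without error but InfoView still fails, the remaining suspects are the SPN entered in the CMC and the Java options, not krb5.ini.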

Former Member

Hi Tim,

Please add a link to the white paper you mentioned. Is it available?

--David

BasicTek
Advisor

Here's one.

There are 4 total so far if you look up SAP Note 1261835.

Regards,

Tim

Former Member

We have successfully set up Windows AD with Kerberos with BOE XI 3.0, Tomcat, and a Windows 2003 domain controller. We've added some AD Groups and these users can log on to InfoView and CMC using Windows AD authentication. We are not using Vintela.

The user name format in AD is:

username@domain.com

The pre-Windows 2000 log on name format in AD is ABC\username.

The only user name formats that work are:

username@DOMAIN.COM and USERNAME@DOMAIN.COM

The shorter formats

ABC\username and ABC\USERNAME

do not work to log on to BOE. The following formats do not work:

USERNAME@DOMAIN.COM and username@domain.com

The default domain is set to domain.com (lower case) in the CMC.

Is there some way to adjust the BOE Windows AD configuration to enable the shorter format ABC\username? Is there some change that can be made on the domain controller to enable this?

Better yet, is there a way to integrate with Windows AD so groups are imported and users are created, but users could log on using Enterprise authentication? Users would only have to provide a username and password. Said another way, can BOE be set up to automatically create an Enterprise account using the username and password from the Windows AD domain?

--

David

BasicTek
Advisor

Hi David,

The problem is not one that can be configured in BO. The Java SDK is responsible for submitting ticket requests when using a Java application server (in .NET there is no issue like this).

So in XIR2 SP2 or later we support 2 Java SDKs: 1.4 (installed by default) and 1.5 (needs to be added).

XI 3.x starts with 1.5. Currently 1.6 has not been added to the supported JDKs, and that's the one we need to submit users in SAM account format (aka pre-2000 username). So, all that to say, no...

Oh, and the 2nd question.

Any user that's been imported into BO can have up to 4 aliases, so you can create an Enterprise alias for anyone. You can use the Import Wizard to create a bunch of Enterprise aliases based on a file, which could be generated by exporting AD info using a tool like ldifde. You can also ask for a script from the SDK forums (original link is broken) to create Enterprise aliases for existing AD ones. I've seen a few of them floating around there.

One more thing: if using SSO (previous post) then users don't have to worry about how the username is entered. This is the most common solution.

Regards,

Tim

Edited by: Tim Ziemba on Dec 18, 2008 10:46 AM
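Tim's answer above comes down to this: the form of name that works is decided by the Java SDK's Krb5LoginModule, which on JDK 1.5 wants user@REALM with the realm in Kerberos (upper) case, not the pre-2000 ABC\username form. The following added example is not code from the thread or from the BO SDK; it shows the mapping a custom logon page would have to perform itself before handing the name to the SDK, so that the forms David listed (username@domain.com, ABC\username, a bare username) all become username@DOMAIN.COM, and why a realm typed in DNS case fails without it. The NetBIOS-to-realm table and DOMAIN.COM as default realm are assumptions for illustration.

```python
"""Canonicalise a logon name into the user@REALM form the Java Kerberos login
module expects. Added example, not from the thread or the BO SDK. The
NetBIOS-to-realm table and the default realm are assumptions for illustration.
"""
import re
from typing import Dict

DEFAULT_REALM = "DOMAIN.COM"                               # assumed; plays the role of the CMC "default domain"
NETBIOS_TO_REALM: Dict[str, str] = {"ABC": "DOMAIN.COM"}   # assumed pre-2000 domain name -> Kerberos realm


def to_kerberos_principal(login: str,
                          default_realm: str = DEFAULT_REALM,
                          netbios_map: Dict[str, str] = NETBIOS_TO_REALM) -> str:
    """Map ABC\\user, user@domain.com, USER@DOMAIN.COM or a bare user to user@REALM.

    Only the realm is case-adjusted: Kerberos compares realms case-sensitively
    and AD realms are upper case, while AD account names are case-insensitive
    (David saw both username@ and USERNAME@ accepted), so the user part is
    passed through unchanged.
    """
    login = login.strip()
    if "\\" in login:                          # pre-Windows 2000 / SAM form ABC\user
        netbios, user = login.split("\\", 1)
        try:
            realm = netbios_map[netbios.upper()]
        except KeyError:
            raise ValueError(f"unknown NetBIOS domain {netbios!r}") from None
    elif "@" in login:                         # UPN form; the realm may arrive in DNS (lower) case
        user, realm = login.rsplit("@", 1)
        realm = realm.upper()
    else:                                      # bare name: apply the default realm
        user, realm = login, default_realm.upper()
    if not re.fullmatch(r"[^@\\/\s]+", user) or not re.fullmatch(r"[A-Z0-9.-]+", realm):
        raise ValueError(f"malformed logon name {login!r}")
    return f"{user}@{realm}"


def classify(login: str) -> str:
    """Return the principal the login becomes, or the reason it is rejected."""
    try:
        return to_kerberos_principal(login)
    except ValueError as exc:
        return f"rejected: {exc}"


if __name__ == "__main__":
    # Constructed inputs: the forms from David's post plus two malformed ones.
    for name in ["username@DOMAIN.COM", "USERNAME@DOMAIN.COM", "username@domain.com",
                 "ABC\\username", "XYZ\\username", "username", "user@name@x"]:
        print(f"{name:22} -> {classify(name)}")
```

Note that the NetBIOS lookup is what makes the short form work at all: nothing in the name ABC\username says which realm ABC is, so without a table (or a query against AD) the login page has nothing to hand to Kerberos, which is the same reason the SDK cannot guess it.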
