Former Member

Configuring Windows AD using kerberos authentication -- XI 3.0

Hi,

Trying to configure windows AD authentication XI 3.0

When logging to CMC or Infoview it errors out with the message:

"Account information not recognised:Active directory authentication failed you to logon.Please contact your system administrator to make sure you are a member of a valid mapped group and try again.If you are not a member of a default domain,enter your username as UserName@DNS_DomainName and try again".

Please advise.

Thanks.


1 Answer

  • Best Answer
    Posted on Oct 31, 2008 at 10:33 AM

    setting up AD is a bit complicated and that error could be for anything.

    We have to break things out into steps, I always recommend to open a message with support for these issues.

    To set up java AD you must

    Create a service account and SPN in AD

    then add permissions to the account so it can run the CMS

    after it's running the CMS you should enter the SPN (created earlier in the CMC)

    Once this is done you should be able to login with AD via client tools like deski, designer, crystal, or business views, etc.

    Then it's off to get java working

    you will need 2 files bsclogin and krb5.ini

    put them in c:\winnt

    test the krb5.ini by performing kinit (boinstall\javasdk\bin\kinit username)

    When kinit works, you must then specify the file to tomcat in the java options

    and then you can test infoview/cmc

    I will be releasing a shorter white paper in a few weeks on setting just java AD up.

    In the meantime the 3.0 Admin guide should get you there as well.

    Regards,

    Tim


    • Hi David,

      The problem is not one that can be configured in BO. The java SDK is responsible for submitting ticket requests when using a java application server (in .net there is no issue like this).

      So in XIR2 SP2 or later we support 2 java SDK's 1.4 (installed by default) and 1.5 (needs to be added)

      XI 3.x starts with 1.5. Currently 1.6 has not been added to the supported JDK's and that's the one we need to submit users in sam account format (aka pre 2000 username). So all that to say no...

      Oh and the 2nd question.

      Any user that's been imported into BO can have up to 4 aliases, so you can create an enterprise alias for anyone. You can use the import wizard to create a bunch of enterprise aliases based on a file which could be generated by exporting AD info using a tool like ldifde. You can also ask for a script from the SDK forums to create enterprise aliases for existing AD ones. I've seen a few of them floating around there.

      One more thing. If using SSO (previous post) then users don't have to worry about how the username is entered. This is the most common solution.

      Regards,

      Tim

      Edited by: Tim Ziemba on Dec 18, 2008 10:46 AM
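
A pre-check for the krb5.ini mentioned in the answer above, as an added example that is not from the original thread or from SAP: it parses the file and reports mistakes that stop the kinit test before any account problem is reached. The realm and host names are constructed placeholders, and the checks assume KDCs are listed explicitly under [realms].

```python
import re
# Constructed sample krb5.ini; realm and host names are placeholders.
SAMPLE_KRB5_INI = """\
[libdefaults]
    default_realm = example.com
[realms]
    EXAMPLE.COM = {
        kdc = dc01.example.com
    }
    CORP.EXAMPLE.COM = {
        default_domain = corp.example.com
    }
"""

def parse_krb5(text):
    """Return (libdefaults dict, {realm: [kdc, ...]}) from krb5.ini text."""
    libdefaults, realms, section, realm = {}, {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # blank line or comment
            continue
        if m := re.fullmatch(r"\[(\w+)\]", line):
            section, realm = m.group(1), None
        elif section == "libdefaults" and "=" in line:
            key, value = (p.strip() for p in line.split("=", 1))
            libdefaults[key] = value
        elif section == "realms":
            if m := re.fullmatch(r"(\S+)\s*=\s*\{", line):
                realm = m.group(1)           # start of a realm block
                realms[realm] = []
            elif line == "}":
                realm = None                 # end of the realm block
            elif realm and re.match(r"kdc\s*=", line):
                realms[realm].append(line.split("=", 1)[1].strip())
    return libdefaults, realms

def lint_krb5(text):
    """List config problems to fix before testing the file with kinit."""
    libdefaults, realms = parse_krb5(text)
    problems = []
    default = libdefaults.get("default_realm")
    if not default:
        problems.append("no default_realm in [libdefaults]")
    elif default != default.upper():
        # Realm names are case-sensitive; AD realms are the DNS domain in upper case.
        problems.append(f"default_realm '{default}' is not upper case")
    elif default not in realms:
        problems.append(f"default_realm '{default}' has no [realms] entry")
    problems += [f"realm '{r}' lists no kdc" for r, k in realms.items() if not k]
    return problems
```

Run `lint_krb5(open(r"c:\winnt\krb5.ini").read())` against the real file; an empty list means the file is ready for the kinit test.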
