on 10-31-2008 12:52 AM
Hi,
Trying to configure windows AD authentication XI 3.0
When logging to CMC or Infoview it errors out with the message:
"Account information not recognised:Active directory authentication failed you to logon.Please contact your system administrator to make sure you are a member of a valid mapped group and try again.If you are not a member of a default domain,enter your username as UserName@DNS_DomainName and try again".
Please advise.
Thanks.
Setting up AD is a bit complicated and that error could be for anything.
We have to break things out into steps. I always recommend opening a message with support for these issues.
To set up java AD you must
Create a service account and SPN in AD
then add permissions to the account so it can run the CMS
after it's running the CMS you should enter the SPN (created earlier in the CMC)
Once this is done you should be able to login with AD via client tools like deski, designer, crystal, or business views, etc.
Then it's off to get java working
you will need 2 files bsclogin and krb5.ini
put them in c:\winnt
test the krb5.ini by performing kinit (boinstall\javasdk\bin\kinit username)
When kinit works, you must then specify the file to tomcat in the java options
and then you can test infoview/cmc
I will be releasing a shorter white paper in a few weeks on setting just java AD up.
In the meantime the 3.0 Admin guide should get you there as well.
Regards,
Tim
We have successfully set up Windows AD with Kerberos with BOE XI 3.0, Tomcat, and a Windows 2003 domain controller. We've added some AD Groups and these users can log on to InfoView and CMC using Windows AD authentication. We are not using Vintela.
The user name format in AD is:
username at domain.com
The pre-Windows 2000 log on name format in AD is ABC\username.
The only user name formats that work are:
username at DOMAIN.COM and USERNAME at DOMAIN.COM
The shorter formats
ABC\username and ABC\USERNAME
do not work to log on to BOE. The following formats do not work:
USERNAME at DOMAIN.COM and username at domain.com
The default domain is set to domain.com (lower case) in the CMC.
Is there some way to adjust the BOE Windows AD configuration to enable the shorter format ABC\username? Is there some change that can be made on the domain controller to enable this?
Better yet is there a way to integrate to Windows AD so groups are imported and users are created but users could log on using Enterprise authentication? Users would only have to provide a username and password. Said another way, can BOE be set up to automatically create an Enterprise account using the username and password from the Windows AD domain?
--
David
Hi David,
The problem is not one that can be configured in BO. The java SDK is responsible for submitting ticket requests when using a java application server (in .net there is no issue like this).
So in XIR2 SP2 or later we support 2 java SDK's: 1.4 (installed by default) and 1.5 (needs to be added).
XI 3.x starts with 1.5. Currently 1.6 has not been added to the supported JDK's and that's the one we need to submit users in sam account format (aka pre 2000 username). So all that to say no...
Oh and the 2nd question.
Any user that's been imported into BO can have up to 4 aliases, so you can create an enterprise alias for anyone. You can use the import wizard to create a bunch of enterprise aliases based on a file which could be generated by exporting AD info using a tool like ldifde. You can also ask for a script from the SDK forums [original link is broken] to create enterprise aliases for existing AD ones. I've seen a few of them floating around there.
One more thing. If using SSO (previous post) then users don't have to worry about how the username is entered. This is the most common solution.
Regards,
Tim
Edited by: Tim Ziemba on Dec 18, 2008 10:46 AM