
BO XI 3.0 Windows AD authentication with Java Infoview

Former Member

Hi All,

I have been searching through the forums to see if I can find a resolution to my problem with no luck.

I am trying to set up the Java Infoview windows active directory authentication, with a view to going to full SSO using vintela.

I have been following the Business Object Enterprise XI 3.0 Java Info View - Active Directory SSO with Vintela guide, and everything is fine until the "configuring Kerberos for Java application" section. At this point I can log into Deski / Rich Client using Windows AD, but when I try to log into Java Infoview the following error is displayed:

'Account Information Not Recognized: The Active Directory Authentication plugin could not authenticate at this time. Please try again. If the problem persists, please contact your technical support department. (FWM 00005) '

On testing the kinit, the message 'New ticket is stored in cache file...' is displayed.

In the error logs I can find the following errors:

jce_default.log

<log4j:event logger="com.crystaldecisions.sdk.plugin.authentication.ldap.internal.SecWinADAction" timestamp="1233231880107" level="ERROR" thread="http-8080-Processor23">
<log4j:message><![CDATA[LoginContext failed. No valid credentials provided (Mechanism level: Fail to create credential. (63) - No service creds)]]></log4j:message>
</log4j:event>

stdout.log:

Debug is true storeKey false useTicketCache false useKeyTab false doNotPrompt false ticketCache is null isInitiator true KeyTab is null refreshKrb5Config is false principal is null tryFirstPass is false useFirstPass is false storePass is false clearPass is false
[Krb5LoginModule] user entered username: michaelm
Acquire TGT using AS Exchange
principal is michaelm
EncryptionKey: keyType=3 keyBytes (hex dump)=0000: FD 16 9E D9 2A 3D 7F 16
EncryptionKey: keyType=1 keyBytes (hex dump)=0000: FD 16 9E D9 2A 3D 7F 16
EncryptionKey: keyType=23 keyBytes (hex dump)=0000: 76 6B 62 D3 DB 02 3F 90 44 34 69 D8 63 93 CA 66 vkb...?.D4i.c..f
EncryptionKey: keyType=16 keyBytes (hex dump)=0000: 43 67 BF 8A 46 DC 5D AB 3D 4C DF CE 2C 67 83 D9 Cg..F.].=L..,g..
0010: D0 32 43 97 5E 0D 9B 6E
EncryptionKey: keyType=17 keyBytes (hex dump)=0000: 9D 47 FF 40 2D ED F7 28 5C 1A E6 3C 12 C5 CB 3B .G.@-..(\..<...;
Commit Succeeded

The krb5.ini file is as follows:

krb5.ini (note: I have tried the longer version with the libdefaults section and it returns the same error)

[realms]
TEST.INTERNAL = {
kdc = ARWEN.test.internal
}

bscLogin.conf

com.businessobjects.security.jgss.initiate {
com.sun.security.auth.module.Krb5LoginModule required debug=true;
};

Thanks in advance

Mike

Accepted Solutions (0)

Answers (1)

BasicTek (Advisor)

That version of the Vintela doc has issues in XI 3.x. I suggest backing out the configuration and checking this one out: https://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/d0f6ac3c-b3ac-2b10-1b95-c9bd46194977

Regards,

Tim

Former Member

Hi Tim,

Thanks for the response. I have done as suggested; however, the error still occurs. Do you have any other suggestions?

Thanks

Mike

BasicTek (Advisor)

The doc I sent was full of troubleshooting info. Which section failed? Which test failed?

Former Member

Sorry Tim,

It is failing when we try to log on to the Java Infoview. We see the commit succeeded in the stdout.log as below (the "at" signs and domain names have been removed to allow this to save on here):

Debug is true storeKey false useTicketCache false useKeyTab false doNotPrompt false ticketCache is null isInitiator true KeyTab is null refreshKrb5Config is false principal is null tryFirstPass is false useFirstPass is false storePass is false clearPass is false
Krb5LoginModule user entered username: michaelm
Acquire TGT using AS Exchange
principal is michaelm
EncryptionKey: keyType=3 keyBytes (hex dump)=0000: FD 16 9E D9 2A 3D 7F 16
EncryptionKey: keyType=1 keyBytes (hex dump)=0000: FD 16 9E D9 2A 3D 7F 16
EncryptionKey: keyType=23 keyBytes (hex dump)=0000: 76 6B 62 D3 DB 02 3F 90 44 34 69 D8 63 93 CA 66 vkb...?.D4i.c..f
EncryptionKey: keyType=16 keyBytes (hex dump)=0000: 43 67 BF 8A 46 DC 5D AB 3D 4C DF CE 2C 67 83 D9 Cg..F.].=L..,g..
0010: D0 32 43 97 5E 0D 9B 6E
EncryptionKey: keyType=17 keyBytes (hex dump)=0000: 9D 47 FF 40 2D ED F7 28 5C 1A E6 3C 12 C5 CB 3B .G.@-..(\..<...;
Commit Succeeded

and the following error appears in the jce_default.log:

<log4j:event logger="com.crystaldecisions.sdk.plugin.authentication.ldap.internal.SecWinADAction" timestamp="1233231880107" level="ERROR" thread="http-8080-Processor23">
<log4j:message><![CDATA[LoginContext failed. No valid credentials provided (Mechanism level: Fail to create credential. (63) - No service creds)]]></log4j:message>
</log4j:event>

On running kinit with the username michaelm, the ticket message can be seen.

Thanks

Mike

BasicTek (Advisor)

That message usually means the previous test (login with client tools) failed. Can you verify whether you can log in with the client tools on the server (Business Views / Deski / Designer)?

-Tim

Former Member

Hi Tim,

I can log in to Webi Rich Client, Business Views and Designer as the user michaelm with no errors.

Thanks

Mike

BasicTek (Advisor)

"LoginContext failed. No valid credentials provided" can have multiple causes; usually it's the SPN.

If the client tools work and Infoview doesn't, then the other most common cause is krb5.ini problems with multiple domains. Is the user in the default domain, or another?

Also a couple of other things: if you stopped using the original doc, then DES should NOT be checked on the service account, correct?

And a UDP preference limit SHOULD be present in the krb5.ini.

These are no longer common errors with my new doc, but can occur if using older ones.

-Tim

Former Member

Hi Tim,

Thanks for your reply. I have a document detailing all the domain configuration up to this point; can I attach it to this post?

DES is not ticked and the UDP preference limit is set in the krb5.ini file (see below).

Krb5.ini contains:

[libdefaults]
default_realm = TEST.INTERNAL
dns_lookup_kdc = true
dns_lookup_realm = true
udp_preference_limit = 1

[realms]
TEST.INTERNAL = {
kdc = ARWEN.test.internal
default_domain = TEST.INTERNAL
}

Thanks

Mike

BasicTek (Advisor)

Your KDC has a lower-case domain, but that usually causes a different error. Unless NTLM is set in the AD plugin, I'm not sure what would allow the client tools to work and cause the "no creds" error.

-Tim

Former Member

Hi Tim,

We have actually seen this error before (wiki); the summary is:

Symptom:

Null Pointer in InfoView - stdout states "LoginContext failed. No valid credentials provided (Mechanism level: Fail to create credential. (63) - No service creds)"

Solution:

krb5.ini needs to have the DOMAIN.COM the same in all three places as it is on the AD tab:

default_realm = DOMAIN.COM

DOMAIN.COM =
{ default_domain = DOMAIN.COM

Regards,

Miles

BasicTek (Advisor)

Hi Miles,

Thanks for helping. If you look at his sample krb5.ini above, the 3 sections are already equal, but the KDC has lower-case letters in it, so that might be a new reason for that error.

-Tim

Former Member

Exactly, Tim, I should have been more specific. As we know, a best practice with Kerberos is to keep almost everything in uppercase; in fact it doesn't hurt to put everything in uppercase all of the time, and it avoids having to decode cryptic error messages.
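The realm-consistency rules given in the last few replies (the realm spelled identically in default_realm, in its [realms] block name and in default_domain; realm and KDC names uppercase; udp_preference_limit present) can be checked mechanically before restarting Tomcat. The following script is an added example, not code from this thread or from SAP/BusinessObjects; the sample krb5.ini strings in it are constructed for the example (the first reproduces the file posted above), and the parser is a minimal one written here for krb5.ini's section/brace layout rather than a library.

```python
"""Consistency checks for the krb5.ini a Java Krb5LoginModule client reads.

Added example, not from the thread or from SAP. It encodes the rules given
in the replies: the realm must be spelled identically in default_realm, in
its [realms] block name and in default_domain; realm and KDC names should
be uppercase; udp_preference_limit should be present.
"""
import re

# Constructed sample: the krb5.ini posted in the thread (KDC host is lowercase).
ORIGINAL_INI = """
[libdefaults]
default_realm = TEST.INTERNAL
dns_lookup_kdc = true
dns_lookup_realm = true
udp_preference_limit = 1

[realms]
TEST.INTERNAL = {
kdc = ARWEN.test.internal
default_domain = TEST.INTERNAL
}
"""

# Constructed sample: the same file with the KDC name uppercased.
FIXED_INI = ORIGINAL_INI.replace("ARWEN.test.internal", "ARWEN.TEST.INTERNAL")

# Constructed sample in the brace-on-next-line layout of the wiki excerpt.
BRACE_NEXT_LINE_INI = """
[libdefaults]
default_realm = DOMAIN.COM
[realms]
DOMAIN.COM =
{ default_domain = DOMAIN.COM
kdc = KDC.DOMAIN.COM
}
"""


def parse_krb5(text):
    """Parse krb5.ini into {section: {key: value or {subkey: value}}}.

    Supports both "NAME = {" and "NAME =" followed by "{" on the next line.
    """
    cfg = {}
    section = None   # current [section]
    block = None     # current NAME = { ... } sub-block, if inside one
    pending = None   # NAME whose opening brace has not been seen yet
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        header = re.match(r"^\[(\w+)\]$", line)
        if header:
            section = header.group(1)
            cfg.setdefault(section, {})
            block = pending = None
            continue
        if section is None:
            continue
        if line == "}":
            block = None
            continue
        if line.startswith("{"):          # brace on its own line after "NAME ="
            block, pending = pending, None
            cfg[section].setdefault(block, {})
            line = line[1:].strip()
            if not line:
                continue
        if block is None and re.match(r"^[^=]+=\s*\{?$", line):
            name = line.split("=", 1)[0].strip()
            if line.endswith("{"):
                block = name
                cfg[section].setdefault(block, {})
            else:
                pending = name
            continue
        if "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            target = cfg[section][block] if block is not None else cfg[section]
            target[key] = value
    return cfg


def check_krb5(cfg):
    """Return a list of findings; an empty list means every rule passed."""
    findings = []
    libdefaults = cfg.get("libdefaults", {})
    realms = cfg.get("realms", {})
    default_realm = libdefaults.get("default_realm")
    if default_realm is None:
        return ["libdefaults: default_realm is missing"]
    if default_realm != default_realm.upper():
        findings.append(f"libdefaults: default_realm '{default_realm}' is not uppercase")
    if "udp_preference_limit" not in libdefaults:
        findings.append("libdefaults: udp_preference_limit is missing")
    for name in realms:
        if name != name.upper():
            findings.append(f"realms: realm name '{name}' is not uppercase")
    block = realms.get(default_realm)
    if block is None:
        findings.append(f"realms: no '{default_realm}' block matching default_realm")
        return findings
    domain = block.get("default_domain")
    if domain != default_realm:
        findings.append(f"realms/{default_realm}: default_domain '{domain}' differs from default_realm")
    kdc = block.get("kdc")
    if kdc is None:
        findings.append(f"realms/{default_realm}: kdc is missing")
    elif kdc.split(":")[0] != kdc.split(":")[0].upper():   # ignore an optional :port
        findings.append(f"realms/{default_realm}: kdc '{kdc}' is not uppercase")
    return findings


if __name__ == "__main__":
    for label, ini in (("posted", ORIGINAL_INI), ("fixed", FIXED_INI)):
        print(label, check_krb5(parse_krb5(ini)) or "OK")
```

Run against the posted file it reports only the lower-case KDC name that Tim pointed out; against the uppercased copy it reports nothing. The checks are deliberately stricter than what MIT/Java Kerberos actually requires (the realm, not the KDC host, is case-sensitive), which matches the "uppercase everything" practice Miles describes and keeps the file free of the ambiguity that produces the (63) No service creds message.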

Former Member

Hi Tim, Miles,

I have updated the krb5.ini to be uppercase, stopped and started Tomcat, and the following errors are recorded.

jce_default.log

<log4j:event logger="com.crystaldecisions.sdk.plugin.authentication.ldap.internal.SecWinADAction" timestamp="1233742938010" level="ERROR" thread="http-8080-Processor23">
<log4j:message><![CDATA[LoginContext failed. No valid credentials provided (Mechanism level: Fail to create credential. (63) - No service creds)]]></log4j:message>
</log4j:event>

stdout.log

Debug is true storeKey false useTicketCache false useKeyTab false doNotPrompt false ticketCache is null isInitiator true KeyTab is null refreshKrb5Config is false principal is null tryFirstPass is false useFirstPass is false storePass is false clearPass is false
[Krb5LoginModule] user entered username: michaelm
Acquire TGT using AS Exchange
principal is michaelm
EncryptionKey: keyType=3 keyBytes (hex dump)=0000: FD 16 9E D9 2A 3D 7F 16
EncryptionKey: keyType=1 keyBytes (hex dump)=0000: FD 16 9E D9 2A 3D 7F 16
EncryptionKey: keyType=23 keyBytes (hex dump)=0000: 76 6B 62 D3 DB 02 3F 90 44 34 69 D8 63 93 CA 66 vkb...?.D4i.c..f
EncryptionKey: keyType=16 keyBytes (hex dump)=0000: 43 67 BF 8A 46 DC 5D AB 3D 4C DF CE 2C 67 83 D9 Cg..F.].=L..,g..
0010: D0 32 43 97 5E 0D 9B 6E
EncryptionKey: keyType=17 keyBytes (hex dump)=0000: 9D 47 FF 40 2D ED F7 28 5C 1A E6 3C 12 C5 CB 3B .G.@-..(\..<...;
Commit Succeeded

BasicTek (Advisor)

OK, so the "commit succeeded" indicates that the Java portion of the login succeeded; the "no creds" indicates we did not successfully pass the ticket to the CMS. This usually indicates that the service account is to blame, or, when using multiple domains, that the transitive trust relationship is not being specified in the krb5.ini.

From the looks of your krb5 you are only using 1 domain, and you said client tools work (indicating the service account is fine). At this point you may need to open a case with support.

In the CMC, Kerberos is enabled, correct? And what value did you put in the service principal name?

Regards,

Tim

Former Member

Hi Tim,

Kerberos is enabled in the CMC and the service principal name is set as ilfcboservice at test.internal.

We are in the process of double checking the entire configuration to see if we have missed any steps.

Thanks

Mike

Former Member

Hi Tim,

We regenerated the SPN using KTPASS, and on using this SPN it is now working.

Thanks

Mike