Mar 03, 2009 at 03:17 PM

Java AD/Kerberos SSO with BOXI 3.1 Cluster


Hello Folks,

I'm currently trying to connect a BOXI 3.1 cluster to WinAD/Kerberos for SSO. The cluster itself runs fine, but the AD makes trouble.

The cluster has two Windows 2003 SP2 servers with BOXI 3.1 and SAPITK 3.1 installed, both without a FP. We are using only one Tomcat, so the second is disabled.

I'm first at the step of manual AD authentication without SSO. That's how it looks:

1. CMS User created as shown in the Guide

2. "SETSPN -A BOBJCentralMS/DOMAIN.COM cmsuser" ( as shown in the Guide )

3. Both SIAs log on as "DOMAIN\cmsuser" ("cmsuser" is a local admin, so the services start)

4. AD Admin Name in CMC is "cmsuser-AT-DOMAIN.COM"

Default AD Domain is: DOMAIN.COM

5. Principal in CMC is "BOBJCentralMS/DOMAIN.COM"

6. SSO not checked

7. A group could be mapped

8. bscLogin and krb5 files are correct and mapped in the "Java" Tab on Tomcat

The error message is that the user can't log on and the admin should check if the user is in a valid group. The user is in a valid group, because we already have a DEV environment running on a single BOXI 3.0 machine with AD/Kerberos SSO where the user is in that group and he can log in successfully.

My opinion is that point 2 isn't correct. On a single machine you put the full FQDN in there. If you use a clustered environment you have to put in the domain (as described in the 3.1 admin guide). But under the domain name the CMSs can't query AD; they do so via the FQDN, I guess.

So any ideas? Should it work if I create two SPN accounts for both nodes in the cluster and run each SIA under a different account?

I also tried in step 2 using the cluster name instead of the domain, but that didn't do the trick either.

Thanks for any help!

Regards

-Seb.

Edited by: Sebastian Wiefett on Mar 3, 2009 4:29 PM
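An added diagnostic that is not part of Sebastian's post: it looks up which AD account(s) hold the CMS SPN from step 2 and flags the two states that break Kerberos for the cluster, no holder at all or more than one holder (a duplicate SPN). It assumes the SPN value "BOBJCentralMS/DOMAIN.COM" from the post and a domain-joined host; it only reads the directory.

```powershell
# Added example, not from the original post. Read-only LDAP query via
# System.DirectoryServices, which is available on Windows 2003 hosts too.
$spn = "BOBJCentralMS/DOMAIN.COM"   # SPN from the post; adjust to your own

$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.Filter = "(servicePrincipalName=$spn)"
[void]$searcher.PropertiesToLoad.Add("sAMAccountName")
[void]$searcher.PropertiesToLoad.Add("servicePrincipalName")
$hits = $searcher.FindAll()

if ($hits.Count -eq 0) {
    Write-Output "No account holds $spn - the KDC cannot issue a service ticket for the CMS."
} elseif ($hits.Count -gt 1) {
    Write-Output "DUPLICATE SPN: $spn is registered on $($hits.Count) accounts; Kerberos will fail for all of them."
} else {
    Write-Output "OK: $spn is registered on exactly one account."
}

# Show every holder and the full SPN list on that account, so a stale
# FQDN-style entry (e.g. from an earlier single-server setup) is visible.
foreach ($h in $hits) {
    $acct = $h.Properties["samaccountname"][0]
    Write-Output "Holder: $acct"
    foreach ($s in $h.Properties["serviceprincipalname"]) {
        Write-Output "    $s"
    }
}
```

Run it as any domain user; if the account shown is not the one both SIAs log on as, the CMS cannot decrypt the service tickets the KDC issues for that SPN.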