Hello all,
If you are experiencing a 'null' value after login in InfoView with Vintela WinAD SSO completely set up, please have a look at the following.
Recently we were implementing XI31 WinAD SSO on a Win2008 environment.
We did everything according to the official documents from SAP/BO (reviewed the XI, XIr2 and XI3.x Vintela guides).
We used the following:
- BOXI31 on Win2008 single-server
- WinAD (2008) domain controllers (2 servers)
- Tomcat55
We configured:
- winad and winadsso service accounts with:
  - RC4 encryption
  - trusted for delegation
  - password never expires
  - act as part of OS policy
  - local admin rights
- setspn and ktpass (including keytab file)
- SIA startup with winad service account
- CMC for WinAD with SSO kerberos
- Tomcat Config parameters (also tried the wedgetail password instead of keytab)
- web.xml for InfoViewApp
- server.xml for maxHttpHeaderSize
But we still ended up with a 'null' value when trying to use SSO login for InfoView.
After a WebEx session with SAP support, it appeared that there is a known bug for WinAD 2008 with Vintela.
See resolution below...
You must apply a hotfix to your domain controller(s) to fix this issue.
-
As per our conversation, there is a Microsoft bug related to configuring Vintela with an Active Directory Domain Controller installed on Windows Server 2008. Please find below the details of the issue:
1292886 - Client not found in Kerberos database when trying to set up Vintela or other Kerberos options with Windows 2008 domain controllers
Symptom
- kinit receives "client not found in kerberos database"
- Tomcat logs show "client not found in kerberos database"
- unable to receive a ticket from AD
- KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN seen in a packet scan for the failed TGS request
Reproducing the Issue
The issue could occur on all Kerberos implementations of XIR1, XIR2 or XI3.x, .NET or Java, on any server when TGS requests are being sent to an Active Directory 2008 domain controller (KDC).
Cause
The cause is a Microsoft bug on 2008 domain controllers.
Note that there are other causes of this error: "client not found in kerberos database" means that the username requesting a ticket from AD is not being found in AD.
Resolution
The resolution is to apply the following Microsoft patch to all 2008 DCs that we may need to authenticate against.
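Because the KB note points out that "client not found in kerberos database" has other causes besides the DC bug, the keytab produced by the ktpass step above is worth verifying before opening a support case: the principal inside it must be exactly the SPN registered with setspn, and it must carry a key of the encryption type the service account was configured for (RC4 in the setup described). The following is an added example, not code from the original post or from SAP/Vintela: a small parser for the MIT-format keytab that ktpass writes, plus a check function. The sample keytab, the host name boxi.example.local and the realm EXAMPLE.LOCAL are constructed for the example.

```python
"""Parse an MIT-format (version 0x0502) keytab, as written by ktpass, and
check that it holds the expected SPN with the expected encryption type.

The keytab bytes used below are CONSTRUCTED in memory for this example;
build_keytab() exists only to produce that sample, ktpass writes the real file.
"""
import struct

# Encryption type numbers from RFC 3961 / RFC 4757 (rc4-hmac is 23).
ENCTYPES = {1: "des-cbc-crc", 3: "des-cbc-md5", 17: "aes128-cts-hmac-sha1-96",
            18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}


def _counted(buf, off):
    """Read a counted_octet_string: 16-bit big-endian length, then bytes."""
    (n,) = struct.unpack_from(">H", buf, off)
    off += 2
    return buf[off:off + n], off + n


def parse_keytab(data):
    """Return one dict per keytab entry (principal, kvno, enctype, key length)."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %r" % data[:2])
    off, entries = 2, []
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size <= 0:              # negative size marks a deleted slot: skip it
            off += -size
            continue
        end = off + size
        (ncomp,) = struct.unpack_from(">H", data, off)
        off += 2
        realm, off = _counted(data, off)
        comps = []
        for _ in range(ncomp):     # v2 counts components without the realm
            c, off = _counted(data, off)
            comps.append(c.decode())
        name_type, _timestamp, vno8 = struct.unpack_from(">IIB", data, off)
        off += 9
        enctype, keylen = struct.unpack_from(">HH", data, off)
        off += 4
        key = data[off:off + keylen]
        off += keylen
        kvno = vno8
        if end - off >= 4:         # optional 32-bit kvno overrides the 8-bit field
            (kvno32,) = struct.unpack_from(">I", data, off)
            if kvno32:
                kvno = kvno32
        off = end
        entries.append({"principal": "/".join(comps) + "@" + realm.decode(),
                        "name_type": name_type, "kvno": kvno, "enctype": enctype,
                        "enctype_name": ENCTYPES.get(enctype, "unknown(%d)" % enctype),
                        "keylen": len(key)})
    return entries


def build_keytab(entries):
    """Serialise (principal, kvno, enctype, key) tuples into a v2 keytab.
    Only used to construct the sample below."""
    out = bytearray(b"\x05\x02")
    for principal, kvno, enctype, key in entries:
        name, realm = principal.rsplit("@", 1)
        comps = name.split("/")
        body = bytearray(struct.pack(">H", len(comps)))
        for s in [realm] + comps:
            b = s.encode()
            body += struct.pack(">H", len(b)) + b
        body += struct.pack(">IIB", 1, 0, kvno & 0xFF)   # NT-PRINCIPAL, timestamp, vno8
        body += struct.pack(">HH", enctype, len(key)) + key
        body += struct.pack(">I", kvno)                  # 32-bit kvno
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def check_keytab(data, expected_spn, expected_enctype=23):
    """Check that the keytab holds exactly the registered SPN and a key of the
    expected enctype for it. Comparison is exact: a case or realm mismatch
    between keytab and setspn is a real misconfiguration, so it is not masked."""
    entries = parse_keytab(data)
    matching = [e for e in entries if e["principal"] == expected_spn]
    return {"principals": sorted({e["principal"] for e in entries}),
            "spn_present": bool(matching),
            "enctype_ok": any(e["enctype"] == expected_enctype for e in matching),
            "kvnos": sorted({e["kvno"] for e in matching})}


# Constructed sample: one RC4 and one AES256 key for the same SPN (dummy key bytes).
SAMPLE_KEYTAB = build_keytab([
    ("HTTP/boxi.example.local@EXAMPLE.LOCAL", 3, 23, bytes(range(16))),
    ("HTTP/boxi.example.local@EXAMPLE.LOCAL", 3, 18, bytes(range(32))),
])

if __name__ == "__main__":
    for e in parse_keytab(SAMPLE_KEYTAB):
        print(e)
    print(check_keytab(SAMPLE_KEYTAB, "HTTP/boxi.example.local@EXAMPLE.LOCAL"))
```

Run it against a real file with `check_keytab(open(path, "rb").read(), spn)` and compare the reported kvno with the account's current msDS-KeyVersionNumber: a keytab whose kvno lags the account (for example after a password reset) or whose principal differs from the setspn output produces exactly the "client not found" class of failure the KB note says has causes other than the DC bug.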