Skip to Content
0
Former Member
Apr 21, 2009 at 08:34 AM

Windows AD multi-domains settings

148 Views

Hi,

We are using Crystal Report Server 2008 (BOE 3.1) with Tomcat installed on Windows Server 2003. We have configured Windows authentication and Vintela SSO with Kerberos, and it works fine...for 1 domain.

We have multiple AD domains, all in the same forest. For the moment I have declared only 2 of them in the Krb5.ini file, but only the one where CRS is installed works fine (domain1.com). I have been able to import a user from the other domain (domain2.com) in the database (via CMC, and using the "UseFQDNForDirectoryServers" registry thing - ), but this user cannot connect to the Java Apps (CMC or Infoview...). This fails with following log:

>>> KrbKdcReq send: kdc=+kdc.domain2.com+ TCP:88, timeout=30000, number of retries =3, #bytes=2719
>>>DEBUG: TCPClient reading 2682 bytes
>>> KrbKdcReq send: #bytes read=2682
>>> KrbKdcReq send: #bytes read=2682
>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
>>> Credentials acquireServiceCreds: got tgt
>>> Credentials acquireServiceCreds: continuing with main loop counter reset to 1
>>> Credentials acquireServiceCreds: main loop: [1] tempService=krbtgt/+domain1.com[AT]parentdomain.com+
default etypes for default_tgs_enctypes: 16 23 1 3.
>>> CksumType: sun.security.krb5.internal.crypto.RsaMd5CksumType
>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
>>> Credentials acquireServiceCreds: no tgt; searching backwards
>>> Credentials acquireServiceCreds: no tgt; cannot get creds
KrbException: Fail to create credential. (63) - No service creds
	at sun.security.krb5.internal.CredentialsUtil.acquireServiceCreds(CredentialsUtil.java:279)

While trying the kinit command it succeeds with the message: "New ticket is stored in cache file ...".

Where could this come from..?