SAP Business Objects 4.2 SP5 Update 2 Authentication (SSO and Manual) Error

sunderbpop
Explorer
0 Kudos

Hi Team,

I have installed SP 4.2 SP5 standalone server with Tomcat and CMS on SQL Server. I configured Windows AD Authentication in the CMC to enable SSO, and I am getting the following error. I need your expertise to resolve this error as I am stuck here. The Enterprise Authentication is working fine.

Authentication Error:

Also, when I tried to log into the Manage Server in CCM, I got the following error:


Server and Software Details:

Server OS: Windows 2012 R2

CMS: SQL Server 2012

BOES: SAP 4.2 SP5 Update 2

I have run the setspn command on the Windows AD server and followed SAP Note 2629070.

Please help me to crack this issue; I appreciate your help.


Thanks

Sunder

Accepted Solutions (1)

BasicTek
Advisor
0 Kudos

Are you using the latest KBA to configure this? https://apps.support.sap.com/sap/support/knowledge/preview/en/2629070

The error on the CCM tells us that the service account running the SIA is not working properly. In the CMC > Authentication > AD, if you switch the Kerberos to NTLM, does it work? (Only test the CCM; this setting won't work with Tomcat.)


If not, then the server is likely out of communication with AD (not joined to the domain, experiencing a DNS or network issue, etc.).


If NTLM works, then the account is not set up properly for Kerberos (SPNs created, entered in the CMC, etc.). Use sections 1 and 2 of the KBA above to set up and verify the settings and perform the tests. Let us know the results.


-Tim


Answers (2)

sunderbpop
Explorer
0 Kudos

Hi Tim,

I am able to log into the CCM and Windows AD authentication using the GroupA AD group. I also have one more AD group, GroupB, added into the CMC, and I am getting an error when any user from GroupB accesses AD authentication. Any help on this issue will be greatly appreciated.

GroupA AD users are working fine on AD Authentication.

GroupB AD users are getting the same error.

"Account information not recognized: An error has occurred propagating the security context between the security server and the client. Please contact your system administrator"


Thanks

Sunder

BasicTek
Advisor
0 Kudos

Sorry for the delay, my notifications stopped working. If a group works and another fails, this is typically indicative of an AD trust or permissions issue. If the proper 2-way forest trust doesn't exist, then the DNS will not be able to resolve the Kerberos requests; mapping doesn't use Kerberos (it uses LDAP), so that can still appear OK. The rules for trusts are all referenced here: https://apps.support.sap.com/sap/support/knowledge/preview/en/1323391


-Tim

sunderbpop
Explorer
0 Kudos

Hi Tim,

I have changed to NTLM in the CMC Windows AD configuration and am getting the following error. I am a member of the same domain, except that for server login we use a different account. I am following the same KBA 2629070.


In the Kerberos configuration I am able to see the Windows AD group with all users listed.


Thanks

Sunder

BasicTek
Advisor
0 Kudos

RE: "I am the member of the same domain except for server login we use different account"


In the CMC when you mapped in your group did you see your user details as well as username? The error isn't signifying that there is anything wrong, but it does clearly state your username was not found.


If the CMC > Authentication > default domain is = to your user

You should be able to look up your mapped-in user under CMC > users and groups > users > click to see properties.

In your user properties, the username is your logon name, and at the bottom where it shows the alias of the account it should have dc=, dc=. Those dc='s should be the same as the default domain we checked in the 1st step; if not, then the user must be logged in via domain\user.


-Tim