Former Member

Vintela filter not getting loaded - for BOE 3.1 SSO

As per the guide - "Configuring the vintela sso in distributed environment - complete guide"

I am able to log in to the Java InfoView with an Active Directory id/password.

For the SSO, I modified the web.xml as per the documentation. I restarted Tomcat. When I searched for the string "credentials obtained" I can't find it. So it is not loading the filter correctly.

(The kinit command is working fine.)

1. How do I troubleshoot the Vintela filter?

2. My UPN is bosso/bossosvcacct.mydomain.com-at-MYDOMAIN.COM

I wonder whether it should be uppercase for the initial part of the string.

( BOSSO/bossosvcacct.mydomain.com-at-MYDOMAIN.COM)

Thanks,

VB

11 Answers

  • Former Member
    Posted on Jun 09, 2009 at 05:45 PM

    I had to post the message with "-at-" instead of "@", due to the forum email address filters.

    So you need to read it with "@" before MYDOMAIN.COM.

    Thanks in advance


  • Posted on Jun 09, 2009 at 10:28 PM

    You should have added a line to the Tomcat Java options that starts with -Djcsi.kerberos.debug=true or something like that. In the tomcat55\logs directory any errors will be in the stdout.log (where you searched for "credentials obtained") or the tomcat.log.

    When you kinit the value for idm.princ@IDM.REALM.COM (BOSSO/bossosvcacct.mydomain.com-at-MYDOMAIN.COM), does it succeed?


  • Former Member
    Posted on Jun 10, 2009 at 01:50 AM

    Tim,

    1. Yes. I set the option "-Djcsi.kerberos.debug=true" for Tomcat.

    In the C:\Program Files (x86)\Business Objects\Tomcat55\logs directory

    the files stdout.log and tomcat.log don't contain the "credentials obtained" string.

    2. Here is my kinit output, which is successful.

    C:\Program Files (x86)\Business Objects\javasdk\bin>kinit bosso/bossosvcacct.mydomain.com

    Password for bosso/bossosvcacct.mydomain.com @ MYDOMAIN.COM:password

    New ticket is stored in cache file C:\Documents and Settings\vb\krb5cc_vb

    Also, when I created the SPN it was bosso/bossosvcacct.mydomain.com and not BOSSO/bossosvcacct.mydomain.com.

    I wonder whether I should create the SPN with uppercase BOSSO?

    Please advise.

    VB


  • Former Member
    Posted on Jun 10, 2009 at 02:20 PM

    Tim,

    No. I have the Tomcat Java setting as

    -Dcom.wedgettail.idm.sso.password=password

    (I had planned to use a keytab once SSO is working.)

    VB


    • Former Member

      Hope you added the server name to the SPN command; below is an example.

      setspn -A HTTP/servername bossosvcacct

      setspn -A HTTP/<server with domain name> bossosvcacct

      setspn -A HTTP/<server ip> bossosvcacct

  • Former Member
    Posted on Jun 10, 2009 at 05:29 PM

    Yes. See the output of setspn:

    C:\>setspn -l bossosvcacct

    Registered ServicePrincipalNames for CN=Business Objects SSO Service Account,CN=

    Users,DC=bobj,DC=lab,DC=mygroup,DC=co,DC=uk:

    HTTP/10.1.1.131

    HTTP/sapv-trng01.bobj.lab.mygroup.co.uk

    HTTP/sapv-trng01

    bosso/bossosvcacct.bobj.lab.mygroup.co.uk


  • Former Member
    Posted on Jun 10, 2009 at 06:44 PM

    Since the Vintela filter is not working, neither is my SSO for InfoView.

    It is still prompting me with the login screen. (My manual login is working fine.)

    Please guide me .

    Thanks

    Edited by: Vasu Bollepalli on Jun 10, 2009 10:25 PM


    • OK, if you are sure you are using the password in Tomcat, you have -Djcsi.kerberos.debug enabled as well, and the keytab is definitely commented out or doesn't exist, then you should see errors in the Tomcat log, unless you haven't uncommented the Vintela filter and filter mapping.

      Regards,

      Tim

  • Former Member
    Posted on Aug 06, 2009 at 01:16 PM

    Hi Tim,

    We are setting up BO XI R3.0 with a Java application server and AD authentication (functional level Windows 2000 native on Windows 2003 Server).

    I followed your guide "Configuring Vintela SSO in Distributed Environment - Vintela Configuration only" entirely, but I'm not able to open InfoView.

    This is the screen from InfoView using my username (HTTP Status 500 - com.wedgetail.idm.sso.ProtocolException: com.wedgetail.idm.spnego.server.SpnegoException: GSSException: Failure unspecified at GSS-API level (Mechanism level: com.dstc.security.kerberos.KerberosException: Could not decrypt service ticket with Key type 23, KVNO 2, Principal "HTTP/dretlbor3.POSTEVITA@POSTEVITA" using key: Principal: BOSSO/bossosvacct.postevita@POSTEVITA Type: 1 TimeStamp: Thu Jan 01 01:00:00 CET 1970 KVNO: -1 Key: [23, 1 72 f5 fc 0 48 e1 1a f1 4a 31 78 1 82 aa 2b ] Exception for this key was: com.dstc.security.kerberos.CryptoException: Integrity check failure[Note: principal names are different; this may or may not be a problem] [Note: KVNO used wildcard match, not exact match; perhaps the password used to generate this key is not the most recent password?] ).

    One time I used the Tomcat password (-Dcom.wedgetail.idm.sso.password=XXX); another time I used a keytab file.

    Finally, my goal is to log in to InfoView without the logon screen.

    Where is my problem?


  • Former Member
    Posted on Aug 06, 2009 at 01:20 PM

    Sorry Tim,

    I tried to log on to InfoView from another client using the BOSSOSVACCT username and I received HTTP Status 404 - InfoviewApp/logon.jsp.

    If you want I can post my Tomcat stdout.log (it seems I have no errors).


    • CryptoException: Integrity check failure is the error we used to receive when using DES encryption. Is DES encryption selected on the service account? If so, remove it (propagation of this could take some time in larger AD environments). You should launch the MMC from the BO server and, using the Users and Computers snap-in, look up the service account. Once located, the account properties have a DES checkbox that must be unchecked.

      Regards,

      Tim

  • Former Member
    Posted on Aug 07, 2009 at 09:26 AM

    Thanks for your response Tim,

    but I'm not using DES encryption on my service account.

    The problem is the same.

    The only different thing is the SETSPN HTTP/FQDN tomcat server accountname, where I used:

    setspn HTTP/xxXXX:domain account

    but my web application responds at http://xxxxx:8080/InfoviewApp/Logon.jsp

    Where is my problem?

    Thanks


    • Case of the SPN doesn't matter unless you have DES enabled, and unless you have another error message in the Tomcat log, the problem is with encryption, based on your previous error.

      Verify the following...

      idm.princ@IDM.REALM = Vintela service account SPN

      kinit idm.princ should return a ticket (if the service account is in the default domain).

      idm.princ@idm.realm must = the service account UPN, aka 2003 logon name, aka user logon name.

      The only errors that are of any concern will show up in the tomcat.log.

      Regards,

      Tim

  • Former Member
    Posted on Aug 10, 2009 at 08:34 AM

    Thank you Tim,

    but I have not resolved my problem.

    You told me:

    "idm.princ @IDM.REALM = vintela service account SPN kinit idm.princ should return a ticket (if the service account is in the default domain)."

    I launched kinit BOSSO/bossosvacct.postevita (my SPN service account); the system asked me for the service account's password; I entered the SPN service account password and I received a new ticket:

    C:\Documents and Settings\Administrator.DOMAIN>D:\Programmi\javasdk\bin\kinit.exe BOSSO/bossosvacct.postevita

    Password for BOSSO/bossosvacct.domain@DOMAIN:XXXXXXXXX

    New ticket is stored in cache file C:\Documents and Settings\Administrator.DOMAIN\krb5cc_Administrator

    I don't understand what you mean by:

    idm.princ @idm.realm must = the service account UPN aka 2003 logon name aka user logon name

    Sorry for my stupid request.

    Finally, from my Active Directory MMC I read:

    SPN service account: HHTP/172.31.X.XXX ( IP of tomcat Server )

    HHTP/DRETLBOR3.DOMAIN ( FQDN of myJava Server Application on windows2oo3 )

    HHTP/DRETLBOR3 ( The Tomcat Server )

    BOSSO/bossosvacct.postevita

    UPN service account: BOSSO/bossosvacct.postevita@POSTEVITA

    Is it correct?


    • OK, if this can kinit BOSSO/bossosvacct.postevita and pull a ticket, then it should start the auth filter fine as well, unless the idm.realm is wrong. Is the idm.realm equal to the default domain in the krb5.ini? Is it in all caps?

      To start the auth filter, all Tomcat has to do is kinit the service account. You are saying this value causes a 404, which means Tomcat cannot kinit the service account, which is the reason for all my verification.

      Why are there 2 H's in all the HTTP SPNs; a typo in this post? The HTTP part is mandatory.

      Regards,

      Tim
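Tim's verification list (idm.princ = SPN, idm.realm = krb5.ini default realm in caps, UPN = idm.princ@idm.realm, HTTP service class spelled right) and the "Could not decrypt service ticket" error quoted earlier in the thread, turned into a small offline checker. This is an added example, not code from the thread, the Vintela guide or the product; the host names, realm, SPN list and the error string are constructed placeholders modelled on the thread, and the regexes accept both plain and HTML-escaped (&quot;) quotes because the forum copy was escaped.

```python
import re
ETYPES = {1: "des-cbc-crc", 3: "des-cbc-md5", 17: "aes128-cts", 18: "aes256-cts", 23: "rc4-hmac"}  # etype numbers
CONSTRUCTED_ERROR = (  # modelled on the 500 error quoted in the thread; host and realm are placeholders
    "Could not decrypt service ticket with Key type 23, KVNO 2, Principal &quot;HTTP/tomcat01.EXAMPLE.TEST"
    "@EXAMPLE.TEST&quot; using key: Principal: BOSSO/bossosvacct.example.test@EXAMPLE.TEST Type: 1 "
    "KVNO: -1 Key: [23, 1 72 f5 fc ] Exception for this key was: CryptoException: Integrity check failure"
    "[Note: principal names are different; this may or may not be a problem] [Note: KVNO used wildcard match]")

def check_sso_config(idm_princ, idm_realm, spns, upn, default_realm):
    """Tim's checklist as code. Returns a list of findings; an empty list means consistent."""
    findings = []
    if idm_realm != idm_realm.upper():
        findings.append("idm.realm must be written in upper case")
    if idm_realm.upper() != default_realm.upper():
        findings.append("idm.realm does not match default_realm in krb5.ini")
    # AD matches SPNs case-insensitively (case only matters with DES), so compare lower-cased
    if idm_princ.lower() not in {s.lower() for s in spns}:
        findings.append("idm.princ is not registered as an SPN on the service account")
    if upn.lower() != f"{idm_princ}@{idm_realm}".lower():
        findings.append("service account UPN (user logon name) must equal idm.princ@idm.realm")
    # Browsers request HTTP/<host>; any other class on an HTTP-looking SPN (e.g. HHTP) is a typo
    for spn in spns:
        svc = spn.split("/", 1)[0]
        if svc.upper() != "HTTP" and svc.lower() != idm_princ.split("/", 1)[0].lower():
            findings.append(f"unexpected service class in SPN {spn!r}; HTTP is mandatory")
    return findings

def diagnose_decrypt_failure(msg):
    """Extract the facts from a 'Could not decrypt service ticket' message; None if it is another error."""
    q = r'(?:"|&quot;)'
    ticket = re.search(rf'Key type (\d+), KVNO (-?\d+), Principal {q}([^"&]+){q}', msg)
    key = re.search(r"using key: Principal: (\S+) .*?Key: \[(\d+),", msg)
    if not (ticket and key):
        return None
    facts = {"ticket_etype": int(ticket.group(1)), "kvno": int(ticket.group(2)),
             "ticket_principal": ticket.group(3), "key_principal": key.group(1),
             "key_etype": int(key.group(2)), "findings": []}
    if facts["ticket_etype"] != facts["key_etype"]:
        facts["findings"].append(f"ticket is {ETYPES.get(facts['ticket_etype'])} but the service key is "
                                 f"{ETYPES.get(facts['key_etype'])}: encryption type mismatch")
    elif "Integrity check failure" in msg:
        # Same etype, wrong key: the key was derived from a different password than the KDC holds
        facts["findings"].append("service key does not match the account password (stale "
                                 "-Dcom.wedgetail.idm.sso.password value or keytab)")
    if "KVNO used wildcard match" in msg:
        facts["findings"].append(f"KVNO {facts['kvno']} matched by wildcard; the password may have changed")
    if "principal names are different" in msg:
        facts["findings"].append(f"ticket for {facts['ticket_principal']} decrypted with key for "
                                 f"{facts['key_principal']}: both must be SPNs of one account")
    return facts
```

On the thread's own error both etypes are 23 (rc4-hmac), so the checker points at the password/keytab rather than at the DES setting, which matches where the discussion ended up.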
