
BOXI R1, Tomcat, IIS, SSO issue

Former Member

I've just finished migrating reports from my old BOXI server which used Enterprise logon only.

I've setup end to end SSO (using service account and not machine account for IIS) with the help of the documentation, but I'm not getting the desired results (i.e. it isn't working).

I used SETSPN to the DNS name I have created for the host and not its actual machine name. Looking at the AD account for the service account I can see HTTP being a

On the Crystal web server I can see in the IIS logs that my logon is requesting the web pages, but I am only left with the normal logon prompt page.

Logging onto the web interface from the Crystal web server:

- If I then logon with my AD account, where the address specifies the machine name, then I can logon fine.

- If I then logon with my AD account, where the address specifies the DNS host name, then I get the error "An error has occurred propagating the security context between the security server and the client."

- If I then logon with my AD account, where the address specifies the DNS FQDN name, then I get the error "An error has occurred propagating the security context between the security server and the client."

Logging onto the web interface from my desktop:

- If I then logon with my AD account, where the address specifies the machine name, then I get the error "An error has occurred propagating the security context between the security server and the client."

- If I then logon with my AD account, where the address specifies the DNS host name, then I get the error "An error has occurred propagating the security context between the security server and the client."

- If I then logon with my AD account, where the address specifies the DNS FQDN name, then I get the error "An error has occurred propagating the security context between the security server and the client."

setspn -L WLONW18

Registered ServicePrincipalNames for CN=WLONW18,OU=Web,OU=Servers,DC=UK,DC=fcl,DC=internal:

BOBJWebiServer/crystalreports

BOBJCrystalReportApplicationServer/crystalreports.uk.fcl.internal

BOBJCrystalReportApplicationServer/crystalreports

BOBJWebiServer/crystalreports.uk.fcl.internal

BOBJCrystalReportspageserver/crystalreports.uk.fcl.internal

BOBJCentralMS/crystalreports

BOBJCentralMS/crystalreports.uk.fcl.internal

HTTP/crystalreports

HTTP/crystalreports.uk.fcl.internal

HOST/wlonw18.uk.fcl.internal

HOST/WLONW18

Geoff

Accepted Solutions (1)

Former Member

Hi Geoff!

I had something similar. You only need the SPNs

1.

HTTP/crystalreports

HTTP/crystalreports.uk.fcl.internal

The catch is that you take care to write the correct ones here:

HTTP/CRYSTALREPORTS

HTTP/CRYSTALREPORTS.UK.FCL.INTERNAL

2.

Your Windows user wlonw18 should have "trusted for delegation" set. There is a bug if you are using Windows 2008 - you need ports 88 and 389 to your DC (UK.FCL.INTERNAL).

3.

After you issue the kinit command (use HTTP/CRYSTALREPORTS.UK.FCL.INTERNAL) you need to reset the password for your wlonw18 user back to the one you used.

4.

The service on the server (not tomcat, but SIA, whatever) needs to run under wlonw18. Tomcat can run under the local service account.

Within your authentication settings you need to use HTTP/CRYSTALREPORTS.UK.FCL.INTERNAL.

I hope this helps, if not can you give me some more details about what you are going to test, and according to which document you have set everything up?

ciao Hakan

Former Member

Ciao Hakan,

Thanks for the reply.

1) Should I remove all other entries and leave only 1 entry?

2) WLONW18 is the machine name, and I already enabled the machine for delegation in AD. I also enabled the account MSSERVICE @ UK.FCL.INTERNAL for delegation too, and added the services in. Do I need to specifically add the services into the machine account too?

3) kinit command? I saw nothing about this in the documentation, where is this referenced?

4) Are you referring to the CMS service? I have set this, the Page Server service, Report Application Server service and Web Intelligence Report Server service to run under the MSService @ uk.fcl.internal account already, and set the account to "Act as part of the Operating System" under local security rights.

Geoff

Answers (2)

BasicTek
Advisor

try SAP note 1356046 - Setting up .net Infoview for kerberos SSO with an AD service account in XI 3.1. It looks like you need to just look at the AD service account and maybe the IIS portion. It's written primarily for 3.1 but I did my best to make it backward compatible as well. To access the note you must login to SMP with your s-user account.

Regards,

Tim

Former Member

That is a great doco Tim. I think I have over-complicated things in my past attempts though.

There was no variable for SSOEnabled (web.config step 5), so I left this out (should I create it?).

I am getting different Kerberos errors now on the client (on the web server and local desktop) and cannot SSO sign on. My SPNs for the web host look like the below.

setspn -L WLONW18

Registered ServicePrincipalNames for CN=WLONW18,OU=Web,OU=Servers,DC=UK,DC=fcl,DC=internal:

HOST/crystalreports

HOST/crystalreports.uk.fcl.internal

BOBJCrystalReportspageserver/wlonw18.uk.fcl.internal@ uk.fcl.internal

BOBJCentralMS/wlonw18.uk.fcl.internal@ uk.fcl.internal

BOBJCrystalReportApplicationServer/wlonw18.uk.fcl.internal@ uk.fcl.internal

BOBJWebiServer/wlonw18.uk.fcl.internal@ uk.fcl.internal

HTTP/wlonw18.uk.fcl.internal@ uk.fcl.internal

HTTP/wlonw18.uk.fcl.internal

BOBJWebiServer/crystalreports

BOBJCrystalReportApplicationServer/crystalreports.uk.fcl.internal

BOBJCrystalReportApplicationServer/crystalreports

BOBJWebiServer/crystalreports.uk.fcl.internal

BOBJCrystalReportspageserver/crystalreports.uk.fcl.internal

BOBJCentralMS/crystalreports

BOBJCentralMS/crystalreports.uk.fcl.internal

HTTP/crystalreports

HTTP/crystalreports.uk.fcl.internal

HOST/wlonw18.uk.fcl.internal

HOST/WLONW18

The Kerberos error which occurs first is Event ID 4:

The kerberos client received a KRB_AP_ERR_MODIFIED error from the server host/wlonw18.uk.fcl.internal. This indicates that the password used to encrypt the kerberos service ticket is different than that on the target server. Commonly, this is due to identically named machine accounts in the target realm (UK.FCL.INTERNAL), and the client realm. Please contact your system administrator.

It is probably due to too many SPN's being set above. Should I delete them all and just use the ones in your doco, or which ones should be kept?

Geoff

Former Member

I added HOST/crystalreports and HOST/WLONW18 to the delegation of the MSService account, which allows the user authentication to the logon.aspx file, but it doesn't do the SSO logon (maybe I need to add the key SSOEnabled = true to web.config).

I can authenticate manually, but cannot connect to any reports which use SSO DB logons (it doesn't even come up with the parameters window). The Kerberos error is

A Kerberos Error Message was received:
         on logon session 
 Client Time: 
 Server Time: 14:56:5.0000 7/31/2009 Z
 Error Code: 0xd KDC_ERR_BADOPTION
 Extended Error: 0xc0000272 KLIN(0)
 Client Realm: 
 Client Name: 
 Server Realm: UK.FCL.INTERNAL
 Server Name: msservice
 Target Name: msservice@ UK.FCL.INTERNAL
 Error Text: 
 File: 9
 Line: ae0
 Error Data is in record data.

With the corresponding InfoView error

Unable to retrieve Object.
Report 106.rpt Single Sign-On Error: 'Internal error.'

Geoff

I've already added MaxPacketSize = 1 to the registry of the web server, and to the SQL servers which are DB sources, so where do I go from here?

BasicTek
Advisor

SSOEnabled is needed to allow InfoView to perform SSO.

There is a white paper out there for using the host SPNs.

If you use this method then you will not be able to use distributed environments (all calls to a 2nd app server or CMS will fail).

My note requires an AD service account. Let me know which method you want to use and I'll point you in the right direction.

PS: be careful when using the code parameter on these forums; if the text does not have a carriage return then it warps the page severely.

Regards,

Tim

Former Member

I'm not sure which way is best for my situation.

My structure is

WLONW18: CMS + web interface - (CMC + Infoview)

ALONSQL01: BOE DB + other DBs (designated SQL logon for reports)

ALONW03: Source DBs for which SSO DB access would be used.

All reports to ODBC as SQL 2005 is involved and XI R1 doesn't support OLEDB connectivity to SQL 2005.

What is your suggestion?

Geoff

BasicTek
Advisor

I would always recommend the service account since this is how almost all our customers are set up (much more tested).

This means creating a delegated service account, running the IIS app pool, CMS and reporting servers (since you mentioned SSO to the DB) all under this account.

You will need 3 SPNs (the FQDN and hostname refer to the IIS server):

HTTP/FQDN

HTTP/hostname

BOBJ/something

You will need to remove these SPNs from any other account (including your computer account).

You will need to grant the account local admin and IIS_WPG access.

It should all be detailed in my note above.

Regards,

Tim

Former Member

I am removing the SPNs from the machine (I think this was my overzealousness in action there). I had already granted the account local admin and IIS_WPG group access as per your note.

With the BOBJ/something, are you referring to all BOBJ* services, or will just using setspn -A BOBJ/FQDN <service account> be enough?

Have a good weekend, and thank you very much for this.

Geoff

BasicTek
Advisor

It doesn't actually matter what "something" is, as long as that is the value you enter in the CMC > Authentication > Windows AD > Service Principal Name. FQDN will be fine.

Regards,

Tim

Former Member

grrrrr!

I've come in Monday morning and made the final changes to the SPN values for "MSService", my service account, and it still won't SSO my account, but I can log on manually fine. I also still get "internal error" messages when I try to run SSO reports, so something is still wrong.

I've pasted the setspn -L for the machine (WLONW18) and the service account below just in case something is amiss. Crystalreports.uk.fcl.internal is the DNS A record I've assigned to the host.

Registered ServicePrincipalNames for CN=MSService,CN=Users,DC=UK,DC=fcl,DC=internal:

BOBJWebiServer/msservice

BOBJCrystalReportapplicationserver/msservice

BOBJCrystalReportspageserver/msservice

BOBJCentralMS/msservice

HTTP/crystalreports.uk.fcl.internal

HTTP/crystalreports

HTTP/wlonw18

HTTP/wlonw18.uk.fcl.internal

HOST/crystalreports

HOST/crystalreports.uk.fcl.internal

MSSQLSRV/crystalsql:1433

MSSQLSRV/crystalsql.uk.fcl.internal:1433

Mssqlsrv/alonw03:1433

Mssqlsrv/alonw03.uk.fcl.internal:1433

MSSQLSvc/alonw03.uk.fcl.internal:1394

MSSQLSvc/alonw03.uk.fcl.internal

MSSQLSvc/ALONSQLTEST.uk.fcl.internal:1433

MSSQLSvc/alonw03.uk.fcl.internal:1433

MSSQLSvc/alonw21.uk.fcl.internal:1433

MSSQLSvc/ALONSQL01.uk.fcl.internal:1433

MSSQLSvc/alonk07.uk.fcl.internal:1433

MSSQLSvc/ALONW04:1433

Registered ServicePrincipalNames for CN=WLONW18,OU=Web,OU=Servers,DC=UK,DC=fcl,DC=internal:

HOST/crystalreports.uk.fcl.internal

HOST/crystalreports

HOST/wlonw18.uk.fcl.internal

HOST/WLONW18

Yours in agony,

Geoff
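The KRB_AP_ERR_MODIFIED events in this thread are the classic symptom of one SPN being registered on two accounts, which the listings above show for HOST/crystalreports (present on both MSService and WLONW18). The following is an added Python example, not code from the thread, from SAP or from Microsoft; it parses constructed `setspn -L` output condensed from Geoff's listings (the "@ realm" entry is taken from his earlier WLONW18 listing) and reports SPNs that are duplicated across accounts or malformed.

```python
import re
from collections import defaultdict

# Constructed sample, condensed from the "setspn -L" listings posted in this
# thread for the service account (MSService) and the web/CMS machine account
# (WLONW18); the "@ realm" entry comes from the earlier WLONW18 listing.
SETSPN_OUTPUT = """\
Registered ServicePrincipalNames for CN=MSService,CN=Users,DC=UK,DC=fcl,DC=internal:
    HTTP/crystalreports.uk.fcl.internal
    HTTP/crystalreports
    HTTP/wlonw18.uk.fcl.internal
    HOST/crystalreports
    HOST/crystalreports.uk.fcl.internal
Registered ServicePrincipalNames for CN=WLONW18,OU=Web,OU=Servers,DC=UK,DC=fcl,DC=internal:
    HOST/crystalreports.uk.fcl.internal
    HOST/crystalreports
    HOST/wlonw18.uk.fcl.internal
    HOST/WLONW18
    HTTP/wlonw18.uk.fcl.internal@ uk.fcl.internal
"""

HEADER = re.compile(r"^Registered ServicePrincipalNames for (CN=[^,]+),")

def parse_setspn(text):
    """Map each account CN to the SPN strings listed under it."""
    accounts, current = {}, None
    for line in text.splitlines():
        match = HEADER.match(line)
        if match:
            current = match.group(1)
            accounts[current] = []
        elif line.strip() and current is not None:
            accounts[current].append(line.strip())
    return accounts

def duplicate_spns(accounts):
    """SPNs held by more than one account (AD compares them case-insensitively).
    The KDC encrypts the ticket with whichever owner it finds first, so the
    other service cannot decrypt it and the client logs KRB_AP_ERR_MODIFIED."""
    owners = defaultdict(set)
    for account, spns in accounts.items():
        for spn in spns:
            owners[spn.lower()].add(account)
    return {spn: sorted(accts) for spn, accts in owners.items() if len(accts) > 1}

def malformed_spns(accounts):
    """SPNs stored with a realm suffix or embedded whitespace; setspn keeps the
    literal string, so a client asking for HTTP/host never matches them."""
    return [s for spns in accounts.values() for s in spns if "@" in s or " " in s]
```

Feed it the real `setspn -L` output of every account that hosts BOE services; each duplicate it reports should be removed from all but the intended service account with `setspn -D`.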

Former Member

I'm also receiving Kerberos errors in the event log, and think these may be related to the HOST SPN values.

A Kerberos Error Message was received:

on logon session

Client Time:

Server Time: 9:7:10.0000 8/3/2009 Z

Error Code: 0x29 KRB_AP_ERR_MODIFIED

Extended Error:

Client Realm:

Client Name:

Server Realm: UK.FCL.INTERNAL

Server Name: host/wlonw18.uk.fcl.internal

Target Name: host/wlonw18.uk.fcl.internal@ UK.FCL.INTERNAL

Error Text:

File: 9

Line: ae0

Error Data is in record data.

and

A Kerberos Error Message was received:

on logon session

Client Time:

Server Time: 9:9:51.0000 8/3/2009 Z

Error Code: 0xd KDC_ERR_BADOPTION

Extended Error: 0xc0000272 KLIN(0)

Client Realm:

Client Name:

Server Realm: UK.FCL.INTERNAL

Server Name: msservice

Target Name: msservice@ UK.FCL.INTERNAL

Error Text:

File: 9

Line: ae0

Error Data is in record data.

Former Member

Do I need to add the hostname into each of the crystal services as well as the DNS name that everyone should be using to reference the server?

I am getting some Kerberos errors too which might be contributing, even though I have forced TCP enabled on each of the SQL source servers BOXI talks to, as well as on the web host.

A Kerberos Error Message was received:

on logon session

Client Time:

Server Time: 13:19:43.0000 7/30/2009 Z

Error Code: 0xd KDC_ERR_BADOPTION

Extended Error: 0xc0000272 KLIN(0)

Client Realm:

Client Name:

Server Realm: UK.FCL.INTERNAL

Server Name: host/wlonw18.uk.fcl.internal

Target Name: host/wlonw18.uk.fcl.internal @ UK.FCL.INTERNAL

Error Text:

File: 9

Line: ae0

Error Data is in record data.

Geoff

P.S. sorry for the double posting, but the forum has formatting errors.

Former Member

I am sure it is all linked, but the same KDC_ERR_BADOPTION error pops up when I try to run a report where SSO is set as the report's "When viewing report" option. The corresponding CrystalReportViewer Infoview error is "Single Sign-On Error: 'Internal error.'"

There are no errors on the remote SQL servers, so this must be local to the web server.

I've even tried moving the IIS worker process to the machine account (LocalSystem) running the processes and added the appropriate SPN, but I still get the same error.

Geoff