Issues with Windows AD integration 4.2.5


I've run into an issue trying to get AD integration working with a fresh Business objects 4.5sp5 installation. I've been using this SAP blog as a reference point: https://blogs.sap.com/2016/09/02/sso-configuration-with-active-directory-sap-business-objects-42-aes-encryption/

I'm at a point where I don't even care if SSO works as long as users can log in using AD credentials. I'm getting the following error when I try to access either BI or CMC from the web.

Account information not recognized: Active Directory Authentication failed to log you on. Please contact your system administrator to make sure you are a member of a valid mapped group and try again. If you are not a member of the default domain, enter your user name as UserName@DNS_DomainName, and then try again. (FWM 00006)

I can log in to Web Intelligence, Universe Design Tool and Server Manager using Windows credentials.

I've verified the SPN records are correct.

Registered ServicePrincipalNames for CN=bo_admin,OU=Vendor,DC=AD,DC=domain,DC=edu:
        HTTP/reporting2
        HTTP/reporting2.ad.domain.edu
        BOCMS/bo_admin.ad.domain.edu

Kinit seems to be working for both the BO_admin account and standard users.

c:\Program Files (x86)\SAP BusinessObjects\SAP BusinessObjects Enterprise XI 4.0\win64_x64\sapjvm\bin>kinit user
Password for user@AD.DOMAIN.EDU:
New ticket is stored in cache file C:\Users\bo_admin\krb5cc_bo_admin

c:\Program Files (x86)\SAP BusinessObjects\SAP BusinessObjects Enterprise XI 4.0\win64_x64\sapjvm\bin>kinit bo_admin
Password for bo_admin@AD.DOMAIN.EDU:
New ticket is stored in cache file C:\Users\bo_admin\krb5cc_bo_admin

The only error I can find outside of FWM 00006 is a tomcat std_out error

2018-11-14 10:17:12 Commons Daemon procrun stdout initialized
osgi> com.businessobjects.webpath.rebean3ws.Activator
Debug is  true storeKey false useTicketCache false useKeyTab false doNotPrompt false ticketCache is null isInitiator true KeyTab is null refreshKrb5Config is false principal is null tryFirstPass is false useFirstPass is false storePass is false clearPass is false
		[Krb5LoginModule] user entered username: user@ad.domain.edu


		[Krb5LoginModule] authentication failed 
Message stream modified (41)

Some googling indicates this is usually an issue with the krb5.ini file or the reference to it in the Java Tomcat preferences. Now I've double- and triple-checked this and am pretty confident I'm doing it right.

[libdefaults]
default_realm=AD.DOMAIN.EDU
dns_lookup_kdc=true
dns_lookup_realm=true
default_tgs_enctypes=rc4-hmac
default_tkt_enctypes=rc4-hmac
udp_preference_limit=1
[realms]
AD.DOMAIN.EDU={
kdc=DC-1.AD.DOMAIN.EDU
default_domain=AD.DOMAIN.EDU
}

Configuration is exactly the same as the documentation.

-Djava.security.auth.login.config=C:\Windows\bscLogin.conf
-Djava.security.krb5.conf=C:\Windows\krb5.ini

I'm pretty stumped with this problem and would appreciate any advice.

7 Answers

  • Best Answer
    Posted on Nov 16, 2018 at 02:36 PM

    Just try updating the below in the CMC AD configuration, "AD configuration summary" section.

    AD Administration Name: First part should be in CAPS

    Default AD Domain: Put in CAPS


  • Posted on Nov 14, 2018 at 04:57 PM

    What does the configuration look like under WinAD Authentication in the CMC? Is the domain set the same as the default domain in krb5.ini?

    -Dell


  • Posted on Nov 14, 2018 at 05:10 PM

    Hello Peter Sharp,

    Can you replace krb5.ini as below? No need to specify the domain controller; just go with domain.com.

    ----------------------

    [libdefaults]
    default_realm = DOMAIN.COM
    dns_lookup_kdc = true
    dns_lookup_realm = true
    default_tgs_enctypes = rc4-hmac,aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96
    default_tkt_enctypes = rc4-hmac,aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96
    udp_preference_limit = 1
    forwardable = true
    [realms]
    DOMAIN.COM = {
    kdc = DOMAIN.COM
    default_domain = DOMAIN.COM
    }

    ----------------------

    Let me know how it works. Don't forget to restart Tomcat and SIA.

    Thank you
    Yogesh Patel

    PS: DO NOT COPY and PASTE this into your file. Please type it in.


    • Yogesh,

      I made the changes you suggested and am still receiving the error both on BI/CMC login and tomcat stdout:

      Debug is  true storeKey false useTicketCache false useKeyTab false doNotPrompt false ticketCache is null isInitiator true KeyTab is null refreshKrb5Config is false principal is null tryFirstPass is false useFirstPass is false storePass is false clearPass is false
      		[Krb5LoginModule] user entered username: user@ad.domain.edu
      
      
      		[Krb5LoginModule] authentication failed 
      Message stream modified (41)
      
  • Posted on Nov 14, 2018 at 05:21 PM

    Hi Dell, here are semi-redacted screenshots from the CMC configuration.


    bo-issue1.png (33.8 kB)
    bo-issue2.png (48.8 kB)

  • Posted on Nov 14, 2018 at 06:05 PM

    Yogesh,

    I've run them in the past without an issue; here is another one with the updated krb5.ini file:

    c:\Program Files (x86)\SAP BusinessObjects\SAP BusinessObjects Enterprise XI 4.0\win64_x64\sapjvm\bin>kinit bo_admin
    Password for bo_admin@AD.DOMAIN.EDU:
    New ticket is stored in cache file C:\Users\bo_admin\krb5cc_bo_admin


  • Posted on Nov 16, 2018 at 02:22 PM

    Anyone else have ideas about this? I'm still 100% stumped as to why it isn't working.


  • Posted on Jun 04, 2019 at 03:41 AM

    Put your domain name as upper case. That should work then.


    windows.png (6.4 kB)
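Added example (not from the thread and not SAP's own tooling): a small Python linter for the realm-case mismatch that the best answer and the Jun 2019 answer both point at. It runs against a constructed krb5.ini in the poster's layout and against the principal spelling visible in the Tomcat log (user@ad.domain.edu); parse_krb5 and check_realm_case are assumed helper names.

```python
# Constructed krb5.ini mirroring the poster's file (realm names already upper case).
KRB5_INI = """[libdefaults]
default_realm=AD.DOMAIN.EDU
default_tgs_enctypes=rc4-hmac
default_tkt_enctypes=rc4-hmac
[realms]
AD.DOMAIN.EDU={
kdc=DC-1.AD.DOMAIN.EDU
default_domain=AD.DOMAIN.EDU
}
"""

def parse_krb5(text):
    """Minimal krb5.ini reader: returns (libdefaults dict, {realm: settings})."""
    libdefaults, realms, section, current = {}, {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        elif section == "realms" and line.endswith("{"):  # "REALM = {" opens a stanza
            current = line[:-1].split("=", 1)[0].strip()
            realms[current] = {}
        elif line == "}":
            current = None
        elif "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            (libdefaults if section == "libdefaults" else realms.get(current, {}))[key] = value
    return libdefaults, realms

def check_realm_case(krb5_text, principal):
    """Findings list (empty = consistent). Kerberos realm names are case-sensitive."""
    libdefaults, realms = parse_krb5(krb5_text)
    default_realm = libdefaults.get("default_realm", "")
    findings = []
    if default_realm != default_realm.upper():
        findings.append(f"default_realm {default_realm!r} is not upper case")
    if default_realm not in realms:
        findings.append(f"no [realms] stanza spelled exactly {default_realm!r}; found {sorted(realms)}")
    findings += [f"realm stanza {n!r} is not upper case" for n in realms if n != n.upper()]
    if "@" in principal:
        user_realm = principal.rsplit("@", 1)[1]
        if user_realm != default_realm:
            findings.append(f"principal realm {user_realm!r} != default_realm {default_realm!r}")
    return findings

if __name__ == "__main__":
    # The Tomcat log above shows the name typed as user@ad.domain.edu (lower case).
    for p in ("user@ad.domain.edu", "user@AD.DOMAIN.EDU"):
        print(p, "->", check_realm_case(KRB5_INI, p) or "OK")
```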
