Service Account for Manual AD Auth & AD SSO

Former Member
0 Kudos

In a BOXI 3.1 environment, I configured manual Windows AD authentication "with Kerberos" & it is working well with IIS & TOMCAT.

I created a service account named "bouser" to configure manual Windows AD Auth.

Question:

Can I use the same service account "bouser" to configure AD single sign-on?

Do I need to create a new service account to configure AD single sign-on for JAVA & .NET InfoView?

Please advise.

Accepted Solutions (0)

Answers (7)


Former Member
0 Kudos

Thanks for the help

Former Member
0 Kudos

Environment:

All AD domains are in Windows 2003 AD.

All domains are in the same forest.

A few domains' users are using Windows 2000 desktop clients.

A few domains' users are using VISTA desktop clients.

Tested SSO for all domains from a VISTA desktop client through RDC. It works well.

If we test SSO on a Windows 2000 client machine, it causes an error:

HTTP Status 401 Error

Type Status Error

Message

Description The request requires HTTP authentication()

Apache Tomcat/5.5.20

How to troubleshoot this issue?

Does BOXI 3.1 TOMCAT KERBEROS SSO support Windows 2000 client machines with IE6 or not?

Thanks

BasicTek
Active Contributor
0 Kudos

2000 should work fine, it's the browser settings that generally cause the 401. It means the web site gave you a 401 (normal) and then your browser failed to supply the proper credentials. Are you joined to the domain? Is the browser IE a supported version? Are the settings right? If the site has a . in the URL, has it been added to the local intranet sites (not trusted sites)?

There are SAP KB's with more details if you search for 410 sso and browser type

Regards,

Tim
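To make the 401 diagnosis above concrete, here is an added example (not from this thread, SAP or BusinessObjects) that inspects the two headers involved: it lists the schemes a server offers in its 401 WWW-Authenticate lines and decodes the Authorization: Negotiate token the browser sends back, reporting whether that token carries a Kerberos ticket or has fallen back to NTLM, which is the usual symptom when the site is not in the Local intranet zone or no ticket for the SPN could be obtained. The 401 response and the tokens are hand-constructed skeletons, and the mechanism check is a heuristic scan for DER-encoded OIDs rather than a full SPNEGO decoder.

```python
"""Classify what a browser sent back after a 401 Negotiate challenge.

All sample data below is constructed for this example; none of it is a capture.
"""
import base64

# DER-encoded OID values of the mechanisms that appear in GSS/SPNEGO tokens.
OID_SPNEGO = b"\x2b\x06\x01\x05\x05\x02"                    # 1.3.6.1.5.5.2
OID_KRB = b"\x2a\x86\x48\x86\xf7\x12\x01\x02\x02"           # 1.2.840.113554.1.2.2
OID_MSKRB = b"\x2a\x86\x48\x82\xf7\x12\x01\x02\x02"         # 1.2.840.48018.1.2.2
OID_NTLMSSP = b"\x2b\x06\x01\x04\x01\x82\x37\x02\x02\x0a"   # 1.3.6.1.4.1.311.2.2.10
OIDS = {OID_SPNEGO: "SPNEGO", OID_KRB: "Kerberos",
        OID_MSKRB: "MS-Kerberos", OID_NTLMSSP: "NTLMSSP"}


def der_oid(value: bytes) -> bytes:
    """Wrap an OID value in its DER tag (0x06) and short-form length."""
    return bytes([0x06, len(value)]) + value


def challenge_schemes(raw_response: str) -> list:
    """Return the schemes offered in the WWW-Authenticate headers of a 401."""
    schemes = []
    for line in raw_response.splitlines():
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "www-authenticate":
            schemes.append(value.strip().split(" ")[0])
    return schemes


def mechanisms_in(token: bytes) -> list:
    """Heuristic: names of mechanisms whose DER OID occurs anywhere in the token."""
    return [name for oid, name in OIDS.items() if der_oid(oid) in token]


def classify_authorization(header_value: str) -> str:
    """Explain the Authorization header the client sent in reply to the 401."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate":
        return f"{scheme}: not a Negotiate response"
    if not b64:
        return "Negotiate: empty token (browser supplied no credentials)"
    token = base64.b64decode(b64)
    if token.startswith(b"NTLMSSP\x00"):
        return "raw NTLM under Negotiate (no Kerberos ticket was obtained)"
    mechs = mechanisms_in(token)
    if "Kerberos" in mechs or "MS-Kerberos" in mechs:
        return "SPNEGO offering Kerberos"
    if "NTLMSSP" in mechs:
        return "SPNEGO offering NTLM only (no Kerberos ticket was obtained)"
    return "unrecognised token"


def header(token: bytes) -> str:
    """Build the Authorization header value a browser would send for a token."""
    return "Negotiate " + base64.b64encode(token).decode()


# Constructed 401 as Tomcat would send it when the Negotiate filter is active.
SAMPLE_401 = ("HTTP/1.1 401 Unauthorized\r\n"
              "WWW-Authenticate: Negotiate\r\n"
              "Content-Length: 0\r\n\r\n")
# Constructed negTokenInit whose mechTypes lists MS-Kerberos then Kerberos.
SAMPLE_KERBEROS = (b"\x60\x26" + der_oid(OID_SPNEGO)
                   + b"\xa0\x1c\x30\x1a\xa0\x18\x30\x16"
                   + der_oid(OID_MSKRB) + der_oid(OID_KRB))
# Constructed negTokenInit whose only mechanism is NTLMSSP.
SAMPLE_NTLM_SPNEGO = (b"\x60\x1c" + der_oid(OID_SPNEGO)
                      + b"\xa0\x12\x30\x10\xa0\x0e\x30\x0c" + der_oid(OID_NTLMSSP))
# Constructed start of an NTLM Type 1 (NEGOTIATE) message sent without SPNEGO.
SAMPLE_RAW_NTLM = b"NTLMSSP\x00\x01\x00\x00\x00" + b"\x00" * 8

if __name__ == "__main__":
    print("server offers:", challenge_schemes(SAMPLE_401))
    for name, tok in [("kerberos", SAMPLE_KERBEROS), ("ntlm-only spnego", SAMPLE_NTLM_SPNEGO),
                      ("raw ntlm", SAMPLE_RAW_NTLM)]:
        print(f"{name:>16}: {classify_authorization(header(tok))}")
```

Paste the WWW-Authenticate and Authorization values from a browser or proxy trace of the failing Windows 2000 client into these functions; a Negotiate token that decodes to NTLM (either form) confirms that the 401 is the normal challenge and that it is the client that never obtained a Kerberos ticket, which points back at the zone, domain-membership and browser-version checks rather than at the server.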

Former Member
0 Kudos

I created keytab file with the following command

ktpass -out TORBO2D1_Keytab -princ HTTP/TORBO2D1.DOMAIN.COM@DOMAIN.COM -mapuser boserver@DOMAIN.COM -pass boserver -kvno 255 -ptype KRB5_NT_PRINCIPAL -crypto RC4-HMAC-NT

Here, for TORBO2D1_Keytab, I didn't type the period as in TORBO2D1.Keytab. It's my fault.

The AD admin created the keytab file without an extension.

Do I need to request the AD admin to rerun the above KTPASS command?

Thanks for your advice.
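The file extension is irrelevant to Kerberos; what matters is whether the keytab content carries the right principal, key version number and encryption type. As an added example (not from this thread or from SAP), the following Python parses a keytab in the MIT format that ktpass writes and checks it against the principal the command above names, without ever printing the key bytes. build_keytab exists only to construct sample input inline; its key material is zeros, and the principal and kvno are the ones from the command above.

```python
"""Inspect a keytab produced by ktpass: principal, kvno and enctype per entry.

build_keytab() only constructs the sample input; the sample key is zeros.
"""
import struct

ENCTYPES = {1: "des-cbc-crc", 3: "des-cbc-md5", 17: "aes128-cts-hmac-sha1-96",
            18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}


def build_keytab(entries):
    """Serialise (principal, enctype, kvno, key) tuples as a version-2 MIT keytab."""
    out = bytearray(b"\x05\x02")                        # file format version 0x0502
    for principal, enctype, kvno, key in entries:
        name, realm = principal.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps))            # component count, realm excluded
        body += struct.pack(">H", len(realm)) + realm.encode()
        for comp in comps:
            body += struct.pack(">H", len(comp)) + comp.encode()
        body += struct.pack(">IIB", 1, 0, kvno & 0xFF)  # KRB5_NT_PRINCIPAL, timestamp, 8-bit vno
        body += struct.pack(">HH", enctype, len(key)) + key
        body += struct.pack(">I", kvno)                 # 32-bit vno that newer keytabs append
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def parse_keytab(data: bytes):
    """Return one dict per entry; the key bytes are skipped, never returned."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version-2 keytab (expected magic 05 02)")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:                                    # negative size marks a deleted slot
            pos -= size
            continue
        end = pos + size
        ncomp, rlen = struct.unpack_from(">HH", data, pos)
        pos += 4
        realm = data[pos:pos + rlen].decode()
        pos += rlen
        comps = []
        for _ in range(ncomp):
            (clen,) = struct.unpack_from(">H", data, pos)
            pos += 2
            comps.append(data[pos:pos + clen].decode())
            pos += clen
        name_type, timestamp, vno8 = struct.unpack_from(">IIB", data, pos)
        pos += 9
        enctype, klen = struct.unpack_from(">HH", data, pos)
        pos += 4 + klen                                 # skip the key itself
        kvno = vno8
        if end - pos >= 4:                              # optional 32-bit vno, used when non-zero
            (vno32,) = struct.unpack_from(">I", data, pos)
            kvno = vno32 or vno8
        pos = end
        entries.append({"principal": "/".join(comps) + "@" + realm,
                        "name_type": name_type, "timestamp": timestamp, "kvno": kvno,
                        "enctype": ENCTYPES.get(enctype, f"unknown({enctype})")})
    return entries


def check_spn(entries, service_host: str, realm: str):
    """List problems a Tomcat Kerberos setup would hit with this keytab."""
    wanted = f"HTTP/{service_host}@{realm}"
    problems = []
    if realm != realm.upper():
        problems.append(f"realm {realm!r} is not upper-case; Kerberos realms are case-sensitive")
    if not any(e["principal"] == wanted for e in entries):
        found = ", ".join(e["principal"] for e in entries) or "nothing"
        problems.append(f"no entry for {wanted}; found: {found}")
    return problems


# Constructed sample: the principal and kvno from the ktpass command above, zero key.
SAMPLE_KEYTAB = build_keytab([("HTTP/TORBO2D1.DOMAIN.COM@DOMAIN.COM", 23, 255, bytes(16))])

if __name__ == "__main__":
    for entry in parse_keytab(SAMPLE_KEYTAB):
        print(entry)
    print(check_spn(parse_keytab(SAMPLE_KEYTAB), "TORBO2D1.DOMAIN.COM", "DOMAIN.COM"))
```

Run parse_keytab on the file the AD admin produced (read it in binary mode) and compare the principal, kvno and enctype with the SPN registered on the service account and with the realm in krb5.ini; a mismatch in any of the three is a reason to rerun ktpass, a missing extension is not.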

BasicTek
Active Contributor
0 Kudos

You should follow the steps in KB 1261835 and verify each one with the tests included in the white paper. If a step fails then you can post here or open a ticket with support - authentication team for assistance. If you miss or fail to verify any steps then troubleshooting can be extremely difficult without knowing which one.

Regards,

Tim

Former Member
0 Kudos

I created a service account named "bouser" to configure manual Windows AD Auth for TOMCAT.

Question:

1) Can I use the same service account "bouser" to configure AD SSO for TOMCAT, or do I need to create a new service account?

2) Can I run the KTPASS command from the local VM which has BO installed, or do I need to run it from the AD server machine?

BOE Admin Guide 3.1 page 523 shows the following ktpass syntax:

ktpass -princ HTTP/TORBO2D1@DEFAULTDOMAIN.CA -mapuser boserver

If I run the above KTPASS from the local VM with BO installed, it causes an error:

Failed to set property 'ServicePrincipalName' to 'HTTP/TORBO2D1.DEFAULTDOMAIN.CA'

BasicTek
Active Contributor
0 Kudos

All of your questions are answered in SAP KB 1261835 (also linked to in the forum sticky).

1) yes

2) only if you install 2003 SP2 version or later on your local server

Do not mix the admin guide steps with my white paper, they are not compatible and that error indicates you do not have permission to modify an AD account.

Regards,

Tim

Former Member
0 Kudos

Hi Tim,

I've configured SSO for BOXI 3.1 successfully in our Development environment. Now, I have a new requirement to allow users from another domain, different forest, to be authenticated using AD. Currently, these external users get authenticated using secEnterprise in BOXIR2 environment.

But I was told last year that this can be done in BOXI 3.1.

Is there a guide for this scenario?

Our main domain: ROCKETENGINES.COM - (FORREST1.COM) SSO configured successfully

AIRPLANES.COM - (FORREST2.COM) New users

HELICOPTERS.COM - (FORREST3.COM) New Users

Help please!

Thanks,

Ferdie

Former Member
0 Kudos

Thanks for your time & support.

Manual AD authentication with Kerberos for TOMCAT is working fine for a few domains like (D1Canada, D2Florida).

IIS is working with all the domains like D1Canada, D2Florida, D3India, D4UK.

Note: ALL domains are in the same forest & all are under Windows AD 2003.

Manual AD authentication with Kerberos for TOMCAT is not working with D1India, D4UK.

With NO SSO, the Java InfoView URL causes an error. The error says

"Account Information Not Recognized: The Active Directory Authentication plugin could not authenticate at this time. Please try again. If the problem persists, please contact your technical support department. (FWM 00005) "

I used KINIT to test the test account. It works fine.

How to troubleshoot this scenario? Thanks for your advice.

_Antony

BasicTek
Active Contributor
0 Kudos

Try this utility to create your krb5.ini or verify it. http://www.maplesail.com/

You can download a sample program to test and if wanted the full version will create.

krb5.ini files can be complicated for various multiple domain environments. I have an SAP note/KB on it if you search for krb5.ini, or you can try that utility.

Ferdi, I responded on the other thread too; search for multiple forest requirements.

Regards,

Tim
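The multi-domain krb5.ini problem described above can be checked mechanically: every domain whose users must log in needs a [realms] block with a kdc line, and hosts in that domain should map to that realm in [domain_realm]. The following is an added example (not the utility Tim links to, and not SAP's note) with a small parser for the [section], key = value and REALM = { ... } syntax of krb5.ini, plus a check that reports which domains are left out. The sample ini and the domain names under corp.example are constructed; they mirror the pattern in the post above, where two domains work and two do not, but are not the poster's real configuration.

```python
"""Check a krb5.ini against the list of AD domains that must authenticate.

The sample ini and all domain names are constructed for this example.
"""


def parse_krb5(text: str) -> dict:
    """Parse [section] / key = value / NAME = { ... } blocks into nested dicts."""
    sections, section, block = {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()   # drop comments
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            sections.setdefault(section, {})
            block = None
            continue
        if section is None:
            continue
        if line == "}":
            block = None
            continue
        key, _, value = (part.strip() for part in line.partition("="))
        if value == "{":                                        # start of a realm block
            block = key
            sections[section][block] = {}
            continue
        target = sections[section][block] if block else sections[section]
        target.setdefault(key, []).append(value)                # keys such as kdc may repeat
    return sections


def realm_for(host: str, domain_realm: dict):
    """Apply the [domain_realm] lookup order: exact host first, then parent domains with a leading dot."""
    mapping = {k.lower(): v[0] for k, v in domain_realm.items()}
    host = host.lower()
    if host in mapping:
        return mapping[host]
    labels = host.split(".")
    for i in range(len(labels)):
        key = "." + ".".join(labels[i:])
        if key in mapping:
            return mapping[key]
    return None


def check_domains(ini_text: str, domains) -> dict:
    """Return {domain: 'ok' or a ';'-joined list of problems} for every domain given."""
    cfg = parse_krb5(ini_text)
    realms = cfg.get("realms", {})
    domain_realm = cfg.get("domain_realm", {})
    report = {}
    for domain in domains:
        mapped = realm_for(domain, domain_realm)
        realm = mapped or domain.upper()        # AD realm name = upper-cased DNS domain name
        issues = []
        if mapped is None:
            issues.append("no [domain_realm] mapping")
        if realm not in realms:
            issues.append(f"no [realms] entry for {realm}")
        elif "kdc" not in realms[realm]:
            issues.append(f"no kdc line for {realm}")
        report[domain] = "ok" if not issues else "; ".join(issues)
    return report


# Constructed sample: two domains fully configured, one without a mapping, one without a realm block.
SAMPLE_KRB5_INI = """
[libdefaults]
default_realm = D1CANADA.CORP.EXAMPLE
dns_lookup_kdc = true
udp_preference_limit = 1

[realms]
D1CANADA.CORP.EXAMPLE = {
  kdc = dc1.d1canada.corp.example
  kdc = dc2.d1canada.corp.example
  default_domain = d1canada.corp.example
}
D2FLORIDA.CORP.EXAMPLE = {
  kdc = dc1.d2florida.corp.example
}
D3INDIA.CORP.EXAMPLE = {
  kdc = dc1.d3india.corp.example
}

[domain_realm]
.d1canada.corp.example = D1CANADA.CORP.EXAMPLE
.d2florida.corp.example = D2FLORIDA.CORP.EXAMPLE
.d4uk.corp.example = D4UK.CORP.EXAMPLE
"""
SAMPLE_DOMAINS = ["d1canada.corp.example", "d2florida.corp.example",
                  "d3india.corp.example", "d4uk.corp.example"]

if __name__ == "__main__":
    for domain, verdict in check_domains(SAMPLE_KRB5_INI, SAMPLE_DOMAINS).items():
        print(f"{domain:24} {verdict}")
```

Feed it the krb5.ini the Tomcat JVM actually reads and the DNS names of every domain whose users should log in; the domains it flags are the first place to look when manual AD authentication works for some domains and not others, since kinit succeeding for a test account only proves the realm of that one account is reachable.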

BasicTek
Active Contributor
0 Kudos

In the forum sticky (top of this forum) there is a document for setting up vintela. In the 1st section it explains the rules for service accounts. Only 1 account is needed for an entire organization. That being said running IIS and tomcat SSO on the same server is not supported per the XIR2 and 3.1 admin guides. That's not to say it doesn't work but it is not documented. In reality it will work fine if the same configuration and service account is used for both.

To get support you need to disable one (like Tomcat) and open a case for the other (like IIS).

Regards,

Tim