on 03-11-2010 12:01 AM
In the BOXI 3.1 environment, I configured manual Windows AD authentication "with Kerberos" and it is working well with IIS and Tomcat.
I created a service account named "bouser" to configure manual Windows AD authentication.
Question:
Can I use the same service account "bouser" to configure AD single sign-on?
Do I need to create a new service account to configure AD single sign-on for the Java and .NET InfoView?
Please advise.
Thanks for the help
Environment:
All AD domains are Windows 2003 AD.
All domains are in the same forest.
A few domains' users are using Windows 2000 desktop clients.
A few domains' users are using Vista desktop clients.
Tested SSO for all domains from a Vista desktop client through RDC. It works well.
If we test SSO on a Windows 2000 client machine, it causes an error:
HTTP Status 401 Error
Type Status Error
Message
Description The request requires HTTP authentication()
Apache Tomcat/5.5.20
How do I troubleshoot this issue?
Does BOXI 3.1 Tomcat Kerberos SSO support Windows 2000 client machines with IE6 or not?
Thanks
2000 should work fine; it's the browser settings that generally cause the 401. It means the web site gave you a 401 (normal) and then your browser failed to supply the proper credentials. Are you joined to the domain? Is the browser IE a supported version? Are the settings right? If the site has a . in the URL, has it been added to the local intranet sites (not trusted sites)?
There are SAP KBs with more details if you search for 410 sso and browser type.
Regards,
Tim
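Tim's point is that the first 401 is the normal Negotiate challenge and the real question is what the browser sends on its retry. The following is an added example, not code from the thread or from SAP, that classifies the Authorization header of that retry on the server side: an empty header means no credentials were supplied at all, an NTLMSSP token means the browser fell back to NTLM (which a Kerberos-only Tomcat filter cannot consume, so the 401 repeats; this is what happens when the site is not in the Local intranet zone), and a GSS-API token carrying the SPNEGO or Kerberos OID means a service ticket was actually presented. The header values in `SAMPLE_RETRIES` are constructed and truncated to the prefixes the classifier inspects.

```python
# Added example: classify what a browser sent back after Tomcat's 401 Negotiate challenge.
# Not code from the thread or from SAP; the header values below are constructed.
import base64
import binascii

NTLMSSP_SIGNATURE = b"NTLMSSP\x00"
# DER encodings of the SPNEGO (1.3.6.1.5.5.2) and Kerberos V5 (1.2.840.113554.1.2.2) OIDs
SPNEGO_OID = bytes.fromhex("06062b0601050502")
KRB5_OID = bytes.fromhex("06092a864886f712010202")


def classify_authorization(header_value: str) -> str:
    """Return 'none', 'ntlm', 'spnego', 'kerberos' or 'unknown' for one Authorization header."""
    if not header_value or not header_value.strip():
        return "none"                      # browser retried (or gave up) without any credentials
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() not in ("negotiate", "ntlm"):
        return "unknown"
    try:
        raw = base64.b64decode(token, validate=True)
    except (ValueError, binascii.Error):
        return "unknown"
    if raw.startswith(NTLMSSP_SIGNATURE):
        return "ntlm"                      # NTLM fallback: the browser obtained no Kerberos service ticket
    if raw[:1] == b"\x60":                 # GSS-API InitialContextToken: [APPLICATION 0] { OID, inner token }
        if SPNEGO_OID in raw[:16]:
            return "spnego"
        if KRB5_OID in raw[:16]:
            return "kerberos"
    return "unknown"


# Constructed retry headers (token bodies truncated to the prefixes checked above).
SAMPLE_RETRIES = {
    "kerberos_ok": "Negotiate " + base64.b64encode(b"\x60\x0a" + SPNEGO_OID + b"\xa0\x00").decode(),
    "ntlm_fallback": "Negotiate " + base64.b64encode(
        NTLMSSP_SIGNATURE + b"\x01\x00\x00\x00\x07\x82\x08\xa2").decode(),   # NTLM Type 1 prefix
    "no_credentials": "",
}


def diagnose(retry_header: str) -> str:
    """Map the classification to the check Tim lists: zone membership, domain join, supported IE."""
    kind = classify_authorization(retry_header)
    return {
        "spnego": "Kerberos token presented; if 401 persists, check SPN/keytab on the server side",
        "kerberos": "raw Kerberos token presented; check SPN/keytab on the server side",
        "ntlm": "NTLM sent instead of Kerberos; verify the site is in the Local intranet zone",
        "none": "no credentials sent; verify domain join and that IE is a supported version",
    }.get(kind, "unrecognised scheme or token; capture the full header for support")


if __name__ == "__main__":
    for label, header in SAMPLE_RETRIES.items():
        print(f"{label:15s} -> {classify_authorization(header):8s} {diagnose(header)}")
```

The classifier only inspects the token prefix, which is enough to distinguish the three cases; it never validates or decrypts the ticket, so it is safe to run over captured headers in a log.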
I created the keytab file with the following command:
ktpass -out TORBO2D1_Keytab -princ HTTP/TORBO2D1.DOMAIN.COM@DOMAIN.COM -mapuser boserver@DOMAIN.COM -pass boserver -kvno 255 -ptype KRB5_NT_PRINCIPAL -crypto RC4-HMAC-NT
Here, for TORBO2D1_Keytab, I didn't type the period, like TORBO2D1.Keytab. It's my fault.
The AD admin created the keytab file without an extension.
Do I need to request the AD admin to rerun the above KTPASS command?
Thanks for your advice.
You should follow the steps in KB 1261835 and verify each one with the tests included in the white paper. If a step fails then you can post here or open a ticket with support - authentication team for assistance. If you miss or fail to verify any steps then troubleshooting can be extremely difficult without knowing which one.
Regards,
Tim
I created a service account named "bouser" to configure manual Windows AD authentication for Tomcat.
Question:
1) Can I use the same service account "bouser" to configure AD SSO for Tomcat, or do I need to create a new service account?
2) Can I run the KTPASS command from the local VM which has BO installed, or do I need to run it from the AD server machine?
BOE Admin Guide 3.1 page 523 shows the following ktpass syntax:
ktpass -princ HTTP/TORBO2D1@DEFAULTDOMAIN.CA -mapuser boserver
If I run the above KTPASS from the local VM with BO installed, it causes an error:
Failed to set property 'ServicePrincipalName' to 'HTTP/TORBO2D1.DEFAULTDOMAIN.CA'
All of your questions are answered in SAP KB 1261835 (also linked to in the forum sticky).
1) yes
2) only if you install the 2003 SP2 version or later on your local server
Do not mix the admin guide steps with my white paper; they are not compatible, and that error indicates you do not have permission to modify an AD account.
Regards,
Tim
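The two keytab questions above (the file created without the `.keytab` extension, and the ktpass line run from the wrong machine) both come down to what the keytab file actually contains rather than what it is called: the server only cares that an entry exists for exactly the HTTP SPN it was given, with the kvno and encryption type the KDC is issuing. The following is an added example, not code from the thread, from SAP or from KB 1261835, that writes and reads the MIT keytab format (version 0x0502, which is what ktpass produces) and reports the mismatches that stop a server from using the file. The principal, key bytes and kvno values are constructed to mirror the ktpass line in the thread; a real file would simply be passed to `check_keytab` as bytes read from disk.

```python
# Added example: build a small MIT-format keytab and check what it contains.
# Not the thread's own code; the principal, key bytes and kvno below are constructed.
import struct
from typing import List, NamedTuple, Tuple

RC4_HMAC = 23            # enctype number behind ktpass "-crypto RC4-HMAC-NT"
KRB5_NT_PRINCIPAL = 1    # name type behind ktpass "-ptype KRB5_NT_PRINCIPAL"


class KeytabEntry(NamedTuple):
    principal: str       # e.g. HTTP/host.domain.com@DOMAIN.COM
    kvno: int
    enctype: int
    key: bytes


def _counted(b: bytes) -> bytes:
    """counted_octet_string: 16-bit big-endian length followed by the bytes."""
    return struct.pack(">H", len(b)) + b


def _read_counted(data: bytes, pos: int) -> Tuple[bytes, int]:
    (n,) = struct.unpack_from(">H", data, pos)
    return data[pos + 2:pos + 2 + n], pos + 2 + n


def build_keytab(entries: List[KeytabEntry], timestamp: int = 0) -> bytes:
    """Serialise entries in keytab format version 0x0502 (big-endian, 32-bit vno appended)."""
    out = b"\x05\x02"
    for e in entries:
        name, realm = e.principal.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps)) + _counted(realm.encode())
        for c in comps:
            body += _counted(c.encode())
        body += struct.pack(">IIB", KRB5_NT_PRINCIPAL, timestamp, e.kvno & 0xFF)
        body += struct.pack(">H", e.enctype) + _counted(e.key)
        body += struct.pack(">I", e.kvno)          # full kvno; vno8 alone truncates values > 255
        out += struct.pack(">i", len(body)) + body
    return out


def parse_keytab(data: bytes) -> List[KeytabEntry]:
    """Decode every live entry; negative entry sizes mark deleted slots and are skipped."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        pos += 2
        realm, pos = _read_counted(data, pos)
        comps = []
        for _ in range(ncomp):
            c, pos = _read_counted(data, pos)
            comps.append(c.decode())
        _name_type, _stamp, vno8 = struct.unpack_from(">IIB", data, pos)
        pos += 9
        (enctype,) = struct.unpack_from(">H", data, pos)
        key, pos = _read_counted(data, pos + 2)
        kvno = vno8
        if end - pos >= 4:                          # optional 32-bit vno is present
            (vno32,) = struct.unpack_from(">I", data, pos)
            kvno = vno32 or vno8
        pos = end
        entries.append(KeytabEntry("/".join(comps) + "@" + realm.decode(), kvno, enctype, key))
    return entries


def check_keytab(data: bytes, spn: str, enctype: int = RC4_HMAC) -> List[str]:
    """List problems that would stop a server from using this keytab for spn (exact, case-sensitive match)."""
    entries = parse_keytab(data)
    problems = []
    hits = [e for e in entries if e.principal == spn]
    if not hits:
        problems.append(f"no entry for {spn}; principals present: {[e.principal for e in entries]}")
    elif not any(e.enctype == enctype for e in hits):
        problems.append(f"{spn} has no key of enctype {enctype}; found {[e.enctype for e in hits]}")
    if len({e.kvno for e in hits}) > 1:
        problems.append(f"{spn} appears with several kvno values {sorted(e.kvno for e in hits)}")
    return problems


if __name__ == "__main__":
    # constructed sample mirroring the thread's ktpass line: HTTP SPN, kvno 255, RC4-HMAC key
    sample = build_keytab([KeytabEntry("HTTP/TORBO2D1.DOMAIN.COM@DOMAIN.COM", 255, RC4_HMAC, b"\x11" * 16)])
    for entry in parse_keytab(sample):
        print(entry.principal, "kvno", entry.kvno, "enctype", entry.enctype)
    print(check_keytab(sample, "HTTP/TORBO2D1.DOMAIN.COM@DOMAIN.COM"))
```

The check compares the principal string exactly, which is how a JVM keytab lookup behaves, so an SPN typed in a different case than the one in the file is reported as missing. RC4-HMAC is used only because that is the `-crypto` value in the thread; it is a weak, deprecated encryption type today, and the same check works for AES entries by passing their enctype number.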
Hi Tim,
I've configured SSO for BOXI 3.1 successfully in our development environment. Now, I have a new requirement to allow users from another domain, in a different forest, to be authenticated using AD. Currently, these external users get authenticated using secEnterprise in the BOXIR2 environment.
But I was told last year that this can be done in BOXI 3.1.
Is there a guide for this scenario?
Our main domain: ROCKETENGINES.COM - (FORREST1.COM) SSO configured successfully
AIRPLANES.COM - (FORREST2.COM) New users
HELICOPTERS.COM - (FORREST3.COM) New Users
Help please!
Thanks,
Ferdie
Thanks for your time and support.
Manual AD authentication with Kerberos for Tomcat is working fine for a few domains, like D1Canada and D2Florida.
IIS is working with all the domains, like D1Canada, D2Florida, D3India and D4UK.
Note: all domains are in the same forest and all are under Windows AD 2003.
Manual AD authentication with Kerberos for Tomcat is not working with D1India and D4UK.
With no SSO, the Java Infoview URL causes an error. The error says:
"Account Information Not Recognized: The Active Directory Authentication plugin could not authenticate at this time. Please try again. If the problem persists, please contact your technical support department. (FWM 00005) "
I used KINIT to test the test account. It works fine.
How do I troubleshoot this scenario? Thanks for your advice.
_Antony
Try this utility to create your krb5.ini or verify it: http://www.maplesail.com/
You can download a sample program to test, and if wanted the full version will create it.
krb5.ini files can be complicated for various multiple-domain environments. I have an SAP note/KB on it if you search for krb5.ini, or you can try that utility.
Ferdi, I responded on the other thread too; search for multiple forest requirements.
Regards,
Tim
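The symptom in the post above (kinit works for the test account, IIS works for every domain, but the Java plugin on Tomcat fails for two of the domains in the same forest) is the usual sign that the Java side's krb5.ini lacks a `[realms]` block or a `[domain_realm]` mapping for those domains. The following is an added example, not code from the thread, from SAP or from the maplesail utility Tim links to, that generates a krb5.ini covering several realms and then cross-checks it: every `domain_realm` target must be a defined realm, every realm must name at least one KDC and be upper case, and `default_realm` must exist. The realm and KDC names are constructed; the `rc4-hmac` enctype lines match the `-crypto RC4-HMAC-NT` used elsewhere in the thread and would be replaced by AES types on a current domain.

```python
# Added example: generate a multi-realm krb5.ini and sanity-check its cross references.
# Not the thread's own code or the maplesail utility; realm and KDC names below are constructed.
from typing import Dict, List


def build_krb5_ini(default_realm: str, realms: Dict[str, List[str]]) -> str:
    """realms maps REALM (upper case) to its KDC host names; every realm also gets domain_realm rules."""
    lines = [
        "[libdefaults]",
        f"default_realm = {default_realm.upper()}",
        "dns_lookup_kdc = true",
        "default_tgs_enctypes = rc4-hmac",   # matches ktpass -crypto RC4-HMAC-NT in the thread
        "default_tkt_enctypes = rc4-hmac",
        "udp_preference_limit = 1",          # use TCP; tickets for users in many groups exceed UDP sizes
        "",
        "[realms]",
    ]
    for realm, kdcs in realms.items():
        lines.append(f"{realm.upper()} = {{")
        lines.extend(f"    kdc = {kdc}" for kdc in kdcs)
        lines.append(f"    default_domain = {realm.lower()}")
        lines.append("}")
    lines += ["", "[domain_realm]"]
    for realm in realms:
        lines.append(f".{realm.lower()} = {realm.upper()}")   # hosts inside the domain
        lines.append(f"{realm.lower()} = {realm.upper()}")    # the domain name itself
    return "\n".join(lines) + "\n"


def parse_krb5_ini(text: str) -> Dict[str, Dict[str, object]]:
    """Minimal krb5.ini reader: sections, key = value lines, and NAME = { ... } blocks inside a section."""
    sections: Dict[str, Dict[str, object]] = {}
    section = block = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line[0] == "[" and line[-1] == "]":
            section, block = line[1:-1], None
            sections[section] = {}
            continue
        if section is None:
            raise ValueError(f"value outside any section: {line!r}")
        if line.endswith("{"):
            block = line[:-1].split("=", 1)[0].strip()
            sections[section][block] = {}
            continue
        if line == "}":
            block = None
            continue
        key, _, value = line.partition("=")
        target = sections[section][block] if block else sections[section]
        target.setdefault(key.strip(), []).append(value.strip())   # keys such as kdc may repeat
    return sections


def check_krb5_ini(text: str) -> List[str]:
    """Cross-check the parts that most often break multi-domain Kerberos logons."""
    cfg = parse_krb5_ini(text)
    realms = cfg.get("realms", {})
    problems = []
    default = cfg.get("libdefaults", {}).get("default_realm", [None])[0]
    if default not in realms:
        problems.append(f"default_realm {default!r} has no [realms] entry")
    for realm, body in realms.items():
        if realm != realm.upper():
            problems.append(f"realm {realm} is not upper case")
        if not body.get("kdc"):
            problems.append(f"realm {realm} lists no kdc")
    for domain, targets in cfg.get("domain_realm", {}).items():
        if targets[0] not in realms:
            problems.append(f"{domain} maps to undefined realm {targets[0]}")
    return problems


if __name__ == "__main__":
    # constructed realms standing in for the thread's D1Canada / D2Florida domains
    ini = build_krb5_ini("D1CANADA.EXAMPLE.COM", {
        "D1CANADA.EXAMPLE.COM": ["dc1.d1canada.example.com"],
        "D2FLORIDA.EXAMPLE.COM": ["dc1.d2florida.example.com", "dc2.d2florida.example.com"],
    })
    print(ini)
    print("problems:", check_krb5_ini(ini))
```

A domain that is missing from `[realms]` and `[domain_realm]` is exactly the case where kinit against that domain's KDC still succeeds (it is told the realm explicitly) while the Java plugin, which has to map the user's domain to a realm through this file, cannot.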
In the forum sticky (top of this forum) there is a document for setting up Vintela. In the 1st section it explains the rules for service accounts. Only 1 account is needed for an entire organization. That being said, running IIS and Tomcat SSO on the same server is not supported per the XIR2 and 3.1 admin guides. That's not to say it doesn't work, but it is not documented. In reality it will work fine if the same configuration and service account is used for both.
To get support you need to disable one (like Tomcat) and open a case for the other (like IIS).
Regards,
Tim