Configure Windows AD in BO 3.1 Apache

Former Member
0 Kudos

Hi experts,

I have a problem: I want to configure Windows AD authentication in my Business Objects 3.1. My system is Windows + SQL Server + Apache.

Is there any manual or documentation?

Thanks in advance,

Regards,

Accepted Solutions (1)

former_member793810
Active Contributor
0 Kudos

Here is the Administration Guide...

[http://help.sap.com/businessobject/product_guides/boexir31/en/xi3-1_bip_admin_en.pdf]

Bashir Awan

Former Member
0 Kudos

I tried with a blog, but when I configure the group, an error appears:

The secWinAD plugin failed to look up the account for the group "sap". Please enter non-local groups as DomainName\GroupName and local groups as ServerName\GroupName.

What happened?

Thanks in advance,

Regards,

former_member793810
Active Contributor
0 Kudos

Hi,

This problem occurs when distribution groups do not incorporate the feature of security. The main purpose of this group type is for use with email-applications. Adding this group for authentication in Business Objects will always fail.

Do the following to get issue resolved...

1. Login to the Active Directory Server

2. Go to Active Directory Users and Computers

3. Go to the properties of the target group

4. Change the "Group type" from "Distribution" to "Security"

Have a peek at following links too...

[http://technet.microsoft.com/en-us/library/cc781446(WS.10).aspx]

[http://technet.microsoft.com/en-us/library/cc749909.aspx]

Good Luck

Bashir Awan

BasicTek
Advisor
0 Kudos

[try this doc|https://www.sdn.sap.com/irj/servlet/prt/portal/prtroot/com.sap.km.cm.docs/oss_notes_boj/sdn_oss_boj_bip/sap(bD1lbiZjPTAwMQ==)/bc/bsp/spn/scn_bosap/notes%7B6163636573733d36393736354636443646363436353344333933393338323636393736354637333631373036453646373436353733354636453735364436323635373233443330333033303331333233363331333833333335%7D.do]

The complete guide will show you everything from mapping groups, creating service accounts to setting up SSO. It's done modularly with troubleshooting per section to ensure the proper steps were followed.

Regards,

Tim

Former Member
0 Kudos

Hi,

Thanks for the doc...

I configured it, but when I try to log on to Webi or to the CMC, it doesn't work; I have to enter the user and password of the domain user. Why? Can I avoid entering the user and password?

On the other hand, when I try to go to InfoViewApp, an Apache error appears saying it doesn't exist... Why? I can see an error in the Apache logs:

com.dstc.security.kerberos.KerberosConfigException: Could not locate KDC for Kerberos Realm

Any idea?

Thanks in advance,

Regards,

BasicTek
Advisor
0 Kudos

The doc had pretty specific steps. If you are trying SSO, then you already verified SPNs? Mapped groups? Logged into client tools? Logged in manually from InfoView/CMC? Found credentials obtained in the std.out with the Vintela tracing enabled? All those tests should have preceded your 1st SSO attempt... Also, there is no SSO for CMC and no steps to follow, so why are you trying to use it there?

Regards,

Tim

Former Member
0 Kudos

The SPNs are OK, the groups are mapped and I can see the users, and I put this user in the administrators group.

My first problem is logging into client tools; I cannot do it, I need to type the user and password.

Regards,

BasicTek
Advisor
0 Kudos

So logging into client tools requires:

a) a correct user/pw from a valid mapped group

b) a service account running the SIA and SPN or UPN entered in the CMC

You can remove requirement b temporarily and verify the username/pw by switching the AD plugin to NTLM (this won't fix anything, it just verifies point a is working).

The reason for the modular approach in the docs is that each subsequent section will not work if the last one did not pass the test. If you jump to the end then there could be 20 different problems. I'd advise following the (complete guide) step by step and posting if you have any questions/problems.

Regards,

Tim

Former Member
0 Kudos

Hi,

I can't see anything strange... This error:

com.dstc.security.kerberos.KerberosConfigException: Could not locate KDC for Kerberos Realm

What could have happened?

Thanks in advance,

Regards,

BasicTek
Advisor
0 Kudos

You haven't even gotten the most basic part of the configuration working, there is no point looking in the java logs. It means you didn't follow the configuration steps.

Regards,

Tim

Former Member
0 Kudos

Hi Tim,

I can log in (with the user and password of Windows AD) in the client tools; in InfoView I cannot log in with SSO and I cannot log in with Windows AD. Where can I see logs or anything? I did the same steps as in the tutorial...

Thanks in advance,

Regards,

BasicTek
Advisor
0 Kudos

Again, you are way ahead of yourself. Every step is in the doc. You should only be testing manual logon in InfoView; nothing about SSO should have been considered until manual logon works. All the steps to trace and troubleshoot, as well as examples, are in that complete guide. If client tools work and kinit works then you should be testing InfoView. Just follow the steps. What happened with kinit?

Regards,

Tim

Former Member
0 Kudos

The client tools work fine with manual logon.

The kinit works fine with all users in the domain.

InfoView ONLY works with Enterprise users; it doesn't work with Windows AD.

Thanks in advance,

Regards,

BasicTek
Advisor
0 Kudos

OK, so per the doc you should be looking in the std.out (which by the way should not have the SSO logging enabled yet). The only tracing at this point should be the debug=true on the bsclogin.conf, which will trace the AS requests from InfoView logon attempts.

Regards,

Tim

Former Member
0 Kudos

Hi Tim,

When I go to the URL: http://<server>:8080/InfoViewApp

My domain user appears correctly in the login, but SSO does not work... I go to stdout.log but I cannot see errors and nothing new appears...

If I watch the status bar, I can quickly see ......logonform.do?sso=false

Any idea?

Thanks in advance,

Regards,

BasicTek
Advisor
0 Kudos

If you are not going to follow the doc we have nothing more to discuss. I have directed you to the doc for over 5 posts in a row and you keep disregarding it. The answers to your last 5 questions were all in the doc, as well as any new ones.

Regards,

Tim

Former Member
0 Kudos

I follow the document step by step... but I continue to have the problem...

Why do you say that I don't follow the document?

Regards,

BasicTek
Advisor
0 Kudos

Because all the tracing and troubleshooting steps are in the document. You should be asking why the troubleshooting is failing and you keep trying to SSO which is not tested until the very last step.

A) you couldn't logon to client tools but attempted SSO

B) you could not logon to infoview with AD but attempted SSO

C) you do not see logging information but attempted SSO

These are just a few. If you follow the doc then you will not be attempting SSO you will be kiniting the service account idm.princ @IDM.REALM

you will be viewing commit succeeded for manual logon

you will see credentials obtained for SSO tracing PRIOR to attempting SSO

You would have logged in with client tools long before even mentioning infoview

If you don't follow the steps and troubleshooting in the document then it's a complete waste of time to troubleshoot SSO, as the issue could be 100's of things. You may want to consider opening a ticket with support - authentication team, but they too are going to expect that you follow the doc.

Regards,

Tim

Former Member
0 Kudos

Hi Tim,

You don't understand me:

A) I could logon to client with AD

B) I could logon to infoview with AD

C) I could not logon to infoview by SSO

C) I don't see logging information but attempted SSO

This is correct...

Regards,

BasicTek
Advisor
0 Kudos

I do understand and prior to SSO you should have verified credentials obtained in the std.out per the doc. If you didn't find that then you should not skip to the end and try SSO. Of course it will not work. I keep trying to explain each step in the previous section must be completed before the end result will work. Every post I have in this thread is verbatim from the doc.

So in the doc under section 7 you should have enabled 3 java options including -Djcsi.kerberos.debug=true

After starting tomcat you should have credentials obtained for BOSSO/youraccount.yourdomain @REALM.COM

If not then you should have tested via kinit the idm.princ @REALM.COM

You mentioned SSO didn't work but did not tell the results of these steps

Regards,

Tim

Former Member
0 Kudos

In this step I received:

com.dstc.security.kerberos.KerberosConfigException: Could not locate KDC for Kerberos Realm "KMC.LOCAL"

But I solved it, it was a problem in my NDS; now the correct ticket appears for the user BOSSO/bossosvcacct.kmc.local

If I continue with the manual, I cannot do SSO...

Regards,

Former Member
0 Kudos

Solved, I had two users with the same SPN...

Regards,
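
Added example, not part of any post in this thread and not SAP's code: a check over an LDIF export of the directory for the two AD faults this thread ran into, an SPN registered on two accounts and a group of type Distribution rather than Security. The sample entries (including the account `oldsvc` and the group `bo-users`) are constructed, and having such an export to hand, for instance from `ldifde`, is an assumption.

```python
import base64
from collections import defaultdict

SECURITY_ENABLED = 0x80000000  # GROUP_TYPE_SECURITY_ENABLED bit of groupType

# Constructed sample in LDIF form; all account and group entries are illustrative.
SAMPLE_LDIF = """\
dn: CN=bossosvcacct,OU=Service,DC=kmc,DC=local
servicePrincipalName: BOSSO/bossosvcacct.kmc.local

dn: CN=oldsvc,OU=Service,DC=kmc,DC=local
servicePrincipalName: bosso/BOSSOSVCACCT.kmc.local

dn: CN=sap,OU=Groups,DC=kmc,DC=local
groupType: 2

dn: CN=bo-users,OU=Groups,DC=kmc,DC=local
groupType: -2147483646
"""

def parse_ldif(text):
    """Return one {attribute_lowercase: [values]} dict per LDIF entry."""
    text = text.replace("\r\n", "\n").replace("\n ", "")  # unfold wrapped lines
    entries = []
    for block in text.split("\n\n"):
        entry = defaultdict(list)
        for line in block.splitlines():
            if line.startswith("#") or ":" not in line:
                continue
            name, _, value = line.partition(":")
            if value.startswith(":"):  # "attr:: <base64>" form
                value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
            entry[name.lower()].append(value.strip())
        if "dn" in entry:
            entries.append(entry)
    return entries

def duplicate_spns(entries):
    """SPNs, compared case-insensitively, that sit on more than one account."""
    owners = defaultdict(set)
    for e in entries:
        for spn in e.get("serviceprincipalname", []):
            owners[spn.lower()].add(e["dn"][0])
    return {spn: sorted(dns) for spn, dns in owners.items() if len(dns) > 1}

def distribution_groups(entries):
    """Groups whose groupType lacks the security-enabled bit."""
    return [e["dn"][0] for e in entries
            if e.get("grouptype") and not int(e["grouptype"][0]) & SECURITY_ENABLED]
```

Any SPN returned by `duplicate_spns` should be left on exactly one account, and any group returned by `distribution_groups` needs its type changed to Security before it is mapped in the CMC.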

Former Member
0 Kudos

Hi Victor,

Can you please let us know what error message is displayed when you log in with an AD account in InfoView?

BTW, here are the steps that are required for configuring just the manual AD Kerberos authentication.

1) Log in to CMC -> Authentication -> enable the Windows AD plugin and enter the AD administration credentials.

2) Create an SPN. Enter the SPN information under the service principal name field.

It could be in this format: BobjCentralMS/HOSTNAME.DOMAIN.COM

Then map the AD group and check if the users are available under Home -> Users and Groups.

3) Run the SIA with a domain account.

4) Create bscLogin.conf and krb5.ini files. (Formats available in admin guide)

5) Create a folder under C:\WINNT and place the above files in there.

6) Mention the location of the above files under Tomcat configuration -> Java options (the standard format is available in admin guide).

7) Also check if the delegation option is checked for the AD service account on your AD server.

8) Try to log in with an AD account in InfoView to test the issue.

Hope this information helps!!!

Answers (1)

ashish_gupta3
Participant
0 Kudos

Refer to page 508 of Business Objects Enterprise 3.1 Administrator's Guide available from help.sap.com. The content around this page and on this page should be able to assist you with the configuration.