
secwinad Server not found in Kerberos - problem with windows AD users in BO

Former Member
0 Kudos

Hello gurus,

I have performed all the steps required for Vintela SSO (Kerberos). I have performed the mapping of the users of Windows AD in BO and the update of the users works.

My BO XI 3.1 is on Windows 2003 64 bit. I'm still not able to connect with any of my Windows AD users. The kinit works and the ticket is created.

This is the log of jce_default:

<log4j:event logger="com.crystaldecisions.sdk.plugin.authentication.ldap.internal.SecWinADAction" timestamp="1281017659431" level="ERROR" thread="http-8080-Processor24">

<log4j:message><![CDATA[LoginContext failed. Failure unspecified at GSS-API level (Mechanism level: com.dstc.security.kerberos.KerberosError: Server not found in Kerberos database)]]></log4j:message>

</log4j:event>

<log4j:event logger="com.crystaldecisions.sdk.plugin.authentication.ldap.internal.SecWinADAuthentication" timestamp="1281017661321" level="ERROR" thread="http-8080-Processor25">

<log4j:message><![CDATA[Authentication failed. java.lang.IllegalArgumentException: EncryptionKey: Key bytes cannot be null!

<log4j:event logger="com.crystaldecisions.sdk.plugin.authentication.ldap.internal.SecWinADAction" timestamp="1281019616726" level="ERROR" thread="http-8080-Processor24">

<log4j:message><![CDATA[LoginContext failed. No valid credentials provided (Mechanism level: Server not found in Kerberos database (7))]]></log4j:message>

</log4j:event>

Any suggestion on what can be wrong?

regards

Accepted Solutions (1)


BasicTek
Advisor

Server not found means an SPN is missing or duplicated typically. What doc are you using to set this up?

Can you login to client tools? Can you login to infoview manually?

Regards,

Tim

Former Member
0 Kudos

Hello Tim,

I have followed all the steps required by your .pdf file, but I'm not able to log on to any tools, InfoView or CMC with the AD user, even though I see them in the users and groups of CMC.

I used the application kinit BOSSO user to check if the logon ticket is created and this works. I have checked on the AD with setspn -l BOSSO user and it shows me all the right entries, but I am still not able to log on.

Do you have any additional check to suggest?

regards

BasicTek
Advisor
0 Kudos

If using my SSO in distributed environments you need to make each section work prior to moving to the next section. If you cannot login via client tools that indicates a problem with the service account running the SIA/CMS.

Either the wrong value is entered in the CMC, or the SPN has been duplicated on 2 or more AD accounts. To verify this go to the CMC > auth > AD > and change Kerberos to NTLM. Then try logging into client tools again. Use KB 1476374 to troubleshoot through the issues as well.

Regards,

Tim
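
The missing-or-duplicated SPN check described in this reply can be run offline over saved `setspn -L` output. This is an added example, not part of the original thread; the account names, host names and domain in the sample are constructed, and the required-SPN list is an assumption for illustration.

```python
import re
from collections import defaultdict

# Constructed sample: `setspn -L <account>` output for two accounts,
# concatenated. All names and the domain are made up for illustration.
SAMPLE = """\
Registered ServicePrincipalNames for CN=bosso,OU=Service,DC=example,DC=com:
\tBOBJCentralMS/bosso.example.com
\tHTTP/boserver
\tHTTP/boserver.example.com
Registered ServicePrincipalNames for CN=oldsvc,OU=Service,DC=example,DC=com:
\thttp/BOSERVER.example.com
"""

HEADER = re.compile(r"^Registered ServicePrincipalNames for (.+):\s*$")

def parse_setspn(text):
    """Return {account DN: [SPN, ...]} from concatenated `setspn -L` output."""
    accounts, current = {}, None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            current = accounts.setdefault(m.group(1), [])
        elif current is not None and line.strip():
            current.append(line.strip())
    return accounts

def audit_spns(accounts, required):
    """Find SPNs held by more than one account, and required SPNs held by none.

    SPNs are compared case-insensitively, so HTTP/host and http/HOST collide.
    """
    owners = defaultdict(set)
    for dn, spns in accounts.items():
        for spn in spns:
            owners[spn.lower()].add(dn)
    duplicated = {s: sorted(o) for s, o in owners.items() if len(o) > 1}
    missing = [r for r in required if r.lower() not in owners]
    return duplicated, missing

if __name__ == "__main__":
    dup, miss = audit_spns(parse_setspn(SAMPLE),
                           ["HTTP/boserver", "HTTP/boserver.example.com",
                            "HTTP/boserver2.example.com"])
    for spn, dns in dup.items():
        print("DUPLICATE", spn, "->", "; ".join(dns))
    for spn in miss:
        print("MISSING", spn)
```

Either finding is enough to produce the "Server not found in Kerberos database" error shown in the first post's log: a duplicate leaves the KDC unable to pick one account for the service ticket, and a missing SPN leaves it with none.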

Former Member
0 Kudos

Hello Tim,

Thanks, the problem was solved with the help of the note given.

regards

Answers (2)


Former Member
0 Kudos

Hi,

Just to give an update: we never figured out why the command would not run. We used ADSIEdit on the servicePrincipalName attribute to overcome the issue. Everything is working fine now.

Former Member
0 Kudos

Hi,

We are also using the guide (Configuring Vintela SSO in Distributed Environments – Complete Guide 10 December 2008 by Tim Ziemba). Thank you for publishing this!

But we have the following problem.

We have a single service account which we are using for the setup and have completed the KTPass step successfully, but we are stuck at the step "Running setspn to create access points for SSO". We get the following error when trying to run any of the three commands listed:

C:\Users\Administrator>Setspn -a http/VDV-JHB-BO003 Svc.dev.boe

Unknown parameter http/VDV-JHB-BO003. Please check your usage

With:

VDV-JHB-BO003 being our BO server (single server running on Windows 2008)

Svc.dev.boe being our service account

Any help would be greatly appreciated.

Michael

BasicTek
Advisor
0 Kudos

Out of curiosity, try something simpler like setspn -a bobj/svc Svc.dev.boe

You can remove it with setspn -d bobj/svc Svc.dev.boe if it works

If it does work then you may need to escalate the issue with Microsoft, there could be bugs with the commands that I'm not aware of yet.

Regards,

Tim

Former Member
0 Kudos

Hi

Thanks for the prompt reply.

Yes, the setspn -a VDV-JHB-BO003 /svc Svc.dev.boe works. It seems like it has something to do with the http. Will need to see if I can find anything.

BasicTek
Advisor
0 Kudos

I have 2008 SP2 and didn't run into this issue, can't see anything on Microsoft site either.

Former Member
0 Kudos

Hello,

I do not know if this can be the solution. Did you try to use HTTP (capital letters) and not http?

Maybe the problem is only this.

In my configuration I used the one with capital letters.

Former Member
0 Kudos

Hi,

Yes, we have tried that. But it would seem we may have some other issues with certificate authorities on the server that the server team is currently investigating.

I will give an update once they get back to me.