on 08-05-2010 10:39 PM
Hello gurus,
I have performed all the steps required for Vintela SSO (Kerberos). I have performed the mapping of the users of Windows AD in BO and the update of the users works.
My BO XI 3.1 is on Windows 2003 64 bit. I'm still not able to connect with any of my Windows AD users. The kinit works and the ticket is created.
This is the log of jce_default:
<log4j:event logger="com.crystaldecisions.sdk.plugin.authentication.ldap.internal.SecWinADAction" timestamp="1281017659431" level="ERROR" thread="http-8080-Processor24">
<log4j:message><![CDATA[LoginContext failed. Failure unspecified at GSS-API level (Mechanism level: com.dstc.security.kerberos.KerberosError: Server not found in Kerberos database)]]></log4j:message>
</log4j:event>
<log4j:event logger="com.crystaldecisions.sdk.plugin.authentication.ldap.internal.SecWinADAuthentication" timestamp="1281017661321" level="ERROR" thread="http-8080-Processor25">
<log4j:message><![CDATA[Authentication failed. java.lang.IllegalArgumentException: EncryptionKey: Key bytes cannot be null!
<log4j:event logger="com.crystaldecisions.sdk.plugin.authentication.ldap.internal.SecWinADAction" timestamp="1281019616726" level="ERROR" thread="http-8080-Processor24">
<log4j:message><![CDATA[LoginContext failed. No valid credentials provided (Mechanism level: Server not found in Kerberos database (7))]]></log4j:message>
</log4j:event>
Any suggestion on what can be wrong?
Regards
"Server not found" typically means an SPN is missing or duplicated. What doc are you using to set this up?
Can you log in to client tools? Can you log in to InfoView manually?
Regards,
Tim
Hello Tim,
I have followed all the steps required by your .pdf file, but I'm not able to log on to any tools, InfoView or the CMC with the AD user, even though I see them in the users and groups of the CMC.
I used kinit with the BOSSO user to check whether the logon ticket is created, and this works. I have checked on the AD with setspn -l for the BOSSO user and it shows me all the right entries, but I am still not able to log on.
Do you have any additional check to suggest?
Regards
If using my SSO in distributed environments guide, you need to make each section work prior to moving to the next section. If you cannot log in via client tools, that indicates a problem with the service account running the SIA/CMS.
Either the wrong value is entered in the CMC, or the SPN has been duplicated on 2 or more AD accounts. To verify this, go to CMC > auth > AD and change Kerberos to NTLM, then try logging into client tools again. Use KB 1476374 to troubleshoot through the issues as well.
Regards,
Tim
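Tim's replies above attribute "Server not found in Kerberos database" to an SPN that is missing or registered on two or more AD accounts. The following is an added example, not part of the thread or of Tim's guide: a Python check over an LDIF export of servicePrincipalName values (for instance one produced with ldifde). The account names, hosts and expected-SPN list are constructed, and comparing SPNs case-insensitively is an assumption of the example.

```python
import base64
from collections import defaultdict

# Constructed sample export (hypothetical accounts and hosts): two accounts
# hold the same HTTP SPN, differing only in letter case.
SAMPLE_LDIF = """\
dn: CN=bosso,OU=Service,DC=example,DC=com
servicePrincipalName: HTTP/boserver
servicePrincipalName: HTTP/boserver.example.com

dn: CN=oldweb,OU=Service,DC=example,DC=com
servicePrincipalName: http/BOSERVER.example.com
"""

def parse_spns(ldif_text):
    """Map each account DN to the SPNs registered on it."""
    lines = []
    for raw in ldif_text.splitlines():
        if raw.startswith(" ") and lines:   # LDIF folds long lines
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    accounts, dn = defaultdict(list), None
    for line in lines:
        attr, _, value = line.partition(":")
        if value.startswith(":"):           # "attr:: <base64>" form
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        value = value.strip()
        if attr.lower() == "dn":
            dn = value
        elif attr.lower() == "serviceprincipalname" and dn:
            accounts[dn].append(value)
    return dict(accounts)

def check_spns(accounts, expected):
    """Return (missing, duplicated); SPNs are compared case-insensitively (assumption)."""
    owners = defaultdict(set)
    for dn, spns in accounts.items():
        for spn in spns:
            owners[spn.lower()].add(dn)
    missing = [s for s in expected if s.lower() not in owners]
    duplicated = {s: sorted(d) for s, d in owners.items() if len(d) > 1}
    return missing, duplicated

if __name__ == "__main__":
    expected = ["HTTP/boserver", "HTTP/boserver.example.com", "HTTP/boserver2"]
    print(check_spns(parse_spns(SAMPLE_LDIF), expected))
```

Any SPN reported as duplicated should remain on the service account only; any reported as missing still has to be registered on it.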
Hi,
Just to give an update: we never figured out why the command would not run. We used ADSIEdit on the servicePrincipalName attribute to overcome the issue. Everything is working fine now.
Hi,
We are also using the guide (Configuring Vintela SSO in Distributed Environments – Complete Guide, 10 December 2008, by Tim Ziemba). Thank you for publishing this!
But we have the following problem.
We have a single service account which we are using for the setup and have completed the KTPass step successfully, but we are stuck at "Running setspn to create access points for SSO": we get the following error when trying to run any of the three commands listed:
C:\Users\Administrator>Setspn -a http/VDV-JHB-BO003 Svc.dev.boe
Unknown parameter http/VDV-JHB-BO003. Please check your usage
With:
VDV-JHB-BO003 being our BO server (Single server running on windows 2008)
Svc.dev.boe being our service account
Any help would be greatly appreciated.
Michael