Former Member
Jul 28, 2011 at 05:39 PM

Kerberos SSO problem with windows AD authentication at BI 4.0


I have installed BI 4.0 on Windows 2008 with Tomcat 6 / MSSQL. Authentication with AD is configured based on the Admin guide. I can log in to CMC / BI Launch Pad manually with Windows AD Authentication.

Kerberos SSO with AD doesn't work. I got the error message as "Account Information Not Recognized: Active Directory Authentication failed to log you on. Please contact your system administrator to make sure you are a member of a valid mapped group and try again. If you are not a member of the default domain, enter your user name as UserName@DNS_DomainName, and then try again. (FWM 00006)"

The error shows in the trace file Webapp_BIlaunchpad_trace.000001.glf as follows:

    com.crystaldecisions.sdk.plugin.authentication.ldap.internal.SecWinADAuthentication||Authentication failed.
    java.lang.IllegalArgumentException: EncryptionKey: Key bytes cannot be null!
        at sun.security.krb5.EncryptionKey.<init>(EncryptionKey.java:214)
        at sun.security.krb5.EncryptionKey.acquireSecretKeys(EncryptionKey.java:191)
        at sun.security.krb5.EncryptionKey.acquireSecretKeys(EncryptionKey.java:159)

Tomcat log shows:

Debug is true storeKey false useTicketCache false useKeyTab false doNotPrompt false ticketCache is null isInitiator true KeyTab is null refreshKrb5Config is false principal is null tryFirstPass is false useFirstPass is false storePass is false clearPass is false

[Krb5LoginModule] user entered username: @XX.YY.COM

Using builtin default etypes for default_tkt_enctypes

default etypes for default_tkt_enctypes: 3 1 23 16 17.

There is no username passed.

I followed the administrator guide and created global.properties and BIlaunchpad.properties under the custom folder. Kinit is OK. "setspn -l bodservice" looks good too.

global.properties:

    sso.enabled=true
    siteminder.enabled=false
    vintela.enabled=true
    idm.realm=XX.YY.COM
    idm.princ=BOSSO/bodservice.XX.YY.com
    idm.allowUnsecured=true
    idm.allowNTLM=false
    idm.logger.name=simple
    idm.logger.props=error-log.properties
    idm.keytab=C:\winnt\BODvintela.keytab

BIlaunchpad.properties:

    authentication.default=secWinAD
    cms.default=XXXX:6400
    authentication.visible=true

bscLogin.conf:

    com.businessobjects.security.jgss.initiate
    {com.sun.security.auth.module.Krb5LoginModule required debug=true;
    };

Krb5.ini:

    [libdefaults]
    default_realm = XX.YY.COM
    dns_lookup_kdc = true
    dns_lookup_realm = true
    udp_preference_limit = 1

    [realms]
    XX.YY.COM = {
    kdc = XXXX.XX.YY.COM
    default_domain = XX.YY.COM
    }

We have XI 3.1 with AD SSO for InfoView. I followed most of the configuration steps but there is no luck for 4.0. Any idea? Thanks for your help.

Edited by: Dong Li on Jul 28, 2011 11:16 PM

Update: I worked with SAP Support. SSO works when the password is entered manually in the Tomcat configuration. It seems there is something wrong with the keytab. We will create a new keytab.
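
Since the update above points at the keytab, here is one way to inspect a keytab's entries before and after regenerating it; this is an added example, not part of the original post and not SAP or Vintela tooling. It assumes the common keytab file format 0x0502, assumes the expected principal is idm.princ joined to idm.realm with "@" and compared case-sensitively, and uses a constructed sample keytab with an all-zero key.

```python
import struct

LOGGED_ETYPES = {3, 1, 23, 16, 17}  # enctype numbers from the Tomcat log above

def _counted(buf, p):  # read a uint16 length-prefixed field -> (bytes, next offset)
    (n,) = struct.unpack_from(">H", buf, p)
    return buf[p + 2:p + 2 + n], p + 2 + n

def parse_keytab(data):
    """Return [(principal, kvno, enctype, key_len)] from keytab format 0x0502."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:                     # deleted slot: skip its bytes
            pos -= size
            continue
        if size == 0 or pos + size > len(data):
            break                        # end marker or truncated file
        (ncomp,) = struct.unpack_from(">H", data, pos)
        realm, p = _counted(data, pos + 2)
        comps = []
        for _ in range(ncomp):
            c, p = _counted(data, p)
            comps.append(c.decode())
        _ntype, _ts, kvno, etype = struct.unpack_from(">IIBH", data, p)
        key, p = _counted(data, p + 11)
        if pos + size - p >= 4:          # optional 32-bit kvno replaces the 8-bit one
            (kvno,) = struct.unpack_from(">I", data, p)
        entries.append(("/".join(comps) + "@" + realm.decode(), kvno, etype, len(key)))
        pos += size
    return entries

def check_keytab(data, princ, realm, etypes=LOGGED_ETYPES):
    """Return findings for princ@realm; an empty list means no mismatch found."""
    mine = [e for e in parse_keytab(data) if e[0] == f"{princ}@{realm}"]
    if not mine:
        return [f"no entry for {princ}@{realm}"]
    usable = any(t in etypes and n > 0 for _, _, t, n in mine)
    return [] if usable else ["no non-empty key with a logged enctype"]

def build_entry(realm, comps, kvno, etype, key):   # builds constructed sample data
    f = lambda b: struct.pack(">H", len(b)) + b
    body = struct.pack(">H", len(comps)) + b"".join(map(f, [realm, *comps]))
    body += struct.pack(">IIBH", 1, 0, kvno, etype) + f(key)
    return struct.pack(">i", len(body)) + body

SAMPLE = b"\x05\x02" + build_entry(b"XX.YY.COM", [b"BOSSO", b"bodservice.XX.YY.com"], 3, 23, b"\0" * 16)
```

To check a real file, pass its bytes (read in binary mode) to `check_keytab` together with the idm.princ and idm.realm values from global.properties.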