Former Member

Kerberos SSO problem with windows AD authentication at BI 4.0

I have installed BI 4.0 on Windows 2008 with Tomcat 6 / MSSQL. Authentication with AD is configured based on the Admin guide. I can log in to the CMC / BI Launch Pad manually with Windows AD authentication.

Kerberos SSO with AD doesn't work. I get the error message "Account Information Not Recognized: Active Directory Authentication failed to log you on. Please contact your system administrator to make sure you are a member of a valid mapped group and try again. If you are not a member of the default domain, enter your user name as UserName@DNS_DomainName, and then try again. (FWM 00006)"

The error shows in the trace file Webapp_BIlaunchpad_trace.000001.glf as follows:

com.crystaldecisions.sdk.plugin.authentication.ldap.internal.SecWinADAuthentication||Authentication failed.
java.lang.IllegalArgumentException: EncryptionKey: Key bytes cannot be null!
    at sun.security.krb5.EncryptionKey.<init>(EncryptionKey.java:214)
    at sun.security.krb5.EncryptionKey.acquireSecretKeys(EncryptionKey.java:191)
    at sun.security.krb5.EncryptionKey.acquireSecretKeys(EncryptionKey.java:159)

The Tomcat log shows:

Debug is true storeKey false useTicketCache false useKeyTab false doNotPrompt false ticketCache is null isInitiator true KeyTab is null refreshKrb5Config is false principal is null tryFirstPass is false useFirstPass is false storePass is false clearPass is false
[Krb5LoginModule] user entered username: @XX.YY.COM
Using builtin default etypes for default_tkt_enctypes
default etypes for default_tkt_enctypes: 3 1 23 16 17.

There is no username passed.

I followed the administrator guide and created global.properties and BIlaunchpad.properties under the custom folder. kinit is OK. "setspn -l bodservice" looks good too.

global.properties:
sso.enabled=true
siteminder.enabled=false
vintela.enabled=true
idm.realm=XX.YY.COM
idm.princ=BOSSO/bodservice.XX.YY.com
idm.allowUnsecured=true
idm.allowNTLM=false
idm.logger.name=simple
idm.logger.props=error-log.properties
idm.keytab=C:\winnt\BODvintela.keytab

BIlaunchpad.properties:
authentication.default=secWinAD
cms.default=XXXX:6400
authentication.visible=true

bscLogin.conf:
com.businessobjects.security.jgss.initiate {
    com.sun.security.auth.module.Krb5LoginModule required debug=true;
};

Krb5.ini:
[libdefaults]
default_realm = XX.YY.COM
dns_lookup_kdc = true
dns_lookup_realm = true
udp_preference_limit = 1

[realms]
XX.YY.COM = {
    kdc = XXXX.XX.YY.COM
    default_domain = XX.YY.COM
}

We have XI 3.1 with AD SSO for InfoView. I followed most of the same configuration steps, but there is no luck for 4.0. Any idea? Thanks for your help.

Edited by: Dong Li on Jul 28, 2011 11:16 PM

Update: I worked with SAP Support. SSO works for manually inputting the password at Tomcat configuration. It seems there is something wrong with Keytab. We will create new keytab.


3 Answers

  • Best Answer
    Jul 29, 2011 at 01:34 AM

    The problem is likely with the vintela account setup:

    idm.princ=BOSSO/bodservice.XX.YY.com
    idm.allowUnsecured=true
    idm.allowNTLM=false
    idm.logger.name=simple
    idm.logger.props=error-log.properties
    idm.keytab=C:\winnt\BODvintela.keytab

    We haven't completed the 4.x white paper yet so the steps followed should be like the XI 3.1 SP3 guide (adjusting for the global.properties instead of web.xml) KB 1483762 - Configuring Manual Kerberos Authentication and/or SSO in Distributed Environments with XI 3.1 SP3 **Best Practice**

    Setting things up with the keytab initially adds another point of failure as well. In that guide there is a logging function, password option, and way to test the idmprinc @IDM.REALM via kinit which is also helpful.

    Regards,

    Tim


    • Former Member

      Great thanks to you, Bernardt Nel, for the "/" symbols in the keytab file path in the global.properties file.

      Only this advice helped us to solve the same problem.

      Too bad that SAP writes guides with such serious mistakes, and support has not been able to solve the high message, with all the details about our settings, for 2 weeks already. Only this forum was useful.

    Former Member
    Sep 08, 2011 at 05:12 AM

    The same problem happened after applying SP02 on BO 4.0 SP01.

    I had double backslashes instead of single \. It worked. Another way of having keytab path.

    --Srikar

    Edited by: Srikar Garisa on Sep 8, 2011 7:13 AM
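The two fixes credited in this thread (forward slashes, or doubled backslashes, in idm.keytab) have the same root cause: global.properties is a Java .properties file, and java.util.Properties treats a backslash as an escape character, so a path written with single backslashes is silently mangled before the Vintela filter ever opens it. The following added example is not code from the original post or from SAP. It re-implements the Properties escape rules in Python and runs them over constructed variants of the one line from the question; the fourth variant goes beyond the thread to show that a folder name beginning with t, n, r or f is damaged even more badly, because \t becomes a tab.

```python
"""How java.util.Properties reads the idm.keytab line from global.properties.

Added example, not code from the original post or from SAP: a small
re-implementation of the Properties escape rules, applied to constructed
variants (assumed paths) of the line the thread identifies as the culprit."""

import re

_SIMPLE_ESCAPES = {"t": "\t", "n": "\n", "r": "\r", "f": "\f"}


def unescape_properties_value(raw: str) -> str:
    """Apply the java.util.Properties escape rules to a key or value.

    A backslash always consumes the character after it: \\t \\n \\r \\f become
    control characters, \\uXXXX becomes a code point, and any other \\X becomes
    a bare X.  A lone backslash in a Windows path therefore vanishes silently."""
    out, i = [], 0
    while i < len(raw):
        ch = raw[i]
        if ch != "\\":
            out.append(ch)
            i += 1
            continue
        i += 1
        if i >= len(raw):          # trailing backslash: dropped, as Java does
            break
        esc = raw[i]
        if esc == "u":
            hexdigits = raw[i + 1:i + 5]
            if not re.fullmatch(r"[0-9A-Fa-f]{4}", hexdigits):
                raise ValueError("Malformed \\uxxxx encoding.")
            out.append(chr(int(hexdigits, 16)))
            i += 5
        else:
            out.append(_SIMPLE_ESCAPES.get(esc, esc))
            i += 1
    return "".join(out)


# key, optional '=' or ':' separator (whitespace allowed around it), value
_KEY_VALUE = re.compile(r"((?:\\.|[^\\\s=:])+)\s*[=:]?\s*(.*)")


def load_properties(text: str) -> dict:
    """Parse the subset of .properties syntax used by global.properties:
    key=value, key:value or key value lines, # and ! comments, and a trailing
    backslash continuing the line."""
    props, logical = {}, ""
    for line in text.splitlines():
        line = line.lstrip()
        if not logical and (not line or line[0] in "#!"):
            continue
        trailing = re.search(r"(\\*)$", line).group(1)
        if len(trailing) % 2 == 1:          # odd count: line continuation
            logical += line[:-1]
            continue
        logical += line
        m = _KEY_VALUE.match(logical)
        if m:
            props[unescape_properties_value(m.group(1))] = unescape_properties_value(m.group(2))
        logical = ""
    return props


def audit_keytab_line(line: str) -> dict:
    """Return what Java actually loads for idm.keytab and whether it is still a
    usable Windows path (drive letter, separator, no control characters)."""
    loaded = load_properties(line).get("idm.keytab", "")
    ok = bool(re.fullmatch(r"[A-Za-z]:[\\/][^\x00-\x1f]+", loaded))
    return {"raw": line.split("=", 1)[1], "loaded": loaded, "usable_path": ok}


# Constructed variants of the one line from the question (assumed paths).
VARIANTS = {
    "single backslashes, as in the question": r"idm.keytab=C:\winnt\BODvintela.keytab",
    "forward slashes, the fix credited to Bernardt Nel": "idm.keytab=C:/winnt/BODvintela.keytab",
    "doubled backslashes, Srikar's fix": r"idm.keytab=C:\\winnt\\BODvintela.keytab",
    "single backslashes, folder starting with t": r"idm.keytab=C:\temp\BODvintela.keytab",
}

if __name__ == "__main__":
    for label, line in VARIANTS.items():
        result = audit_keytab_line(line)
        print(f"{label}:\n  raw    {result['raw']!r}\n  loaded {result['loaded']!r}"
              f"\n  usable {result['usable_path']}")
```

Run it and the first variant loads as C:winntBODvintela.keytab, a file that does not exist, which is consistent with the Krb5LoginModule line in the question reporting KeyTab is null and useKeyTab false. The practical check on a live system is the same one the script makes: take the value as Java will unescape it, then confirm that exact path exists and is readable by the Tomcat service account.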


    Former Member
    Dec 29, 2015 at 11:45 AM

    Hello,

    For today's reader, in 2015 (soon 2016): don't use RC4 as the Kerberos encryption algorithm!

    See:

    Regards,

    Stéphane
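The Tomcat log in the question shows which algorithms the JRE was willing to use: "default etypes for default_tkt_enctypes: 3 1 23 16 17." These are IANA Kerberos encryption type numbers, and four of the five are DES, 3DES or RC4. The following added example is not code from the thread or from SAP; it decodes such a debug line, flags the algorithms deprecated by RFC 6649 (DES) and RFC 8429 (RC4 and 3DES), and renders a krb5.ini fragment, built from the realm and KDC names given in the question, that pins AES. The sample log lines are copied from the question; everything else is constructed.

```python
"""Decode the etype list that Krb5LoginModule prints in debug mode and flag the
legacy algorithms in it.

Added example, not code from the original thread or from SAP.  Etype numbers and
names follow the IANA Kerberos encryption type registry; the deprecation flags
follow RFC 6649 (DES, rc4-hmac-exp) and RFC 8429 (rc4-hmac, des3-cbc-sha1)."""

import re

# etype id -> (name, deprecated by current RFCs)
ETYPES = {
    1: ("des-cbc-crc", True),
    2: ("des-cbc-md4", True),
    3: ("des-cbc-md5", True),
    16: ("des3-cbc-sha1", True),
    17: ("aes128-cts-hmac-sha1-96", False),
    18: ("aes256-cts-hmac-sha1-96", False),
    19: ("aes128-cts-hmac-sha256-128", False),
    20: ("aes256-cts-hmac-sha384-192", False),
    23: ("rc4-hmac", True),
    24: ("rc4-hmac-exp", True),
}

# "default etypes for default_tkt_enctypes: 3 1 23 16 17."
_ETYPE_LINE = re.compile(r"default etypes for (?P<setting>\w+):\s*(?P<ids>\d[\d ]*)")


def parse_etype_line(line: str):
    """Return (setting name, [etype ids]) for a JGSS debug line, else None."""
    m = _ETYPE_LINE.search(line)
    if not m:
        return None
    return m.group("setting"), [int(x) for x in m.group("ids").split()]


def classify_etypes(ids):
    """Split an etype id list into deprecated and acceptable names; ids that
    are not in the table are reported by number rather than guessed at."""
    deprecated, acceptable, unknown = [], [], []
    for i in ids:
        if i not in ETYPES:
            unknown.append(i)
        elif ETYPES[i][1]:
            deprecated.append(ETYPES[i][0])
        else:
            acceptable.append(ETYPES[i][0])
    return {"deprecated": deprecated, "acceptable": acceptable, "unknown": unknown}


def audit_jgss_log(log_text: str):
    """Scan Krb5LoginModule debug output; one finding per etype line."""
    findings = []
    for line in log_text.splitlines():
        parsed = parse_etype_line(line)
        if parsed:
            setting, ids = parsed
            findings.append({"setting": setting, "ids": ids, **classify_etypes(ids)})
    return findings


def aes_only_krb5_fragment(realm: str, kdc: str) -> str:
    """Render a krb5.ini fragment that restricts the tickets requested, the TGS
    requests made and the keys accepted to AES, for the given realm and KDC."""
    aes = "aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96"
    return "\n".join([
        "[libdefaults]",
        f"default_realm = {realm}",
        "dns_lookup_kdc = true",
        "dns_lookup_realm = true",
        "udp_preference_limit = 1",
        f"default_tkt_enctypes = {aes}",
        f"default_tgs_enctypes = {aes}",
        f"permitted_enctypes = {aes}",
        "",
        "[realms]",
        f"{realm} = {{",
        f"    kdc = {kdc}",
        f"    default_domain = {realm}",
        "}",
    ])


# Sample input: the debug lines quoted in the question.
SAMPLE_LOG = """[Krb5LoginModule] user entered username: @XX.YY.COM
Using builtin default etypes for default_tkt_enctypes
default etypes for default_tkt_enctypes: 3 1 23 16 17.
"""

if __name__ == "__main__":
    for f in audit_jgss_log(SAMPLE_LOG):
        print(f"{f['setting']}: deprecated={f['deprecated']} acceptable={f['acceptable']} unknown={f['unknown']}")
    print(aes_only_krb5_fragment("XX.YY.COM", "XXXX.XX.YY.COM"))
```

Pinning AES in krb5.ini is only the client half of the change. The service account in AD must also be allowed to use AES (the "This account supports Kerberos AES 128/256 bit encryption" options, i.e. msDS-SupportedEncryptionTypes) and the keytab must be regenerated with AES keys (ktpass with /crypto AES256-SHA1 or AES128-SHA1), otherwise the Vintela filter has no AES key to decrypt the service ticket with. Older JREs additionally needed the unlimited-strength JCE policy files before they would use AES-256 at all.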
