Former Member
Jul 29, 2011 at 02:19 PM

Problem about SSO with Windows AD

Hi,

We have a problem with SSO with Windows AD. We use BI 4.0 on Windows Server 2008 (64-bit); the domain controller is also Windows Server 2008 (64-bit). We did everything the "xi4_bip_admin_en" document says. We did these before SSO, as in the document;

We created a new folder called "c:\WINNT" and created "krb5.ini" and "bsclogin.conf" in the folder.

In krb5.ini we wrote these;

[libdefaults]
default_realm =DOMAIN1.COM
dns_lookup_kdc = true
dns_lookup_realm = true
default_tkt_enctypes = rc4-hmac
default_tgs_enctypes = rc4-hmac
[domain_realm]
.domain.com =DOMAIN1.COM
domain.com =DOMAIN1.COM
.domain2.com =DOMAIN2.COM
domain2.com = DOMAIN2.COM
[realms]
DOMAIN.COM = {
default_domain =DOMAIN2.COM
kdc =HOST.DOMAIN1.COM
}
DOMAIN2.COM = {
default_domain = DOMAIN2.COM
kdc = HOSTNAME.DOMAIN2.COM
}
[capaths]
DOMAIN2.COM = {
 DOMAIN1.COM =
}

AND

in bsclogin.conf we wrote these;

com.businessobjects.security.jgss.initiate {
com.sun.security.auth.module.Krb5LoginModule required
storeKey=true
keyTab=C:\Program Files\Java\jre6\bin\BOSSO.keytab
doNotPrompt=true
useKeyTab=true
realm=DOMAIN.COM
principal=SERVICENAME@DOMAIN.COM
debug=true;
};

AND THEN

We created new files in "C:\Program Files (x86)\SAP BusinessObjects\Tomcat6\webapps\BOE\WEB-INF\config\custom" called;

bilaunchpad.properties;

"authentication.default=secWinAD
cms.default=<cmsservername>:<cms port>"

global.properties;

"vintela.enabled=true
idm.realm=DOMAIN.COM
idm.princ=PRINCIPAL NAME
idm.allowUnsecured=true
idm.allowNTLM=false
idm.logger.name=simple
idm.logger.props=error-log.properties
idm.keytab=C:\Program Files\Java\jre6\bin\BOSSO.keytab
idm.allowS4U=true
sso.enabled=true
siteminder.authentication=secWinAD
siteminder.enabled=false"

opendocument.properties;

"app.name=BusinessObjects OpenDocument
app.name.short=OpenDocument
# You can specify the default Authentication types here. secEnterprise, secLDAP, secWinAD, secSAPR3
authentication.default=secEnterprise
# Choose whether to let the user change the authentication type. If it isn't shown the default authentication type from above will be used
authentication.visible=false
# You can specify the default CMS machine name here
cms.default=:
# Choose whether to let the user change the CMS name. If it isn't shown the default System from above will be used
cms.visible=false
# Set to false to disable logon with token.
logontoken.enabled=true
# Allow or disallow logoff on web session expiry for external logon.
# Has no effect if the global logoff.on.websession.expiry value is false
extlogon.allow.logoff=true"

AFTER THESE WE SET THESE;

"ktab -k BOSSO.keytab -a BOSSO/service.domain.com@domain.com"

"ktpass -princ HTTP/server.domain.com@domain.com -mapuser bi1 -crypto RC4-HMAC-NT -ptype KRB5_NT_PRINCIPAL -mapop set +desonly -pass password -out BOSSO.keytab"

"setspn -a HTTP/servername servicename"

"setspn -a HTTP/servername.domainname servicename"

"setspn -a HTTP/<ip address of server> servicename"

AND on the BO server we set the service account as administrator and started the SIA with this account. Then we logged in to the CMC, opened "Authentication", enabled Windows AD and put the domain group to map. Everything is OK. We can see the domain users.

But when we try to log in with these users we get this error;

"Account Information Not Recognized: Active Directory Authentication failed to log you on. Please contact your system administrator to make sure you are a member of a valid mapped group and try again. If you are not a member of the default domain, enter your user name as UserName@DNS_DomainName, and then try again. (FWM 00006)"

And there is a log in tomcat6's log folder, "stdout", which says;

"log4j:WARN No appenders could be found for logger (com.sun.faces.config.ConfigureListener).
log4j:WARN Please initialize the log4j system properly.
com.businessobjects.webpath.rebean3ws.Activator"

Please help with this.

Thank You
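Realm names drift easily between the three sections of a krb5.ini like the one above (a default_realm with no matching [realms] block, a [realms] block nothing maps to, a default_domain that belongs to another realm). Here is an added consistency checker for exactly those cross-references; it is example code, not from the original post or from SAP, and the sample file is constructed with the post's placeholder names, not the poster's real file.

```python
# Constructed krb5.ini modelled on the one in the post (placeholder names kept; not the poster's file).
SAMPLE_KRB5_INI = """
[libdefaults]
default_realm = DOMAIN1.COM
[domain_realm]
domain2.com = DOMAIN2.COM
[realms]
DOMAIN.COM = {
 default_domain = DOMAIN2.COM
 kdc = HOST.DOMAIN1.COM
}
DOMAIN2.COM = {
 kdc = HOSTNAME.DOMAIN2.COM
}
"""
def parse_krb5(text):
    # Minimal parser: key = value lines plus NAME = { ... } realm blocks; unparsable lines become findings.
    sections, findings, sect, block = {}, [], None, None
    for n, line in enumerate(map(str.strip, text.splitlines()), 1):
        if not line or line[0] in "#;":
            continue
        if line[0] == "[":
            sect, block = line.strip("[]").lower(), None
            sections.setdefault(sect, {})
        elif sect and line.endswith("{"):
            block = line[:-1].strip(" =")
            sections[sect][block] = {}
        elif line == "}":
            block = None
        elif sect and "=" in line:
            key, _, val = (s.strip() for s in line.partition("="))
            (sections[sect][block] if block else sections[sect])[key] = val
        else:
            findings.append(f"line {n}: cannot parse {line!r}")
    return sections, findings

def check_krb5(text):
    # Cross-check default_realm, [domain_realm] and [realms] so a realm-name slip shows up before a logon test.
    sections, findings = parse_krb5(text)
    realms = sections.get("realms", {})
    domain_realm = sections.get("domain_realm", {})
    referenced = set(domain_realm.values()) | {sections.get("libdefaults", {}).get("default_realm")} - {None}
    findings += [f"realm {r} is referenced but has no [realms] entry" for r in sorted(referenced - set(realms))]
    for realm, conf in realms.items():
        if realm not in referenced:
            findings.append(f"[realms] {realm} is defined but nothing maps to it")
        mapped = domain_realm.get(conf.get("default_domain", "").lower())
        if mapped and mapped != realm:
            findings.append(f"[realms] {realm} default_domain belongs to {mapped} per [domain_realm]")
    return findings
```

Run `check_krb5(open(r"C:\WINNT\krb5.ini").read())` against the real file; an empty list means the three sections agree with each other, which is worth confirming before touching keytabs or SPNs.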