Hi,
We have a problem with SSO with Windows AD. We use BI 4.0 on Windows Server 2008 (64-bit); the domain controller is also Windows Server 2008 (64-bit). We did everything the "xi4_bip_admin_en" document says. Before SSO we did the following, as in the document:
We created a new folder called "c:\WINNT" and created "krb5.ini" and "bsclogin.conf" in that folder.
In krb5.ini we wrote this:
[libdefaults]
default_realm = DOMAIN1.COM
dns_lookup_kdc = true
dns_lookup_realm = true
default_tkt_enctypes = rc4-hmac
default_tgs_enctypes = rc4-hmac
[domain_realm]
.domain.com = DOMAIN1.COM
domain.com = DOMAIN1.COM
.domain2.com = DOMAIN2.COM
domain2.com = DOMAIN2.COM
[realms]
DOMAIN.COM = {
default_domain = DOMAIN2.COM
kdc = HOST.DOMAIN1.COM
}
DOMAIN2.COM = {
default_domain = DOMAIN2.COM
kdc = HOSTNAME.DOMAIN2.COM
}
[capaths]
DOMAIN2.COM = {
DOMAIN1.COM =
}
And in bsclogin.conf we wrote this:
com.businessobjects.security.jgss.initiate {
com.sun.security.auth.module.Krb5LoginModule required
storeKey=true
keyTab=C:\Program Files\Java\jre6\bin\BOSSO.keytab
doNotPrompt=true
useKeyTab=true
realm=DOMAIN.COM
principal=SERVICENAME@DOMAIN.COM
debug=true;
};
And then we created new files in "C:\Program Files (x86)\SAP BusinessObjects\Tomcat6\webapps\BOE\WEB-INF\config\custom" called:
bilaunchpad.properties:
authentication.default=secWinAD
cms.default=<cmsservername>:<cms port>
global.properties:
vintela.enabled=true
idm.realm=DOMAIN.COM
idm.princ=PRINCIPAL NAME
idm.allowUnsecured=true
idm.allowNTLM=false
idm.logger.name=simple
idm.logger.props=error-log.properties
idm.keytab=C:\Program Files\Java\jre6\bin\BOSSO.keytab
idm.allowS4U=true
sso.enabled=true
siteminder.authentication=secWinAD
siteminder.enabled=false
opendocument.properties:
app.name=BusinessObjects OpenDocument
app.name.short=OpenDocument
# You can specify the default Authentication types here. secEnterprise, secLDAP, secWinAD, secSAPR3
authentication.default=secEnterprise
# Choose whether to let the user change the authentication type. If it isn't shown the default authentication type from above will be used
authentication.visible=false
# You can specify the default CMS machine name here
cms.default=:
# Choose whether to let the user change the CMS name. If it isn't shown the default System from above will be used
cms.visible=false
# Set to false to disable logon with token.
logontoken.enabled=true
# Allow or disallow logoff on web session expiry for external logon.
# Has no effect if the global logoff.on.websession.expiry value is false
extlogon.allow.logoff=true
After these we ran the following:
ktab -k BOSSO.keytab -a BOSSO/service.domain.com@domain.com
ktpass -princ HTTP/server.domain.com@domain.com -mapuser bi1 -crypto RC4-HMAC-NT -ptype KRB5_NT_PRINCIPAL -mapop set +desonly -pass password -out BOSSO.keytab
setspn -a HTTP/servername servicename
setspn -a HTTP/servername.domainname servicename
setspn -a HTTP/<ip address of server> servicename
And on the BO server we set the service account as administrator and started the SIA with this account. Then we logged in to the CMC, opened "Authentication", enabled Windows AD and added the domain group to map. Everything is OK; we can see the domain users.
But when we try to log in with these users we get this error:
"Account Information Not Recognized: Active Directory Authentication failed to log you on. Please contact your system administrator to make sure you are a member of a valid mapped group and try again. If you are not a member of the default domain, enter your user name as UserName@DNS_DomainName, and then try again. (FWM 00006)"
And in Tomcat6's log folder, "stdout" shows this:
log4j:WARN No appenders could be found for logger (com.sun.faces.config.ConfigureListener).
log4j:WARN Please initialize the log4j system properly.
com.businessobjects.webpath.rebean3ws.Activator
Please help with this.
Thank you.
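As an added example (not from the post above and not SAP's own tooling), a small Python check that parses a krb5.ini in the layout shown in the post and lists every realm referenced in [libdefaults], [domain_realm] or [capaths] that has no entry under [realms]. The embedded KRB5_INI is a constructed copy of the post's file; on it the check reports DOMAIN1.COM, which the post uses as default_realm and in domain mappings but never defines under [realms] (that section defines DOMAIN.COM and DOMAIN2.COM).

```python
# Constructed copy of the krb5.ini from the post above; added example, not the post's own file.
KRB5_INI = """[libdefaults]
default_realm = DOMAIN1.COM
[domain_realm]
.domain.com = DOMAIN1.COM
domain.com = DOMAIN1.COM
.domain2.com = DOMAIN2.COM
domain2.com = DOMAIN2.COM
[realms]
DOMAIN.COM = {
  kdc = HOST.DOMAIN1.COM
}
DOMAIN2.COM = {
  kdc = HOSTNAME.DOMAIN2.COM
}
[capaths]
DOMAIN2.COM = {
  DOMAIN1.COM =
}
"""

def parse_krb5(text):
    """Parse [section], key = value and REALM = { ... } blocks into nested dicts."""
    conf, section, block = {}, {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section, block = conf.setdefault(line[1:-1], {}), None
        elif line == "}":
            block = None                         # end of a REALM = { ... } block
        else:
            key, _, value = (p.strip() for p in line.partition("="))
            if value == "{":
                block = section.setdefault(key, {})
            else:
                (section if block is None else block)[key] = value
    return conf

def check_realms(conf):
    """Return realms referenced in libdefaults, domain_realm or capaths but missing from [realms]."""
    defined = set(conf.get("realms", {}))
    refs = [("libdefaults default_realm", conf.get("libdefaults", {}).get("default_realm"))]
    refs += [(f"[domain_realm] {host}", realm) for host, realm in conf.get("domain_realm", {}).items()]
    for realm, hops in conf.get("capaths", {}).items():
        refs += [(f"[capaths] {realm}", r) for r in [realm, *hops]]
    return sorted(f"{where}: {realm} not defined in [realms]"
                  for where, realm in refs if realm and realm not in defined)
```

Run `check_realms(parse_krb5(open(r"C:\WINNT\krb5.ini").read()))` against the real file; an empty list means every referenced realm has a [realms] entry with a kdc to contact.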