
Windows AD Authentication with BusObj 4.0

Former Member
0 Kudos

Hi Guys.

I'm having some issues getting authentication within BusinessObjects 4.0 working for AD. I've set up the mapping between AD and BusinessObjects in the Central Management Console and it successfully retrieves and creates the users in the CMC but when I attempt to access the BI Launchpad or CMC using Active Directory authentication, it gives me an error immediately which seems to me like it isn't even attempting to authenticate with the server.

The error message:

Account Information Not Recognized: Active Directory Authentication failed to log you on. Please contact your system administrator to make sure you are a member of a valid mapped group and try again. If you are not a member of the default domain, enter your user name as UserName@DNS_DomainName, and then try again. (FWM 00006)

Additional Details:

This happens both manually and also through SSO, which I've configured. It does attempt to use SSO to sign into the BI Launchpad, but because it can't authenticate, it's giving me the exact same error with the exact same timespan (i.e., instantly returning, which leads me to believe there is no attempt to authenticate with the DC).

Is it likely to be something to do with my service principal account? Even though the ability to read AD from CMC is working to populate user accounts.

Any help is much appreciated.

Accepted Solutions (0)

Answers (1)

Former Member
0 Kudos

Just giving additional configuration details

SETSPN Steps

setspn -A BOBJCentralMS/TRG-BOB13 s_BObj_dev_ad

setspn -A BOBJCentralMS/TRG-BOB13.fqndomainredacted.fqndomainredacted s_BOBj_dev_ad

setspn -A BOBJCentralMS/ipaddressredacted

setspn -l s_Bobj_dev_ad returns

Registered ServicePrincipalNames for CN=s_Bobj_dev_AD,OU=Service Accounts,OU=Resources,DC=redacted,dc=redacted:

BOBJCentralMS/TRG-BOB13.fqndomainredacted.fqndomainredacted

BOBJCentralMS/TRG-BOB13

BOBJCentralMS/ipaddressredacted

--- Maybe I need to redo this step and use http/TRGBOB13 as per admin guide? Was following a blog I've used before successfully to configure SSO but this may be causing an issue

Central Management Console configuration details

- AD Authentication Enabled

AD Administration Name: DOMAINREDACTED\s_BObj_dev_AD

Default AD Domain: DOMAINREDACTED

(Note that AD Administration domain is different to default AD Domain as we have one domain configured for system accounts and computers, and another domain configured for users)

Group Mapping is to BObj_Dev_group1 which is under the user domain.

Authentication Options

Use Kerberos Authentication Selected

Cache Security context selected

Service Principal Name: BOBJCentralMS/TRG-BOB13.FQNDOMAINREDACTED.FQNDOMAINREDACTED

Enable Single Sign On for selected authentication mode selected

Enable and update user data source credentials at logon time selected

As previously noted, update successfully returns users from the group and adds them to BusObj.

Server Intelligence Agent is configured to run under the s_Bobj_dev_AD account

s_Bobj_dev_ad account has Act as part of the Operating system, Log on as a Batch job, Log on as a service, Replace a process level token and is a local administrator

I've tried logging in manually with a fully qualified domain name (i.e., blochd@FQNDOMAIN.REDACTED.REDACTED) as well as using the default domain, but all return within a split second with the error message stated above, leading me to believe it's not even attempting to authenticate.

Any further details required, let me know.

Former Member
0 Kudos

Hello,

Be sure that your service account, which is starting the SIA, has the following rights on the Windows server, in local policies:

“Act as part of the Operating System” policy

Also ensure that it is part of the local Administrators group

In your AD, ensure that your service account's properties have, under the Delegation tab, the option:

"Trust this user for delegation to any service (Kerberos only)"

For your SPNs, you should have one like

setspn -a BOBJCentralMS/service_account_name.domain.com service_account_name

and 3 others like (Tomcat6 is the server where your Tomcat is installed, so probably the BO server)

HTTP/Tomcat6

HTTP/Tomcat6.domain.com

HTTP/IP_adress_Tomcat6.domain.com

The 3 last SPNs are only used for the SSO part

Then try to login to client tools (like designer or webi rich client)

When you mention that you have BOBJCentralMS/TRG-BOB13.FQNDOMAINREDACTED.FQNDOMAINREDACTED

do you mean that you have the domain specified twice? It should be only once.

I hope this will help you

Regards,

Philippe
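
Added example (not part of any post in this thread and not SAP's or the posters' code): the Python below parses saved `setspn -l` output and reports the points raised in the reply above, namely a BOBJCentralMS SPN whose domain suffix appears twice, a CMC Service Principal Name that is not registered on the account, and missing HTTP SPNs for SSO. The account, host and domain names are constructed placeholders, and the function names are hypothetical.

```python
import re

# Constructed sample of `setspn -l <account>` output; all names are placeholders.
SAMPLE = """\
Registered ServicePrincipalNames for CN=svc_bobj,OU=Service Accounts,DC=example,DC=test:
    BOBJCentralMS/bohost.example.test.example.test
    BOBJCentralMS/bohost
    HTTP/bohost
"""

def parse_spns(setspn_output):
    """Return the class/host entries from setspn -l output, skipping the header line."""
    lines = (line.strip() for line in setspn_output.splitlines())
    return [l for l in lines if re.fullmatch(r"[^/\s]+/\S+", l)]

def doubled_suffix(spn):
    """True when the host part repeats its domain suffix, e.g. host.a.b.a.b."""
    host = spn.split("/", 1)[1].split(":", 1)[0].lower()
    labels = host.split(".")[1:]          # drop the host label, keep the suffix
    half = len(labels) // 2
    return half > 0 and len(labels) % 2 == 0 and labels[:half] == labels[half:]

def check_spns(setspn_output, cmc_spn, expected):
    """List mismatches between registered SPNs, the CMC SPN and the expected SPNs."""
    registered = parse_spns(setspn_output)
    have = {s.lower(): s for s in registered}   # lookup ignores letter case
    findings = []
    for spn in dict.fromkeys(registered + [cmc_spn]):
        if doubled_suffix(spn):
            findings.append(f"domain suffix appears twice: {spn}")
    for want in dict.fromkeys([cmc_spn] + list(expected)):
        got = have.get(want.lower())
        if got is None:
            findings.append(f"not registered on the account: {want}")
        elif got != want:
            findings.append(f"registered with different letter case: {got}")
    return findings

if __name__ == "__main__":
    for finding in check_spns(SAMPLE, "BOBJCentralMS/bohost.example.test",
                              ["HTTP/bohost", "HTTP/bohost.example.test"]):
        print(finding)
```

The doubled-suffix test is a heuristic: it only compares the two halves of the labels after the host name, so review each flagged SPN by hand.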

Former Member
0 Kudos

Thanks for the response Philippe.

I'm going to step through the entire configuration of the service principal account again. When I use a client tool like Designer or WebI rich, it connects and there is no issue, leading me to believe it has to be how the service account has been set up.

Former Member
0 Kudos

Hi,

I am getting the same issue, please let me know how you were able to solve it.

Regards

Arif