Skip to Content
author's profile photo Former Member
Former Member

CRS2008 V1 Vintela SSO - ALMOST There!

What little hair I had left after implementing AD with Tomcat 5.5 is now gone as I try to get Vintela SSO to work.

I'm at the point that Tomcat's STD.OUT indicates "credentials obtained." I can SSO with the Windows Fat Client tools (e.g. BVM). But, when attempting to connect to InfoView, I'm still presented with logon prompts and the following appears in Tomcat logs:

[/InfoViewApp].[action] Thread [http-8080-Processor25]; Servlet.service() for servlet action threw exception

java.lang.IllegalStateException

at org.apache.catalina.connector.ResponseFacade.sendError(ResponseFacade.java:418)

at javax.servlet.http.HttpServletResponseWrapper.sendError(HttpServletResponseWrapper.java:117)

at com.businessobjects.sdk.credential.WrappedServletResponse.sendError(WrappedServletResponse.java:30)

at com.wedgetail.idm.sso.AbstractAuthenticator.writeAuthenticationChallenge(AbstractAuthenticator.java:1936)

at com.wedgetail.idm.sso.MechChecker.authenticate(MechChecker.java:147)

at com.wedgetail.idm.sso.AbstractAuthenticator.authenticate(AbstractAuthenticator.java:1444)

at com.wedgetail.idm.sso.AbstractAuthenticator.checkAuthenticationOnly(AbstractAuthenticator.java:1330)

at com.wedgetail.idm.sso.AbstractAuthenticator.checkAuthentication(AbstractAuthenticator.java:1139)

at com.wedgetail.idm.sso.AuthFilter.doFilter(AuthFilter.java:148)

at com.businessobjects.sdk.credential.WrappedResponseAuthFilter.doFilter(WrappedResponseAuthFilter.java:66)

at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:202)

at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)

at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:213)

at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:178)

at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:126)

at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:105)

at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:107)

at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:148)

at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:869)

at org.apache.coyote.http11.Http11BaseProtocol$Http11ConnectionHandler.processConnection(Http11BaseProtocol.java:664)

at org.apache.tomcat.util.net.PoolTcpEndpoint.processSocket(PoolTcpEndpoint.java:527)

at org.apache.tomcat.util.net.LeaderFollowerWorkerThread.runIt(LeaderFollowerWorkerThread.java:80)

at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:684)

at java.lang.Thread.run(Thread.java:595)

KERBTRAY is showing two tickets... the two krbtgt, but NOT the http.

Even the propeller on my head won't spin fast enough to figure all this weird Java stuff out... I'm a Microsoft guy!

Any ideas? THANK YOU!!!

- George -

Add a comment
10|10000 characters needed characters exceeded

Related questions

2 Answers

  • author's profile photo Former Member
    Former Member
    Posted on Oct 20, 2011 at 08:04 AM

    Hi George,

    Sorry for your hair... 😊

    Regarding your sso issue, are you able to connect manually to infoview as it's the first step before doing sso.

    Check the following points:

    - You have 3 SPNs as

    HTTP/Tomcat_server.DOMAIN

    HTTP/Tomcat_server

    HTTP/IP_of_Tomcat_server

    - In AD, for the service account, in delegation tab, you have set the option "Trust this computer for delegation to any service (Kerberos only)".

    - Are you using DES or RC4 encryption? (I recommend RC4)

    - Try to run the kinit command to check that your krb5.ini file is configured properly

    I hope this will help you

    Regards,

    Philippe

    Add a comment
    10|10000 characters needed characters exceeded

    • Former Member

      Philippe,

      Thanks for the reply.

      I think SPNs are OK:

      C:\Users\HansenSup>setspn -l HansenCR

      Registered ServicePrincipalNames for CN=HansenCR,OU=ServiceAccounts,OU=Departmen

      ts,DC=BOISE,DC=LOCAL:

      http/10.215.1.138

      http/ch-hansen

      BOSSO/HansenCR.boise.local

      BOBJCentralIMS/CH-HANSEN.BOISE.LOCAL

      (there's no fully-qualified one... should there be a ch-hansen.boise.local--that's now how users will be accessing InfoView, though... they'll just be using ch-hansen:8080/InfoViewApp)?

      Can connect manually to InfoView with AD credentials.

      Can also SSO to client tools (e.g. Launch BVM, leave ID/PW blank and click OK, logs in fine).

      And, KINIT appears to work OK:

      D:\Program Files\Business Objects\javasdk\bin>kinit BOSSO/HansenCR.boise.local

      Password for BOSSO/HansenCR.boise.local-at-BOISE.LOCAL:**********

      New ticket is stored in cache file C:\Users\HansenSup\krb5cc_HansenSup

      (had to change the at sign in the domain or this moderately-dumb message board thought it was an e-mail address).

      ??????

      - George -

  • author's profile photo Former Member
    Former Member
    Posted on Dec 09, 2011 at 05:41 PM

    Turns out that the web server is adding a full-domain to the machine-name-only URL (according to Wireshark capture). Creating an SPN that includes the full domain resolves this issue.

    - George -

    Add a comment
    10|10000 characters needed characters exceeded

Before answering

You should only submit an answer when you are proposing a solution to the poster's problem. If you want the poster to clarify the question or provide more information, please leave a comment instead, requesting additional details. When answering, please include specifics, such as step-by-step instructions, context for the solution, and links to useful resources. Also, please make sure that you answer complies with our Rules of Engagement.
You must be Logged in to submit an answer.

Up to 10 attachments (including images) can be used with a maximum of 1.0 MB each and 10.5 MB total.