on 10-26-2011 7:52 AM
Hi,
We are trying to troubleshoting failure of Silent SSO Mode after deploying Vintella on BO XI 3.1 SP4 (Tomcat as App server) following Tim Ziemba guide (TN-1483762) . I have carefully reading previous post on same topic (mark as anwered).
My situation is practically the same:
(1) Silent SSO (this is, logon into InfoView withou having to type manually AD credentials) fails.
25-10-11 17:03:36:903 - {ERROR} [/InfoViewApp].[action] Thread [http-80-Processor25]; Servlet.service() for servlet action threw exception
java.lang.IllegalStateException
at org.apache.catalina.connector.ResponseFacade.sendError(ResponseFacade.java:418)
at javax.servlet.http.HttpServletResponseWrapper.sendError(HttpServletResponseWrapper.java:117)
at com.businessobjects.sdk.credential.WrappedServletResponse.sendError(WrappedServletResponse.java:30)
at com.wedgetail.idm.sso.AbstractAuthenticator.writeAuthenticationChallenge(AbstractAuthenticator.java:1936)
at com.wedgetail.idm.sso.MechChecker.authenticate(MechChecker.java:147)
at com.wedgetail.idm.sso.AbstractAuthenticator.authenticate(AbstractAuthenticator.java:1444)
at com.wedgetail.idm.sso.AbstractAuthenticator.checkAuthenticationOnly(AbstractAuthenticator.java:1330)
at com.wedgetail.idm.sso.AbstractAuthenticator.checkAuthentication(AbstractAuthenticator.java:1139)
at com.wedgetail.idm.sso.AuthFilter.doFilter(AuthFilter.java:148)
(2) Manual AD logon in InfoView works properly
Debug is true storeKey false useTicketCache false useKeyTab false doNotPrompt false ticketCache is null isInitiator true KeyTab is null refreshKrb5Config is false principal is null tryFirstPass is false useFirstPass is false storePass is false clearPass is false
[Krb5LoginModule] user entered username: gonzaal @ F4E.ORG
Acquire TGT using AS Exchange
Principal is gonzaal @ F4E.ORG
EncryptionKey: keyType=23 keyBytes (hex dump)=0000: BA 55 0B 99 A1 4A A1 8F 48 68 F5 0D F7 86 54 FD .U...J..Hh....T.
Commit Succeeded
(3) Following previous posts recommendations we have engaged a kerbtray & packet scanning in the client machine (TN-1370926) with the following results
1554 16:17:48 25/10/2011 239.8711155 10.201.71.24 10.201.0.5 KerberosV5 KerberosV5:AS Request Cname: gonzaal Realm: F4E Sname: krbtgt/F4E {UDP:333, IPv4:16}
1555 16:17:48 25/10/2011 239.8711155 10.201.0.5 10.201.71.24 KerberosV5 KerberosV5:AS Response Ticket[Realm: F4E.ORG, Sname: krbtgt/F4E.ORG] {UDP:333, IPv4:16}
1556 16:17:48 25/10/2011 239.8711155 10.201.71.24 10.201.0.5 KerberosV5 KerberosV5:TGS Request Realm: F4E.ORG Sname: HTTP/es-w08-bobapp1.f4e.org {UDP:334, IPv4:16}
1557 16:17:48 25/10/2011 239.8711155 10.201.0.5 10.201.71.24 KerberosV5 KerberosV5:KRB_ERROR - KRB_ERR_RESPONSE_TOO_BIG (52) {UDP:334, IPv4:16}
1561 16:17:48 25/10/2011 239.8711155 10.201.71.24 10.201.0.5 KerberosV5 KerberosV5:TGS Request Realm: F4E.ORG Sname: HTTP/es-w08-bobapp1.f4e.org {TCP:335, IPv4:16}
1564 16:17:48 25/10/2011 239.8867405 10.201.0.5 10.201.71.24 KerberosV5 KerberosV5:TGS Response Cname: gonzaal {TCP:335, IPv4:16}
In the aforementioned thread it was mentioned that "3 ticket requests should occur (as request for the user, tgs for the user, and tgs for the http/fqdnurl.
Microsoft kerbtray alone will usually verify this but the packet scan will allow us to view the errors
if it's failing. If you need help open a case with support - authentication team". In agreement with packet scanning I'm not sure if this is really ocurring.
Any idea?
Hi,
I would recommend you to keep it as simple as possible.
So as manual AD works but not SSO, then you should try to bypass the keytab file and specify the password for the service account in tomcat (mentioned in the guide).
Check also your SPNs. For SSO, you need 3 SPNs with the format
HTTP/TOMCAT_SERVERNAME
HTTP/TOMCAT_SERVERNAME.DOMAIN
HTTP/IP_ADDRESS_OF_TOMCAT_SERVERNAME
Check also that you are using Internet Explorer as Firefox needs extra steps to configure.
I hope this will help you
Regards,
Philippe
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
User | Count |
---|---|
85 | |
10 | |
10 | |
9 | |
7 | |
6 | |
5 | |
5 | |
4 | |
3 |
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.