We're trying to set up Windows AD authentication but after doing everything we're getting this error:
"Account Information Not Recognized: Active Directory Authentication failed to log you on. Please contact your system administrator to make sure you are a member of a valid mapped group and try again. If you are not a member of the default domain, enter your user name as UserName@DNS_DomainName, and then try again. (FWM 00006)"
Also, the kinit command is unsuccessful. It is refusing the connection.
Our environment has an applications server (where the SIA is) called "Reports", and a separate web server (called "Webs").
We have done the following:
set up a Windows AD service account with a non-expiring password
created service principal names as follows and verified that they were successfully created
setspn -a BICMS/OurServiceAccount.corp.int ;
setspn -a HTTP/Webs OurServiceAccount
setspn -a HTTP/Webs.corp.int OurService Account
set the properties of the service account to "Trust this user for delegation to any service (Kerberos only)" under Delegation.
logged into the CMC and entered the service account and domain name and service principal name according to the documentation.
Added the service account to the local administrator's group on the server. Also granted local policy "Act as part of the operating system".
stopped the SIA, added the service account to the local administrator's group and restarted the SIA
in the CCM, put the service account and its password on the properties tab as "log on as".
set up krb5.ini and bsclogin.conf files with the proper extensions and saved them to c/windows.
What are we missing or doing wrong?
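
As an added example (not part of the original post): a small Python check of the argument shape of setspn registration commands, run over the three commands as they are written in the post. The function names are hypothetical, and the duplicate-SPN check goes beyond the post to cover the general case where one SPN is registered to more than one account.

```python
import re

# SPN shape: serviceclass/host[:port][/servicename]
SPN_RE = re.compile(r"^[A-Za-z0-9_-]+/[A-Za-z0-9._-]+(:\d+)?(/[A-Za-z0-9._-]+)?$")

def check_setspn(line):
    """Return (spn, account, problems) for one 'setspn -a|-s SPN ACCOUNT' line."""
    tokens = line.strip().rstrip(";").split()
    problems = []
    if len(tokens) < 2 or tokens[0].lower() != "setspn" or tokens[1].lower() not in ("-a", "-s"):
        return None, None, ["not a setspn -a/-s registration command"]
    args = tokens[2:]
    spn = args[0] if args else None
    account = args[1] if len(args) == 2 else None
    if spn is None or not SPN_RE.match(spn):
        problems.append("SPN is not of the form service/host")
    if len(args) < 2:
        problems.append("no account name given after the SPN")
    elif len(args) > 2:
        problems.append("extra argument after the SPN: account name contains a space?")
    return spn, account, problems

def audit(lines):
    """Check each command and flag any SPN registered to more than one account."""
    report, owners = [], {}
    for line in lines:
        spn, account, problems = check_setspn(line)
        if spn and account:
            # SPNs and account names compare case-insensitively in AD
            owners.setdefault(spn.lower(), set()).add(account.lower())
        report.append((line, problems))
    duplicates = sorted(s for s, a in owners.items() if len(a) > 1)
    return report, duplicates

# The three commands as written in the post above.
POSTED = [
    "setspn -a BICMS/OurServiceAccount.corp.int ;",
    "setspn -a HTTP/Webs OurServiceAccount",
    "setspn -a HTTP/Webs.corp.int OurService Account",
]

if __name__ == "__main__":
    report, duplicates = audit(POSTED)
    for line, problems in report:
        print(line, "->", "; ".join(problems) or "ok")
    print("SPNs mapped to more than one account:", duplicates or "none")
```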