Former Member
Dec 02, 2011 at 07:53 PM

Can't log in to CMC with Windows AD credentials

We're trying to set up Windows AD authentication but after doing everything we're getting this error:

"Account Information Not Recognized: Active Directory Authentication failed to log you on. Please contact your system administrator to make sure you are a member of a valid mapped group and try again. If you are not a member of the default domain, enter your user name as UserName@DNS_DomainName, and then try again. (FWM 00006)"

Also, the kinit command is unsuccessful. It is refusing the connection.

Our environment has an applications server (where the SIA is) called "Reports", and a separate web server (called "Webs").

We have done the following:

  • set up a Windows AD service account with non-expiring password

  • created service principal names as follows and verified that they were successfully created

setspn -a BICMS/OurServiceAccount.corp.int ;

setspn -a HTTP/Webs OurServiceAccount

setspn -a HTTP/Webs.corp.int OurService Account

  • set the properties of the service account to "Trust this user for delegation to any service (Kerberos only)" under Delegation.

  • logged into the CMC and entered the service account and domain name and service principal name according to the documentation.

  • Added the service account to the local administrator's group on the server. Also granted local policy "Act as part of the operating system".

  • stopped the SIA, added the service account to the local administrator's group and restarted the SIA

  • in the CCM, put the service account and its password on the properties tab as "log on as".

  • set up krb5.ini and bsclogin.conf files with the proper extensions and saved them to c/windows.

What are we missing or doing wrong?
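
An added example, not part of the original post: a small Python check of the shape of `setspn -a` lines (one SPN in `serviceclass/host[:port]` form, then exactly one account name), run over the three commands as they are typed in the post. The function name `check_setspn_add` and the account-name pattern are assumptions made for this sketch.

```python
import re

# SPN shape: serviceclass/host[:port][/servicename]
SPN_RE = re.compile(r"^[A-Za-z0-9_-]+/[A-Za-z0-9_.-]+(:\d+)?(/[^\s/]+)?$")
# Assumed pattern for a plain account name (optionally DOMAIN\name or name@domain)
ACCOUNT_RE = re.compile(r"^[\w.$\\@-]+$")

# The three commands exactly as typed in the post above
POST_LINES = [
    "setspn -a BICMS/OurServiceAccount.corp.int ;",
    "setspn -a HTTP/Webs OurServiceAccount",
    "setspn -a HTTP/Webs.corp.int OurService Account",
]

def check_setspn_add(line):
    """Return a list of problems in one 'setspn -a SPN ACCOUNT' line."""
    # Split on whitespace and drop stray trailing semicolons
    tokens = [t.rstrip(";") for t in line.split()]
    tokens = [t for t in tokens if t]
    if (len(tokens) < 2 or tokens[0].lower() != "setspn"
            or tokens[1].lower() not in ("-a", "-s")):
        return ["not a setspn -a / -s command"]
    args = tokens[2:]
    problems = []
    if len(args) != 2:
        problems.append(
            f"expected 2 arguments (SPN, account), got {len(args)}: {args}")
    if args and not SPN_RE.match(args[0]):
        problems.append(f"SPN {args[0]!r} is not serviceclass/host[:port]")
    for extra in args[1:]:
        if "/" in extra or not ACCOUNT_RE.match(extra):
            problems.append(f"argument {extra!r} is not a plain account name")
    return problems

if __name__ == "__main__":
    for cmd in POST_LINES:
        issues = check_setspn_add(cmd)
        print(("OK   " if not issues else "CHECK"), cmd)
        for issue in issues:
            print("      -", issue)
```

What is actually registered on the account can then be compared against these lines with `setspn -L OurServiceAccount` on a domain-joined machine.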