Former Member

Can't log in to CMC with Windows AD credentials

We're trying to set up Windows AD authentication but after doing everything we're getting this error:

"Account Information Not Recognized: Active Directory Authentication failed to log you on. Please contact your system administrator to make sure you are a member of a valid mapped group and try again. If you are not a member of the default domain, enter your user name as UserName@DNS_DomainName, and then try again. (FWM 00006)"

Also, the kinit command is unsuccessful. It is refusing the connection.

Our environment has an applications server (where the SIA is) called "Reports", and a separate web server (called "Webs").

We have done the following:

  • set up a Windows AD service account with non-expiring password

  • created service principal names as follows and verified that they were successfully created

setspn -a BICMS/OurServiceAccount.corp.int ;

setspn -a HTTP/Webs OurServiceAccount

setspn -a HTTP/Webs.corp.int OurServiceAccount

  • set the properties of the service account to "Trust this user for delegation to any service (Kerberos only)" under Delegation.

  • logged into the CMC and entered the service account and domain name and service principal name according to the documentation.

  • Added the service account to the local administrator's group on the server. Also granted local policy "Act as part of the operating system".

  • stopped the SIA, added the service account to the local administrator's group and restarted the SIA

  • in the CCM, put the service account and its password on the properties tab as "log on as".

  • set up krb5.ini and bsclogin.conf files with the proper extensions and saved them to c/windows.

What are we missing or doing wrong?
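
An added example, not part of the original post or of SAP's documentation: a small Python check over typed `setspn -a` lines that flags a missing or split account argument, a malformed SPN, and one SPN handed to two different accounts. The host and account names (`web01.example.test`, `svc_bo`, `svc_other`) and the function name `lint_setspn` are constructed for illustration.

```python
import re

# Optional DOMAIN\ prefix followed by the account name (assumed naming rule).
ACCOUNT_RE = re.compile(r"^(?:[\w.-]+\\)?[\w.$-]+$")

# Constructed sample input, not taken from the post.
SAMPLE = [
    "setspn -a BICMS/svc_bo.example.test svc_bo",
    "setspn -a HTTP/web01 svc_bo",
    "setspn -a HTTP/web01.example.test svc _bo",  # account split by a space
    "setspn -a HTTP/web01.example.test",           # account missing
    "setspn -a HTTP/web01 svc_other",              # same SPN, second account
]

def lint_setspn(lines):
    """Return (line_no, message) findings for 'setspn -a|-s SPN ACCOUNT' lines."""
    findings, owners = [], {}
    for no, raw in enumerate(lines, 1):
        tokens = raw.split()
        if len(tokens) < 2 or tokens[0].lower() != "setspn" \
                or tokens[1].lower() not in ("-a", "-s"):
            findings.append((no, "not a setspn add command"))
            continue
        args = tokens[2:]
        if len(args) != 2:
            findings.append((no, f"expected SPN and account, got {len(args)} argument(s)"))
            continue
        spn, account = args
        service, sep, host = spn.partition("/")
        if not (sep and service and host):
            findings.append((no, f"SPN {spn!r} is not serviceclass/host"))
            continue
        if not ACCOUNT_RE.match(account):
            findings.append((no, f"{account!r} is not a plausible account name"))
            continue
        # An SPN must map to exactly one account; compare case-insensitively.
        first = owners.setdefault(spn.lower(), account.lower())
        if first != account.lower():
            findings.append((no, f"SPN {spn!r} already registered to {first!r}"))
    return findings

if __name__ == "__main__":
    for line_no, message in lint_setspn(SAMPLE):
        print(f"line {line_no}: {message}")
```
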


1 Answer

  • Former Member
    Posted on Dec 02, 2011 at 09:07 PM

    Hello!

    So with what error is kinit unsuccessful?

    And I believe you are placing the krb5.ini and bscLogin.conf in the Tomcat machine (Web).

    Well, did you add the group in the CMC page?

    And also please check whether you are able to log in to client tools - CCM (manage servers) using Windows AD credentials.

    Please follow the SAP note [https://bosap-support.wdf.sap.corp/sap/support/notes/1631734] which will possibly help you in resolving the issue.

    - Praveen Gali


    • Hi Dana,

      Authentication issues are very tricky, and it appears you've never had it configured completely in the first place, so it's not broken, it's just that it was never configured properly. I recommend at this point that you open a message with SAP support, and let someone with deep authentication skills remote connect and take a look.

      If you want to keep this thread open, at the minimum you need to post the last (bottom, newest) 1 or 2 pages of the stdout.log file under \tomcat55\logs. It normally helps us out a lot. If it's an 'obvious' error, then maybe we have an instant fix for you.

      Regards,

      Alex
