on 04-18-2012 12:43 PM
Hi, we have recently installed BO XI 3.1 with Tomcat as the app server and configured InfoView with WinAD authentication with Kerberos. We are now trying to enable Single Sign-On; the requirement is that end users who log in to their machines with a domain account should not be prompted for user/pwd. We are trying to enable Vintela for SSO but it's not working: we get a Tomcat 404 error and the Tomcat log shows the following. Appreciate your response.
[DEBUG] Wed Apr 18 12:21:14 BST 2012 jcsi.kerberos: Available KDC found: /IPADDRESS:88
[DEBUG] Wed Apr 18 12:21:14 BST 2012 jcsi.kerberos: Sending message to KDC: /IPADDRESS:88
[DEBUG] Wed Apr 18 12:21:14 BST 2012 jcsi.kerberos: Sending TCP request: /IPADDRESS:88
[DEBUG] Wed Apr 18 12:21:14 BST 2012 jcsi.kerberos: connected; sending length and request...
[DEBUG] Wed Apr 18 12:21:14 BST 2012 jcsi.kerberos: sent request; reading response length...
[DEBUG] Wed Apr 18 12:21:14 BST 2012 jcsi.kerberos: read length; reading 100-byte response...
[DEBUG] Wed Apr 18 12:21:14 BST 2012 jcsi.kerberos: --- got 100-byte response, initial byte = 0x7e
[DEBUG] Wed Apr 18 12:21:14 BST 2012 jcsi.kerberos: Message sent sucessfully to KDC: /IPADDRESS:88
18-04-12 12:21:14:558 - {ERROR} [localhost].[/InfoViewApp] Thread [Thread-1]; Exception starting filter authFilter
com.wedgetail.idm.sso.ConfigException: Configured service principal name could not be found [caused by: GSSException: Failure unspecified at GSS-API level (Mechanism level: com.dstc.security.kerberos.KerberosError: Client not found in Kerberos database
KrbError:
Error code: 6
Error message: null
Client name: null
Client realm: null
Client time: null
Server name: krbtgt/UK.CORPORG.NET
Server realm: UK.CORPORG.NET
Server time: Wed Apr 18 12:21:14 BST 2012)]
at com.wedgetail.idm.sso.util.Util.checkAgainstKDC(Util.java:176)
at com.wedgetail.idm.sso.AbstractAuthenticator.initAuthenticator2(AbstractAuthenticator.java:556)
at com.wedgetail.idm.sso.AbstractAuthenticator.initAuthenticator(AbstractAuthenticator.java:325)
at com.wedgetail.idm.sso.AuthFilter.init(AuthFilter.java:131)
at com.businessobjects.sdk.credential.WrappedResponseAuthFilter.init(WrappedResponseAuthFilter.java:56)
at org.apache.catalina.core.ApplicationFilterConfig.getFilter(ApplicationFilterConfig.java:223)
at org.apache.catalina.core.ApplicationFilterConfig.setFilterDef(ApplicationFilterConfig.java:304)
at org.apache.catalina.core.ApplicationFilterConfig.<init>(ApplicationFilterConfig.java:77)
at org.apache.catalina.core.StandardContext.filterStart(StandardContext.java:3634)
at org.apache.catalina.core.StandardContext.start(StandardContext.java:4217)
at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:759)
at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:739)
at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:524)
at org.apache.catalina.startup.HostConfig.deployDescriptor(HostConfig.java:608)
at org.apache.catalina.startup.HostConfig.deployDescriptors(HostConfig.java:535)
at org.apache.catalina.startup.HostConfig.deployApps(HostConfig.java:470)
at org.apache.catalina.startup.HostConfig.start(HostConfig.java:1122)
at org.apache.catalina.startup.HostConfig.lifecycleEvent(HostConfig.java:310)
at org.apache.catalina.util.LifecycleSupport.fireLifecycleEvent(LifecycleSupport.java:119)
at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1021)
at org.apache.catalina.core.StandardHost.start(StandardHost.java:718)
at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1013)
at org.apache.catalina.core.StandardEngine.start(StandardEngine.java:442)
at org.apache.catalina.core.StandardService.start(StandardService.java:450)
at org.apache.catalina.core.StandardServer.start(StandardServer.java:709)
at org.apache.catalina.startup.Catalina.start(Catalina.java:551)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:585)
at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:294)
at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:432)
Caused by: GSSException: Failure unspecified at GSS-API level (Mechanism level: com.dstc.security.kerberos.KerberosError: Client not found in Kerberos database
Hi Sebastian, many thanks for your quick response. I checked the SAP note and tried to figure out the problem by testing the princ value as per the SAP note.
The service account I created on AD is z-service-boadmin, and I executed SPN using
setspn -A BOBJCENTRAL/HostFQDN
setspn -A HTTP/hostname@REALM (eg. uk.corporg.net)
In the web.xml file I tried both SPNs for the princ parameter, and the InfoView page was simply giving me a Tomcat 404 error.
As the note says to test princ with the command kinit.exe BOBJCENTRAL/HostFQDN, I tried it and it was not working; then I tried kinit z-service-boadmin and it worked, so I tried to use the same in web.xml as princ. At least I get the InfoView page, but on the page I see an error that the generated ticket could not be decrypted and that there could be a different SPN name.
Any suggestion on what the SPN or principal name for the service account should be?
Hi,
check SAP Note - 1292886
Regards
-Seb.
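Added example (not part of the original posts, and not SAP or Vintela code): a small Python parser for the KrbError block that appears in the Tomcat log in the first post, attaching the RFC 4120 error name to the numeric code and noting whether the failed request was for a TGT. The sample log is constructed, with EXAMPLE.TEST as a placeholder realm; the function and field names are this example's own.

```python
import re

# RFC 4120 (section 7.5.9) codes often seen when a Kerberos SSO filter starts.
KRB_ERRORS = {
    6: ("KDC_ERR_C_PRINCIPAL_UNKNOWN", "client"),
    7: ("KDC_ERR_S_PRINCIPAL_UNKNOWN", "server"),
    24: ("KDC_ERR_PREAUTH_FAILED", "credentials"),
    37: ("KRB_AP_ERR_SKEW", "clock"),
}

# Constructed sample, shaped like the KrbError block in the log above.
SAMPLE_LOG = """\
18-04-12 12:21:14:558 - {ERROR} Exception starting filter authFilter
com.wedgetail.idm.sso.ConfigException: Configured service principal name could not be found
KrbError:
Error code: 6
Error message: null
Client name: null
Server name: krbtgt/EXAMPLE.TEST
Server realm: EXAMPLE.TEST
Server time: Wed Apr 18 12:21:14 BST 2012)]
at com.wedgetail.idm.sso.util.Util.checkAgainstKDC(Util.java:176)
"""

FIELD = re.compile(
    r"^\s*(Error code|Error message|Client name|Client realm|Client time|"
    r"Server name|Server realm|Server time):\s*(.*?)\)?\]?\s*$")

def parse_krb_errors(log_text):
    """Return one dict per 'KrbError:' block found in the log text."""
    blocks, current = [], None
    for line in log_text.splitlines():
        if line.strip() == "KrbError:":
            current = {}
            blocks.append(current)
            continue
        m = FIELD.match(line) if current is not None else None
        if m is None:                  # first non-field line closes the block
            current = None
            continue
        value = m.group(2)
        current[m.group(1)] = None if value == "null" else value
    for b in blocks:
        code = int(b.get("Error code") or -1)
        b["name"], b["failing_side"] = KRB_ERRORS.get(code, ("UNKNOWN", "unknown"))
        # A krbtgt/ server name means the failed request was asking for a TGT.
        b["tgt_request"] = (b.get("Server name") or "").startswith("krbtgt/")
    return blocks
```

For code 6 on a TGT request, the KDC did not recognise the client principal named in the request, so the first thing to check is the principal name the filter is configured with.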