on 2013 Apr 26 11:03 AM
Hi,
We are not able to implement WIN AD on BO xir2 installed on Win Server 2003.
The steps included in Win AD authentication on BO production server are successfully implemented where:
· SPN is responding successfully.
· AD group and users have been imported successfully.
· All BO services are running successfully using SPN logon.
· Kerberos is responding successfully.
Still, when an AD user tries to log in to Deski, it is not successful. It throws the error "Account information not recognized".
In the same environment, on the BO UAT server, we have successfully implemented AD, but the issue exists in Production. UAT and Production have the same infrastructure. No firewall exists and all ports are open.
We also tried assigning admin rights to the user, but still could not log in via the AD account. On the other hand, an Enterprise user can log in successfully. This happens with all BO tools like InfoView, Designer, Deski, etc. We also applied a trace log on the CMS, which is as follows:
[Thu Apr 25 12:18:37 2013] 7872 9648 trace message: CObjectSS::GetObjectInternal: Object was found in cache. obj ID=274
[Thu Apr 25 12:18:38 2013] 7872 4092 trace message: CObjectSS::GetObjectInternal: Object was found in cache. obj ID=274
[Thu Apr 25 12:18:38 2013] 7872 4092 trace message: SECWINAD: InitPackage() calling GetStaticADImplPtr()
[Thu Apr 25 12:18:38 2013] 7872 4092 trace message: WINAD: GetStaticADImplPtr() allocate global object.
[Thu Apr 25 12:18:38 2013] 7872 4092 trace message: ssoplugin: SSOImpl::Initialize() -- Successfully initialized. Refcount is now 1
[Thu Apr 25 12:18:38 2013] 7872 4092 trace message: WINAD: exit CErrorMgr::TerminateNoLock()
[Thu Apr 25 12:18:38 2013] 7872 4092 trace message: WINAD: CADImpl::SetParasSeq() -----------------------------------------------------------
[Thu Apr 25 12:18:38 2013] 7872 4092 trace message: WINAD: CADImpl::SetParamSeq() -----------------------------------------------------------
[Thu Apr 25 12:18:38 2013] 7872 4092 trace message: WINAD: CADImpl::ExtractParasFromParasSeq() -- SI_NAME = secWinAD
[Thu Apr 25 12:18:38 2013] 7872 4092 trace message: WINAD: CADImpl::ExtractParasFromParasSeq() -- SI_AVAIL = true
[Thu Apr 25 12:18:38 2013] 7872 4092 trace message: WINAD: CADImpl::ExtractParasFromParasSeq() -- SI_DEFAULT_DOMAIN = hbap.adroot.hsbc
[Thu Apr 25 12:18:38 2013] 7872 4092 trace message: WINAD: CADImpl::ExtractParasFromParasSeq() -- SI_MAPPED_GROUPS = S-1-5-21-3208199719-2002702367-2867066461-1214162
[Thu Apr 25 12:18:38 2013] 7872 4092 trace message: WINAD: CADImpl::ExtractParasFromParasSeq() -- SI_APS_ADMIN_DN = HBAP\43403722-850 (HBAP, 43403722-850)
[Thu Apr 25 12:18:38 2013] 7872 4092 trace message: WINAD: CADImpl::ExtractParasFromParasSeq() -- Admin password extracted, not traced.
[Thu Apr 25 12:18:38 2013] 7872 4092 trace message: WINAD: CADImpl::ExtractParasFromParasSeq() -- SI_SSO_ENABLED = 0
[Thu Apr 25 12:18:38 2013] 7872 4092 trace message: WINAD: CADImpl::ExtractParasFromParasSeq() -- SI_KERBEROS_ENABLED = true
[Thu Apr 25 12:18:38 2013] 7872 4092 trace message: WINAD: CADImpl::ExtractParasFromParasSeq() -- SI_CACHE_SECCONTEXT = 0
[Thu Apr 25 12:18:38 2013] 7872 4092 trace message: WINAD: CADImpl::ExtractParasFromParasSeq() -- SI_SERVER_SSPI_SPN = 43403722-850
[Thu Apr 25 12:18:38 2013] 7872 4092 trace message: WINAD: CADImpl::ExtractParasFromParasSeq() -- SSOProviderType = SSPI
[Thu Apr 25 12:18:39 2013] 7872 4092 trace message: WINAD: CAccountEntity::ValidateDomain() -- Binding to WinNT://hbap.adroot.hsbc,domain
[Thu Apr 25 12:18:39 2013] 7872 4092 trace message: WINAD: CADCredentialManager::ValidateSPN() -- Checking an SPN of 43403722-850
[Thu Apr 25 12:18:39 2013] 7872 4092 trace message: WINAD: CADCredentialManager::ValidateSPN() -- SPN 43403722-850 does not parse with DsCrackSpn(), might still be a user account.
[Thu Apr 25 12:18:39 2013] 7872 4092 trace message: WINAD: CAccountEntity::ConvertDomainToNTFormat() -- Looking up hbap.adroot.hsbc
[Thu Apr 25 12:18:39 2013] 7872 4092 trace message: WINAD: CAccountEntity::ConvertDomainToNTFormat() -- NT form of hbap.adroot.hsbc is HBAP.
[Thu Apr 25 12:18:39 2013] 7872 4092 trace message: ssoplugin: SSOHandlerFactory::GetHandler() -- Looking for a handler for SSPI
[Thu Apr 25 12:18:39 2013] 7872 4092 trace message: ssoplugin: SequenceParser::Pop() -- key=SI_CACHE_SECCONTEXT, value=0, type=3
[Thu Apr 25 12:18:39 2013] 7872 4092 trace message: ssoplugin: SequenceParser::Pop() -- key=SI_SERVER_SSPI_SPN, value=43403722-850, type=1
[Thu Apr 25 12:18:39 2013] 7872 4092 trace message: ssoplugin: Parameters::CheckParameters() -- Nothing to check!
[Thu Apr 25 12:18:39 2013] 7872 4092 trace message: ssoplugin: Parameters::GetParameter(long) -- SSPI_CTXT_CACHE_EXPIRY not found
[Thu Apr 25 12:18:39 2013] 7872 4092 trace message: ssoplugin: Parameters::GetParameter(bool) -- CONTEXT_RENEWALS_ALLOWED not found
[Thu Apr 25 12:18:39 2013] 7872 4092 trace message: ssoplugin: KerberosSSPIHandler::InitHandler() -- Turning off caching of contexts.
[Thu Apr 25 12:18:39 2013] 7872 4092 trace message: ssoplugin: SSOImpl::InitSSOProvider() -- Not starting the cache cleanup thread; may start later if needed.
[Thu Apr 25 12:18:39 2013] 7872 4092 trace message: WINAD: ADAggregationManager::Refresh() -- Initializing all data.
[Thu Apr 25 12:18:39 2013] 7872 4092 trace message: WINAD: ADAggregationManager::Refresh() -- Reading registry keys:
[Thu Apr 25 12:18:39 2013] 7872 4092 trace message: WINAD: ADRegistry::ReadKeys() -- Key secWinAD/GraphTimeOut not set; using default value of 15
[Thu Apr 25 12:18:39 2013] 7872 4092 trace message: WINAD: ADRegistry::ReadKeys() -- Reading secWinAD/UseGraph
[Thu Apr 25 12:18:39 2013] 7872 4092 trace message: WINAD: ADRegistry::ToBoolean() -- Empty input. Returning default of true
[Thu Apr 25 12:18:39 2013] 7872 4092 trace message: WINAD: ADRegistry::ReadKeys() -- Reading secWinAD/UseOldGraphWhileBuildingNew
[Thu Apr 25 12:18:39 2013] 7872 4092 trace message: WINAD: ADRegistry::ToBoolean() -- Empty input. Returning default of true
[Thu Apr 25 12:18:39 2013] 7872 4092 trace message: WINAD: ADRegistry::ReadKeys() -- Reading secWinAD/UseFQDNForDirectoryServers
[Thu Apr 25 12:18:39 2013] 7872 4092 trace message: WINAD: ADRegistry::ToBoolean() -- Empty input. Returning default of false
[Thu Apr 25 12:18:39 2013] 7872 4092 trace message: WINAD: ADAggregationManager::Refresh() -- Setting graph timeout:
[Thu Apr 25 12:18:39 2013] 7872 4092 trace message: WINAD: CADGraphKeeper::SetUpdateInterval() -- Update interval is 900000 ms
[Thu Apr 25 12:18:39 2013] 7872 4092 trace message: WINAD: ADAggregationManager::Refresh() -- Expiring current graph:
[Thu Apr 25 12:18:39 2013] 7872 4092 trace message: WINAD: CADGraphKeeper::ExpireGraph() -- No graph to expire.
[Thu Apr 25 12:18:39 2013] 7872 4092 trace message: WINAD: CADGraphKeeper::ExpireGraph() -- Graph expired.
[Thu Apr 25 12:18:39 2013] 7872 4092 trace message: WINAD: ADAccountFactory::InvalidateCache() -- Clearing the cache.
[Thu Apr 25 12:18:39 2013] 7872 4092 trace message: WINAD: CGroupMgr::UpdateMappedGroups() -- Mapped groups set to S-1-5-21-3208199719-2002702367-2867066461-1214162
[Thu Apr 25 12:18:39 2013] 7872 4092 trace message: WINAD: CADGraphKeeper::ExpireGraph() -- No graph to expire.
[Thu Apr 25 12:18:39 2013] 7872 4092 trace message: WINAD: CADGraphKeeper::ExpireGraph() -- Graph expired.
[Thu Apr 25 12:18:39 2013] 7872 4092 trace message: WINAD: CADImpl::AcceptLogin() -----------------------------------------------------------
[Thu Apr 25 12:18:39 2013] 7872 4092 trace message: WINAD: CADImpl::AcceptKerbLogin() -----------------------------------------------------------
[Thu Apr 25 12:18:39 2013] 7872 4092 trace message: UnPackBuffer: ssIdBuffer=SSPI
25448240
NOKEY
hbap.adroot.hsbc\43403722-850
Can anybody help us?
Hello experts,
The Win AD authentication problem is resolved.
Below is the occurrence:
1. When we create an SPN, i.e. an AD ID, there is a DES encryption property to be checked as per SAP's standard recommendations. In fact it is required, and we have successfully implemented AD in one case.
2. But in the existing case it didn't work. The moment we unchecked this property, authentication worked fine.
3. Due to some security group policies, it was not authenticating AD IDs while logging in.
So the question still exists: when to check this check box and when not? If it differs from case to case, we might need to follow multiple permutations and combinations, which is not practical.
So any advice about what standard to follow when doing third-party authentication?
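The property the reply refers to is the "Use DES encryption types for this account" checkbox on the service account, which sets the UF_USE_DES_KEY_ONLY bit (0x200000) in userAccountControl; domain policy that disallows DES then causes Kerberos logons through that account to fail. The script below is an added example, not code from this thread or from SAP: it audits a BO service account for that flag and decodes its msDS-SupportedEncryptionTypes value so the setting can be checked on a second server before comparing it with one that works. It assumes the ActiveDirectory PowerShell module (RSAT) is available in a domain-joined admin session, which the original Windows Server 2003 host would not have; the account name is a placeholder supplied as a parameter.

```powershell
# Added example (not from the original thread): audit the BO SPN/service account
# for the DES-only Kerberos setting discussed above.
# Assumes: ActiveDirectory module (RSAT) loaded, domain-joined admin session.
param(
    [Parameter(Mandatory = $true)]
    [string]$ServiceAccount   # placeholder: sAMAccountName of the BO SPN account
)

Import-Module ActiveDirectory

# userAccountControl bit set by the ADUC checkbox
# "Use DES encryption types for this account" (UF_USE_DES_KEY_ONLY).
$UF_USE_DES_KEY_ONLY = 0x200000

# Bit values of the msDS-SupportedEncryptionTypes attribute.
$EncTypes = [ordered]@{
    'DES-CBC-CRC'          = 0x01
    'DES-CBC-MD5'          = 0x02
    'RC4-HMAC'             = 0x04
    'AES128-CTS-HMAC-SHA1' = 0x08
    'AES256-CTS-HMAC-SHA1' = 0x10
}

$acct = Get-ADUser -Identity $ServiceAccount `
    -Properties userAccountControl, 'msDS-SupportedEncryptionTypes', servicePrincipalName

$desOnly = ($acct.userAccountControl -band $UF_USE_DES_KEY_ONLY) -ne 0

# Decode the supported-encryption-types bitmask; an unset/zero value means
# the domain default applies rather than an explicit per-account list.
$setValue = $acct.'msDS-SupportedEncryptionTypes'
if ($null -eq $setValue -or $setValue -eq 0) {
    $supported = 'not set (domain default applies)'
} else {
    $supported = ($EncTypes.GetEnumerator() |
        Where-Object { ($setValue -band $_.Value) -ne 0 } |
        ForEach-Object { $_.Name }) -join ', '
}

[pscustomobject]@{
    Account           = $acct.SamAccountName
    SPNs              = ($acct.servicePrincipalName -join '; ')
    UseDESKeyOnly     = $desOnly
    SupportedEncTypes = $supported
}

if ($desOnly) {
    Write-Warning ("'Use DES encryption types for this account' is set on {0}; " +
        "if domain policy disallows DES, Kerberos logons via this SPN will fail." -f $acct.SamAccountName)
    Write-Warning ("To clear it: Set-ADAccountControl -Identity '{0}' -UseDESKeyOnly `$false" -f $ServiceAccount)
}
```

Run it once against the UAT service account and once against the Production one; a difference in UseDESKeyOnly or SupportedEncTypes between two environments that are otherwise identical is exactly the kind of discrepancy the thread describes. After changing either setting, reset the account password so the KDC regenerates long-term keys for the permitted encryption types, then restart the BO services that log on with the SPN account.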