on 2011 Jul 28 6:39 PM
I have installed BI 4.0 on windows 2008 with Tomcat 6 / MSSQL. Authentication with AD is configured based on Admin guide. I can log in CMC / Bi Launch Pad manually with Windows AD Authentication.
Kerberos SSO with AD doesn't work. I got the error message as "Account Information Not Recognized: Active Directory Authentication failed to log you on. Please contact your system administrator to make sure you are a member of a valid mapped group and try again. If you are not a member of the default domain, enter your user name as UserName@DNS_DomainName, and then try again. (FWM 00006)"
The error shows at trace file Webapp_BIlaunchpad_trace.000001.glf as follows:
com.crystaldecisions.sdk.plugin.authentication.ldap.internal.SecWinADAuthentication||Authentication failed.
java.lang.IllegalArgumentException: EncryptionKey: Key bytes cannot be null!
at sun.security.krb5.EncryptionKey.<init>(EncryptionKey.java:214)
at sun.security.krb5.EncryptionKey.acquireSecretKeys(EncryptionKey.java:191)
at sun.security.krb5.EncryptionKey.acquireSecretKeys(EncryptionKey.java:159)
Tomcat log shows:
Debug is true storeKey false useTicketCache false useKeyTab false doNotPrompt false ticketCache is null isInitiator true KeyTab is null refreshKrb5Config is false principal is null tryFirstPass is false useFirstPass is false storePass is false clearPass is false
[Krb5LoginModule] user entered username: @XX.YY.COM
Using builtin default etypes for default_tkt_enctypes
default etypes for default_tkt_enctypes: 3 1 23 16 17.
There is no username passed.
I followed the administrator guide and created global.properties and BIlaunchpad.properties under the custom folder. Kinit is OK. "setspn -l bodservice" looks good too.
global.properties:
sso.enabled=true
siteminder.enabled=false
vintela.enabled=true
idm.realm=XX.YY.COM
idm.princ=BOSSO/bodservice.XX.YY.com
idm.allowUnsecured=true
idm.allowNTLM=false
idm.logger.name=simple
idm.logger.props=error-log.properties
idm.keytab=C:\winnt\BODvintela.keytab
BIlaunchpad.properties:
authentication.default=secWinAD
cms.default=XXXX:6400
authentication.visible=true
bscLogin.conf:
com.businessobjects.security.jgss.initiate
{com.sun.security.auth.module.Krb5LoginModule required debug=true;
};
Krb5.ini:
[libdefaults]
default_realm = XX.YY.COM
dns_lookup_kdc = true
dns_lookup_realm = true
udp_preference_limit = 1
[realms]
XX.YY.COM = {
kdc =XXXX.XX.YY.COM
default_domain = XX.YY.COM
}
We have XI 3.1 with AD SSO for InfoView. I followed most of the configuration steps, but there is no luck for 4.0. Any idea? Thanks for your help.
Edited by: Dong Li on Jul 28, 2011 11:16 PM
Update: I worked with SAP Support. SSO works for manually inputting the password at Tomcat configuration. It seems there is something wrong with Keytab. We will create new keytab.
The problem is likely with the vintela account setup,
idm.princ=BOSSO/bodservice.XX.YY.com
idm.allowUnsecured=true
idm.allowNTLM=false
idm.logger.name=simple
idm.logger.props=error-log.properties
idm.keytab=C:\winnt\BODvintela.keytab
We haven't completed the 4.x white paper yet so the steps followed should be like the XI 3.1 SP3 guide (adjusting for the global.properties instead of web.xml) KB 1483762 - Configuring Manual Kerberos Authentication and/or SSO in Distributed Environments with XI 3.1 SP3 **Best Practice**
Setting things up with the keytab initially adds another point of failure as well. In that guide there is a logging function, password option, and a way to test the idm.princ@IDM.REALM via kinit which is also helpful.
Regards,
Tim
Thanks for your reply and excellent documents, Tim.
After I reviewed your document, we deleted/created the domain user and ran ktpass again. We only use one domain user, "bodservice", for all configurations. The ktpass command is as follows:
ktpass -out bosso.keytab -princ bodservice@XX.YY.COM -pass ?????? -kvno 255 -ptype KRB5_NT_PRINCIPAL -crypto RC4-HMAC-NT
I had to change the authentication principal to "bodservice" in CMC Windows AD authentication so that I could log in manually with Windows AD. I removed the password Java option from the Tomcat configuration and changed global.properties as follows:
sso.enabled=true
siteminder.enabled=false
vintela.enabled=true
idm.realm=XX.YY.COM
idm.princ=bodservice
idm.keytab=C:\winnt\bosso.keytab
idm.allowUnsecured=true
idm.allowNTLM=false
idm.logger.name=simple
idm.logger.props=error-log.properties
BIlaunchpad.properties:
authentication.visible=true
authentication.default=secWinAD
cms.default=hostname:6400
I tried BI launch pad SSO; SSO is still not working, with the same error. I also ran
D:\Program Files (x86)\SAPBusinessObjects\SAP BusinessObjects Enterprise XI 4.0\win64_x64\jdk\bin\kinit -k -t bosso.keytab bodservice@XX.YY.COM. A new ticket is stored.
Please advise. Thanks.
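The thread keeps coming back to whether the keytab actually holds a key for the principal named in idm.princ / idm.realm. The following is an added example (not SAP's, Vintela's or the poster's code) that parses the MIT/Heimdal keytab format ktpass writes (version header 0x0502) and checks it offline against the values from global.properties. The sample keytab is constructed in-process from the same encoder, so nothing is read from disk; real keytabs come from ktpass, and the key bytes here are placeholders.

```python
"""Offline check of a keytab against idm.princ / idm.realm from global.properties.
Added example; parses the MIT/Heimdal keytab format (version 0x0502)."""
import struct

ENCTYPE_NAMES = {1: "des-cbc-crc", 3: "des-cbc-md5", 16: "des3-cbc-sha1",
                 17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96",
                 23: "rc4-hmac"}


def _counted(data):
    """keytab counted_octet_string: 16-bit big-endian length followed by bytes."""
    return struct.pack(">H", len(data)) + data


def build_keytab(entries):
    """Encode (principal, realm, kvno, enctype, key) tuples as a v2 keytab.
    Only used here to construct sample input; a real keytab comes from ktpass."""
    out = b"\x05\x02"
    for principal, realm, kvno, enctype, key in entries:
        comps = principal.split("/")
        body = struct.pack(">H", len(comps)) + _counted(realm.encode())
        body += b"".join(_counted(c.encode()) for c in comps)
        body += struct.pack(">IIB", 1, 0, kvno & 0xFF)  # name_type, timestamp, 8-bit vno
        body += struct.pack(">H", enctype) + _counted(key)
        body += struct.pack(">I", kvno)                   # 32-bit kvno extension
        out += struct.pack(">i", len(body)) + body
    return out


def _read_counted(blob, pos):
    (n,) = struct.unpack_from(">H", blob, pos)
    return blob[pos + 2:pos + 2 + n], pos + 2 + n


def parse_keytab(blob):
    """Return one dict per key entry in the keytab."""
    if blob[:2] != b"\x05\x02":
        raise ValueError("not a version-2 keytab, header %r" % blob[:2])
    pos, entries = 2, []
    while pos + 4 <= len(blob):
        (size,) = struct.unpack_from(">i", blob, pos)
        pos += 4
        if size < 0:                 # negative size marks a deleted slot
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", blob, pos)
        pos += 2
        realm, pos = _read_counted(blob, pos)
        comps = []
        for _ in range(ncomp):
            c, pos = _read_counted(blob, pos)
            comps.append(c.decode())
        _name_type, _timestamp, vno8 = struct.unpack_from(">IIB", blob, pos)
        pos += 9
        (enctype,) = struct.unpack_from(">H", blob, pos)
        pos += 2
        key, pos = _read_counted(blob, pos)
        kvno = vno8
        if end - pos >= 4:           # newer keytabs append a 32-bit kvno
            (kvno,) = struct.unpack_from(">I", blob, pos)
        pos = end
        entries.append({"principal": "/".join(comps), "realm": realm.decode(),
                        "kvno": kvno, "enctype": enctype, "key_len": len(key)})
    return entries


def check_keytab(blob, idm_princ, idm_realm, allowed_enctypes=(23,)):
    """Return a list of problems; an empty list means the keytab matches the config.
    Comparison is exact, as Java's Kerberos code treats realm names case-sensitively."""
    problems = []
    entries = parse_keytab(blob)
    matching = [e for e in entries
                if e["principal"] == idm_princ and e["realm"] == idm_realm]
    if not matching:
        have = sorted({"%s@%s" % (e["principal"], e["realm"]) for e in entries})
        problems.append("no entry for %s@%s; keytab holds %s"
                        % (idm_princ, idm_realm, have or "nothing"))
        return problems
    usable = [e for e in matching if e["enctype"] in allowed_enctypes]
    if not usable:
        names = [ENCTYPE_NAMES.get(e["enctype"], str(e["enctype"])) for e in matching]
        problems.append("principal present but only with enctypes %s" % names)
    for e in matching:
        if e["key_len"] == 0:
            problems.append("empty key for kvno %d" % e["kvno"])
    return problems


# Constructed sample: one RC4-HMAC key (16 placeholder bytes) for an HTTP SPN,
# mirroring "ktpass -kvno 255 -crypto RC4-HMAC-NT" from the thread.
SAMPLE_KEYTAB = build_keytab([
    ("HTTP/bi4dev.mydomain.com", "MYDOMAIN.COM", 255, 23, bytes(range(16))),
])

if __name__ == "__main__":
    print(parse_keytab(SAMPLE_KEYTAB))
    print(check_keytab(SAMPLE_KEYTAB, "HTTP/bi4dev.mydomain.com", "MYDOMAIN.COM"))
    print(check_keytab(SAMPLE_KEYTAB, "bodservice", "MYDOMAIN.COM"))
```

Run against a real file with `check_keytab(open(path, "rb").read(), princ, realm)`; a non-empty result explains an "EncryptionKey: Key bytes cannot be null" style failure before you touch Tomcat, and the `allowed_enctypes` parameter is the place to widen the check if krb5.ini allows more than rc4-hmac.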
Hi guys, we had the exact same issue with BI 4.0 and SSO, and after much frustration got it to work the following way:
Our setup:
Windows Domain Functional Level: 2003
Windows 2008 R2 SAP servers
Windows Domain: MYDOMAIN.COM
DNS Suffix (for FQDN): MYDOMAIN.COM (Note: your AD and DNS might have different names)
Windows Domain Controller: MYDC.MYDOMAIN.COM
BI Server FQDN: bi4dev.mydomain.com
BI Service User (UPN): SAPServiceBI4@MYDOMAIN.COM
BI Service User (SAM): MYDOMAIN\SAPServiceBI4
Cleanup for previous attempts:
In case you have already tried to configure SSO, cleanup all you have done:
- List current SPNs assigned to the Service User (setspn -l SAPServiceBI4) and delete all SPNs (setspn -D <SPN> SAPServiceBI4)
- Check for duplicate SPNs assigned to the Service User and delete them too: setspn -X
- Delete or rename current keytab file
- On AD ensure the UPN of the Service User is back to normal (usually when you run KTPASS it changes the AD user name to the SPN you specified, i.e. change HOST/server.com@MYDOMAIN.COM back to SAPServiceBI4@MYDOMAIN.COM)
- In the global.properties file, remove the SPN entry for idm.princ= and the keytab entry for idm.keytab=
- In the BI CMC > Authentication > Windows AD, uncheck/disable "Enable Windows Active Directory"
- Reboot the whole server to clear the cache etc for a clean start
SSO Config:
- Create new Service User or use previous one as per guide:
UPN=SAPServiceBI4@MYDOMAIN.COM, SAM=MYDOMAIN\SAPServiceBI4
- Add user to Local Administrators group and update Local Security Policy as per guide (Act as part of the Operating system, Log on as a Batch job, Log on as a service, Replace a Process Level Token)
- On the Domain Controller run KTPASS to create the SPN and keytab file (this is VERY important: for the SPN you need to specify the URL that users will be using in their web browser to access the BI Launchpad. For example, if your server URL to BI Launchpad is http://server.domain.com:8080/BOE/BI, then use server.domain.com@DOMAIN.COM):
ktpass -princ HTTP/bi4dev.mydomain.com@MYDOMAIN.COM -mapuser SAPServiceBI4@MYDOMAIN.COM -pass passw123 -kvno 255 -ptype KRB5_NT_PRINCIPAL -crypto RC4-HMAC-NT -out SAPServiceBI4.keytab
- Now, in AD go to Domain Users and check your Service Account. The UPN should now have changed to HTTP/bi4dev.mydomain.com@MYDOMAIN.COM, whilst the SAM is still MYDOMAIN\SAPServiceBI4. Also, RESET THE PASSWORD to the SAME password you had for the Service User (right-click user > Reset Password) - this prevents any funny Kerberos credential issues between AD and the keytab.
- Next, go to the Delegation tab and select "Trust this user for delegation to any service (Kerberos only)". If the Delegation tab is not visible, run the setspn commands below and retry.
- Run "setspn -l SAPServiceBI4". There should now already be an SPN registered (which is the FQDN), namely HTTP/bi4dev.mydomain.com. Register additional SPNs (short name and IP):
setspn -a HTTP/bi4dev SAPServiceBI4
setspn -a HTTP/10.10.20.30 SAPServiceBI4
- Create folder C:\WINNT and copy the keytab file to it (you can use C:\Windows itself I guess, but I played it safe)
- Assign the Service User to the SIA service in the CCM as MYDOMAIN\SAPServiceBI4
- Create/edit the "global.properties" file under ..\Program Files (x86)\SAP BusinessObjects\Tomcat6\webapps\BOE\WEB-INF\config\custom\:
sso.enabled=true
siteminder.enabled=false
vintela.enabled=true
idm.realm=MYDOMAIN.COM
idm.princ=HTTP/bi4dev.mydomain.com (!! Use the SPN defined in the KTPASS command above)
idm.allowUnsecured=true
idm.allowNTLM=false
idm.logger.name=simple
idm.logger.props=error-log.properties
idm.keytab=C:/WINNT/SAPServiceBI4.keytab (!! VERY IMPORTANT !! Don't use backslashes (example C:\WINNT\SAPServiceBI4.keytab); use the forward slash as it should be in Java format)
- Create the "BIlaunchpad.properties" file in the same location:
authentication.visible=true
authentication.default=secWinAD
cms.default=bi4dev:6400
- Increase the Tomcat header size limit in the "server.xml" file as per guide
- Create file "C:\WINNT\krb5.ini":
[libdefaults]
default_realm = MYDOMAIN.COM
dns_lookup_kdc = true
dns_lookup_realm = true
default_tkt_enctypes = rc4-hmac
default_tgs_enctypes = rc4-hmac
[domain_realm]
.domain.com = MYDOMAIN.COM
domain.com = MYDOMAIN.COM
[realms]
MYDOMAIN.COM = {
default_domain = MYDOMAIN.COM
kdc = MYDC.MYDOMAIN.COM
}
- Create file "C:\WINNT\bscLogin.conf":
com.businessobjects.security.jgss.initiate {
com.sun.security.auth.module.Krb5LoginModule required debug=true;
};
Edited by: Bernardt Nel - Priv on Aug 2, 2011 10:39 AM
- Modify the Tomcat JAVA options:
-Djava.security.auth.login.config=C:\WINNT\bscLogin.conf
-Djava.security.krb5.conf=C:\WINNT\krb5.ini
Now you can restart the server again. Once it is up and running, go into the BI CMC > Authentication > Windows AD and configure it as follows:
- Enable Windows AD
- AD Admin Name = MYDOMAIN\SAPServiceBI4 (or any other user that can read the AD)
- Default Domain = MYDOMAIN.COM
- Add AD Group = MYDOMAIN\Domain Users
- Use Kerberos Authentication + Cache Security Context
- Service Principal Name = HTTP/bi4dev.mydomain.com
... and set the rest as per the guide or your preferences. I opted for "Create new alias only when user logs on" so as not to import all the Domain Users at once. Restart the SIA and/or Tomcat services in CCM. Now you can test SSO via your AD login to the BI launchpad.
But alas, it still didn't work for us!? So I found a Java error in this log file:
..\Program Files (x86)\SAP BusinessObjects\Tomcat6\work\Catalina\localhost\BOE\sbInitLog.txt
bundle=/admin
Registering config info for bundle=/admin
Starting bundle=com.businessobjects.webpath.InfoView
Registering web.xml for bundle=/InfoView
Registering config info for bundle=/InfoView
Error with config registration for bundle=/InfoView
com.wedgetail.idm.sso.ConfigException: Could not validate keytab [caused by: GSSException: Failure unspecified at GSS-API level (Mechanism level: com.dstc.security.kerberos.KerberosError: Clock skew too greatKrbError:
Error code: 37
Error message: null
Client name: null
Client realm: null
Client time: null
Server name: krbtgt/MYDOMAIN.COM
Server realm: MYDOMAIN.COM
Server time: Mon Aug 01 21:14:04 CAT 2011)]
at com.wedgetail.idm.sso.util.Util.checkAgainstKDC(Util.java:181)
at com.wedgetail.idm.sso.AbstractAuthenticator.initAuthenticator2(AbstractAuthenticator.java:556)
at com.wedgetail.idm.sso.AbstractAuthenticator.initAuthenticator(AbstractAuthenticator.java:325)
at com.wedgetail.idm.sso.AuthFilter.init(AuthFilter.java:131)
at com.businessobjects.sdk.credential.WrappedResponseAuthFilter.init(WrappedResponseAuthFilter.java:56)
at com.businessobjects.http.servlet.internal.FilterRegistration.init(FilterRegistration.java:42)
at com.businessobjects.http.servlet.internal.FilterRegistrationManager.registerFilter(FilterRegistrationManager.java:260)
Take note this error: "Clock skew too greatKrbError"
Our Domain Controller and SAP Server time was over 4 minutes out of sync. So as a test I increased my local time on the SAP server to about the same time as the DC and VOILA! SSO works!
By the way, at first we had another error in this file, which was something like "keytab not found, could not find or read CWINNTSAPServiceBI4.keytab". This is when we used backslashes in the "global.properties" for the entry "idm.keytab=C:\WINNT\SAPServiceBI4.keytab". After changing it to forward slashes it could find/read the keytab file: "idm.keytab=C:/WINNT/SAPServiceBI4.keytab"
I hope this solves everyone's SSO problems!
GREAT THANKS TO YOU, Bernardt Nel, for the "/" symbols in the path of the keytab file in the global.properties file.
Only this advice helped us to solve the same problem.
Too bad that SAP writes guides with such serious mistakes and SUPPORT has not been able to solve the high-priority message, with all details about our settings, for 2 weeks already. Only this forum was useful.
The same problem happened after applying SP02 on BO 4.0 SP01.
I had double backslashes instead of single \. It worked. Another way of having keytab path.
--Srikar
Edited by: Srikar Garisa on Sep 8, 2011 7:13 AM
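Both fixes in this thread, Bernardt Nel's forward slashes and Srikar's doubled backslashes, work for the same reason: global.properties is a Java .properties file, and java.util.Properties.load() treats a backslash as an escape character, so `\W` collapses to `W` and `\t` becomes a tab. The following is an added example (not SAP's or Tomcat's code) that re-implements those escape rules and shows what each spelling of the idm.keytab path turns into; the config lines are constructed for the demonstration.

```python
"""Parse a Java .properties file the way java.util.Properties.load() does,
to show what a Windows keytab path becomes after escape processing.
Added example, not SAP's or Tomcat's code."""


def unescape(raw):
    """Apply the Properties.load() escape rules to a key or value."""
    out, i = [], 0
    while i < len(raw):
        ch = raw[i]
        i += 1
        if ch != "\\":
            out.append(ch)
            continue
        if i >= len(raw):          # a lone trailing backslash is dropped
            break
        esc = raw[i]
        i += 1
        if esc == "u":             # \uXXXX unicode escape
            out.append(chr(int(raw[i:i + 4], 16)))
            i += 4
        elif esc in "tnrf":        # the usual control-character escapes
            out.append({"t": "\t", "n": "\n", "r": "\r", "f": "\f"}[esc])
        else:                      # any other character: the backslash vanishes
            out.append(esc)
    return "".join(out)


def load_properties(text):
    """Minimal Properties.load(): comments, line continuation, '=' / ':' / whitespace
    separators, and escape processing on both key and value."""
    props, pending = {}, ""
    for line in text.splitlines():
        line = line.lstrip()
        if pending:                # continuation of the previous line
            line = pending + line
            pending = ""
        if not line or line[0] in "#!":
            continue
        # a line ending in an odd number of backslashes continues on the next one
        stripped = line.rstrip("\\")
        if (len(line) - len(stripped)) % 2 == 1:
            pending = stripped
            continue
        key, i = [], 0
        while i < len(line):       # key runs up to the first unescaped separator
            ch = line[i]
            if ch == "\\":
                key.append(line[i:i + 2])
                i += 2
                continue
            if ch in "=: \t":
                break
            key.append(ch)
            i += 1
        rest = line[i:].lstrip(" \t")
        if rest[:1] in ("=", ":"):
            rest = rest[1:].lstrip(" \t")
        props[unescape("".join(key))] = unescape(rest)
    return props


# The three spellings of the keytab path seen in this thread (constructed text;
# each string below is the literal line as it would appear in the file).
CONFIGS = {
    "single backslash": "idm.keytab=C:\\WINNT\\SAPServiceBI4.keytab",
    "double backslash": "idm.keytab=C:\\\\WINNT\\\\SAPServiceBI4.keytab",
    "forward slash":    "idm.keytab=C:/WINNT/SAPServiceBI4.keytab",
}


def keytab_path(config_text):
    """The path the SSO filter would actually try to open."""
    return load_properties(config_text)["idm.keytab"]


if __name__ == "__main__":
    for label, text in CONFIGS.items():
        print("%-17s %-45s -> %r" % (label, text, keytab_path(text)))
```

The single-backslash form yields `C:WINNTSAPServiceBI4.keytab`, which is the mangled name in the "could not find or read" error quoted above; a path such as `C:\temp\...` is worse, because `\t` silently becomes a tab character. Either `\\` or `/` survives parsing intact, and Java on Windows accepts the forward-slash form.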