cancel
Showing results for 
Search instead for 
Did you mean: 

Unable to start the SIA/CMS under the service account

Former Member
0 Kudos

Getting the FWM 00003 error in both BI 4.0 and XI 3.1 systems. Service accounts and service principals are already set on Windows AD.

Following steps i performed:

1.Added the service account to the local administrator‘s group on BO server where the service account is running a SIA/CMS.

2. Granted the local policy Act as Part of the operating system.

3.  Server Intelligence Agent (SIA) is running via the service account after changing it from local admin.

However when i do Manage Servers then it's not allowing me to logon CMS with the Windows AD Service Account. Please see the attached error.

I tried with other combinations as well, but no help. Could you kindly advise. Thanks.

Accepted Solutions (0)

Answers (2)

Answers (2)

Former Member
0 Kudos

Make sure that a SPN is created for the service account which is running SIA and update the Win AD page in CMC

While logging into Manage servers you can just mention the account name and password domain\acct name format is not required

Former Member
0 Kudos

Rohit, i have tried all these options. With and without domain but no luck

Former Member
0 Kudos

Is the CMS available, If yes. login to CMC with enterprise and perform the steps as mentioned in note

1797236 - Error: "[repo_proxy 13]SessionFacade::OpenSessionLogon with user info has failed(Kerberos target  name BOSO/serviceaccount.domain.com is unknown. Please contact your
administrator(FWM 00003)(hr=#0x80042a01)"

Hope this helps.

Former Member
0 Kudos

Hi tilak and all,

I have been facing this same problem for days now, and I'm wondering if you had had it resolved and can help me.

Thanks,

Damien

0 Kudos

Hello,

please check that the SPN is valid via "setspn -l ACCOUNTNAME"

Also check via "setspn -x" that there are no duplicated in your Windows AD.

See also:

http://service.sap.com/sap/support/notes/1797236

Regards

-Seb.

Former Member
0 Kudos

Thanks Sebastian,

Running setspn -l, I get:

HTTP/##.###.##.##

HTTP/##.###.##.##.DOMAIN

HTTP/HOSTNAME.DOMAIN

HTTP/HOSTNAME

Running setspn -x,  I get 2 groups of duplicate SPNs (none of which are the SSO service account).

Does the service account needs to have read/write permissions to the CMS Database in order for it to run it?

I cannot access the page you provided the link for.

Regards,

Damien

0 Kudos

Hello,

looks good in the first place but please remove the following SPN via "setspn -d"

HTTP/###.###.###.###.DOMAIN

This one is not required. After deleten retry first, then proceed as shown here

No, the Service Account doesnt need to have priviliges on the CMS DB.

If you cant access the Link you propably dont have an S-User?! Please procced as follows:

1. Stop the Tomcat

2. Open the Tomcat Configuration

3. Go to the Java Tab

4. Add the following Paramter under Options

-Djcsi.kerberos.debug=true

5. Start the Tomcat

6. Check the std.out and std.err log File of the Tomcat that the Tomcat is started

7. Search the Files for "Credentials obtained"

8. Re- produce the issue

9. Check the Files again for any errors

Regards

-Seb.

Former Member
0 Kudos

Hi Sebastian,

Just fyi, I finally managed to have the SIA running under the service account and had manual AD authentication enabled. Highly appreciate your assistance.

Thanks a lot!

former_member182521
Active Contributor
0 Kudos

Have you performed Kinit test? Is that creating valid tickets?

Former Member
0 Kudos

No Mani i didn't configure that.

I follwowed Josh's below blog and my understanding was, we need to perform until step 6 for Windows AD to work

http://scn.sap.com/blogs/josh_fletcher/2012/06/11/active-directory-sso-for-sap-businessobjects-bi4

former_member182521
Active Contributor
0 Kudos

Refer this and check for kinit in it.

http://scn.sap.com/docs/DOC-26314