
WACS AD Kerberos SSO

Former Member

Has anyone been able to get this working? I am using WACS, and was successful in setting up AD authentication. I then set up SSO according to the Admin Guide and WACS supplement, but the SSO still does not work. I am using BO Edge 3.1 on Windows Server 2003 SP2. When I try to open InfoView, it puts the username in, but no password. There is no error message provided. I can then enter the password without any problems and log in, but of course this defeats the purpose. I have searched both here and the BOB forum, but can't seem to find anyone that is actually using WACS (I did NOT install Tomcat).

After getting AD set up, I then set up another user for SSO. So "businessobjects" was the name of the AD user, and "businessobjectssso" was the name of the SSO user (this is how I had it running in XI R2 using Java, and it is still working). Almost everything was done exactly how I had it set up in XI R2 with Java.

1. businessobjectssso was setup using all the correct properties (delegation, never expires, etc)

2. Ktpass /princ HTTP/COMPUTER.DOMAIN.COM<AT>DOMAIN.COM /mapuser businessobjectssso

3. Reset account pw

4. Ktpass –princ HTTP/COMPUTER.DOMAIN.COM<AT>DOMAIN.COM /mapuser businessobjectssso /crypto DES-CBC-MD5 /pass <PASSWORD> /ptype KRB5_NT_PRINCIPAL /out COMPUTERNAME.Keytab kvno 255

Note: "/" was used instead of "-" because "-" wasn't working (perhaps a copy/paste issue, but it did go through with "/"). Also note that <AT> is "@".

5. Moved the keytab to the BO computer, and setup the WACS, entering the domain and all that. I've restarted everything (SIA, WACS, Server), to no avail. Has ANYONE been successful with this?

Thanks.

Accepted Solutions (1)


BasicTek
Advisor

For SSO to work with WACS, Vintela must be configured. WACS is just a self-contained Java server, so the same rules apply. There are only 2 variables I'm not familiar with: the WACS web.xml and server.xml (or equivalent) and the Java options. I don't have Edge installed on WACS at the moment, but are the settings for idm.princ, idm.realm, idm.keytab anywhere (web.xml file, CMC>servers>WACS)?

The DES setting you used for ktpass will be problematic, causing case sensitivity and forcing you to reset your service account password. It also usually generates encryption errors in Microsoft logs when used with 2003 or newer DCs.

I was kinda surprised when InfoView was added to WACS; we typically add Java options for tracing, and I'm not sure where that will get added on WACS.

Regards,

Tim

Former Member

I did configure the WACS server by specifying those parameters by going to the CMC -> Servers -> (next page) WACS properties. There were two separate areas to specify the domain, principal, and location of keytab (one for web services SDK/QaaWS, one for InfoView). I'm fairly certain the settings are correct because if I change the principal to something incorrect, I get an error 404 from InfoView. As it is now, it simply doesn't work for SSO.

I would prefer to use the DES setting, simply because it worked last time, but of course I'm willing to change if you think it's the cause.

I found the documentation, as you mentioned, totally lacking for WACS InfoView. I was using "Web Application Container Server (WACS): Supported and Unsupported Features for BusinessObjects Enterprise XI 3.1" for much of my guidance.

Edited by: Morgan Blake on Apr 22, 2009 3:34 PM

BasicTek
Advisor

Well, DES is old and should have been removed from our docs as soon as we supported Java SDK 1.5 and 2003. There is no benefit, but some engineers have reported that on certain 2000 DCs only DES works and not RC4; other than that, DES is a very old and weak encryption algorithm.

Are you testing from a client? Have you tried from 2003 (there is an XP bug out there that can mess with testing)?

Install [Microsoft kerbtray|http://www.microsoft.com/downloads/details.aspx?FamilyID=4e3a58be-29f6-49f6-85be-e866af8e7a88&displaylang=en] on the client and verify which tickets it's getting.

My [Vintela doc|https://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/002b818d-3db2-2b10-9895-c7b5fd4cbc71] has a section showing what to look for when getting a successful login.

To note, DES will cause the whole thing to fail depending on Microsoft patch level and policy, so even if it worked it will eventually fail if your AD admins are patching regularly; this will eventually affect your working system as well.

To be safe I'd recommend redoing the ktpass with RC4 per my doc.

EDIT: try replacing your WACS command line with the following, but replace the $$$$$ with the password:

"-server" "-Dbobj.javaserver.home=C:/Program Files/Business Objects/BusinessObjects Enterprise 12.0//java/server" "-Dcom.businessobjects.pjs.common.dir=C:/Program Files/Business Objects/common/4.0/java/lib/" "-Dcom.businessobjects.pjs.conf.file=C:/Program Files/Business Objects/BusinessObjects Enterprise 12.0//java/server/conf/config.xml" "-Dorg.apache.geronimo.base.dir=C:/Program Files/Business Objects/BusinessObjects Enterprise 12.0//java/server/platform" "-Djava.io.tmpdir=C:/Program Files/Business Objects/BusinessObjects Enterprise 12.0//java/server/platform/var/temp" "-Dbusinessobjects.logs.home=C:/Program Files/Business Objects/BusinessObjects Enterprise 12.0/Logging/" "-Xms32m" "-Xmx1g" "-XX:MaxPermSize=256m" "-Dcom.wedgetail.idm.sso.password=$$$$$" "-Djcsi.kerberos.debug=true" "-Djcsi.kerberos.maxpacketsize=0" "-DXorg.apache.geronimo.gbean.NoProxy=true" "-Djava.net.preferIPv4Stack=false" -jar "C:/Program Files/Business Objects/BusinessObjects Enterprise 12.0//java/server/bin/boeserver.jar" "-workdir" "C:/Program Files/Business Objects/BusinessObjects Enterprise 12.0//java/server/work"

Then remove the keytab file and save the configuration.

This will enable tracing for the server and we should see what's wrong.

This assumes a default installation directory.

Regards,

Tim
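Before copying the keytab to the BO server (step 5 of the first post), and when redoing ktpass with RC4 instead of DES as Tim recommends, it helps to confirm what ktpass actually wrote. The following is an added Python example, not code from this thread, from SAP or from Microsoft: it parses the MIT-format keytab (version 0x0502) that ktpass /out produces and flags single-DES entries. The build_keytab helper exists only to construct sample input, and the principal and realm names fed to it are made up.

```python
import struct

# Kerberos enctype numbers (RFC 3961, RFC 4757) that ktpass /crypto can write.
ENCTYPES = {1: "DES-CBC-CRC", 3: "DES-CBC-MD5", 23: "RC4-HMAC",
            17: "AES128-CTS-HMAC-SHA1-96", 18: "AES256-CTS-HMAC-SHA1-96"}
WEAK_ENCTYPES = {1, 3}  # single DES, the setting the thread warns against

def _cstr(s):  # counted octet string: 16-bit big-endian length, then bytes
    return struct.pack(">H", len(s.encode())) + s.encode()

def build_keytab(principal, realm, kvno, enctype, key):
    """Build a one-entry keytab in the MIT v2 (0x0502) layout that ktpass /out writes.
    Used here only to construct sample input; real files come from ktpass."""
    comps = principal.split("/")
    body = struct.pack(">H", len(comps)) + _cstr(realm)
    body += b"".join(_cstr(c) for c in comps)
    body += struct.pack(">IIB", 1, 0, kvno & 0xFF)      # name type, timestamp, vno8
    body += struct.pack(">HH", enctype, len(key)) + key  # keyblock
    body += struct.pack(">I", kvno)                      # optional 32-bit kvno
    return b"\x05\x02" + struct.pack(">i", len(body)) + body

def parse_keytab(data):
    """Return one dict per entry: principal, kvno, enctype name and a weak flag."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version-2 keytab")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        size = struct.unpack_from(">i", data, pos)[0]
        pos += 4
        if size <= 0:            # a negative size marks a deleted slot; skip it
            pos -= size
            continue
        end = pos + size
        ncomp, pos = struct.unpack_from(">H", data, pos)[0], pos + 2
        names = []               # realm first, then the principal components
        for _ in range(ncomp + 1):
            ln = struct.unpack_from(">H", data, pos)[0]
            names.append(data[pos + 2:pos + 2 + ln].decode("utf-8"))
            pos += 2 + ln
        _ntype, _stamp, vno8 = struct.unpack_from(">IIB", data, pos)
        enctype, klen = struct.unpack_from(">HH", data, pos + 9)
        pos += 13 + klen         # past name type, timestamp, vno8, keyblock
        kvno = vno8
        if end - pos >= 4:       # 32-bit kvno, when present and non-zero, wins
            kvno = struct.unpack_from(">I", data, pos)[0] or vno8
        pos = end
        entries.append({"principal": "/".join(names[1:]) + "@" + names[0],
                        "kvno": kvno, "enctype": ENCTYPES.get(enctype, str(enctype)),
                        "weak": enctype in WEAK_ENCTYPES})
    return entries
```

Run parse_keytab over the bytes of the real keytab file: the principal must match the SPN you set with ktpass, the kvno must match what you passed, and any entry flagged weak means the file was generated with DES and should be regenerated.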

Former Member

Hi Tim,

Thank you very much for your help. Unfortunately I couldn't get very far because the PDC rejected the ktpass command, and gave the following error message:

crypto: enum value 'RC4-HMAC-NT' is not known.

Error: argument for option "crypto" must be one of the following values:

DES-CBC-CRC : default

DES-CBC-MD5 : more MIT-ish

I used your document as the guide, and used this as the syntax (generalized, obviously):

ktpass -out myname.keytab -princ BOSSO/bossosvcacct.mydomain.com<AT>REALM.COM -mapuser bossosvcacct<AT>REALM.COM -pass yourpw -kvno 255 -ptype KRB5_NT_PRINCIPAL -crypto RC4-HMAC-NT

BasicTek
Advisor

You need a newer version of ktpass; for some reason Microsoft patches don't update that command.

It's part of the [2003 SP2 support tools|http://www.microsoft.com/downloads/details.aspx?familyid=96A35011-FD83-419D-939B-9A772EA2DF90&displaylang=en].

Regards,

Tim

Former Member

OK, I've followed your directions, changing the encryption and the server command line. I have confirmed, after running setspn -l, that the BOSSO/user.domain.com is listed, and I have that in the box for SPN (in WACS, where I specified AD Kerberos SSO). The SSO is still not working.

I then removed the keytab file from c:\windows, and restarted WACS. I'm not sure what the next steps are, and to be honest, despite your generous help, I'm contemplating uninstalling and installing Tomcat.

NOTE: I have been testing FROM the BO server, which is WS 2003. I can try from another 2003 machine if you think it's necessary.

BasicTek
Advisor

The steps to troubleshoot it are a bit different and I don't have it documented fully yet. You can open a case with support, and I'm pretty sure the authentication team will be able to resolve the issue or escalate it to me. The functionality offered in Tomcat and WACS is the same in XI 3.x, but some of the more complex workflows such as setting up Kerberos SSO need additional troubleshooting info so we can get proper logs. The Tomcat config is documented pretty well now in my Vintela docs, as well as how to trace the problem. So either way you should be able to get this working...

Regards,

Tim

Answers (1)


craig_wilson2
Explorer

I struggled mightily with this, but I finally got it working! I documented everything here