
Windows AD Authentication to CMC

Former Member

Unable to logon to CMC using Windows AD authentication, error:

"Account information not recognized: Active Directory Authentication failed to log you on. Please contact your system administrator to make sure you are a member of a valid mapped group and try again. If you are not a member of the default domain, enter your user name as UserName@DNS_DomainName, and then try again. (FWM 00006)"

Windows AD authentication is enabled, using Kerberos. Service account "Service Principal Name" is set correctly using SETSPN utility. AD Sync runs successfully every hour and imports any users that are members of the defined group.

Have read threads in this forum related to using all caps, does not seem to help.

Both the Apache Web Server and Server Intelligence service are running with logon set to service account credentials. Service account is member of local Administrators group.

Business Objects Enterprise XI 3.1

Recently installed FixPack 1.3 to see if that helped and to be at latest revision.

SAP Integration Pack is installed. SAP Authentication / SSO works for CMC, InfoView, Web Intelligence. Also using SAP Enterprise Portal can publish BI sourced Crystal reports on BOE using SSO with no prompt for credentials.

Windows 2003 R2 32 Standard Edition

BOE server is in the same domain as the user accounts attempting to logon. Windows 2003 Forest with Single Domain, at both 2003 Domain and Forest functionality level.

Accepted Solutions (1)

BasicTek
Advisor

Use [this doc|https://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/d0f6ac3c-b3ac-2b10-1b95-c9bd46194977] to troubleshoot. Sections 4-6 involve setting up kerberos manual AD auth (disregard the SSO references).

You mention SAP auth, which currently is set up external/separate from enterprise/AD auth. If you are trying to authenticate to SAP then post in the SAP integration kit forum.

For kerberos AD make sure you can

1) Login with client tools (CCM/deski/crystal/designer/etc). If that works then the service account and SPN are usually ok. If not then the most common causes are a duplicate SPN or DES encryption not being allowed.

2) kinit from the businessobjects\javasdk\bin directory. This will require your krb5.ini be in c:\winnt and will verify java SDK connectivity to AD and the krb5.ini files only.

Typically if the above 2 tests work you should be able to login to infoview unless the java options are not set properly or in more rare cases encryption or multi domain issues exist.

Oh and for no reason do you need to run tomcat under the service account, switch it back to local service.

Regards,

Tim

Former Member

Thanks, I will review the document. I did mention SAP Authentication, but just to add that it is working!

I am first trying to just get Windows AD to authenticate to CMC. Am I correct in understanding that this process is unrelated to authentication using Java apps, so using kinit to troubleshoot would be premature at this point?

BasicTek
Advisor

kinit is 1 piece of the puzzle for java authentication (krb5.ini and java SDK only). For non-SSO you also must verify the service account (login to a client tool for this) and the tomcat java options/bsclogin.conf (if debug=true is set you can verify this works by seeing the AD username in the std.out).

Regards,

Tim

Former Member

We followed the document through Section 4 and we were successful in authenticating using Windows AD for access to Desktop Intelligence, Designer, Business Views.

Then completed Java Apps configuration through Section 6 and can now authenticate using Windows AD to CMC and InfoView.

This so far is a test; we used accounts in the same domain as the BOE server, which is an SAP application domain, to simplify the setup. The user community that will need SSO capabilities is in a separate domain and forest. Today we are going to configure the settings for the user domain and attempt to authenticate through the trust.

Thanks for your assistance, so far so good!

It is surprising that there are so many more details in this document, and in some cases direct conflicts with the steps in the installation and administrators guides.

BasicTek
Advisor

It is surprising that there are so many more details in this document, and in some cases direct conflicts with the steps in the installation and administrators guides.

This is true and it is noted in the guide that you cannot use both docs (one or the other). The admin guide is certainly 1 way to set things up, but after much experience in support we have identified many issues that customers run into as well as simple tests that can quickly identify these issues. My document is a compilation of these issues/tests. Also it is written to simplify configuration for customers with multiple environments. I will have another version coming out in the coming months that has an even more simplified approach. Believe me it's a battle to try to make a single document that takes into consideration all customer environments (AD/Sun/web-apps/BO/clustering/etc).

Regards,

Tim

Former Member

We were successful in setting up multiple domain support by editing the KRB5.INI to add an additional Realm then updating the Windows AD Authentication settings to include additional groups from the user domain.

Now we can authenticate to all applications using Windows AD to multiple domains.

Section 6 of the document is straightforward, but we are experiencing issues with Section 7. The server.xml edits are pretty clear, but we are having issues modifying web.xml.

1.) We are assuming that the correct web.xml folder path is the same as server.xml:

D:\Program Files\Business Objects\Tomcat55\conf

2.) The default web.xml file has no existing lines consistent with your example:

<context-param>
<param-name>authentication.default</param-name>

So we attempted to copy and paste the sample with edits for Realm into the file. The problem is that we are not sure where to locate that code. We put it near the bottom below the MIME settings.

3.) Removing the open and close comments for the authFilter.

There are no existing lines consistent with that example in the default web.xml. Once again, we just copied and pasted the example into the file.

<!--
<filter>
<filter-name>authFilter</filter-name>
<filter-class>com.businessobjects.sdk.credential...

4.) Removing the open and close comments for the filter mapping

Once again there are no existing lines of code in the default web.xml, so we copied your example minus open and close comments amongst the filter settings.

<!--
<filter-mapping>
<filter-name>authFilter</filter-name>
<url-pattern>/logon/logonService.do</url-pattern>
</filter-mapping>
-->

5.) Opened the web.xml using Internet Explorer to make sure the sections we removed comments from were displayed in bold

6.) Added the Java Options:

-Dcom.wedgetail.idm.sso.password=password
-Djcsi.kerberos.maxpacketsize=0
-Djcsi.kerberos.debug=true

After stopping Tomcat and restarting with fresh logs, we do see "Credentials Obtained" in STDOUT.log file but there are errors:

May 21, 2009 6:39:33 PM org.apache.catalina.core.StandardContext filterStart
SEVERE: Exception starting filter authFilter
java.lang.ClassNotFoundException: com.businessobjects.sdk.credential.WrappedResponseAuthFilter
May 21, 2009 6:39:33 PM org.apache.catalina.core.StandardContext start
SEVERE: Error filterStart
May 21, 2009 6:39:33 PM org.apache.catalina.core.StandardContext start
SEVERE: Context [/AdminTools] startup failed due to previous errors
log4j:WARN No appenders could be found for logger (org.apache.commons.digester.Digester.sax).
log4j:WARN Please initialize the log4j system properly.
May 21, 2009 6:39:35 PM org.apache.catalina.core.StandardContext start
SEVERE: Error filterStart
May 21, 2009 6:39:35 PM org.apache.catalina.core.StandardContext start
SEVERE: Context [/AnalyticalReporting] startup failed due to previous errors

7.) The CMC and other applications fail with an HTTP 500 error. We put the web.xml back to default for now.

BasicTek
Advisor

Well again, if you are using my doc for troubleshooting and the admin guide or other docs you will have a difficult time getting anywhere.

In my doc, section 7 assumes the following:

1) you used the format I recommended for the initial ktpass command

2) you are not using a keytab

3) the password is specified in the tomcat java options

4) djcsi tracing is enabled.

If those aren't all true then I can't get you the error we need to move forward. You can always open a message with support; we have a whole team of folks that are familiar with both configs.

Regards,

Tim

Former Member

Sorry, not sure why my last post is all jumbled together. The most significant portion of the question above was to clarify the path of the web.xml to edit. There are 20 or more files with this name on disk.

I mentioned that we were attempting to edit:

- D:\Program Files\Business Objects\Tomcat55\conf\web.xml

This file did not have any of the default values you mention.

Instead we realize now the file in question to be modified is:

- D:\Program Files\Business Objects\Tomcat55\webapps\InfoViewApp\WEB-INF\web.xml

We made the recommended edits from section 7 of your document to this file. Is this correct for configuring SSO for InfoView? After stopping Tomcat, removing logs, and restarting Tomcat, the "Credentials Obtained" is successful.

Testing from a client using IP address in URL does not authenticate with SSO, but manually typing in username and password still works as tested earlier in the process.

Running the KINIT utility yields no errors. So we are moving on to Section 8 to resolve client SSO issues. Thanks in advance for your assistance.

BasicTek
Advisor

The IP will need to be added to the browser local intranet sites before it will work as will the FQDN. Try using the hostname from a client (other than the tomcat server).

Regards,

Tim

Former Member

We are attempting from a client computer, using both IP address and hostname. Both the IP address and hostname are part of "Local Intranet Sites" and IE is configured for "Automatic Logon with Current Username and Password". SSO is working with the current browser settings for many other SAP applications including NetWeaver Enterprise Portal, BPC and RWD uPerform 3.1.

It appears that BOE is attempting to authenticate; we see the same error as we got before any of this was set up:

"Account information not recognized: Active Directory Authentication failed to log you on. Please contact your system administrator to make sure you are a member of a valid mapped group and try again. If you are not a member of the default domain, enter your user name as UserName@DNS_DomainName, and then try again. (FWM 00006)"

The issue may be multidomain related. Do you have a separate document for setting up multiple domain support? The correct Realm settings are in KRB5.ini, but do we need to list both domains in the WEB.XML? We actually tried using a user account from the primary domain where BOE server is member and SPN is defined, that did not work either. As I said, we are moving into Section 8 anyway, since it appears to be related to troubleshooting client SSO issues.

Thanks!

Former Member

Maybe try this in the krb5.ini:

[libdefaults]
default_realm = CORP.XXX.COM
dns_lookup_kdc = true
dns_lookup_realm = true

[realms]
CORP.XXX.COM = {
    default_domain = CORP.XXX.COM
    kdc = abcdef12.CORP.XXX.COM
    kdc = abcdef14.CORP.XXX.COM
    kdc = abcdef15.CORP.XXX.COM
}

It is working for us (we have five kdc entries), but not sure how many kdc you can add.
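As an added example (not code from this thread or from SAP), the Python checker below parses a krb5.ini in the layout posted above and flags the two configuration pitfalls raised in this thread: realm names that are not upper case (Kerberos realms are case-sensitive) and realms with no kdc when DNS lookup is off. The sample file is constructed and contains deliberate mistakes.

```python
import re
# Constructed sample in the layout posted above; the lower-case realm names and the kdc-less second realm are deliberate mistakes.
SAMPLE_KRB5_INI = """\
[libdefaults]
default_realm = corp.xxx.com
dns_lookup_kdc = false
[realms]
CORP.XXX.COM = {
    kdc = abcdef12.CORP.XXX.COM
    kdc = abcdef14.CORP.XXX.COM
}
users.xxx.com = {
}
"""

def parse_krb5_ini(text):
    """Return (libdefaults dict, {realm: {key: [values]}}); kdc may repeat."""
    libdefaults, realms, section, realm = {}, {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            section, realm = line.strip("[]").lower(), None
        elif section == "realms" and re.match(r"^\S+\s*=\s*\{$", line):
            realm = line.split("=", 1)[0].strip()
            realms.setdefault(realm, {})
        elif line == "}":
            realm = None
        elif "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            if section == "libdefaults":
                libdefaults[key.lower()] = value
            elif realm:
                realms[realm].setdefault(key.lower(), []).append(value)
    return libdefaults, realms

def check_krb5_ini(text):
    """Return findings as strings; an empty list means nothing was flagged."""
    libdefaults, realms = parse_krb5_ini(text)
    findings, default_realm = [], libdefaults.get("default_realm")
    if default_realm is None:
        findings.append("libdefaults: default_realm is missing")
    elif default_realm not in realms:  # exact, case-sensitive match required
        findings.append(f"default_realm {default_realm} has no matching [realms] block")
    dns_kdc = libdefaults.get("dns_lookup_kdc", "false").lower() == "true"
    for name, entries in realms.items():
        if name != name.upper():
            findings.append(f"realm {name} is not upper case; Kerberos realms are case-sensitive")
        if "kdc" not in entries and not dns_kdc:
            findings.append(f"realm {name} lists no kdc and dns_lookup_kdc is not true")
    return findings
```

Run `check_krb5_ini(open(r"c:\winnt\krb5.ini").read())` against the file the java SDK actually reads; three findings come back for the constructed sample and none once the realms are upper-cased and each has a kdc.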

BasicTek
Advisor

The error message indicates the user doing SSO was not in a mapped group, although this error is unusual for SSO.

To recap manual authentication is working for multiple domains right?

Are you receiving credentials obtained in the std.out for the vintela service account (idm.princ @IDM.REALM)?

The settings you have to perform SSO always are less secure than Microsoft defaults (only SSO in intranet zone) so that shouldn't be an issue, although we rarely see the browser set this way (it means that any site on the internet can challenge you and your browser will send credentials).

If manual auth is working there are no changes needed in the krb5.ini. SSO does not use the krb5.ini and is usually easier to set up than manual auth in that regard. Is the service principal name in the CMC > Authentication > AD set to the CMS service account's SPN (i.e. BOSSO/myserviceaccount.mydomain.com)?

Also at any time you can open a case with support - authentication team to get an engineer assigned to help. We have a worldwide team of people trained on this.

Regards,

Tim

Former Member

Hi Tim,

We are getting the same error.

Objective: Configuring Manual AD Authentication

Environment: BOXI3.1 on a Windows 2008 server, Apache Tomcat as the App Server.

Error: Account information not recognized: Active Directory Authentication failed to log you on. Please contact your system administrator to make sure you are a member of a valid mapped group and try again. If you are not a member of the default domain, enter your user name as UserName@DNS_DomainName, and then try again. (FWM 00006)

Steps followed:

1. Configured the service account, and some of us are able to log in through the client tools using AD Authentication.

2. Configured krb5.ini and bsclogin.conf as per the instructions in your doc and in the manual. In the krb5.ini file, is the host name the same as the name of the BO server or is it the name of the AD server? What exactly do we need to enter in the host name?

3. When I try to run the kinit command it gives the error 'kinit is not recognized as an internal or external command'. Does that mean that Kerberos is not installed on the BO server?

4. You also mentioned using std.out. What is that and where do I find it?

Thanks

BasicTek
Advisor

To test kinit you must be in BOinstall\javasdk\bin.

The krb5.ini must be in c:\winnt.

Then you can test the krb5.ini. If you were using regular AD like with a client tool, discovery of AD domain controllers is automatic via OS API calls. When using java, the java SDK doesn't seem capable of the same calls, so to make those calls it requires the krb5.ini to show it the AD configuration to use.

If you search SAP notes for krb5.ini you should find rules for configuring krb5.ini which detail a lot more information.

Regards,

Tim

Former Member

As the originator of this thread, I am marking it as answered.

We are at this point still unable to open web applications like InfoView without a prompt, but Windows AD authentication works great based on Tim's document and assistance.

Since we also set up specific objects based on permissions using SAP authentication, we are leaving the configuration as is.

Thanks!

Former Member

Hi,

We made AD authentication work fine on XI 3.0 last November 2008 but were unable to make it work with SSO.

It means that since then, users have to log on by typing their NT password.

Did you solve this issue, which would allow users to connect directly without identifying with their password?

Former Member

No, we were not able to successfully set up unprompted access using Windows AD Authentication; users must enter name and password. This is acceptable for now, considering we are using SAP Authentication as well.

Answers (1)

tammy_datri
Explorer

I had a similar problem where I could not log in to the CMC with my Windows AD account. I found this page and followed the document. Turns out I did not have my Default AD Domain in CAPITAL LETTERS. Once I changed it from lower case to upper case letters, I was able to log in.

THANK YOU!