17 Replies. Latest reply: Sep 28, 2009 9:46 PM by John Yates

Windows AD Authentication to CMC

John Yates

Unable to logon to CMC using Windows AD authentication, error:

"Account information not recognized: Active Directory Authentication failed to log you on. Please contact your system administrator to make sure you are a member of a valid mapped group and try again. If you are not a member of the default domain, enter your user name as UserName@DNS_DomainName, and then try again. (FWM 00006)"

Windows AD authentication is enabled, using Kerberos. Service account "Service Principal Name" is set correctly using the SETSPN utility. AD Sync runs successfully every hour and imports any users that are members of the defined group.

Have read threads in this forum related to using all caps; does not seem to help.

Both the Apache Web Server and Server Intelligence service are running with logon set to service account credentials. Service account is a member of the local Administrators group.

Business Objects Enterprise XI 3.1

Recently installed FixPack 1.3 to see if that helped and to be at the latest revision.

SAP Integration Pack is installed. SAP Authentication / SSO works for CMC, InfoView, Web Intelligence. Also, using SAP Enterprise Portal we can publish BI sourced Crystal reports on BOE using SSO with no prompt for credentials.

Windows 2003 R2 32 Standard Edition

BOE server is in the same domain as the user accounts attempting to logon. Windows 2003 Forest with Single Domain, at both 2003 Domain and Forest functionality level.

  • Re: Windows AD Authentication to CMC
    Tim Ziemba

    Use [this doc|https://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/d0f6ac3c-b3ac-2b10-1b95-c9bd46194977] to troubleshoot. Sections 4-6 involve setting up kerberos manual AD auth (disregard the SSO references).

    You mention SAP auth, which currently is set up external/separate from enterprise/AD auth. If you are trying to authenticate to SAP then post in the SAP integration kit forum.

    For kerberos AD make sure you can:

    1) Login with client tools (CCM/deski/crystal/designer/etc). If that works then the service account and SPN are usually ok. If not, then the most common causes are a duplicate SPN or DES encryption not being allowed.

    2) kinit from the businessobjects\javasdk\bin directory. This will require your krb5.ini to be in c:\winnt and will verify java SDK connectivity to AD and the krb5.ini file only.

    Typically if the above 2 tests work you should be able to login to infoview unless the java options are not set properly or, in more rare cases, encryption or multi-domain issues exist.

    Oh, and for no reason do you need to run tomcat under the service account; switch it back to local service.

    Regards,

    Tim

    • Re: Windows AD Authentication to CMC
      John Yates

      Thanks, I will review the document. I did mention SAP Authentication, but just to add that it is working!

      I am first trying to just get Windows AD to authenticate to CMC. Am I correct in understanding that this process is unrelated to authentication using Java apps, so using kinit to troubleshoot would be premature at this point?

      • Re: Windows AD Authentication to CMC
        Tim Ziemba

        kinit is 1 piece of the puzzle for java authentication (krb5.ini and java SDK only). For non-SSO you also must verify the service account (login to a client tool for this) and the tomcat java options/bsclogin.conf (if debug=true is set you can verify this works by seeing the AD username in the stdout.log).

        Regards,

        Tim

        • Re: Windows AD Authentication to CMC
          John Yates

          We followed the document through Section 4 and we were successful in authenticating using Windows AD for access to Desktop Intelligence, Designer, Business Views.

          Then completed the Java Apps configuration through Section 6 and can now authenticate using Windows AD to CMC and InfoView.

          This so far is a test; we used accounts in the same domain as the BOE server, which is an SAP application domain, to simplify the setup. The user community that will need SSO capabilities is in a separate domain and forest. Today we are going to configure the settings for the user domain and attempt to authenticate through the trust.

          Thanks for your assistance, so far so good!

          It is surprising that there are so many more details in this document, and in some cases direct conflicts with the steps in the installation and administrator's guides.

          • Re: Windows AD Authentication to CMC
            Tim Ziemba
            John Yates wrote:

            It is surprising that there are so many more details in this document, and in some cases direct conflicts with the steps in the installation and administrator's guides.

            This is true, and it is noted in the guide that you cannot use both docs (one or the other). The admin guide is certainly 1 way to set things up, but after much experience in support we have identified many issues that customers run into, as well as simple tests that can quickly identify these issues. My document is a compilation of these issues/tests. Also it is written to simplify configuration for customers with multiple environments. I will have another version coming out in the coming months that has an even more simplified approach. Believe me, it's a battle to try to make a single document that takes into consideration all customer environments (AD/Sun/web-apps/BO/clustering/etc).

            Regards,

            Tim

            • Re: Windows AD Authentication to CMC
              John Yates

              We were successful in setting up multiple domain support by editing the KRB5.INI to add an additional Realm, then updating the Windows AD Authentication settings to include additional groups from the user domain.

              Now we can authenticate to all applications using Windows AD to multiple domains.

              Section 6 of the document is straightforward, but we are experiencing issues with Section 7. The server.xml edits are pretty clear, but we are having issues modifying web.xml.

              1.) We are assuming that the correct web.xml folder path is the same as server.xml:

              D:\Program Files\Business Objects\Tomcat55\conf

              2.) The default web.xml file has no existing lines consistent with your example:

              <context-param>
              <param-name>authentication.default</param-name>

              So we attempted to copy and paste the sample, with edits for Realm, into the file. Problem is that we are not sure where to locate that code. We put it near the bottom below the MIME settings.

              3.) Removing the open and close comments for the authFilter.

              There are no existing lines consistent with that example in the default web.xml. Once again, we just copied and pasted the example into the file.

              <!--
              <filter>
              <filter-name>authFilter</filter-name>
              <filter-class>com.businessobjects.sdk.credential...

              4.) Removing the open and close comments for the filter mapping.

              Once again there are no existing lines of code in the default web.xml, so we copied your example minus open and close comments amongst the filter settings.

              <!--
              <filter-mapping>
              <filter-name>authFilter</filter-name>
              <url-pattern>/logon/logonService.do</url-pattern>
              </filter-mapping>
              -->

              5.) Opened the web.xml using Internet Explorer to make sure the sections we removed comments from were displayed in bold.

              6.) Added the Java Options:

              -Dcom.wedgetail.idm.sso.password=password
              -Djcsi.kerberos.maxpacketsize=0
              -Djcsi.kerberos.debug=true

              After stopping Tomcat and restarting with fresh logs, we do see "Credentials Obtained" in the STDOUT.log file, but there are errors:

              May 21, 2009 6:39:33 PM org.apache.catalina.core.StandardContext filterStart
              SEVERE: Exception starting filter authFilter
              java.lang.ClassNotFoundException: com.businessobjects.sdk.credential.WrappedResponseAuthFilter

              May 21, 2009 6:39:33 PM org.apache.catalina.core.StandardContext start
              SEVERE: Error filterStart

              May 21, 2009 6:39:33 PM org.apache.catalina.core.StandardContext start
              SEVERE: Context [/AdminTools] startup failed due to previous errors
              log4j:WARN No appenders could be found for logger (org.apache.commons.digester.Digester.sax).
              log4j:WARN Please initialize the log4j system properly.

              May 21, 2009 6:39:35 PM org.apache.catalina.core.StandardContext start
              SEVERE: Error filterStart

              May 21, 2009 6:39:35 PM org.apache.catalina.core.StandardContext start
              SEVERE: Context [/AnalyticalReporting] startup failed due to previous errors

              7.) The CMC and other applications fail with an HTTP 500 Error. We put the web.xml back to default for now.
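Added example, not code from the thread or from the Business Objects product: a Python check for the two things the post above is wrestling with. It parses a web.xml and reports whether the authFilter filter and its filter-mapping are live elements or still sit inside comments (an XML parser silently drops commented-out elements, so "looks bold in Internet Explorer" is not a reliable test), and it extracts filter start failures, the class Tomcat could not load, and the contexts that failed from stdout lines. The web.xml fragment and the log lines are constructed, modelled on the ones quoted in the post; the filter name, class and URL pattern are the ones the post shows.

```python
"""Check that authFilter is really active in web.xml, and triage Tomcat stdout."""
import re
import xml.etree.ElementTree as ET

# Constructed web.xml fragment modelled on the one quoted in the post:
# the filter and its mapping are still wrapped in <!-- --> comments.
WEB_XML_COMMENTED = """<web-app xmlns="http://java.sun.com/xml/ns/j2ee">
  <!--
  <filter>
    <filter-name>authFilter</filter-name>
    <filter-class>com.businessobjects.sdk.credential.WrappedResponseAuthFilter</filter-class>
  </filter>
  -->
  <!--
  <filter-mapping>
    <filter-name>authFilter</filter-name>
    <url-pattern>/logon/logonService.do</url-pattern>
  </filter-mapping>
  -->
</web-app>
"""

# The same fragment after the "remove the open and close comments" step.
WEB_XML_ACTIVE = WEB_XML_COMMENTED.replace("<!--", "").replace("-->", "")

# Constructed Tomcat stdout lines modelled on the ones posted above.
STDOUT_LINES = [
    "May 21, 2009 6:39:33 PM org.apache.catalina.core.StandardContext filterStart",
    "SEVERE: Exception starting filter authFilter",
    "java.lang.ClassNotFoundException: com.businessobjects.sdk.credential.WrappedResponseAuthFilter",
    "May 21, 2009 6:39:33 PM org.apache.catalina.core.StandardContext start",
    "SEVERE: Context [/AdminTools] startup failed due to previous errors",
    "May 21, 2009 6:39:35 PM org.apache.catalina.core.StandardContext start",
    "SEVERE: Context [/AnalyticalReporting] startup failed due to previous errors",
]


def _local(tag):
    """Strip the namespace prefix ElementTree puts on tags: '{ns}filter' -> 'filter'."""
    return tag.split("}")[-1]


def filter_status(web_xml_text, filter_name="authFilter"):
    """Report whether the named filter and its mapping are real elements or
    still sit inside comments, which the XML parser silently drops."""
    root = ET.fromstring(web_xml_text)
    live_filters, live_mappings = {}, []
    for elem in root.iter():
        kind = _local(elem.tag)
        if kind not in ("filter", "filter-mapping"):
            continue
        fields = {_local(child.tag): (child.text or "").strip() for child in elem}
        if "filter-name" not in fields:
            continue
        if kind == "filter":
            live_filters[fields["filter-name"]] = fields.get("filter-class")
        else:
            live_mappings.append(fields["filter-name"])
    # A <filter-name> that only appears inside a <!-- ... --> comment means
    # the "remove the comments" step was skipped; look for it in the raw text.
    commented = re.compile(
        r"<!--(?:(?!-->).)*?<filter-name>\s*" + re.escape(filter_name) + r"\s*</filter-name>",
        re.S,
    )
    return {
        "filter_active": filter_name in live_filters,
        "filter_class": live_filters.get(filter_name),
        "mapping_active": filter_name in live_mappings,
        "still_commented": commented.search(web_xml_text) is not None,
    }


def triage_stdout(lines):
    """Return (failed filters, classes Tomcat could not load, contexts that
    failed to start) found in Tomcat stdout lines."""
    failed_filters, missing_classes, failed_contexts = [], [], []
    for line in lines:
        m = re.match(r"SEVERE: Exception starting filter (\S+)", line)
        if m:
            failed_filters.append(m.group(1))
        m = re.match(r"java\.lang\.ClassNotFoundException: (\S+)", line)
        if m:
            missing_classes.append(m.group(1))
        m = re.match(r"SEVERE: Context \[([^\]]+)\] startup failed", line)
        if m:
            failed_contexts.append(m.group(1))
    return failed_filters, missing_classes, failed_contexts


if __name__ == "__main__":
    for label, text in (("commented", WEB_XML_COMMENTED), ("active", WEB_XML_ACTIVE)):
        print(label, filter_status(text))
    print(triage_stdout(STDOUT_LINES))
```

The contexts the triage reports (/AdminTools, /AnalyticalReporting) are webapps other than InfoViewApp, which is the clue that the filter went into Tomcat's global conf\web.xml, where it applies to every webapp and fails wherever the SDK class is not on the classpath, rather than into the InfoViewApp WEB-INF\web.xml that the follow-up post identifies as the right file.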

              • Re: Windows AD Authentication to CMC
                Tim Ziemba

                Well, again, if you are using my doc for troubleshooting and the admin guide or other docs, you will have a difficult time getting anywhere.

                In my doc section 7 assumes the following:
                1) you used the format I recommended for the initial ktpass command
                2) you are not using a keytab
                3) the password is specified in the tomcat java options
                4) djcsi tracing is enabled.

                If those aren't all true then I can't get you the error we need to move forward. You can always open a message with support; we have a whole team of folks that are familiar with both configs.

                Regards,

                Tim

                • Re: Windows AD Authentication to CMC
                  John Yates

                  Sorry, not sure why my last post is all jumbled together. The most significant portion of the question above was to clarify the path of the web.xml to edit. There are 20 or more files with this name on disk.

                  I mentioned that we were attempting to edit:

                  - D:\Program Files\Business Objects\Tomcat55\conf\web.xml

                  This file did not have any of the default values you mention.

                  Instead we realize now the file in question to be modified is:

                  - D:\Program Files\Business Objects\Tomcat55\webapps\InfoViewApp\WEB-INF\web.xml

                  We made the recommended edits from section 7 of your document to this file. Is this the correct file for configuring SSO for InfoView? After stopping Tomcat, removing logs, restarting Tomcat, the "Credentials Obtained" is successful.

                  Testing from a client using the IP address in the URL does not authenticate with SSO, but manually typing in username and password still works as tested earlier in the process.

                  Running the KINIT utility yields no errors. So we are moving on to Section 8 to resolve client SSO issues. Thanks in advance for your assistance.

                  • Re: Windows AD Authentication to CMC
                    Tim Ziemba

                    The IP will need to be added to the browser local intranet sites before it will work, as will the FQDN. Try using the hostname from a client (other than the tomcat server).

                    Regards,

                    Tim

                    • Re: Windows AD Authentication to CMC
                      John Yates

                      We are attempting from a client computer, using both IP address and hostname. Both the IP address and hostname are part of "Local Intranet Sites" and IE is configured for "Automatic Logon with Current Username and Password". SSO is working with current browser settings for many other SAP applications including NetWeaver Enterprise Portal, BPC and RWD uPerform 3.1.

                      It appears that BOE is attempting to authenticate; we see the same error as we got before any of this was set up:

                      "Account information not recognized: Active Directory Authentication failed to log you on. Please contact your system administrator to make sure you are a member of a valid mapped group and try again. If you are not a member of the default domain, enter your user name as UserName@DNS_DomainName, and then try again. (FWM 00006)"

                      The issue may be multidomain related. Do you have a separate document for setting up multiple domain support? The correct Realm settings are in KRB5.ini, but do we need to list both domains in the WEB.XML? We actually tried using a user account from the primary domain where the BOE server is a member and the SPN is defined; that did not work either. As I said, we are moving into Section 8 anyway, since it appears to be related to troubleshooting client SSO issues.

                      Thanks!

                      • Re: Windows AD Authentication to CMC
                        Hari Krish

                        Maybe try this in the krb5.ini:

                        [libdefaults]
                        default_realm = CORP.XXX.COM
                        dns_lookup_kdc = true
                        dns_lookup_realm = true
                        [realms]
                        CORP.XXX.COM = {
                        default_domain = CORP.XXX.COM
                        kdc = abcdef12.CORP.XXX.COM
                        kdc = abcdef14.CORP.XXX.COM
                        kdc = abcdef15.CORP.XXX.COM
                        }

                        It is working for us (we got five kdc), but not sure how many kdc you can add.
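Added example, not code from the thread or from SAP: a small Python parser for the krb5.ini layout shown above ([libdefaults] key/value lines and [realms] blocks with repeated kdc lines) plus the checks this thread keeps coming back to: realm names in upper case, a default_realm that has a [realms] entry, and at least one kdc per realm. It also covers the multi-realm case John describes earlier in the thread, where a second realm is added for the trusted user domain, so it serves both Tim's kinit/krb5.ini test and Hari's sample. The krb5.ini text is constructed with placeholder names modelled on Hari's; USERS.XXX.COM and dc01 are invented.

```python
"""Parse a krb5.ini of the shape used in this thread and run basic sanity checks."""
import re

# Constructed krb5.ini, modelled on the one posted above, with a second realm
# added the way the thread describes for a trusted user domain. All host and
# realm names are placeholders.
KRB5_INI = """[libdefaults]
default_realm = CORP.XXX.COM
dns_lookup_kdc = true
dns_lookup_realm = true
[realms]
CORP.XXX.COM = {
default_domain = CORP.XXX.COM
kdc = abcdef12.CORP.XXX.COM
kdc = abcdef14.CORP.XXX.COM
}
USERS.XXX.COM = {
default_domain = USERS.XXX.COM
kdc = dc01.USERS.XXX.COM
}
"""


def parse_krb5_ini(text):
    """Parse the krb5.ini subset used here: [section] headers, key = value
    lines, and NAME = { ... } blocks. Values are kept as lists because keys
    such as kdc may repeat inside a realm block."""
    sections = {}
    section = None   # dict for the current [section]
    block = None     # dict for the current NAME = { ... } block, if any
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        m = re.match(r"\[(\w+)\]$", line)
        if m:
            section = sections.setdefault(m.group(1), {})
            block = None
            continue
        if section is None:
            raise ValueError("key outside any section: %r" % line)
        if line == "}":
            block = None
            continue
        m = re.match(r"([^=\s]+)\s*=\s*(.*)$", line)
        if not m:
            raise ValueError("unparseable line: %r" % line)
        key, value = m.group(1), m.group(2).strip()
        if value == "{":
            block = section.setdefault(key, {})
            continue
        target = block if block is not None else section
        target.setdefault(key, []).append(value)
    return sections


def check_krb5_ini(text):
    """Return a list of findings; an empty list means the file passes."""
    cfg = parse_krb5_ini(text)
    findings = []
    libdefaults = cfg.get("libdefaults", {})
    realms = cfg.get("realms", {})
    default_realm = libdefaults.get("default_realm", [None])[0]
    if default_realm is None:
        findings.append("no default_realm in [libdefaults]")
    elif default_realm != default_realm.upper():
        findings.append("default_realm %s is not upper case" % default_realm)
    elif default_realm not in realms:
        findings.append("default_realm %s has no [realms] entry" % default_realm)
    for name, entry in realms.items():
        if name != name.upper():
            findings.append("realm %s is not upper case" % name)
        if not entry.get("kdc"):
            findings.append("realm %s lists no kdc" % name)
    return findings


if __name__ == "__main__":
    for realm, entry in parse_krb5_ini(KRB5_INI)["realms"].items():
        print(realm, "->", ", ".join(entry.get("kdc", [])))
    print("findings:", check_krb5_ini(KRB5_INI) or "none")
```

Running this against the file before running kinit from the javasdk\bin directory separates "the file is malformed or names a realm with no KDC" from "the Java SDK cannot reach the KDC", which are the two things Tim's kinit test lumps together.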

                      • Re: Windows AD Authentication to CMC
                        Tim Ziemba

                        The error message indicates the user doing SSO was not in a mapped group, although this error is unusual for SSO.

                        To recap, manual authentication is working for multiple domains, right?
                        Are you receiving "credentials obtained" in the stdout for the vintela service account (idm.princ@IDM.REALM)?

                        The settings you have to perform SSO always are less secure than Microsoft defaults (only SSO in intranet zone), so that shouldn't be an issue, although we rarely see the browser set this way (it means that any site on the internet can challenge you and your browser will send credentials).

                        If manual auth is working there are no changes needed in the krb5.ini; SSO does not use the krb5.ini and is usually easier to set up than manual auth in that regard. Is the service principal name in the CMC > Authentication > AD set to the CMS service account's SPN (i.e. BOSSO/myserviceaccount.mydomain.com)?

                        Also at any time you can open a case with support - authentication team to get an engineer assigned to help. We have a worldwide team of people trained on this.

                        Regards,

                        Tim

    • Re: Windows AD Authentication to CMC
      Bhargav Mantha

      Hi Tim,

      We are getting the same error.

      Objective: Configuring Manual AD Authentication
      Environment: BOXI3.1 on a Windows 2008 server, Apache Tomcat as the App Server.

      Error: Account information not recognized: Active Directory Authentication failed to log you on. Please contact your system administrator to make sure you are a member of a valid mapped group and try again. If you are not a member of the default domain, enter your user name as UserName@DNS_DomainName, and then try again. (FWM 00006)

      Steps followed:
      1. Configured the service account and some of us are able to log in through the client tools using AD Authentication.
      2. Configured krb5.ini and bsclogin.conf as per the instructions in your doc and in the manual. In the krb5.ini file, is the host name the same as the name of the BO server or is it the name of the AD server? What exactly do we need to enter in the host name?
      3. When I try to run the kinit command it gives the error 'kinit is not recognized as an internal or external command'. Does that mean that Kerberos is not installed on the BO server?
      4. You also mentioned using std.out. What is that and where do I find it?

      Thanks

      • Re: Windows AD Authentication to CMC
        Tim Ziemba

        To test kinit you must be in BOinstall\javasdk\bin.
        The krb5.ini must be in c:\winnt.

        Then you can test the krb5.ini. If you were using regular AD, like with a client tool, discovery of AD domain controllers is automatic via OS API calls. When using java, the java SDK doesn't seem capable of the same calls, so to make those calls it requires the krb5.ini to show it the AD configuration to use.

        If you search SAP notes for krb5.ini you should find rules for configuring krb5.ini which detail a lot more information.

        Regards,

        Tim
