on 08-06-2009 6:32 AM
Hello.
HELP!
I am trying to set up Windows AD SSO, and I got this error when using kinit:
krb_error 6 Client not found in Kerberos database
What could be the cause of this error?
I found a note saying that this error happens if it is a Windows 2008 DC.
As for the environment I set up, the DC is Windows 2003, and BOE is on a Windows 2008 server.
BTW, manual AD works OK.
Thanks
Hello Tim,
Yes, I can log into other client tools such as Deski.
As you advised, I have revised my bsclogin with the debug option; however, I don't know where to look for the error details as you wrote. Could you give me more information on that?
Thank you.
Justine
Sorry, it's the boe\tomcat55\logs directory; you want the std.out. The username should show up as user@DOMAIN.COM.
If the domain is not in CAPS (matching the default domain in the krb5.ini), then make sure the value in the CMC > auth > AD > default domain is set to the same as the krb5.ini.
If you see another error, let us know.
Regards,
Tim
I had this issue and it was due to the InfoViewApp application not starting. Tomcat would start fine; however, if you checked:
http://[server]:8080/manager/html
(after configuring tomcat-users.xml so you can log in to the admin page)
...you could see that InfoViewApp was not started.
I reviewed my web.xml and changed the idm.princ from:
BOSSO/bossosvcacct.mydomain.com@M Y D O M A I N.COM // added some spaces, forum thinks it's an email address
to
BOSSO/bossosvcacct.mydomain.com
At this point InfoViewApp started working but SSO still doesn't work.
I get the following in stdout.log:
17-03-10 16:22:40:285 - {ERROR} [/InfoViewApp].[action] Thread [http-80-Processor24]; Servlet.service() for servlet action threw exception
java.lang.IllegalStateException
at org.apache.catalina.connector.ResponseFacade.sendError(ResponseFacade.java:418)
at javax.servlet.http.HttpServletResponseWrapper.sendError(HttpServletResponseWrapper.java:117)
at com.businessobjects.sdk.credential.WrappedServletResponse.sendError(WrappedServletResponse.java:30)
at com.wedgetail.idm.sso.AbstractAuthenticator.setUnauthorizedResponse(AbstractAuthenticator.java:1328)
at com.wedgetail.idm.sso.MechChecker.authenticate(MechChecker.java:144)
at com.wedgetail.idm.sso.AbstractAuthenticator.authenticate(AbstractAuthenticator.java:1060)
at com.wedgetail.idm.sso.AbstractAuthenticator.authenticateServiceTicket(AbstractAuthenticator.java:998)
at com.wedgetail.idm.sso.AbstractAuthenticator.checkAuthentication(AbstractAuthenticator.java:953)
at com.wedgetail.idm.sso.AuthFilter.doFilter(AuthFilter.java:122)
at com.businessobjects.sdk.credential.WrappedResponseAuthFilter.doFilter(WrappedResponseAuthFilter.java:66)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:202)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:213)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:178)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:126)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:105)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:107)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:148)
at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:869)
at org.apache.coyote.http11.Http11BaseProtocol$Http11ConnectionHandler.processConnection(Http11BaseProtocol.java:664)
at org.apache.tomcat.util.net.PoolTcpEndpoint.processSocket(PoolTcpEndpoint.java:527)
at org.apache.tomcat.util.net.LeaderFollowerWorkerThread.runIt(LeaderFollowerWorkerThread.java:80)
at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:684)
at java.lang.Thread.run(Thread.java:595)
Edited by: Kevin Lee on Mar 18, 2010 12:32 AM
Hi Tim,
I have the same problem in our deployment. We created the user and SPN as you mention in your manual "Configuring vintela SSO... - complete expert edition".
Manual AD authentication works with no problem, but SSO does not. In stdout.log we have an error "18-03-10 11:58:11:303 - [/InfoViewApp].[action] Thread [http-8080-Processor23]; Servlet.service() for servlet action threw exception
java.lang.IllegalStateException ....." and so on.
We have BOE 3.1 + SP2 + fix pack 2.5 and integration kit for SAP (same patch level). => [at customer site]
In the test environment in our company (different AD and BO Edge installation) SSO works perfectly with no problem. I found out that the web.xml files are different... (no SAP int. kit installation)
Tim, how do we troubleshoot this problem?
Thank you for your reply!
Regards,
Gregor
Hi Tim,
Problem solved!
The problem was with the CLASSPATH. When we installed the SAP integration Kit we created the folder c:\Program Files\Business Objects\Tomcat55\common\lib and pasted the Sapco.jar file there. I copied the other jar files from c:\Program Files\Business Objects\Tomcat55\shared\lib into this folder and SSO works from other clients.
Best regards,
Gregor
Hello Tim,
Thank you for the advice.
There is some improvement.
Now, when I execute kinit.exe, I get this message:
New ticket is stored in cache file C:\Users\Administrator\krb5cc_s01a004bo01admin
However, when I tried to access InfoView, I got this message:
type:Status Report
Message: /InfoViewApp/logon.jsp
Description: The requested resource (/InfoViewApp/logon.jsp) is not available.
Any suggestions?
Thank you.
Can you log in to client tools?
If so, make sure your bsclogin has the following debug option:
com.businessobjects.security.jgss.initiate {
    com.sun.security.auth.module.Krb5LoginModule required debug=true;
};
If you have to add it, then restart Tomcat. After the restart you should be able to see the user logon attempt and corresponding error, but remember, only if client tools (Deski, Designer, Crystal) can log in with AD. If client tools fail, then your AD config, most likely the service account, needs to be checked.
Regards,
Tim
"Client not found in Kerberos database" means username not found. It indicates that a KDC was found and the username does not exist. In the case of 2008 DCs and the vintela service account UPN, it is caused by a bug in the Microsoft OS. Other possible causes: user entered in domain\user format, typo, duplicate UPN. Whatever you entered before the username @REALM.COM represents how the user is submitted when performing kinit. If you search your domain (REALM.COM) for the user logon name attribute (you can do this in mmc Users and Computers advanced search), it should return 0 results (and cause that error) or more than 2 (and also cause that error). If it returns 1, the only issue I have seen is the 2008 DC one.
Also, when searching notes, use "client not found in kerberos database"; I know there are more notes out there.
Regards,
Tim
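The checks described in the reply above (name format, realm case against krb5.ini, and how many accounts carry the user logon name), sketched as an added example that is not part of the original thread. The krb5.ini fragment, the LDIF-style export and the function names are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample inputs (not from the thread): a krb5.ini fragment and an
# LDIF-style export of user objects carrying userPrincipalName.
KRB5_INI = "[libdefaults]\n    default_realm = EXAMPLE.COM\n"
LDIF = """\
dn: CN=bosso,OU=Service,DC=example,DC=com
userPrincipalName: bosso@EXAMPLE.COM

dn: CN=bosso-old,OU=Retired,DC=example,DC=com
userPrincipalName: BOSSO@example.com

dn: CN=alice,OU=Users,DC=example,DC=com
userPrincipalName: alice@EXAMPLE.COM
"""

def default_realm(krb5_text):
    m = re.search(r"^\s*default_realm\s*=\s*(\S+)", krb5_text, re.M)
    return m.group(1) if m else ""

def upn_counts(ldif_text):
    # AD compares userPrincipalName case-insensitively, so fold case first.
    upns = re.findall(r"^userPrincipalName:\s*(\S+)", ldif_text, re.M)
    return Counter(u.lower() for u in upns)

def triage(principal, krb5_text=KRB5_INI, ldif_text=LDIF):
    """Return findings for the name as it would be typed after kinit."""
    if "\\" in principal:
        return ["domain\\user format: use user@REALM instead"]
    realm = default_realm(krb5_text)
    user, sep, given = principal.partition("@")
    if not sep:
        given = realm  # no realm typed: default_realm applies
    findings = []
    if given != realm and given.lower() == realm.lower():
        findings.append(f"realm case differs from default_realm {realm}")
    matches = upn_counts(ldif_text)[f"{user}@{given}".lower()]
    if matches == 0:
        findings.append("no account carries this UPN")
    elif matches > 1:
        findings.append(f"{matches} accounts share this UPN")
    return findings

if __name__ == "__main__":
    for name in ("alice", "bosso@EXAMPLE.COM", "bob@EXAMPLE.COM", r"EXAMPLE\alice"):
        print(name, "->", triage(name) or "one match, format OK")
```

An empty result means exactly one account matched and the name was well formed, which is the case the reply attributes to the 2008 DC issue.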