
"krb_error 6 Client not found in Kerberos database" error

Former Member
0 Kudos

Hello.

HELP!

I am trying to setup Windows AD SSO, and I got this error when using kinit,

krb_error 6 Client not found in Kerberos database

what could be the cause for this error?

I found a note saying that this error happens if it is a Windows2008 DC.

As for the environment I set up, the DC is Windows 2003, and BOE is in Windows2008 server.

BTW, manual AD works OK.

Thanks

Accepted Solutions (0)

Answers (3)


Former Member
0 Kudos

Hello Tim,

Yes, I can log into other client tool such as Deski.

As you advised, I have revised my bsclogin with the debug option; however, I don't know where to look for the error details as you wrote. Could you give me more information on that?

Thank you.

Justine

BasicTek
Active Contributor
0 Kudos

Sorry, it's the boe\tomcat55\logs directory you want, the std.out; the username should show up as user@ DOMAIN.COM

If the domain is not in CAPS (matching the default domain in the krb5.ini) then make sure the value in the CMC > auth > AD > default domain is set to the same as the krb5.ini.

If you see another error let us know.

Regards,

Tim

Former Member
0 Kudos

I had this issue and it was due to the InfoViewApp application not starting. Tomcat would start fine; however, if you checked:

http://[server]:8080/manager/html

(after configuring tomcat-users.xml so you can login to the admin page)

...you could see that InfoViewApp was not started.

I reviewed my web.xml and changed the idm.princ from:

BOSSO/bossosvcacct.mydomain.com@M Y D O M A I N.COM // added some spaces, forum thinks it's an email address

to

BOSSO/bossosvcacct.mydomain.com

At this point InfoViewApp started working but SSO still doesn't work.

I get the following in stdout.log:


17-03-10 16:22:40:285 - {ERROR} [/InfoViewApp].[action] Thread [http-80-Processor24];  Servlet.service() for servlet action threw exception
java.lang.IllegalStateException
	at org.apache.catalina.connector.ResponseFacade.sendError(ResponseFacade.java:418)
	at javax.servlet.http.HttpServletResponseWrapper.sendError(HttpServletResponseWrapper.java:117)
	at com.businessobjects.sdk.credential.WrappedServletResponse.sendError(WrappedServletResponse.java:30)
	at com.wedgetail.idm.sso.AbstractAuthenticator.setUnauthorizedResponse(AbstractAuthenticator.java:1328)
	at com.wedgetail.idm.sso.MechChecker.authenticate(MechChecker.java:144)
	at com.wedgetail.idm.sso.AbstractAuthenticator.authenticate(AbstractAuthenticator.java:1060)
	at com.wedgetail.idm.sso.AbstractAuthenticator.authenticateServiceTicket(AbstractAuthenticator.java:998)
	at com.wedgetail.idm.sso.AbstractAuthenticator.checkAuthentication(AbstractAuthenticator.java:953)
	at com.wedgetail.idm.sso.AuthFilter.doFilter(AuthFilter.java:122)
	at com.businessobjects.sdk.credential.WrappedResponseAuthFilter.doFilter(WrappedResponseAuthFilter.java:66)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:202)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)
	at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:213)
	at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:178)
	at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:126)
	at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:105)
	at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:107)
	at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:148)
	at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:869)
	at org.apache.coyote.http11.Http11BaseProtocol$Http11ConnectionHandler.processConnection(Http11BaseProtocol.java:664)
	at org.apache.tomcat.util.net.PoolTcpEndpoint.processSocket(PoolTcpEndpoint.java:527)
	at org.apache.tomcat.util.net.LeaderFollowerWorkerThread.runIt(LeaderFollowerWorkerThread.java:80)
	at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:684)
	at java.lang.Thread.run(Thread.java:595)

Edited by: Kevin Lee on Mar 18, 2010 12:32 AM


BasicTek
Active Contributor
0 Kudos

You should start a new thread, as the original one here was about manual logon. There doesn't seem to be much help in the logs. Also check the tomcat log.

Regards,

Tim

Former Member
0 Kudos

Hi Tim,

I have the same problem in our deployment. We created user and SPN as you mention in your manual "Configuring vintela SSO... - complete expert edition"

Manual AD authentication works with no problem but SSO not. In stdout.log we have an error "18-03-10 11:58:11:303 - [/InfoViewApp].[action] Thread [http-8080-Processor23]; Servlet.service() for servlet action threw exception

java.lang.IllegalStateException ....." and so on.

We have BOE 3.1 + SP2 + fix pack 2.5 and integration kit for SAP (same patch level). => [at customer site]

In the test environment in our company (different AD and BO Edge installation) SSO works perfectly with no problem. I found out that the web.xml files are different... (no SAP int. kit installation)

Tim how to troubleshoot this problem?

Thank you for reply!

Regards,

Gregor

Former Member
0 Kudos

Hi Tim,

Problem solved!

Problem was with CLASSPATH. When we installed SAP integration Kit we created folder c:\Program Files\Business Objects\Tomcat55\common\lib and pasted the Sapco.jar file. I copied other jar files from c:\Program Files\Business Objects\Tomcat55\shared\lib into this folder and SSO works from other clients.

Best regards,

Gregor

Former Member
0 Kudos

Hello Tim,

Thank you for the advice.

There is some improvement.

Now, when I execute the kinit.exe, I got this message,

New ticket is stored in cache file C:\Users\Administrator\krb5cc_s01a004bo01admin

However, when I tried to access the InfoView, I got this message,

type:Status Report

Message: /InfoViewApp/logon.jsp

Description: The requested resource (/InfoViewApp/logon.jsp) is not available.

Any suggestion?

Thank you.

BasicTek
Active Contributor
0 Kudos

Can you login to client tools?

If so make sure your bsclogin has the following debug option

com.businessobjects.security.jgss.initiate {
    com.sun.security.auth.module.Krb5LoginModule required debug=true;
};

If you have to add it then restart tomcat. After the restart you should be able to see the user logon attempt and corresponding error, but remember, only if client tools (deski, designer, crystal) can login with AD. If client tools fail then your AD config, most likely the service account, needs to be checked.

Regards,

Tim

BasicTek
Active Contributor
0 Kudos

Client not found in Kerberos database means username not found. It indicates that a KDC was found and the username does not exist. In the case of 2008 DCs and the vintela service account UPN it is caused by a bug on Microsoft OS. Other possible causes: user entered in domain\user format, typo, duplicate UPN. Whatever you entered before the username @REALM.COM represents how the user is submitted when performing kinit. If you search your domain (REALM.COM) for the user logon name attribute (you can do this in mmc users and computers advanced search), it should return 0 results (and cause that error) or more than 2 (and also cause that error). If it returns 1 the only issue I have seen is the 2008 DC one.

Also when searching notes use client not found in kerberos database, I know there are more notes out there.

Regards,

Tim
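
The checks described in the reply above (name typed in domain\user form, realm not matching the krb5.ini default, and a user logon name search returning zero or several accounts), as an added Python example that is not part of the original thread. The directory list, the realm EXAMPLE.COM and the function name `triage_principal` are assumptions made up for illustration; UPN comparison is treated as case-insensitive.

```python
# Added illustration, not code from the thread or from the product.
# SAMPLE_UPNS is a constructed stand-in for an export of the
# userPrincipalName (user logon name) attribute from the domain.
SAMPLE_UPNS = [
    "alice@EXAMPLE.COM",
    "BOSSO/bossosvcacct.example.com@EXAMPLE.COM",
    "bob@EXAMPLE.COM",
    "Bob@example.com",   # constructed duplicate of bob (differs only in case)
]


def triage_principal(principal, default_realm, upns=SAMPLE_UPNS):
    """Classify a name as typed into kinit using the checks from the thread.

    default_realm is the default realm from krb5.ini (hypothetical value here).
    Returns a short tag: 'domain-backslash-format', 'realm-mismatch',
    'no-match', 'duplicate-upn' or 'single-match'.
    """
    principal = principal.strip()

    # domain\user is not a Kerberos principal; it must be user@REALM.
    if "\\" in principal:
        return "domain-backslash-format"

    # Split on the last '@' so service-style names with '/' and dots survive.
    name, sep, realm = principal.rpartition("@")
    if not sep:
        # No realm typed: the default realm is appended.
        name, realm = principal, default_realm

    # The realm must match krb5.ini exactly, including upper case.
    if realm != default_realm:
        return "realm-mismatch"

    # Count accounts carrying this logon name: 0 or more than 1 is a problem.
    wanted = (name + "@" + realm).lower()
    hits = sum(1 for upn in upns if upn.lower() == wanted)
    if hits == 0:
        return "no-match"
    if hits > 1:
        return "duplicate-upn"
    return "single-match"


if __name__ == "__main__":
    for typed in ["EXAMPLE\\bob", "alice", "bob@EXAMPLE.COM", "carol@EXAMPLE.COM"]:
        print(typed, "->", triage_principal(typed, "EXAMPLE.COM"))
```
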