Authentication failed. Cannot get kdc for realm

Former Member
0 Kudos

I'm using windows AD and tomcat and I seem to be stuck trying to get authentication to work properly.

I'm running windows 2003 server and I've created the krb5.ini and bscLogin.conf files and placed them in the C:\WINDOWS directory.

krb5.ini

[libdefaults]
    default_realm = ECM-INC.COM
    dns_lookup_kdc = true
    dns_lookup_realm = true
 [realms]
ECM-INC.COM = {
    kdc=ECM-ADC.ECM-INC.COM
    default_domain=ECM-INC.COM
}

bscLogin.conf

com.businessobjects.security.jgss.initiate {
com.sun.security.auth.module.Krb5LoginModule required debug=true;
};

I've added the following lines to the Java options within the Tomcat configuration:

-Djava.security.auth.login.config=C:\WINDOWS\bscLogin.conf
-Djava.security.krb5.conf=C:\WINDOWS\krb5.ini

I've edited the web.xml file within C:\Program Files\Business Objects\Tomcat55\webapps\InfoViewApp\WEB-INF so that the Windows AD option is available when logging into infoview.

However, when I try to log in I receive the following error: "Account Information Not Recognized: Active Directory Authentication failed to log you on. Please contact your system administrator to make sure you are a member of a valid mapped group and try again. If you are not a member of the default domain, enter your user name as UserName@DNS_DomainName, and then try again."

When I check the Tomcat log I see the following error:

<log4j:event logger="com.crystaldecisions.sdk.plugin.authentication.ldap.internal.SecWinADAuthentication" timestamp="1254843473740" level="ERROR" thread="http-8080-Processor23">
<log4j:message><![CDATA[Authentication failed. Cannot get kdc for realm ECM-INC.COM
]]>

I've basically mirrored the installation of a server I did a few days prior; that one works and this one doesn't :( Any suggestions on what I might be missing?

Accepted Solutions (1)

Former Member
0 Kudos

The name of the domain controller is ECM-ADC, I can ping it by name and ip, nslookup returns the appropriate response as well.

Here is the response of the kinit command:

C:\Program Files\Business Objects\javasdk\bin>kinit bosso
Password for bosso&ECM-INC.COM:########
Exception: krb_error 0 Cannot get kdc for realm ECM-INC.COM No error
KrbException: Cannot get kdc for realm ECM-INC.COM
        at sun.security.krb5.KrbKdcReq.send(KrbKdcReq.java:133)
        at sun.security.krb5.KrbKdcReq.send(KrbKdcReq.java:106)
        at sun.security.krb5.internal.tools.Kinit.sendASRequest(Kinit.java:300)
        at sun.security.krb5.internal.tools.Kinit.<init>(Kinit.java:239)
        at sun.security.krb5.internal.tools.Kinit.main(Kinit.java:106)

Substitute the & for a @.

When you say the set command, are you referring to the setspn command, or am I missing something?

BasicTek
Advisor
0 Kudos

OK, I see the problem: you need spaces in your krb5.ini.

Try this:

[libdefaults]
    default_realm = ECM-INC.COM
    dns_lookup_kdc = true
    dns_lookup_realm = true
    udp_preference_limit = 1
 [realms]
ECM-INC.COM = {
    kdc = ECM-ADC.ECM-INC.COM
    default_domain = ECM-INC.COM
}

Regards,

Tim

Former Member
0 Kudos

This solved the problem I had been having for a few weeks. Thanks a ton, Tim.

Answers (8)
Former Member
0 Kudos

Hi Tim,

I am getting the following error. I have a case in with SAP but have not received a response. I noticed that you are an SAP employee; is it possible to get you involved with my case? Either way, below is the error I'm getting.

C:\Program Files (x86)\Business Objects\javasdk\bin>kinit.exe CHI\biadauth
Password for CHI\biadauth@CHI.CHICORP:######
Exception: krb_error 6 Client not found in Kerberos database (6) Client not found in Kerberos database
KrbException: Client not found in Kerberos database (6)
        at sun.security.krb5.KrbAsRep.<init>(KrbAsRep.java:66)
        at sun.security.krb5.KrbAsReq.getReply(KrbAsReq.java:486)
        at sun.security.krb5.KrbAsReq.getReply(KrbAsReq.java:444)
        at sun.security.krb5.internal.tools.Kinit.sendASRequest(Kinit.java:310)
        at sun.security.krb5.internal.tools.Kinit.<init>(Kinit.java:239)
        at sun.security.krb5.internal.tools.Kinit.main(Kinit.java:106)
Caused by: KrbException: Identifier doesn't match expected value (906)
        at sun.security.krb5.internal.KDCRep.init(KDCRep.java:133)
        at sun.security.krb5.internal.ASRep.init(ASRep.java:58)
        at sun.security.krb5.internal.ASRep.<init>(ASRep.java:53)
        at sun.security.krb5.KrbAsRep.<init>(KrbAsRep.java:50)
        ... 5 more

A little bit of background on this. We use a single-label domain with multiple forests and multiple domains in those forests. I realize that the kinit.exe tool only tests a single domain, so I picked out only one domain to test with, but I still get the error above. Any thoughts?

Thanks,

Tammy

Former Member
0 Kudos

I am having a similar problem. This is my krb5.ini:

[libdefaults]
    default_realm = VMIHQ.LOCAL
    dns_lookup_kdc = true
    dns_lookup_realm = true
[realms]
VMIHQ.LOCAL = {
    default_domain = VMIHQ.LOCAL
    kdc = CORP-DOM2.VMIHQ.LOCAL
}

I keep getting "Cannot Get KDC for Realm vmihq.local".

Ideas?

Former Member
0 Kudos

I'm using "kinit" to check and it throws me an error:

C:\Program Files\Business Objects\javasdk\bin>kinit #boserver2
Password for #boserver2 at DOMAINNAME.INT:password
Exception: krb_error 6 Client not found in Kerberos database (6) Client not found in Kerberos database
KrbException: Client not found in Kerberos database (6)
        at sun.security.krb5.KrbAsRep.<init>(KrbAsRep.java:66)
        at sun.security.krb5.KrbAsReq.getReply(KrbAsReq.java:486)
        at sun.security.krb5.KrbAsReq.getReply(KrbAsReq.java:444)
        at sun.security.krb5.internal.tools.Kinit.sendASRequest(Kinit.java:310)
        at sun.security.krb5.internal.tools.Kinit.<init>(Kinit.java:239)
        at sun.security.krb5.internal.tools.Kinit.main(Kinit.java:106)
Caused by: KrbException: Identifier doesn't match expected value (906)
        at sun.security.krb5.internal.KDCRep.init(KDCRep.java:133)
        at sun.security.krb5.internal.ASRep.init(ASRep.java:58)
        at sun.security.krb5.internal.ASRep.<init>(ASRep.java:53)
        at sun.security.krb5.KrbAsRep.<init>(KrbAsRep.java:50)
        ... 5 more

Is there anything that I'm doing wrong?

Thanks!

BasicTek
Advisor
0 Kudos

"Client not found in Kerberos database" is a completely different error, indicating an incorrect username. This also indicates the KDC (previous error) was actually found. Are you using 2008 DCs? I need to see the format the user is being entered in by kinit (user@ REALM.COM should be displayed on the screen after you hit enter).

Regards,

Tim

Former Member
0 Kudos

Thanks for your response.

It is REALMS (it was a typo in that previous post).

CAPS did not make any difference...

Any other suggestions?

Former Member
0 Kudos

My krb5.ini says:

libdefaults
default_realm = domainname.int
dns_lookup_kdc = true
dns_lookup_realm = true
udp_preference_limit = 1
ralms
domainname.int = {
kdc = domaincontroller.domainname.int
default_domain = domainname.int
}

Do you see anything wrong with this?

Thanks!

BasicTek
Advisor
0 Kudos

Is that REALMS or ralms? Also, all domain info should always be in ALL CAPS, both in the krb5.ini and when entered for the user.
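The mistakes Tim's replies point at (the accepted answer's missing spaces around "=", the unbracketed or misspelled section names in the krb5.ini just above, lower-case realm names, and a default realm with no reachable KDC entry) are all visible in the file itself. As an added example, not code from this thread or from SAP/BusinessObjects, the following Python lint checks a krb5.ini body for exactly those forms before anyone restarts Tomcat; the sample configurations embedded in it are constructed to mirror the ones posted, and the rules it enforces are the ones the thread states rather than a general krb5.ini grammar.

```python
"""Added example: lint a krb5.ini body for the mistakes raised in this thread.
Rules and sample inputs are constructed from the thread, not a full krb5 grammar."""
import difflib
import re

# Section names commonly found in a krb5.ini (MIT / Java krb5 conventions).
KNOWN_SECTIONS = ("libdefaults", "realms", "domain_realm", "logging", "appdefaults", "capaths")

ASSIGN_RE = re.compile(r"^\s*([A-Za-z0-9_.-]+)\s*=\s*(.*?)\s*$")   # any key=value line
SPACED_RE = re.compile(r"^\s*[A-Za-z0-9_.-]+ = ")                  # the form the accepted answer uses
REALM_BLOCK_RE = re.compile(r"^\s*([^\s=]+)\s*=\s*\{\s*$")           # REALM = {


def lint_krb5_ini(text):
    """Return a list of (line_number, message); 0 marks whole-file findings."""
    findings, realms = [], {}          # realm name -> keys seen inside its block
    section = current_realm = default_realm = None
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("["):                        # bracketed section header
            if not line.endswith("]"):
                findings.append((lineno, f"unterminated section header: {line!r}"))
                continue
            section, current_realm = line[1:-1].strip(), None
            if section not in KNOWN_SECTIONS:
                close = difflib.get_close_matches(section, KNOWN_SECTIONS, n=1)
                hint = f" (did you mean [{close[0]}]?)" if close else ""
                findings.append((lineno, f"unknown section [{section}]{hint}"))
            continue
        if line == "}":
            current_realm = None
            continue
        if "=" not in line:                             # bare word: a header that lost its brackets?
            close = difflib.get_close_matches(line.lower(), KNOWN_SECTIONS, n=1, cutoff=0.7)
            if close:
                findings.append((lineno, f"section name {line!r} is not bracketed; expected [{close[0]}]"))
                section, current_realm = close[0], None
            else:
                findings.append((lineno, f"unrecognised line: {line!r}"))
            continue
        m = REALM_BLOCK_RE.match(line)
        if m and section == "realms":
            current_realm = m.group(1)
            realms[current_realm] = set()
            if current_realm != current_realm.upper():
                findings.append((lineno, f"realm {current_realm!r} should be ALL CAPS"))
            continue
        m = ASSIGN_RE.match(line)
        if not m:
            findings.append((lineno, f"unrecognised line: {line!r}"))
            continue
        key, value = m.group(1), m.group(2)
        if not SPACED_RE.match(raw):                    # the accepted answer's fix: spaces around '='
            findings.append((lineno, f"'{key}' assignment lacks spaces around '='"))
        if section == "libdefaults" and key == "default_realm":
            default_realm = value
            if value != value.upper():
                findings.append((lineno, f"default_realm {value!r} should be ALL CAPS"))
        if current_realm is not None:
            realms[current_realm].add(key)
    if default_realm is not None:                       # the realm we will ask a KDC for must be defined
        keys = realms.get(default_realm)
        if keys is None:
            findings.append((0, f"default_realm {default_realm!r} has no [realms] entry"))
        elif "kdc" not in keys:
            findings.append((0, f"[realms] entry {default_realm!r} defines no kdc"))
    return findings


# Constructed samples mirroring the thread's postings.
UNSPACED_INI = """[libdefaults]
    default_realm = ECM-INC.COM
    dns_lookup_kdc = true
    dns_lookup_realm = true
 [realms]
ECM-INC.COM = {
    kdc=ECM-ADC.ECM-INC.COM
    default_domain=ECM-INC.COM
}
"""
FIXED_INI = UNSPACED_INI.replace("kdc=", "kdc = ").replace("default_domain=", "default_domain = ")
UNBRACKETED_LOWERCASE_INI = """libdefaults
default_realm = domainname.int
udp_preference_limit = 1
ralms
domainname.int = {
kdc = domaincontroller.domainname.int
}
"""

if __name__ == "__main__":
    for name, body in (("unspaced", UNSPACED_INI), ("fixed", FIXED_INI), ("unbracketed", UNBRACKETED_LOWERCASE_INI)):
        print(name, lint_krb5_ini(body) or "OK")
```

Run it against the real C:\WINDOWS\krb5.ini (open the file and pass its contents to lint_krb5_ini) after every edit; the whole-file findings with line number 0 are the ones that surface as "Cannot get kdc for realm" only after Tomcat restarts, so catching them here saves a restart cycle.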

Former Member
0 Kudos

Hi Tim,

The std.out log shows the following for me:

[Krb5Loginmodule] user entered username: userloginname at domainname.int

[Krb5Loginmodule] authentication failed cannot get kdc realm domainname.int

Can you please help?

I've been stuck here for a long time....

Thanks!

Former Member
0 Kudos

Thanks a bunch, that did the trick. I'm now able to log into CMC and InfoView as well.

BasicTek
Advisor
0 Kudos

There is something missing from the log file that I need to see. When a user logs in, you should see what was submitted in the std.out (since you have enabled JDK tracing with debug=true in the bscLogin.conf).

"Cannot get kdc for realm ECM-INC.COM"

Without seeing the entire error message, it seems that Java cannot communicate with the KDC you have defined under the ECM-INC.COM realm (this would be the suspect KDC, ECM-ADC.ECM-INC.COM). Can you ping it? Is it a domain controller? Is the global catalog enabled?

Run the set command from a DOS window and try replacing that ECM-ADC part with the value in the logon server (all CAPS).

Also verify the problem exists by typing BOinstall\javasdk\bin\kinit username

Regards,

Tim