on 10-06-2009 5:04 PM
I'm using Windows AD and Tomcat and I seem to be stuck trying to get authentication to work properly.
I'm running Windows 2003 Server and I've created the krb5.ini and bscLogin.conf files and placed them in the C:\WINDOWS directory.
krb5.ini
[libdefaults]
default_realm = ECM-INC.COM
dns_lookup_kdc = true
dns_lookup_realm = true
[realms]
ECM-INC.COM = {
kdc=ECM-ADC.ECM-INC.COM
default_domain=ECM-INC.COM
}
bscLogin.conf
com.businessobjects.security.jgss.initiate {
com.sun.security.auth.module.Krb5LoginModule required debug=true;
};
I've added the following lines to the Java options within the Tomcat configuration
-Djava.security.auth.login.config=C:\WINDOWS\bscLogin.conf
-Djava.security.krb5.conf=C:\WINDOWS\krb5.ini
I've edited the web.xml file within C:\Program Files\Business Objects\Tomcat55\webapps\InfoViewApp\WEB-INF so that the Windows AD option is available when logging into infoview.
However when I try to login I receive the "# Account Information Not Recognized: Active Directory Authentication failed to log you on. Please contact your system administrator to make sure you are a member of a valid mapped group and try again. If you are not a member of the default domain, enter your user name as UserName@DNS_DomainName, and then try again." error
When I check the tomcat log I see the following error...
<log4j:event logger="com.crystaldecisions.sdk.plugin.authentication.ldap.internal.SecWinADAuthentication" timestamp="1254843473740" level="ERROR" thread="http-8080-Processor23">
<log4j:message><![CDATA[Authentication failed. Cannot get kdc for realm ECM-INC.COM
]]>
I've basically mirrored the installation of a server I did a few days prior and that one works and this one doesn't:( Any suggestions on what I might be missing?
The name of the domain controller is ECM-ADC, I can ping it by name and ip, nslookup returns the appropriate response as well.
Here is the response of the kinit command
C:\Program Files\Business Objects\javasdk\bin>kinit bosso
Password for bosso&ECM-INC.COM:########
Exception: krb_error 0 Cannot get kdc for realm ECM-INC.COM No error
KrbException: Cannot get kdc for realm ECM-INC.COM
at sun.security.krb5.KrbKdcReq.send(KrbKdcReq.java:133)
at sun.security.krb5.KrbKdcReq.send(KrbKdcReq.java:106)
at sun.security.krb5.internal.tools.Kinit.sendASRequest(Kinit.java:300)
at sun.security.krb5.internal.tools.Kinit.<init>(Kinit.java:239)
at sun.security.krb5.internal.tools.Kinit.main(Kinit.java:106)
substitute the & for a @
When you say the set command are you referring to the setspn command or am I missing something?
Hi Tim,
I am getting the following error. I have a case in with SAP but have not received a response. I noticed that you are an SAP employee; is it possible to get you involved with my case? Either way, below is the error I'm getting.
C:\Program Files (x86)\Business Objects\javasdk\bin>kinit.exe CHI\biadauth
Password for CHI\biadauth@CHI.CHICORP:######
Exception: krb_error 6 Client not found in Kerberos database (6) Client not foun
d in Kerberos database
KrbException: Client not found in Kerberos database (6)
at sun.security.krb5.KrbAsRep.<init>(KrbAsRep.java:66)
at sun.security.krb5.KrbAsReq.getReply(KrbAsReq.java:486)
at sun.security.krb5.KrbAsReq.getReply(KrbAsReq.java:444)
at sun.security.krb5.internal.tools.Kinit.sendASRequest(Kinit.java:310)
at sun.security.krb5.internal.tools.Kinit.<init>(Kinit.java:239)
at sun.security.krb5.internal.tools.Kinit.main(Kinit.java:106)
Caused by: KrbException: Identifier doesn't match expected value (906)
at sun.security.krb5.internal.KDCRep.init(KDCRep.java:133)
at sun.security.krb5.internal.ASRep.init(ASRep.java:58)
at sun.security.krb5.internal.ASRep.<init>(ASRep.java:53)
at sun.security.krb5.KrbAsRep.<init>(KrbAsRep.java:50)
... 5 more
A little bit of background on this. We use a single-label domain with multiple forests and multiple domains in those forests. I realize that the kinit.exe tool only tests a single domain, so I picked out only one domain to test with, but I still get the error above. Any thoughts?
Thanks,
Tammy
I am having a similar problem. This is my Krb5.ini:
[libdefaults]
default_realm = VMIHQ.LOCAL
dns_lookup_kdc = true
dns_lookup_realm = true
[realms]
VMIHQ.LOCAL = {
default_domain = VMIHQ.LOCAL
kdc = CORP-DOM2.VMIHQ.LOCAL
}
I keep getting "Cannot Get KDC for Realm vmihq.local"
Ideas?
I'm using "kinit" to check and it throws me an error
C:\Program Files\Business Objects\javasdk\bin>kinit #boserver2
Password for #boserver2 at DOMAINNAME.INT:password
Exception: krb_error 6 Client not found in Kerberos database (6) Client not foun
d in Kerberos database
KrbException: Client not found in Kerberos database (6)
at sun.security.krb5.KrbAsRep.<init>(KrbAsRep.java:66)
at sun.security.krb5.KrbAsReq.getReply(KrbAsReq.java:486)
at sun.security.krb5.KrbAsReq.getReply(KrbAsReq.java:444)
at sun.security.krb5.internal.tools.Kinit.sendASRequest(Kinit.java:310)
at sun.security.krb5.internal.tools.Kinit.<init>(Kinit.java:239)
at sun.security.krb5.internal.tools.Kinit.main(Kinit.java:106)
Caused by: KrbException: Identifier doesn't match expected value (906)
at sun.security.krb5.internal.KDCRep.init(KDCRep.java:133)
at sun.security.krb5.internal.ASRep.init(ASRep.java:58)
at sun.security.krb5.internal.ASRep.<init>(ASRep.java:53)
at sun.security.krb5.KrbAsRep.<init>(KrbAsRep.java:50)
... 5 more
Is there anything that I'm doing wrong?
Thanks!
"Client not found in Kerberos database" is a completely different error indicating an incorrect username. This also indicates the KDC (previous error) was actually found. Are you using 2008 DC's? I need to see the format the user is being entered in by kinit (user@ REALM.COM should be displayed on the screen after you hit enter).
Regards,
Tim
Thanks for your response.
It is REALMS (it was a typo in that previous post)
CAPS did not make any difference...
Any other suggestions??
my Krb5.ini says
libdefaults
default_realm = domainname.int
dns_lookup_kdc = true
dns_lookup_realm = true
udp_preference_limit = 1
ralms
domainname.int = {
kdc = domaincontroller.domainname.int
default_domain = domainname.int
}
Do you see anything wrong with this?
Thanks!
Hi Tim
std.out log show the following for me
[Krb5Loginmodule] user entered username: userloginname at domainname.int
[Krb5Loginmodule] authentication failed cannot get kdc realm domainname.int
Can you please help?
I'm stuck here for a long time....
Thanks!
Thanks a bunch that did the trick, I'm now able to log into cmc and infoview as well.
There is something missing from the log file that I need to see. When a user logs in you should see what was submitted in the std.out (since you have enabled JDK tracing with debug=true in the bsclogin.conf)
"Cannot get kdc for realm ECM-INC.COM"
Without seeing the entire error message, it seems that Java cannot communicate with the KDC you have defined under the ECM-INC.COM realm (this would be the suspect KDC ECM-ADC.ECM-INC.COM). Can you ping it? Is it a domain controller? Is the global catalog enabled?
Run the set command from a DOS window and try replacing that ECM-ADC part with the value in the logon server (all CAPS).
Also verify the problem exists by typing BOinstall\javasdk\bin\kinit username
Regards,
Tim
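A small linter for the krb5.ini layout posted in this thread, as an added example that is not part of any post or of the product: it flags unbracketed or misspelled section headers, a default_realm with no matching [realms] block or kdc entry, and a realm not written in upper case. The function name, the rule set and the sample files are assumptions constructed for illustration.

```python
import re

KNOWN_SECTIONS = {"libdefaults", "realms", "domain_realm", "appdefaults", "capaths", "logging"}

def lint_krb5(text):
    """Lint a krb5.ini-style file: [section] headers, key = value lines, REALM = { ... } blocks."""
    findings, section, realm = [], None, None
    libdefaults, kdcs = {}, {}
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            section, realm = header.group(1).lower(), None
            if section not in KNOWN_SECTIONS:
                findings.append(f"line {n}: unknown section [{section}]")
            continue
        block = re.fullmatch(r"(\S+)\s*=\s*\{", line)
        if block and section == "realms":
            realm = block.group(1)          # start of a realm block
            kdcs[realm] = []
        elif line == "}":
            realm = None
        elif "=" not in line:
            findings.append(f"line {n}: '{line}' is neither a [section] header nor key = value")
        else:
            key, value = (part.strip() for part in line.split("=", 1))
            if section == "libdefaults":
                libdefaults[key] = value
            elif section == "realms" and realm and key == "kdc":
                kdcs[realm].append(value)
    default = libdefaults.get("default_realm")
    if not default:
        findings.append("no default_realm found under a [libdefaults] header")
        return findings
    if default != default.upper():
        findings.append(f"default_realm '{default}' is not upper case")
    if default not in kdcs:
        findings.append(f"no [realms] block named '{default}' (realm names are case-sensitive)")
    elif not kdcs[default]:
        findings.append(f"realm '{default}' has no kdc entry")
    return findings

# Constructed sample files (not copied from any post).
GOOD = "[libdefaults]\ndefault_realm = EXAMPLE.COM\n[realms]\nEXAMPLE.COM = {\nkdc = DC1.EXAMPLE.COM\n}\n"
BAD = "libdefaults\ndefault_realm = example.int\n[ralms]\nexample.int = {\nkdc = dc1.example.int\n}\n"

if __name__ == "__main__":
    for finding in lint_krb5(BAD):
        print(finding)
```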