
SSO with BO XI 3.1 SP2 - All Client apps work fine, but InfoView fails

Former Member
0 Kudos

BO Experts,

I have a problem getting the SSO for Java InfoView in a 3.1 SP2 environment (Tomcat version: 5.5.20) to work.

I followed Tim Ziemba's guide "Configuring Vintela SSO in dist.environment" and got to the point where all logs look fine, but the last step - SSO with InfoView - fails.

Starting Designer DeskI and clicking OK without entering login data works fine.

I activated debug=true in the bscLogin.conf and kerberos logging and also set the following options in Tomcat Java tab:

Dcom.wedgetail.idm.sso.password Djcsi.kerberos.maxpacketsize Djcsi.kerberos.debug

The log file contains credentials obtained for the SPN.

Do not see the user name populated with AD SSO. If I login with AD as login method, the log contains the proper credentials and a 'commit succeeded'. Manual AD login works from clients on the server and elsewhere.

shows 3 tickets for the user initial flag, 1 krbtgt for the user, and 1 HTTP SPN for the URL in which Vintela SSO was attempted. But SSO is not successful in the browser; we get the following error:

Account information not recognized: Active Directory Authentication failed to log you on. Please contact your system administrator to make sure you are a member of a valid mapped group and try again. If you are not a member of the default domain, enter your user name as UserName@DNS_DomainName and then try again. (FWM 00006)

Please provide us a resolution.

Thanks

Chandhu

In tomcat.log and stdout.log we see the following error:

InfoViewApp Thread [http-8000-Processor23] for action threw exception java.lang.IllegalStateException

ResponseFacade.sendError(ResponseFacade

at javax.servlet.http.HttpServletResponseWrapper.sendError(HttpServletResponseWrapper.java:117)

com.businessobjects.sdk.credential.WrappedServletResponse.sendError(WrappedServletResponse.java:30)

at com.wedgetail.idm.sso.AbstractAuthenticator.setUnauthorizedResponse(AbstractAuthenticator.java:1328)

Accepted Solutions (0)

Answers (3)


Former Member
0 Kudos

Thanks Tim for the reply. Yes I am using the exact same user from the exact same domain. Please see the tomcat log and stdout.log I attached earlier.

-Chandhu

BasicTek
Active Contributor
0 Kudos

The tomcat log does not log the username from SSO attempts (only manual), but that error is very specific. Are you sure you are receiving it after an SSO attempt?

According to your post (which I had to edit the HTML out to get it to show the whole thread) SSO is occurring properly but the user that is attempting SSO is not a member of a mapped group. Try purging your tickets (right click kerb tray) and SSO again. Is this happening for multiple workstations?

Regards,

Tim

Former Member
0 Kudos

Thanks Tim for the reply. Yes we are receiving the error after an SSO attempt. We tried with multiple user ids who are part of the mapped group.

We tried it multiple times after purging the tickets. This is happening for multiple workstations. I am also attaching the jce_verbose log.

-Chandhu

at com.crystaldecisions.sdk.plugin.authentication.secwinad.internal.SecWinADError.ThrowException(SecWinADError.java:46)

at com.crystaldecisions.sdk.plugin.authentication.secwinad.internal.SecWinADAuthentication.startKerbLogin(SecWinADAuthentication.java:294)

at com.crystaldecisions.sdk.plugin.authentication.secwinad.internal.SecWinADAuthentication.startLogin(SecWinADAuthentication.java:152)

at com.crystaldecisions.sdk.occa.security.internal.LogonService.doLogon(LogonService.java:337)

at com.crystaldecisions.sdk.occa.security.internal.LogonService.doUserLogon(LogonService.java:684)

at com.crystaldecisions.sdk.occa.security.internal.LogonService.userLogon(LogonService.java:629)

at com.crystaldecisions.sdk.occa.security.internal.SecurityMgr.userLogon(SecurityMgr.java:223)

at com.crystaldecisions.sdk.framework.internal.SessionMgr.logonEx(SessionMgr.java:678)

at com.businessobjects.clientaction.shared.logon.LogonUtils.logon(LogonUtils.java:85)

at com.businessobjects.clientaction.shared.logon.LogonAction.singleSignOn(LogonAction.java:334)

at com.businessobjects.clientaction.partner.shared.logon.PartnerLogonAction.handleLogon(PartnerLogonAction.java:223)

at com.businessobjects.clientaction.partner.shared.logon.PartnerLogonAction.perform(PartnerLogonAction.java:399)

at org.apache.struts.action.ActionServlet.processActionPerform(ActionServlet.java:1787)

at org.apache.struts.action.ActionServlet.process(ActionServlet.java:1586)

at com.businessobjects.webutil.struts.CrystalUTF8InputActionServlet.process(CrystalUTF8InputActionServlet.java:32)

at org.apache.struts.action.ActionServlet.doPost(ActionServlet.java:510)

at javax.servlet.http.HttpServlet.service(HttpServlet.java:709)

at javax.servlet.http.HttpServlet.service(HttpServlet.java:802)

at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:252)

at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)

at com.businessobjects.webutil.websessiontimeout.WebSessionTimeoutFilter.doFilter(WebSessionTimeoutFilter.java:161)

at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:202)

at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)

at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:213)

at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:178)

at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:126)

at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:105)

at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:107)

at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:148)

at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:869)

at org.apache.coyote.http11.Http11BaseProtocol$Http11ConnectionHandler.processConnection(Http11BaseProtocol.java:664)

at org.apache.tomcat.util.net.PoolTcpEndpoint.processSocket(PoolTcpEndpoint.java:527)

at org.apache.tomcat.util.net.LeaderFollowerWorkerThread.runIt(LeaderFollowerWorkerThread.java:80)

at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:684)

at java.lang.Thread.run(Thread.java:595)

Caused by: javax.security.auth.login.LoginException: Generic error (description in e-text) (60)

at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:696)

at com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:542)

at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)

at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)

at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)

at java.lang.reflect.Method.invoke(Method.java:585)

at javax.security.auth.login.LoginContext.invoke(LoginContext.java:769)

at javax.security.auth.login.LoginContext.access$000(LoginContext.java:186)

at javax.security.auth.login.LoginContext$4.run(LoginContext.java:683)

at java.security.AccessController.doPrivileged(Native Method)

at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)

at javax.security.auth.login.LoginContext.login(LoginContext.java:579)

at com.crystaldecisions.sdk.plugin.authentication.secwinad.internal.SecWinADAuthentication.startKerbLogin(SecWinADAuthentication.java:291)

... 33 more

Caused by: KrbException: Generic error (description in e-text) (60)

at sun.security.krb5.KrbAsRep.<init>(KrbAsRep.java:66)

at sun.security.krb5.KrbAsReq.getReply(KrbAsReq.java:486)

at sun.security.krb5.Credentials.sendASRequest(Credentials.java:405)

at sun.security.krb5.Credentials.acquireTGT(Credentials.java:355)

at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:662)

... 45 more

Caused by: KrbException: Identifier doesn't match expected value (906)

at sun.security.krb5.internal.KDCRep.init(KDCRep.java:133)

at sun.security.krb5.internal.ASRep.init(ASRep.java:58)

at sun.security.krb5.internal.ASRep.<init>(ASRep.java:53)

at sun.security.krb5.KrbAsRep.<init>(KrbAsRep.java:50)

BasicTek
Active Contributor
0 Kudos

I've never seen errors quite like that before although they do look like something is wrong with the authentication plugin. It would be best to log a message for this in SMP as this may need to be escalated to our Developers.

Regards,

Tim

Former Member
0 Kudos

I have the same situation, but the confusing part is that the SSO works fine. But if you look at the stdout and tomcat log files, there are error messages like this:

07-12-09 14:08:39:233 - [/InfoViewApp].[action] Thread [http-8080-Processor25]; Servlet.service() for servlet action threw exception

java.lang.IllegalStateException

at org.apache.catalina.connector.ResponseFacade.sendError(ResponseFacade.java:418)

at javax.servlet.http.HttpServletResponseWrapper.sendError(HttpServletResponseWrapper.java:117)

at com.businessobjects.sdk.credential.WrappedServletResponse.sendError(WrappedServletResponse.java:30)

at com.wedgetail.idm.sso.AbstractAuthenticator.setUnauthorizedResponse(AbstractAuthenticator.java:1328)

at com.wedgetail.idm.sso.MechChecker.authenticate(MechChecker.java:144)

at com.wedgetail.idm.sso.AbstractAuthenticator.authenticate(AbstractAuthenticator.java:1060)

at com.wedgetail.idm.sso.AbstractAuthenticator.authenticateServiceTicket(AbstractAuthenticator.java:998)

at com.wedgetail.idm.sso.AbstractAuthenticator.checkAuthentication(AbstractAuthenticator.java:953)

at com.wedgetail.idm.sso.AuthFilter.doFilter(AuthFilter.java:122)

at com.businessobjects.sdk.credential.WrappedResponseAuthFilter.doFilter(WrappedResponseAuthFilter.java:66)

at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:202)

at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)

at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:213)

at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:178)

at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:126)

at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:105)

at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:107)

at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:148)

at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:869)

at org.apache.coyote.http11.Http11BaseProtocol$Http11ConnectionHandler.processConnection(Http11BaseProtocol.java:664)

at org.apache.tomcat.util.net.PoolTcpEndpoint.processSocket(PoolTcpEndpoint.java:527)

at org.apache.tomcat.util.net.LeaderFollowerWorkerThread.runIt(LeaderFollowerWorkerThread.java:80)

at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:684)

at java.lang.Thread.run(Thread.java:595)

This message appears every time a user logs in and logs out. I'm worried that we might have potential issues because of these errors.

Tim, if you have seen this error before, please let me know how to get rid of these errors.

Thanks,

Reddy

BasicTek
Active Contributor
0 Kudos

Those errors don't look related to authentication.

Former Member
0 Kudos

Problem resolved. Our AD account was using constrained delegation (company policy). According to SAP Support, with the current implementation (BOE 3.1 SP2) this is not possible with Vintela. After removing these restraints, InfoView SSO began functioning as expected.

According to SAP, updated Vintela libraries will be included in SP3, which is currently slated for Q2 release in 2010, and these will allow constrained delegation.

Thanks everyone for the replies.

-Chandhu
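An added example, not part of the original thread or of SAP's or Vintela's tooling: a small Python classifier that reads an exported attribute dump of service accounts and reports which delegation mode each one is in, the setting that turned out to matter above. The account names, SPNs and `userAccountControl` values in the sample are constructed; the flag bits and the `msDS-AllowedToDelegateTo` attribute are the standard Active Directory ones.

```python
# Added example. Account names, SPNs and values in SAMPLE are constructed.
UAC_TRUSTED_FOR_DELEGATION = 0x80000            # unconstrained delegation
UAC_TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # protocol transition allowed

SAMPLE = """\
dn: CN=svc-bo-sso,OU=Service,DC=example,DC=test
sAMAccountName: svc-bo-sso
userAccountControl: 66048
msDS-AllowedToDelegateTo: HTTP/bo-app.example.test
msDS-AllowedToDelegateTo: HTTP/bo-app

dn: CN=svc-bo-legacy,OU=Service,DC=example,DC=test
sAMAccountName: svc-bo-legacy
userAccountControl: 590336

dn: CN=svc-bo-plain,OU=Service,DC=example,DC=test
sAMAccountName: svc-bo-plain
userAccountControl: 66048
"""

def parse_entries(text):
    """Split an 'attr: value' dump into one dict of lists per blank-line-separated entry."""
    entries = []
    for block in text.strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            key, sep, value = line.partition(":")
            if sep and not line.startswith("#"):
                entry.setdefault(key.strip().lower(), []).append(value.strip())
        if entry:
            entries.append(entry)
    return entries

def delegation_mode(entry):
    """Return (mode, target SPNs) for one account entry."""
    uac = int(entry.get("useraccountcontrol", ["0"])[0])
    targets = entry.get("msds-allowedtodelegateto", [])
    if targets:  # an allow-list of SPNs is what makes delegation "constrained"
        t2a4d = bool(uac & UAC_TRUSTED_TO_AUTH_FOR_DELEGATION)
        return ("constrained+protocol-transition" if t2a4d else "constrained"), targets
    if uac & UAC_TRUSTED_FOR_DELEGATION:
        return "unconstrained", []
    return "none", []

def report(text):
    """Map sAMAccountName -> delegation mode for every entry in the dump."""
    return {e["samaccountname"][0]: delegation_mode(e)[0] for e in parse_entries(text)}

if __name__ == "__main__":
    for name, mode in report(SAMPLE).items():
        print(f"{name}: {mode}")
```

An account reported as `constrained` here is in the configuration that, per this thread, InfoView SSO on BOE 3.1 SP2 could not handle.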

BasicTek
Active Contributor
0 Kudos

Yep, I was told that was the issue. It's strange, as the error in XIR2 was java.lang.nullpointer, so that's why I didn't know by your logs. I have the escalation targeted for SP3, so that should be out around May 2010 hopefully.

regards,

Tim

BasicTek
Active Contributor
0 Kudos

If you are receiving this error for SSO "Account information not recognized: Active Directory Authentication failed to log you on. Please contact your system administrator to make sure you are a member of a valid mapped group and try again. If you are not a member of the default domain, enter your user name as UserName@DNS_DomainName and then try again" then it typically indicates the user logged into the workstation is not a member of a valid mapped group and an SSO attempt was made when you hit the URL. If you receive that error for manual logon then it could be anything, but you said that was working.

Are you sure the workstation was logged on with the exact same user from the exact same domain as you logged in manually with? "1 krbtgt for the user" should show the SSO'd username UPN, is that what you are able to successfully login with manually?

Regards,

Tim

Former Member
0 Kudos

The web.xml file under webapps/InfoView is not configured correctly.

Can you verify you have set all the necessary options for Vintela and SPN/Keytab definition etc?