on 11-23-2009 7:24 PM
BO Experts,
I have a problem getting the SSO for Java InfoView to work in a 3.1 SP2 environment (Tomcat version 5.5.20).
I followed Tim Ziemba's guide "Configuring Vintela SSO in dist. environment" and got to the point where all logs look fine, but the last step, SSO with InfoView, fails.
Starting Designer/DeskI and clicking OK without entering login data works fine.
I activated debug=true in bscLogin.conf and Kerberos logging, and also set the following options in the Tomcat Java tab:
-Dcom.wedgetail.idm.sso.password -Djcsi.kerberos.maxpacketsize -Djcsi.kerberos.debug
The log file contains the credentials obtained for the SPN.
I do not see the user name populated with AD SSO. If I log in with AD as the login method, the log contains the proper credentials and a 'commit succeeded'. Manual AD login works from clients on the server and elsewhere.
It shows 3 tickets for the user: the initial flag, 1 krbtgt for the user, and 1 HTTP SPN for the URL on which Vintela SSO was attempted. But SSO is not successful in the browser; we get the following error:
Account information not recognized: Active Directory Authentication failed to log you on. Please contact your system administrator to make sure you are a member of a valid mapped group and try again. If you are not a member of the default domain, enter your user name as UserName@DNS_DomainName and then try again. (FWM 00006)
Please provide us a resolution.
Thanks
Chandhu
In tomcat.log and stdout.log we see the following error:
InfoViewApp Thread [http-8000-Processor23] for action threw exception java.lang.IllegalStateException
ResponseFacade.sendError(ResponseFacade
at javax.servlet.http.HttpServletResponseWrapper.sendError(HttpServletResponseWrapper.java:117)
at com.businessobjects.sdk.credential.WrappedServletResponse.sendError(WrappedServletResponse.java:30)
at com.wedgetail.idm.sso.AbstractAuthenticator.setUnauthorizedResponse(AbstractAuthenticator.java:1328)
Thanks Tim for the reply. Yes I am using the exact same user from the exact same domain. Please see the tomcat log and stdout.log I attached earlier.
-Chandhu
The tomcat log does not log the username from SSO attempts (only manual), but that error is very specific, are you sure you are receiving it after an SSO attempt?
According to your post (which I had to edit the HTML out to get it to show the whole thread) SSO is occurring properly but the user that is attempting SSO is not a member of a mapped group. Try purging your tickets (right click kerb tray) and SSO again. Is this happening for multiple workstations?
Regards,
Tim
Thanks Tim for the reply. Yes, we are receiving the error after an SSO attempt. We tried with multiple user IDs who are part of the mapped group.
We tried it multiple times after purging the tickets. This is happening for multiple workstations. I am also attaching the jce_verbose log.
-Chandhu
at com.crystaldecisions.sdk.plugin.authentication.secwinad.internal.SecWinADError.ThrowException(SecWinADError.java:46)
at com.crystaldecisions.sdk.plugin.authentication.secwinad.internal.SecWinADAuthentication.startKerbLogin(SecWinADAuthentication.java:294)
at com.crystaldecisions.sdk.plugin.authentication.secwinad.internal.SecWinADAuthentication.startLogin(SecWinADAuthentication.java:152)
at com.crystaldecisions.sdk.occa.security.internal.LogonService.doLogon(LogonService.java:337)
at com.crystaldecisions.sdk.occa.security.internal.LogonService.doUserLogon(LogonService.java:684)
at com.crystaldecisions.sdk.occa.security.internal.LogonService.userLogon(LogonService.java:629)
at com.crystaldecisions.sdk.occa.security.internal.SecurityMgr.userLogon(SecurityMgr.java:223)
at com.crystaldecisions.sdk.framework.internal.SessionMgr.logonEx(SessionMgr.java:678)
at com.businessobjects.clientaction.shared.logon.LogonUtils.logon(LogonUtils.java:85)
at com.businessobjects.clientaction.shared.logon.LogonAction.singleSignOn(LogonAction.java:334)
at com.businessobjects.clientaction.partner.shared.logon.PartnerLogonAction.handleLogon(PartnerLogonAction.java:223)
at com.businessobjects.clientaction.partner.shared.logon.PartnerLogonAction.perform(PartnerLogonAction.java:399)
at org.apache.struts.action.ActionServlet.processActionPerform(ActionServlet.java:1787)
at org.apache.struts.action.ActionServlet.process(ActionServlet.java:1586)
at com.businessobjects.webutil.struts.CrystalUTF8InputActionServlet.process(CrystalUTF8InputActionServlet.java:32)
at org.apache.struts.action.ActionServlet.doPost(ActionServlet.java:510)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:709)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:802)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:252)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)
at com.businessobjects.webutil.websessiontimeout.WebSessionTimeoutFilter.doFilter(WebSessionTimeoutFilter.java:161)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:202)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:213)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:178)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:126)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:105)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:107)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:148)
at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:869)
at org.apache.coyote.http11.Http11BaseProtocol$Http11ConnectionHandler.processConnection(Http11BaseProtocol.java:664)
at org.apache.tomcat.util.net.PoolTcpEndpoint.processSocket(PoolTcpEndpoint.java:527)
at org.apache.tomcat.util.net.LeaderFollowerWorkerThread.runIt(LeaderFollowerWorkerThread.java:80)
at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:684)
at java.lang.Thread.run(Thread.java:595)
Caused by: javax.security.auth.login.LoginException: Generic error (description in e-text) (60)
at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:696)
at com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:542)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:585)
at javax.security.auth.login.LoginContext.invoke(LoginContext.java:769)
at javax.security.auth.login.LoginContext.access$000(LoginContext.java:186)
at javax.security.auth.login.LoginContext$4.run(LoginContext.java:683)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)
at javax.security.auth.login.LoginContext.login(LoginContext.java:579)
at com.crystaldecisions.sdk.plugin.authentication.secwinad.internal.SecWinADAuthentication.startKerbLogin(SecWinADAuthentication.java:291)
... 33 more
Caused by: KrbException: Generic error (description in e-text) (60)
at sun.security.krb5.KrbAsRep.<init>(KrbAsRep.java:66)
at sun.security.krb5.KrbAsReq.getReply(KrbAsReq.java:486)
at sun.security.krb5.Credentials.sendASRequest(Credentials.java:405)
at sun.security.krb5.Credentials.acquireTGT(Credentials.java:355)
at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:662)
... 45 more
Caused by: KrbException: Identifier doesn't match expected value (906)
at sun.security.krb5.internal.KDCRep.init(KDCRep.java:133)
at sun.security.krb5.internal.ASRep.init(ASRep.java:58)
at sun.security.krb5.internal.ASRep.<init>(ASRep.java:53)
at sun.security.krb5.KrbAsRep.<init>(KrbAsRep.java:50)
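The chained trace above ends in a KrbException with code 906 beneath two "Generic error (60)" wrappers; when triaging such logs, the last "Caused by:" is the one that carries the real reason, and the numeric code in parentheses is the JDK's Kerberos error constant. The Python script below is an added example, not code from this thread, from SAP or from the Vintela library: it parses a Java exception chain, reports the root cause with its first frame, and extracts the Kerberos error code. The sample trace is constructed from the frames posted in the thread plus a hypothetical top-level exception line (the thread's trace starts mid-way); the hint table maps 60 and 906 to their names in the JDK's sun.security.krb5.internal.Krb5 class.

```python
"""Triage a Java exception chain and surface the Kerberos root cause."""
import re
from typing import List, Dict, Optional

# Constructed sample: frames are taken from the thread's trace, the first line is a
# hypothetical top-level exception standing in for the part the thread did not show.
SAMPLE_TRACE = """\
com.example.LogonFailure: SSO logon failed
    at com.crystaldecisions.sdk.plugin.authentication.secwinad.internal.SecWinADAuthentication.startKerbLogin(SecWinADAuthentication.java:294)
    at com.crystaldecisions.sdk.occa.security.internal.LogonService.doLogon(LogonService.java:337)
Caused by: javax.security.auth.login.LoginException: Generic error (description in e-text) (60)
    at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:696)
    at com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:542)
    ... 33 more
Caused by: KrbException: Generic error (description in e-text) (60)
    at sun.security.krb5.KrbAsRep.<init>(KrbAsRep.java:66)
    at sun.security.krb5.KrbAsReq.getReply(KrbAsReq.java:486)
    ... 45 more
Caused by: KrbException: Identifier doesn't match expected value (906)
    at sun.security.krb5.internal.KDCRep.init(KDCRep.java:133)
    at sun.security.krb5.internal.ASRep.init(ASRep.java:58)
"""

FRAME_RE = re.compile(r"^\s*at\s+(?P<frame>\S+)")
ELIDED_RE = re.compile(r"^\s*\.\.\.\s*(?P<n>\d+)\s+more")
KRB_CODE_RE = re.compile(r"\((?P<code>\d+)\)\s*$")

# Names of the JDK Kerberos error constants seen in the thread.
KRB_ERROR_HINTS = {
    60: "KRB_ERR_GENERIC: a wrapper; the real reason is in the next 'Caused by'",
    906: "ASN_BAD_ID: the KDC reply was not the message the client expected",
}


def parse_exception_chain(trace: str) -> List[Dict]:
    """Return the exception chain in order: top-level first, root cause last."""
    chain: List[Dict] = []
    current: Optional[Dict] = None
    for raw in trace.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        is_cause = line.startswith("Caused by:")
        # A header line is either "Caused by: X: msg" or the very first line "X: msg".
        if is_cause or (current is None and not FRAME_RE.match(line) and not ELIDED_RE.match(line)):
            header = line[len("Caused by:"):].strip() if is_cause else line.strip()
            cls, _, msg = header.partition(": ")
            current = {"class": cls, "message": msg, "frames": [], "elided": 0}
            chain.append(current)
            continue
        frame = FRAME_RE.match(line)
        elided = ELIDED_RE.match(line)
        if frame and current is not None:
            current["frames"].append(frame.group("frame"))
        elif elided and current is not None:
            current["elided"] = int(elided.group("n"))
    return chain


def kerberos_code(message: str) -> Optional[int]:
    """Extract the trailing '(NNN)' error code the JDK appends to Kerberos messages."""
    m = KRB_CODE_RE.search(message)
    return int(m.group("code")) if m else None


def triage(trace: str) -> Dict:
    """Summarise the root cause of a chained trace for an operator."""
    chain = parse_exception_chain(trace)
    if not chain:
        return {"depth": 0, "root_class": None, "root_message": None,
                "root_frame": None, "krb_code": None, "hint": "no exception found"}
    root = chain[-1]
    code = kerberos_code(root["message"])
    return {
        "depth": len(chain),
        "root_class": root["class"],
        "root_message": root["message"],
        "root_frame": root["frames"][0] if root["frames"] else None,
        "krb_code": code,
        "hint": KRB_ERROR_HINTS.get(code, "no hint for this code"),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_TRACE).items():
        print(f"{key:>13}: {value}")
```

Run it against a copy of stdout.log and it will point straight at the innermost KrbException, which is where the investigation in this thread eventually landed; the two "Generic error (60)" layers above it carry no information on their own.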
I have the same situation, but the confusing part is that the SSO works fine. Yet if you look at the stdout and tomcat log files, there are error messages like this:
07-12-09 14:08:39:233 - [/InfoViewApp].[action] Thread [http-8080-Processor25]; Servlet.service() for servlet action threw exception
java.lang.IllegalStateException
at org.apache.catalina.connector.ResponseFacade.sendError(ResponseFacade.java:418)
at javax.servlet.http.HttpServletResponseWrapper.sendError(HttpServletResponseWrapper.java:117)
at com.businessobjects.sdk.credential.WrappedServletResponse.sendError(WrappedServletResponse.java:30)
at com.wedgetail.idm.sso.AbstractAuthenticator.setUnauthorizedResponse(AbstractAuthenticator.java:1328)
at com.wedgetail.idm.sso.MechChecker.authenticate(MechChecker.java:144)
at com.wedgetail.idm.sso.AbstractAuthenticator.authenticate(AbstractAuthenticator.java:1060)
at com.wedgetail.idm.sso.AbstractAuthenticator.authenticateServiceTicket(AbstractAuthenticator.java:998)
at com.wedgetail.idm.sso.AbstractAuthenticator.checkAuthentication(AbstractAuthenticator.java:953)
at com.wedgetail.idm.sso.AuthFilter.doFilter(AuthFilter.java:122)
at com.businessobjects.sdk.credential.WrappedResponseAuthFilter.doFilter(WrappedResponseAuthFilter.java:66)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:202)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:213)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:178)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:126)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:105)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:107)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:148)
at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:869)
at org.apache.coyote.http11.Http11BaseProtocol$Http11ConnectionHandler.processConnection(Http11BaseProtocol.java:664)
at org.apache.tomcat.util.net.PoolTcpEndpoint.processSocket(PoolTcpEndpoint.java:527)
at org.apache.tomcat.util.net.LeaderFollowerWorkerThread.runIt(LeaderFollowerWorkerThread.java:80)
at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:684)
at java.lang.Thread.run(Thread.java:595)
This message appears every time a user logs in and logs out. I'm worried that we might have potential issues because of these errors.
Tim, if you have seen this error before, please let me know how to get rid of these errors.
Thanks,
Reddy
Problem resolved. Our AD account was using constrained delegation (company policy). According to SAP Support with the current implementation (BOE 3.1 SP2), this is not possible with Vintela. After removing these restraints, Infoview SSO began functioning as expected.
According to SAP updated Vintela libraries will be included in SP3, which is currently slated for Q2 release in 2010, and these will allow constrained delegation.
Thanks everyone for the replies.
-Chandhu
If you are receiving this error for SSO, "Account information not recognized: Active Directory Authentication failed to log you on. Please contact your system administrator to make sure you are a member of a valid mapped group and try again. If you are not a member of the default domain, enter your user name as UserName@DNS_DomainName and then try again", then it typically indicates the user logged into the workstation is not a member of a valid mapped group and an SSO attempt was made when you hit the URL. If you receive that error for manual logon then it could be anything, but you said that was working.
Are you sure the workstation was logged on with the exact same user from the exact same domain as you logged in manually with? "1 krbtgt for the user" should show the SSO'd username UPN, is that what you are able to successfully login with manually?
Regards,
Tim
The web.xml file under webapps/InfoView is not configured correctly.
Can you verify you have set all the necessary options for Vintela and the SPN/keytab definition, etc.?