Kerberos SSO problem with windows AD authentication at BI 4.0

Former Member

I have installed BI 4.0 on windows 2008 with Tomcat 6 / MSSQL. Authentication with AD is configured based on Admin guide. I can log in CMC / Bi Launch Pad manually with Windows AD Authentication.

Kerberos SSO with AD doesn't work. I got the error message as "Account Information Not Recognized: Active Directory Authentication failed to log you on. Please contact your system administrator to make sure you are a member of a valid mapped group and try again. If you are not a member of the default domain, enter your user name as UserName@DNS_DomainName, and then try again. (FWM 00006)"

The error shows at trace file Webapp_BIlaunchpad_trace.000001.glf as follows:

com.crystaldecisions.sdk.plugin.authentication.ldap.internal.SecWinADAuthentication||Authentication failed.

java.lang.IllegalArgumentException: EncryptionKey: Key bytes cannot be null!

at sun.security.krb5.EncryptionKey.<init>(EncryptionKey.java:214)

at sun.security.krb5.EncryptionKey.acquireSecretKeys(EncryptionKey.java:191)

at sun.security.krb5.EncryptionKey.acquireSecretKeys(EncryptionKey.java:159)

Tomcat log shows:

Debug is true storeKey false useTicketCache false useKeyTab false doNotPrompt false ticketCache is null isInitiator true KeyTab is null refreshKrb5Config is false principal is null tryFirstPass is false useFirstPass is false storePass is false clearPass is false

[Krb5LoginModule] user entered username: @XX.YY.COM

Using builtin default etypes for default_tkt_enctypes

default etypes for default_tkt_enctypes: 3 1 23 16 17.

There is no username passed.

I followed the administrator guide and created global.properties and BIlaunchpad.properties under the custom folder. Kinit is OK. "setspn -l bodservice" looks good too.

global.properties:

sso.enabled=true

siteminder.enabled=false

vintela.enabled=true

idm.realm=XX.YY.COM

idm.princ=BOSSO/bodservice.XX.YY.com

idm.allowUnsecured=true

idm.allowNTLM=false

idm.logger.name=simple

idm.logger.props=error-log.properties

idm.keytab=C:\winnt\BODvintela.keytab

BIlaunchpad.properties

authentication.default=secWinAD

cms.default=XXXX:6400

authentication.visible=true

bscLogin.conf

com.businessobjects.security.jgss.initiate

{com.sun.security.auth.module.Krb5LoginModule required debug=true;

};

Krb5.ini

[libdefaults]

default_realm = XX.YY.COM

dns_lookup_kdc = true

dns_lookup_realm = true

udp_preference_limit = 1

[realms]

XX.YY.COM = {

kdc =XXXX.XX.YY.COM

default_domain = XX.YY.COM

}

We have XI 3.1 with AD SSO for InfoView. I followed most of the configuration steps but there is no luck for 4.0. Any idea? Thanks for your help.

Edited by: Dong Li on Jul 28, 2011 11:16 PM

Update: I worked with SAP Support. SSO works when the password is entered manually in the Tomcat configuration. It seems there is something wrong with the keytab. We will create a new keytab.

Accepted Solutions (1)


BasicTek
Active Contributor

The problem is likely with the Vintela account setup:

idm.princ=BOSSO/bodservice.XX.YY.com

idm.allowUnsecured=true

idm.allowNTLM=false

idm.logger.name=simple

idm.logger.props=error-log.properties

idm.keytab=C:\winnt\BODvintela.keytab

We haven't completed the 4.x white paper yet, so the steps followed should be like the XI 3.1 SP3 guide (adjusting for global.properties instead of web.xml): KB 1483762 - Configuring Manual Kerberos Authentication and/or SSO in Distributed Environments with XI 3.1 SP3 **Best Practice**

Setting things up with the keytab initially adds another point of failure as well. In that guide there is a logging function, a password option, and a way to test the idm.princ @IDM.REALM via kinit, which is also helpful.

Regards,

Tim

Former Member

Thanks for your reply and excellent documents, Tim.

After I reviewed your document, we deleted/created the domain user and ran ktpass again. We only use one domain user, "bodservice", for all configurations. The ktpass command is as follows:

ktpass -out bosso.keytab -princ bodservice[@]XX.YY.COM -pass ?????? -kvno 255 -ptype KRB5_NT_PRINCIPAL -crypto RC4-HMAC-NT

I had to change the authorization princ to "bodservice" in CMC Windows AD authentication so that I can log in manually with Windows AD. I removed the password Java option from the Tomcat configuration and changed global.properties as follows:

sso.enabled=true

siteminder.enabled=false

vintela.enabled=true

idm.realm=XX.YY.COM

idm.princ=bodservice

idm.keytab=C:\winnt\bosso.keytab

idm.allowUnsecured=true

idm.allowNTLM=false

idm.logger.name=simple

idm.logger.props=error-log.properties

BIlaunchpad.properties

authentication.visible=true

authentication.default=secWinAD

cms.default=hostname:6400

I tried BI launch pad SSO; SSO is still not working, with the same error. I also ran

D:\Program Files (x86)\SAPBusinessObjects\SAP BusinessObjects Enterprise XI 4.0\win64_x64\jdk\bin\kinit -k -t bosso.keytab bodservice[@]XX.YY.COM; a new ticket is stored.

Please advise. Thanks.

BasicTek
Active Contributor

OK, look in the std.out for "credentials obtained". If it's there, then the problem is probably on the client side; if not, then something is still wrong with the setup.

Regards,

Tim

Former Member

Hi guys, we had the exact same issue with BI 4.0 and SSO, and after much frustration got it to work the following way:

(remember to replace <at> with @)

Our setup:

Windows Domain Functional Level: 2003

Windows 2008 R2 SAP servers

Windows Domain: MYDOMAIN.COM

DNS Suffix (for FQDN): MYDOMAIN.COM (Note: your AD and DNS might have different names)

Windows Domain Controller: MYDC.MYDOMAIN.COM

BI Server FQDN: bi4dev.mydomain.com

BI Service User (UPN): SAPServiceBI4<at>MYDOMAIN.COM

BI Service User (SAM): MYDOMAIN\SAPServiceBI4

Cleanup for previous attempts:

In case you have already tried to configure SSO, clean up everything you have done:

- List current SPN's assigned to the Service User (setspn -l SAPServiceBI4) and delete all SPN's (setspn -D <SPN> SAPServiceBI4)

- Check for duplicate SPN's assigned to the Service User and delete them too: setspn -X

- Delete or rename current keytab file

- On AD, ensure the UPN of the Service User is back to normal (usually when you run KTPASS it changes the AD user name to the SPN you specified, i.e. change HOST/server.com<at>MYDOMAIN.COM back to SAPServiceBI4<at>MYDOMAIN.COM)

- In the global.properties file, remove the SPN entry for idm.princ= and the keytab entry for idm.keytab=

- In the BI CMC > Authentication > Windows AD, uncheck/disable "Enable Windows Active Directory"

- Reboot the whole server to clear the cache etc. for a clean start

SSO Config:

- Create new Service User or use previous one as per guide:

UPN=SAPServiceBI4<at>MYDOMAIN.COM, SAM=MYDOMAIN\SAPServiceBI4

- Add user to Local Administrators group and update Local Security Policy as per guide (Act as part of the Operating system, Log on as a Batch job, Log on as a service, Replace a Process Level Token)

- On the Domain Controller, run KTPASS to create the SPN and keytab file (this is VERY important: for the SPN you need to specify the URL that users will be using in their web browser to access the BI Launchpad; for example, if your server URL to BI Launchpad is http://server.domain.com:8080/BOE/BI, then use server.domain.com<at>DOMAIN.COM):

ktpass -princ HTTP/bi4dev.mydomain.com<at>MYDOMAIN.COM -mapuser SAPServiceBI4<at>MYDOMAIN.COM -pass passw123 -kvno 255 -ptype KRB5_NT_PRINCIPAL -crypto RC4-HMAC-NT -out SAPServiceBI4.keytab

- Now, on the AD, go to Domain Users and check your Service Account. The UPN should now have changed to HTTP/bi4dev.mydomain.com<at>MYDOMAIN.COM, whilst the SAM is still MYDOMAIN\SAPServiceBI4. Also, RESET THE PASSWORD to the SAME password you had for the Service User (right-click user > Reset Password) - this prevents any funny Kerberos credential issues between AD and the keytab.

- Next, go to the Delegation tab and select "Trust this user for delegation to any service (Kerberos only)". If the Delegation tab is not visible, run the setspn commands below and retry.

- Run "setspn -l SAPServiceBI4". There should now already be an SPN registered (which is the FQDN), namely HTTP/bi4dev.mydomain.com. Register additional SPN's (shortname and IP):

setspn -a HTTP/bi4dev SAPServiceBI4

setspn -a HTTP/10.10.20.30 SAPServiceBI4

- Create folder C:\WINNT and copy the keytab file to it (you can use C:\Windows itself I guess, but I played it safe)

- Assign the Service User to the SIA service in the CCM as MYDOMAIN\SAPServiceBI4

- Create/edit the "global.properties" file under ..\Program Files (x86)\SAP BusinessObjects\Tomcat6\webapps\BOE\WEB-INF\config\custom\:

sso.enabled=true

siteminder.enabled=false

vintela.enabled=true

idm.realm=MYDOMAIN.COM

idm.princ=HTTP/bi4dev.mydomain.com (!! Use the SPN defined in the KTPASS command above)

idm.allowUnsecured=true

idm.allowNTLM=false

idm.logger.name=simple

idm.logger.props=error-log.properties

idm.keytab=C:/WINNT/SAPServiceBI4.keytab (!! VERY IMPORTANT !! Don't use backslashes (for example C:\WINNT\SAPServiceBI4.keytab); use the forward slash, as it should be in Java format)

- Create the "BIlaunchpad.properties" file in the same location:

authentication.visible=true

authentication.default=secWinAD

cms.default=bi4dev:6400

- Increase the Tomcat header size limit in the "server.xml" file as per guide

- Create file "C:\WINNT\krb5.ini":

[libdefaults]

default_realm = MYDOMAIN.COM

dns_lookup_kdc = true

dns_lookup_realm = true

default_tkt_enctypes = rc4-hmac

default_tgs_enctypes = rc4-hmac

[domain_realm]

.domain.com = MYDOMAIN.COM

domain.com = MYDOMAIN.COM

[realms]

MYDOMAIN.COM = {

default_domain = MYDOMAIN.COM

kdc = MYDC.MYDOMAIN.COM

}

- Create file "C:\WINNT\bscLogin.conf":

com.businessobjects.security.jgss.initiate {

com.sun.security.auth.module.Krb5LoginModule required debug=true;

};

Edited by: Bernardt Nel - Priv on Aug 2, 2011 10:39 AM

Former Member

- Modify the Tomcat JAVA options:

-Djava.security.auth.login.config=C:\WINNT\bscLogin.conf

-Djava.security.krb5.conf=C:\WINNT\krb5.ini

Now you can restart the server again. Once it is up and running, go into the BI CMC > Authentication > Windows AD and configure it as follows:

- Enable Windows AD

- AD Admin Name = MYDOMAIN\SAPServiceBI4 (or any other user that can read the AD)

- Default Domain = MYDOMAIN.COM

- Add AD Group = MYDOMAIN\Domain Users

- Use Kerberos Authentication + Cache Security Context

- Service Principal Name = HTTP/bi4dev.mydomain.com

... and set the rest as per the guide or your preferences. I opted for "Create new alias only when user logs on" so as not to import all the Domain Users at once. Restart the SIA and/or Tomcat services in CCM. Now you can test SSO via your AD login to the BI launchpad.

But alas, it still didn't work for us!? So I found a Java error in this logfile:

..\Program Files (x86)\SAP BusinessObjects\Tomcat6\work\Catalina\localhost\BOE\sbInitLog.txt

bundle=/admin

Registering config info for bundle=/admin

Starting bundle=com.businessobjects.webpath.InfoView

Registering web.xml for bundle=/InfoView

Registering config info for bundle=/InfoView

Error with config registration for bundle=/InfoView

com.wedgetail.idm.sso.ConfigException: Could not validate keytab [caused by: GSSException: Failure unspecified at GSS-API level (Mechanism level: com.dstc.security.kerberos.KerberosError: Clock skew too greatKrbError:

Error code: 37

Error message: null

Client name: null

Client realm: null

Client time: null

Server name: krbtgt/MYDOMAIN.COM

Server realm: MYDOMAIN.COM

Server time: Mon Aug 01 21:14:04 CAT 2011)]

at com.wedgetail.idm.sso.util.Util.checkAgainstKDC(Util.java:181)

at com.wedgetail.idm.sso.AbstractAuthenticator.initAuthenticator2(AbstractAuthenticator.java:556)

at com.wedgetail.idm.sso.AbstractAuthenticator.initAuthenticator(AbstractAuthenticator.java:325)

at com.wedgetail.idm.sso.AuthFilter.init(AuthFilter.java:131)

at com.businessobjects.sdk.credential.WrappedResponseAuthFilter.init(WrappedResponseAuthFilter.java:56)

at com.businessobjects.http.servlet.internal.FilterRegistration.init(FilterRegistration.java:42)

at com.businessobjects.http.servlet.internal.FilterRegistrationManager.registerFilter(FilterRegistrationManager.java:260)

Take note of this error: "Clock skew too greatKrbError"

Our Domain Controller and SAP Server time was over 4 minutes out of sync. So as a test I increased my local time on the SAP server to about the same time as the DC and VOILA! SSO works!

By the way, at first we had another error in this file, which was something like "keytab not found, could not find or read CWINNTSAPServiceBI4.keytab". This is when we used backslashes in the "global.properties" for the entry "idm.keytab=C:\WINNT\SAPServiceBI4.keytab". After changing it to forward slashes it could find/read the keytab file: "idm.keytab=C:/WINNT/SAPServiceBI4.keytab"

I hope this solves everyone's SSO problems!

Former Member

Thanks for sharing your experience, Bernardt. Your reply resolved my problem.

I changed the idm.keytab property to use "/" in the Windows path; it resolved my problem. SSO is working with the keytab.

Former Member

GREAT THANKS TO YOU, Bernardt Nel, for the "/" symbols in the path of the keytab file in the global.properties file.

Only this advice helped us to solve the same problem.

Too bad that SAP writes guides with such serious mistakes and SUPPORT has been unable to solve the high message, with all details about our settings, for 2 weeks already. Only this forum was useful.

Answers (2)


Former Member

Hello,

For today's reader, in 2015 (soon 2016): don't use RC4 as the Kerberos encryption algorithm!

See:

Regards,

Stéphane

Former Member

The same problem happened after applying SP02 on BO 4.0 SP01.

I used double backslashes instead of a single \, and it worked. That is another way of writing the keytab path.

--Srikar

Edited by: Srikar Garisa on Sep 8, 2011 7:13 AM
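The keytab-path behaviour that Bernardt hit ("CWINNTSAPServiceBI4.keytab" in the error) and that Srikar worked around with doubled backslashes follows from how java.util.Properties reads a file: a single backslash is an escape character, so `C:\WINNT\x.keytab` is loaded as `C:WINNTx.keytab`, while `C:/WINNT/x.keytab` and `C:\\WINNT\\x.keytab` both survive. The script below is an added example, not code from this thread or from SAP; it reproduces the relevant Properties loading rules in Python so the three spellings can be compared offline, and adds a few pre-flight checks on a global.properties file. The sample file contents, the `HTTP/<fqdn>` shape expected for idm.princ (taken from Bernardt's working setup) and the 5-minute clock-skew tolerance (the usual krb5 and Windows default, adjustable by policy) are assumptions of the example.

```python
"""Offline checker for the Java .properties escaping pitfall in idm.keytab.

Added example, not from the thread: reimplements the escape, continuation
and key/value rules of java.util.Properties.load so that the path Java will
actually see can be inspected before Tomcat is restarted.
"""
import re
from datetime import datetime, timedelta

_SIMPLE_ESCAPES = {"t": "\t", "n": "\n", "r": "\r", "f": "\f"}
_WINDOWS_ABS_PATH = re.compile(r"^[A-Za-z]:[\\/]")
KERBEROS_MAX_SKEW = timedelta(minutes=5)  # common krb5/Windows default; assumption here


def unescape_java_properties(text: str) -> str:
    """Apply Properties escape rules: \\t \\n \\r \\f, \\uXXXX, and 'backslash + any
    other char' which simply keeps that char (this is what eats the path separators)."""
    out, i = [], 0
    while i < len(text):
        ch = text[i]
        if ch != "\\":
            out.append(ch)
            i += 1
            continue
        i += 1
        if i >= len(text):
            break  # lone trailing backslash is dropped
        esc = text[i]
        hexpart = text[i + 1:i + 5]
        if esc == "u" and re.fullmatch(r"[0-9a-fA-F]{4}", hexpart):
            out.append(chr(int(hexpart, 16)))
            i += 5
        else:
            out.append(_SIMPLE_ESCAPES.get(esc, esc))
            i += 1
    return "".join(out)


def _logical_lines(raw: str):
    """Join continuation lines (odd number of trailing backslashes), skip comments."""
    buf = None
    for line in raw.splitlines():
        if buf is None:
            line = line.lstrip()
            if not line or line[0] in "#!":
                continue
            buf = line
        else:
            buf += line.lstrip()
        trailing = len(buf) - len(buf.rstrip("\\"))
        if trailing % 2 == 1:
            buf = buf[:-1]
            continue
        yield buf
        buf = None
    if buf is not None:
        yield buf


def _split_key_value(logical: str):
    """Key ends at the first unescaped '=', ':' or whitespace."""
    i, n, key_end = 0, len(logical), len(logical)
    while i < n:
        if logical[i] == "\\":
            i += 2
            continue
        if logical[i] in "=: \t":
            key_end = i
            break
        i += 1
    key, rest = logical[:key_end], logical[key_end:].lstrip(" \t")
    if rest[:1] in ("=", ":"):
        rest = rest[1:].lstrip(" \t")
    return unescape_java_properties(key), unescape_java_properties(rest)


def load_java_properties(raw: str) -> dict:
    """Parse .properties text the way Properties.load would (values already unescaped)."""
    return dict(_split_key_value(line) for line in _logical_lines(raw))


def check_sso_props(props: dict) -> list:
    """Return findings about global.properties as Java will interpret it."""
    findings = []
    keytab = props.get("idm.keytab", "")
    if not _WINDOWS_ABS_PATH.match(keytab):
        findings.append(f"idm.keytab is read by Java as {keytab!r}: use C:/dir/file.keytab "
                        "or C:\\\\dir\\\\file.keytab, never single backslashes")
    if not re.fullmatch(r"HTTP/[A-Za-z0-9.-]+", props.get("idm.princ", "")):
        findings.append("idm.princ should be the HTTP/<fqdn> SPN given to ktpass (assumed form)")
    realm = props.get("idm.realm", "")
    if not realm or realm != realm.upper():
        findings.append("idm.realm should be the Kerberos realm in upper case")
    return findings


def clock_skew_ok(client_time: datetime, server_time: datetime,
                  max_skew: timedelta = KERBEROS_MAX_SKEW) -> bool:
    """True when the two clocks are within the KDC's tolerance (KRB error 37 otherwise)."""
    return abs(client_time - server_time) <= max_skew


def sample_global_properties(keytab_value: str) -> str:
    """Constructed global.properties text modelled on the thread's example."""
    return ("# constructed sample, not a real deployment\n"
            "sso.enabled=true\nvintela.enabled=true\n"
            "idm.realm=MYDOMAIN.COM\nidm.princ=HTTP/bi4dev.mydomain.com\n"
            f"idm.keytab={keytab_value}\n")


# Three spellings of the same path as they would appear in the file on disk.
SINGLE_BACKSLASH = "C:\\WINNT\\SAPServiceBI4.keytab"      # file text: C:\WINNT\...
DOUBLE_BACKSLASH = "C:\\\\WINNT\\\\SAPServiceBI4.keytab"  # file text: C:\\WINNT\\...
FORWARD_SLASH = "C:/WINNT/SAPServiceBI4.keytab"

if __name__ == "__main__":
    for variant in (SINGLE_BACKSLASH, DOUBLE_BACKSLASH, FORWARD_SLASH):
        props = load_java_properties(sample_global_properties(variant))
        print(f"{variant:38} -> Java sees {props['idm.keytab']!r}; findings: {check_sso_props(props)}")
```

Running the script on a real global.properties (replace the constructed sample with `open(path).read()`) shows the path exactly as the Vintela filter will receive it, which is the fastest way to tell a path-escaping problem from a genuine keytab or KDC problem before digging into sbInitLog.txt.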