SSO not working when coming from Microsoft Forefront.(help Tim! ;-)

kevin_joyner
Explorer
0 Kudos

I'm running BO 4.0 SP2 with kerberos SSO with tomcat on a web box and then an app box for everything else. We have Kerberos SSO working with Windows AD but when we enable constrained delegation and try to proxy in via the Microsoft Forefront TMG SSO fails with "Account Information Not Recognized: Active Directory Authentication failed to log you on."

Debug and logging is enabled. I get a success message in stderr.log

Oct 20, 2011 4:39:14 PM com.wedgetail.idm.sso.util.DefaultAuditor auditAccess

INFO: access: /BOE/portal/110825/InfoView/logon/logonService.do by user: MY_LOGIN = granted

But then an error in stdout.log

Debug is true storeKey false useTicketCache false useKeyTab false doNotPrompt false ticketCache is null isInitiator true KeyTab is null refreshKrb5Config is false principal is null tryFirstPass is false useFirstPass is false storePass is false clearPass is false

[Krb5LoginModule] user entered username: @MY_DOMAIN.COM

It looks like it's stripping the username off. The TMG admin says they can see where the ticket is passing with the user name. SAP support says they can't support the TMG(understandable) so here I am in limbo.

Ideas anyone?
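The symptom in the post above is an auditor "granted" line in stderr.log for a named user, followed by a Krb5LoginModule line in stdout.log whose principal has no user part ("@MY_DOMAIN.COM"). The following Python script is an added example, not code from the thread, from SAP or from the Vintela/wedgetail filter; it scans constructed sample log lines in the format quoted in the post and reports whether the user name is being lost between the SSO filter and the JAAS Kerberos login, which is a different failure from the KDC rejecting a ticket.

```python
"""Spot the 'stripped principal' Kerberos SSO symptom in Tomcat log output.

Added example for this thread. The log lines below are constructed to match the
format quoted in the posts; they are not copied from a real deployment.
"""
import re
from typing import List, NamedTuple

# One string per log line; a real run would read stdout.log / stderr.log from disk.
SAMPLE_STDERR = [
    "Oct 20, 2011 4:39:14 PM com.wedgetail.idm.sso.util.DefaultAuditor auditAccess",
    "INFO: access: /BOE/portal/110825/InfoView/logon/logonService.do by user: MY_LOGIN = granted",
]
SAMPLE_STDOUT = [
    "Debug is true storeKey false useTicketCache false useKeyTab false doNotPrompt false "
    "ticketCache is null isInitiator true KeyTab is null refreshKrb5Config is false "
    "principal is null tryFirstPass is false useFirstPass is false storePass is false clearPass is false",
    "[Krb5LoginModule] user entered username: @MY_DOMAIN.COM",
    "[Krb5LoginModule] user entered username: my_login@MY_DOMAIN.COM",
]

# Krb5LoginModule echoes the principal as user@REALM; the user part may be empty.
KRB5_USER_RE = re.compile(
    r"\[Krb5LoginModule\] user entered username:\s*(?P<user>[^@\s]*)@(?P<realm>\S+)"
)
# The SSO filter's auditor records who it believes logged in and whether access was granted.
AUDIT_RE = re.compile(r"access: (?P<path>\S+) by user: (?P<user>\S+) = (?P<result>\w+)")


class KrbLogin(NamedTuple):
    user: str
    realm: str

    @property
    def principal_stripped(self) -> bool:
        """True when the login module received a realm but no user name."""
        return self.user == ""


class AuditEvent(NamedTuple):
    path: str
    user: str
    granted: bool


def parse_krb5_logins(lines: List[str]) -> List[KrbLogin]:
    """Extract every Krb5LoginModule 'user entered username' event from stdout.log lines."""
    events = []
    for line in lines:
        m = KRB5_USER_RE.search(line)
        if m:
            events.append(KrbLogin(m.group("user"), m.group("realm")))
    return events


def parse_audit_events(lines: List[str]) -> List[AuditEvent]:
    """Extract DefaultAuditor access decisions from stderr.log lines."""
    events = []
    for line in lines:
        m = AUDIT_RE.search(line)
        if m:
            events.append(AuditEvent(m.group("path"), m.group("user"), m.group("result") == "granted"))
    return events


def diagnose(stdout_lines: List[str], stderr_lines: List[str]) -> str:
    """Return a short verdict on the hand-off between the SSO filter and the JAAS login.

    'stripped-principal'           : the filter granted access for a named user, yet the
                                     Kerberos login module was handed '@REALM' with no user.
                                     The name is lost in the web tier, not rejected by the KDC.
    'stripped-principal-unaudited' : same symptom, but no matching auditor 'granted' line.
    'ok'                           : every Krb5LoginModule event carries a user name.
    'no-krb5-events'               : nothing to judge (debug logging off, or wrong file).
    """
    logins = parse_krb5_logins(stdout_lines)
    if not logins:
        return "no-krb5-events"
    stripped = [e for e in logins if e.principal_stripped]
    if not stripped:
        return "ok"
    granted_users = {e.user for e in parse_audit_events(stderr_lines) if e.granted}
    return "stripped-principal" if granted_users else "stripped-principal-unaudited"


if __name__ == "__main__":
    for event in parse_krb5_logins(SAMPLE_STDOUT):
        print(f"realm={event.realm!r} user={event.user!r} stripped={event.principal_stripped}")
    print("verdict:", diagnose(SAMPLE_STDOUT, SAMPLE_STDERR))
```

Run it against the real stdout.log and stderr.log from the Tomcat box (one line per list element) when reproducing a failed logon through the proxy; an "ok" verdict on a direct logon and "stripped-principal" on a proxied one localises the problem to whatever sits between the browser and the SSO filter.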

Accepted Solutions (0)

Answers (6)

Former Member
0 Kudos

Kevin,

Were you ever able to get BI SSO to work via TMG?

I'm currently trying to get BI 4.0 SSO to work using TMG as a reverse proxy.  BI SSO works fine directly but when going through TMG I'm getting a 500 error.

Any ideas/help would be appreciated.

thanks,

Dawn

kevin_joyner
Explorer
0 Kudos

It is working.  Since there are several potential reasons for the 500 you might need to narrow it down.  Try the noSSO page via the TMG just to make sure SSO is the only issue.   Also verify you can/can't login with the webi thick client.  The most helpful thing I've found to do is capture the network traffic during the login process using wireshark.  You should be able to see the ticket decryption process as well as any error messages.

Former Member
0 Kudos

Kevin,

Thanks for your suggestions.  I verified that I can log in with the webi thick client and that I can log into the BO noSSO page via TMG.  The Wireshark traces show that the Kerberos tickets are being requested for the user against the domain (principal - username, service and instance - GC/domain controller) but I don't see a request for the web service (http/internalwebservername) as I do when accessing the site directly.  Any suggestions?

For the TMG Authentication Delegation page, are you using Negotiate or Kerberos Constrained Delegation?   Also, are you using the SPN for the internal site (http/internalwebservername)?

thanks,

Dawn

Former Member
0 Kudos

Hi guys,

I had a similar problem:

  • Login via client tools worked fine
  • Manual login via InfoView also no problem
  • Kerberos-ticket was created in the background

But when activating Vintela SSO for InfoView I could see in stdout.log that no username was passed:

"[Krb5LoginModule] user entered username: @MY_DOMAIN.COM"

As there was no real error message it was hard to figure out what the problem was. The solution itself was to simply add the server URL to the Intranet pages in IE. This is described in several guides, but I think it's good to document what happens if this is not done correctly.

Regards

colin_terry
Explorer
0 Kudos

Hi Jens-Uwe

Could you be a bit more specific? What exactly did you add, and where?

What guides is this documented in?

Many Thanks,

Colin

Former Member
0 Kudos

Hi Colin,

I can't find the guide I read this in, but what I did to solve the problem was to add the URL of the BO web application to the local intranet sites in Internet Explorer.

This can be done in the menu Internet Settings --> tab "Security" --> Local intranet --> Sites --> Advanced. Maybe the menu names differ a bit because I use a German browser locale.

Hope this helps

Jens-Uwe

kevin_joyner
Explorer
0 Kudos

Still having trouble with this.   Anyone had luck with Microsoft TMG and Mobi or had need to setup Apache for reverse proxy?

colin_terry
Explorer
0 Kudos

Hi Kevin,

We are struggling to even publish an XI3.1 application with Forefront UAG!! When users access the system using the url https://reports/InfoViewApp/logonNoSso.jsp, Tomcat redirects to https://reports/InfoViewApp/logon.jsp?sso=false, but then UAG comes up with a message saying 'The URL you have requested is not associated with any application'

Do you have any pointers regarding the UAG publishing process that you could kindly share?

Colin

kevin_joyner
Explorer
0 Kudos

We didn't use Forefront with our 3.1 implementation so I don't have specific advice. Our Forefront admin secured the site at the base URL so it doesn't seem to care what we click on beyond that. Check with your admin to see what they did, possibly they need to put in a manual entry for the URL you're using...

colin_terry
Explorer
0 Kudos

Kevin, We've now moved to BI4.0 and have successfully managed to deploy the application in UAG for manual AD authentication.

However we are now facing issues with the SSO through Forefront. I'm confused as to this potential requirement for DES encryption. Internally SSO is working fine, and this was configured as per the BI4SSO config document i.e. using RC4 encryption (as specified in the ktpass command, krb5.ini etc). Does the requirement for DES encryption mean that I need to reconfigure my SPNs to use the DES encryption mode for this to work with Forefront, as well as making the DES changes on the UAG server?

Any guidance appreciated,

Colin

kevin_joyner
Explorer
0 Kudos

We actually got this working. First we went through the steps of enabling DES on the TMG box and the Tomcat server. This took a bit of doing as a modification to the registry is required: set the SupportedEncryptionTypes registry entry to a value of 0x7FFFFFFF. The SupportedEncryptionTypes registry entry is at the following location:

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\parameters\

At this point we noticed the error message changed slightly. I then found an older XI R2 manual which referenced the setspn line needed to create an SPN for the application server in addition to the other SPNs referenced in the current manual.

setspn -a BOBJCentralMS/appserver.domain.com SERVICE_ACCOUNT

This was the ticket and now we seem to be running ok at least in test.
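The registry value quoted in the post above, 0x7FFFFFFF, is a bitmask: it does not select DES, it enables every Kerberos encryption type the machine knows about, DES included, which is why the Forefront hop started working. The decoder below is an added example written for this thread, not code from SAP, Microsoft or the thread's participants. The bit positions for the five named types follow Microsoft's documentation of SupportedEncryptionTypes / msDS-SupportedEncryptionTypes; bits above 0x10 are treated as the "future/reserved" range as the policy editor of that era labelled them, which is an assumption of this example. It also reports which enabled types a reviewer should treat as weak, so the mask can be narrowed again once the proxy no longer needs DES.

```python
"""Decode a Kerberos SupportedEncryptionTypes bitmask and flag weak ciphers.

Added example for this thread. Bit layout for the named types is Microsoft's;
bits above 0x10 are treated here as 'future/reserved' (assumption of this example).
"""
from typing import Dict, List

# Bit -> encryption type, as used by the SupportedEncryptionTypes registry value
# and the msDS-SupportedEncryptionTypes AD attribute.
ETYPE_BITS: Dict[int, str] = {
    0x01: "DES-CBC-CRC",
    0x02: "DES-CBC-MD5",
    0x04: "RC4-HMAC",
    0x08: "AES128-CTS-HMAC-SHA1-96",
    0x10: "AES256-CTS-HMAC-SHA1-96",
}
DES_BITS = 0x01 | 0x02
# Single DES is cryptographically broken; RC4-HMAC keys are NT hashes. Flag both.
WEAK_BITS = DES_BITS | 0x04
# Everything above AES256 inside a 31-bit mask: the 'future encryption types' range.
FUTURE_BITS = 0x7FFFFFFF & ~sum(ETYPE_BITS)


def parse_mask(text: str) -> int:
    """Accept the value as shown in regedit ('0x7FFFFFFF') or as decimal ('2147483647')."""
    return int(text.strip(), 0)


def decode_mask(mask: int) -> List[str]:
    """List the encryption types enabled by the mask, in ascending bit order."""
    names = [name for bit, name in sorted(ETYPE_BITS.items()) if mask & bit]
    if mask & FUTURE_BITS:
        names.append("future/reserved")
    return names


def has_des(mask: int) -> bool:
    """True when either DES type is enabled (what the Forefront/SPNego path needed here)."""
    return bool(mask & DES_BITS)


def weak_types(mask: int) -> List[str]:
    """Enabled types that a security review should question."""
    return [name for bit, name in sorted(ETYPE_BITS.items()) if mask & bit & WEAK_BITS]


def add_des(keep_mask: int) -> int:
    """Smallest change that adds DES to an existing mask without enabling anything else."""
    return keep_mask | DES_BITS


def report(text: str) -> str:
    """One-paragraph summary for a value copied out of the registry."""
    mask = parse_mask(text)
    enabled = ", ".join(decode_mask(mask)) or "nothing"
    weak = ", ".join(weak_types(mask)) or "none"
    return (f"{text}: enables {enabled}; DES {'present' if has_des(mask) else 'absent'}; "
            f"weak types enabled: {weak}")


if __name__ == "__main__":
    # The value from the post, and the narrower AES-only default for comparison.
    print(report("0x7FFFFFFF"))
    print(report("0x18"))
    # Adding DES to an AES+RC4 mask gives 0x1F, far smaller than 0x7FFFFFFF.
    print(hex(add_des(0x1C)))
```

Reading the decoded list next to the proxy's actual requirement makes the trade-off explicit: the thread's fix needs the DES bits set on the TMG box and the Tomcat host, and nothing else in the mask contributes to that.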

Former Member
0 Kudos

Don't know if this helps, but it's worth a read. Check SAP Note 1396724:

Since the SPNego Login Module currently requires DES Encryption and since it currently does support no other encryption type, customers have to enable DES support as an encryption type for Kerberos on all Windows 7 client computers and on all Windows Server 2008 R2 domain controllers.

A procedure how to enable DES encryption types for Kerberos is described in the Microsoft Knowledge Base Article 977321: "The security principals and the services that use only DES encryption for Kerberos authentication are incompatible with the default settings on a computer that is running Windows 7 or Windows Server 2008 R2".

http://support.microsoft.com/kb/977321

kevin_joyner
Explorer
0 Kudos

I'm not sure if setting the encryption on each PC is an option for us, as the point of the Forefront product is to allow SSO once folks have logged into it from home. The DES support might still be our issue though. I did some googling and found the following article on getting Forefront to work with NetWeaver by setting DES on the Forefront server.

[http://blogs.technet.com/b/edgeaccessblog/archive/2010/04/15/sap-netweaver-portal-publishing-with-single-sign-on.aspx]

I've sent it over to our Forefront admin to see if it helps.

julian_jimenez
Active Contributor
0 Kudos

Hi Kevin,

Wireshark traces taken in one of these clients will be useful to see if there are problems with the ticket obtained.

Regards,

Julian