on 12-28-2011 9:16 PM
Everything in the "Configuring Vintela SSO in distributed Environments - Complete Guide" went relatively smoothly until I had to edit the web.xml. The first problem was that the guide didn't tell me where to find the web.xml. Luckily, at http://geek2live.net/page/4/ step 15 I found a path. Then once I uncommented the authfilter section I got the 404 error.
What can I post here to help troubleshoot this issue?
Thanks,
Phil
Hi Pap,
We had the same issue in BOBJ 3.1 SP 3.6.
In Authfilter, for "IDM.PRINC", instead of using "BOSSO/<SERVICENAME>" just use the service name.
Thanks,
Sravanthi.
I want to verify a couple of other settings: location and the idm.keytab parameter.
Here are the two locations for the web.xml file I have been keeping in sync:
Program Files (x86)\Business Objects\BusinessObjects Enterprise 12.0\warfiles\WebApps\InfoViewApp\WEB-INF\web.xml
and
Program Files (x86)\Business Objects\Tomcat55\webapps\InfoViewApp\WEB-INF
Also, do I need to enable the idm.keytab? Right now I have it commented out:
<init-param>
<param-name>idm.keytab</param-name>
<param-value>C:\WINNT\HostMachineName-svc_BOECMS_TST.keytab</param-value>
</init-param>
Thanks,
Phil
Edited by: PAPutzback on Dec 29, 2011 3:27 PM
I still have the keytab commented out, but the change to the idm.principal has caused this error to replace the 404 error:
HTTP Status 500 - com.wedgetail.idm.sso.ProtocolException: com.wedgetail.idm.spnego.server.SpnegoException: com.dstc.security.util.asn1.Asn1Exception: Bad tag encountered: 78
<context-param>
<param-name>cms.default</param-name>
<param-value>ETBO1:6400</param-value>
</context-param>
<context-param>
<param-name>cms.visible</param-name>
<param-value>true</param-value>
</context-param>
<context-param>
<param-name>authentication.default</param-name>
<param-value>secwinAD</param-value>
</context-param>
<context-param>
<param-name>authentication.visible</param-name>
<param-value>true</param-value>
</context-param>
<context-param>
<param-name>siteminder.enabled</param-name>
<param-value>false</param-value>
</context-param>
<context-param>
<param-name>siteminder.authentication</param-name>
<param-value>secWinAD</param-value>
</context-param>
<context-param>
<param-name>vintela.enabled</param-name>
<param-value>true</param-value>
</context-param>
<context-param>
<param-name>sso.enabled</param-name>
<param-value>true</param-value>
</context-param>
<context-param>
<param-name>sso.sap.primary</param-name>
<param-value>true</param-value>
</context-param>
<context-param>
<param-name>logontoken.enabled</param-name>
<param-value>true</param-value>
</context-param>
<context-param>
<param-name>persistentcookies.enabled</param-name>
<param-value>true</param-value>
</context-param>
<context-param>
<param-name>trusted.auth.user.retrieval</param-name>
<param-value>USER_PRINCIPAL</param-value>
</context-param>
<context-param>
<param-name>trusted.auth.user.param</param-name>
<param-value></param-value>
</context-param>
<context-param>
<param-name>trusted.auth.shared.secret</param-name>
<param-value></param-value>
</context-param>
<context-param>
<param-name>config.logon.service.context</param-name>
<param-value></param-value>
</context-param>
<context-param>
<param-name>config.logon.service.url</param-name>
<param-value></param-value>
</context-param>
<context-param>
<param-name>SMTPFrom</param-name>
<param-value>true</param-value>
</context-param>
<context-param>
<param-name>url.error</param-name>
<param-value>/jsp/common/error.jsp</param-value>
</context-param>
<context-param>
<param-name>javax.servlet.jsp.jstl.fmt.localizationContext</param-name>
<param-value>com.businessobjects.infoview.ApplicationResources</param-value>
</context-param>
<context-param>
<param-name>distributable</param-name>
<param-value>true</param-value>
</context-param>
<context-param>
<param-name>path.rightFrame</param-name>
<param-value>1</param-value>
</context-param>
<filter>
<filter-name>EncodingFilter</filter-name>
<filter-class>com.businessobjects.webutil.encoding.EncodingFilter</filter-class>
</filter>
<filter>
<filter-name>ApplicationServiceCacheControlFilter</filter-name>
<filter-class>com.businessobjects.webutil.caching.ApplicationServiceCacheControlFilter</filter-class>
</filter>
<filter>
<filter-name>CacheControlFilter</filter-name>
<filter-class>com.businessobjects.webutil.caching.CacheControlFilter</filter-class>
</filter>
<filter>
<filter-name>authFilter</filter-name>
<filter-class>com.businessobjects.sdk.credential.WrappedResponseAuthFilter</filter-class>
<init-param>
<param-name>idm.realm</param-name>
<param-value>CAL.COMMUNITY.COM</param-value>
</init-param>
<init-param>
<param-name>idm.princ</param-name>
<param-value>svc_BOECMS_TST</param-value>
</init-param>
<!--
<init-param>
<param-name>idm.keytab</param-name>
<param-value>C:\WINNT\HostMachineName-svc_BOECMS_TST.keytab</param-value>
</init-param>
-->
<init-param>
<param-name>idm.allowUnsecured</param-name>
<param-value>true</param-value>
</init-param>
<init-param>
<param-name>idm.allowNTLM</param-name>
<param-value>false</param-value>
</init-param>
<init-param>
<param-name>idm.logger.name</param-name>
<param-value>simple</param-value>
<description>
The unique name for this logger.
</description>
</init-param>
<init-param>
<param-name>idm.logger.props</param-name>
<param-value>error-log.properties</param-value>
<description>
Configures logging from the specified file.
</description>
</init-param>
<init-param>
<param-name>error.page</param-name>
<param-value>../logonNoSso.jsp</param-value>
<description>
The URL of the page to show if an error occurs during authentication.
</description>
</init-param>
</filter>
<filter-mapping>
<filter-name>EncodingFilter</filter-name>
<url-pattern>*.jsp</url-pattern>
</filter-mapping>
<filter-mapping>
<filter-name>EncodingFilter</filter-name>
<url-pattern>*.faces</url-pattern>
</filter-mapping>
<filter-mapping>
<filter-name>ApplicationServiceCacheControlFilter</filter-name>
<url-pattern>/common/appService.do</url-pattern>
</filter-mapping>
<filter-mapping>
<filter-name>CacheControlFilter</filter-name>
<url-pattern>*.gif</url-pattern>
</filter-mapping>
<filter-mapping>
<filter-name>CacheControlFilter</filter-name>
<url-pattern>*.css</url-pattern>
</filter-mapping>
<filter-mapping>
<filter-name>CacheControlFilter</filter-name>
<url-pattern>*.js</url-pattern>
</filter-mapping>
<filter-mapping>
<filter-name>CacheControlFilter</filter-name>
<url-pattern>*.html</url-pattern>
</filter-mapping>
<filter-mapping>
<filter-name>CacheControlFilter</filter-name>
<url-pattern>/ure/ure/cache/images/*</url-pattern>
</filter-mapping>
<filter-mapping>
<filter-name>authFilter</filter-name>
<url-pattern>/logon/logonService.do</url-pattern>
</filter-mapping>
<listener>
<listener-class>com.businessobjects.sdk.ceutils.SessionCleanupListener</listener-class>
</listener>
<listener>
<listener-class>com.sun.faces.config.ConfigureListener</listener-class>
</listener>
<servlet>
<servlet-name>action</servlet-name>
<servlet-class>com.crystaldecisions.webapp.struts.framework.CrystalUTF8InputActionServlet</servlet-class>
<init-param>
<param-name>application</param-name>
<param-value>com.businessobjects.infoview.ApplicationResources</param-value>
</init-param>
<init-param>
<param-name>config</param-name>
<param-value>/WEB-INF/struts-config.xml</param-value>
</init-param>
<init-param>
<param-name>debug</param-name>
<param-value>0</param-value>
</init-param>
<init-param>
<param-name>content</param-name>
<param-value>text/html;charset=utf-8</param-value>
</init-param>
<init-param>
<param-name>detail</param-name>
<param-value>0</param-value>
</init-param>
<init-param>
<param-name>validate</param-name>
<param-value>true</param-value>
</init-param>
<init-param>
<param-name>nocache</param-name>
<param-value>true</param-value>
</init-param>
<load-on-startup>3</load-on-startup>
</servlet>
<servlet>
<servlet-name>AppServiceServlet</servlet-name>
<servlet-class>com.crystaldecisions.webapp.struts.framework.CrystalUTF8InputActionServlet</servlet-class>
<init-param>
<param-name>application</param-name>
<param-value>com.businessobjects.infoview.ApplicationResources</param-value>
</init-param>
<init-param>
<param-name>config</param-name>
<param-value>/WEB-INF/struts-config.xml</param-value>
</init-param>
<init-param>
<param-name>debug</param-name>
<param-value>0</param-value>
</init-param>
<init-param>
<param-name>content</param-name>
<param-value>text/html;charset=utf-8</param-value>
</init-param>
<init-param>
<param-name>detail</param-name>
<param-value>0</param-value>
</init-param>
<init-param>
<param-name>validate</param-name>
<param-value>true</param-value>
</init-param>
<load-on-startup>3</load-on-startup>
</servlet>
<servlet>
<servlet-name>Faces Servlet</servlet-name>
<servlet-class>javax.faces.webapp.FacesServlet</servlet-class>
<load-on-startup>1</load-on-startup>
</servlet>
<servlet>
<servlet-name>Not Found Servlet</servlet-name>
<servlet-class>com.businessobjects.webutil.ForwardServlet</servlet-class>
<init-param>
<param-name>url</param-name>
<param-value>/httperror_404.htm</param-value>
</init-param>
<load-on-startup>4</load-on-startup>
</servlet>
<servlet-mapping>
<servlet-name>Faces Servlet</servlet-name>
<url-pattern>*.faces</url-pattern>
</servlet-mapping>
<servlet-mapping>
<servlet-name>action</servlet-name>
<url-pattern>*.do</url-pattern>
</servlet-mapping>
Please make the changes as below and try again:
<context-param>
<param-name>cms.visible</param-name>
<param-value>true</param-value>
</context-param>
set to FALSE
<context-param>
<param-name>sso.sap.primary</param-name>
<param-value>true</param-value>
</context-param>
set to FALSE
In server.xml in the Tomcat55/conf folder, change as below:
<Connector URIEncoding="UTF-8" acceptCount="100" connectionTimeout="20000" disableUploadTimeout="true" enableLookups="false" maxHttpHeaderSize="32768" maxSpareThreads="75" maxThreads="150" minSpareThreads="25" port="8080" redirectPort="8443" />
Thanks,
Sravanthi
It appears the forum strips out the tags if I post too much in one post. Here is the last bit of the file:
<servlet-mapping>
<servlet-name>action</servlet-name>
<url-pattern>*.object</url-pattern>
</servlet-mapping>
<servlet-mapping>
<servlet-name>AppServiceServlet</servlet-name>
<url-pattern>/common/appService.do</url-pattern>
</servlet-mapping>
<servlet-mapping>
<servlet-name>Not Found Servlet</servlet-name>
<url-pattern>/ProductId.txt</url-pattern>
</servlet-mapping>
<session-config>
<session-timeout>20</session-timeout>
</session-config>
<error-page>
<error-code>404</error-code>
<location>/httperror_404.htm</location>
</error-page>
<error-page>
<error-code>500</error-code>
<location>/httperror_500.jsp</location>
</error-page>
<taglib>
<taglib-uri>/WEB-INF/c.tld</taglib-uri>
<taglib-location>/WEB-INF/c.tld</taglib-location>
</taglib>
<taglib>
<taglib-uri>/WEB-INF/fmt.tld</taglib-uri>
<taglib-location>/WEB-INF/fmt.tld</taglib-location>
</taglib>
<taglib>
<taglib-uri>/WEB-INF/struts-html.tld</taglib-uri>
<taglib-location>/WEB-INF/struts-html.tld</taglib-location>
</taglib>
The following is from my TomCat Properties.
-Djava.library.path=C:/Windows/SysWOW64/;C:/Program Files (x86)/Business Objects/BusinessObjects Enterprise 12.0/win32_x86/
-Dcatalina.base=C:/Program Files (x86)/Business Objects/Tomcat55/
-Dcatalina.home=C:/Program Files (x86)/Business Objects/Tomcat55/
-Djava.endorsed.dirs=C:/Program Files (x86)/Business Objects/Tomcat55/common/endorsed/
-Dbobj.enterprise.home=C:/Program Files (x86)/Business Objects/BusinessObjects Enterprise 12.0/
-Dbusinessobjects.olap.stylesheets=C:/Program Files (x86)/Business Objects/OLAP Intelligence 12.0/stylesheets/
-Djava.library.path=C:\Windows\SysWOW64\;C:\Program Files (x86)\Business Objects\BusinessObjects Enterprise 12.0\win32_x86\
-Dcatalina.base=C:\Program Files (x86)\Business Objects\Tomcat55\
-Dcatalina.home=C:\Program Files (x86)\Business Objects\Tomcat55\
-Djava.endorsed.dirs=C:\Program Files (x86)\Business Objects\Tomcat55\common\endorsed\
-Dbobj.enterprise.home=C:\Program Files (x86)\Business Objects\BusinessObjects Enterprise 12.0\
-Xrs
-XX:MaxPermSize=256M
-Dbusinessobjects.olap.bin=
-Dbusinessobjects.olap.stylesheets=C:\Program Files (x86)\Business Objects\OLAP Intelligence 12.0\stylesheets\
-Djava.awt.headless=true
-Djava.security.auth.login.config=C:\WINNT\bscLogin.conf
-Djava.security.krb5.conf=C:\WINNT\Krb5.ini
-Dcom.wedgetail.idm.sso.password=password1
-Djcsi.kerberos.maxpacketsize=0
-Djcsi.kerberos.debug=true
Your Tomcat config looks good.
Please make the changes as said above; here is my XML:
<context-param>
<param-name>cms.default</param-name>
<param-value>HOSTNAME:6400</param-value>
</context-param>
<!-- Choose whether to let the user change the CMS name -->
<!-- If it isn't shown the default System from above will be used -->
<context-param>
<param-name>cms.visible</param-name>
<param-value>false</param-value>
</context-param>
<!-- You can specify the default Authentication types here -->
<!-- secEnterprise, secLDAP, secWinAD, secSAPR3 -->
<context-param>
<param-name>authentication.default</param-name>
<param-value>secWinAD</param-value>
</context-param>
<!-- Choose whether to let the user change the authentication type -->
<!-- If it isn't shown the default authentication type from above will be used -->
<context-param>
<param-name>authentication.visible</param-name>
<param-value>true</param-value>
</context-param>
<!-- The default home page -->
<context-param>
<param-name>homepage.default</param-name>
<param-value>/jsp/listing/home.jsp</param-value>
</context-param>
<!-- If the locale preference is disabled (only english languages will be used/allowed) -->
<context-param>
<param-name>disable.locale.preference</param-name>
<param-value>false</param-value>
</context-param>
<!-- Set to false to disable Siteminder single sign on. -->
<context-param>
<param-name>siteminder.enabled</param-name>
<param-value>false</param-value>
</context-param>
<!-- You can specify the siteminder Authentication type here -->
<!-- secLDAP, secWinAD -->
<context-param>
<param-name>siteminder.authentication</param-name>
<param-value>secLDAP</param-value>
</context-param>
<!-- Set to true to enable Vintela single sign on. -->
<context-param>
<param-name>vintela.enabled</param-name>
<param-value>true</param-value>
</context-param>
<!-- Set to true to enable other single sign on. -->
<context-param>
<param-name>sso.enabled</param-name>
<param-value>false</param-value>
</context-param>
<!-- Set to true to use SAP SSO as the application's primary SSO mechanism -->
<context-param>
<param-name>sso.sap.primary</param-name>
<param-value>false</param-value>
</context-param>
<!-- Set to false to disable logon with token. -->
<context-param>
<param-name>logontoken.enabled</param-name>
<param-value>true</param-value>
</context-param>
<filter>
<filter-name>authFilter</filter-name>
<filter-class>com.businessobjects.sdk.credential.WrappedResponseAuthFilter</filter-class>
<init-param>
<param-name>idm.realm</param-name>
<param-value>DOMAIN NAME</param-value>
</init-param>
<init-param>
<param-name>idm.princ</param-name>
<param-value><SERVICENAME></param-value>
</init-param>
<init-param>
<param-name>idm.keytab</param-name>
<param-value>C:\winnt\bofinale.keytab</param-value>
</init-param>
<init-param>
<param-name>idm.allowUnsecured</param-name>
<param-value>true</param-value>
</init-param>
<init-param>
<param-name>idm.allowNTLM</param-name>
<param-value>false</param-value>
</init-param>
<init-param>
<param-name>idm.logger.name</param-name>
<param-value>simple</param-value>
<description>
The unique name for this logger.
</description>
</init-param>
<init-param>
<param-name>idm.logger.props</param-name>
<param-value>error-log.properties</param-value>
<description>
Configures logging from the specified file.
</description>
</init-param>
<init-param>
<param-name>error.page</param-name>
<param-value>../logonNoSso.jsp</param-value>
<description>
The URL of the page to show if an error occurs during authentication.
</description>
</init-param>
</filter>
I am still getting this error:
HTTP Status 500 - com.wedgetail.idm.sso.ProtocolException: com.wedgetail.idm.spnego.server.SpnegoException: com.dstc.security.util.asn1.Asn1Exception: Bad tag encountered: 78
type Status report
message com.wedgetail.idm.sso.ProtocolException: com.wedgetail.idm.spnego.server.SpnegoException: com.dstc.security.util.asn1.Asn1Exception: Bad tag encountered: 78
description The server encountered an internal error (com.wedgetail.idm.sso.ProtocolException: com.wedgetail.idm.spnego.server.SpnegoException: com.dstc.security.util.asn1.Asn1Exception: Bad tag encountered: 78) that prevented it from fulfilling this request.
<!-- Define a non-SSL HTTP/1.1 Connector on port 8080 -->
<Connector URIEncoding="UTF-8" acceptCount="100" connectionTimeout="20000" disableUploadTimeout="true" enableLookups="false" maxHttpHeaderSize="32768" maxSpareThreads="75" maxThreads="150" minSpareThreads="25" port="8080" redirectPort="8443"/>
<!-- Note : To disable connection timeouts, set connectionTimeout value
to 0 -->
And that is here:
ETBO1\Program Files (x86)\Business Objects\Tomcat55\conf\server.xml
If you don't mind, let's replace the original web.xml and server.xml files and try modifying again. Let's change the authentication part first without modifying the AuthFilter.
Please change the authentication part as below, make sure you get the InfoViewApp page, and let us know:
<context-param>
<param-name>cms.default</param-name>
<param-value>ETBO1:6400</param-value>
</context-param>
<!-- Choose whether to let the user change the CMS name -->
<!-- If it isn't shown the default System from above will be used -->
<context-param>
<param-name>cms.visible</param-name>
<param-value>false</param-value>
</context-param>
<!-- You can specify the default Authentication types here -->
<!-- secEnterprise, secLDAP, secWinAD, secSAPR3 -->
<context-param>
<param-name>authentication.default</param-name>
<param-value>secWinAD</param-value>
</context-param>
<!-- Choose whether to let the user change the authentication type -->
<!-- If it isn't shown the default authentication type from above will be used -->
<context-param>
<param-name>authentication.visible</param-name>
<param-value>true</param-value>
</context-param>
<!-- The default home page -->
<context-param>
<param-name>homepage.default</param-name>
<param-value>/jsp/listing/home.jsp</param-value>
</context-param>
<!-- If the locale preference is disabled (only english languages will be used/allowed) -->
<context-param>
<param-name>disable.locale.preference</param-name>
<param-value>false</param-value>
</context-param>
<!-- Set to false to disable Siteminder single sign on. -->
<context-param>
<param-name>siteminder.enabled</param-name>
<param-value>false</param-value>
</context-param>
<!-- You can specify the siteminder Authentication type here -->
<!-- secLDAP, secWinAD -->
<context-param>
<param-name>siteminder.authentication</param-name>
<param-value>secLDAP</param-value>
</context-param>
<!-- Set to true to enable Vintela single sign on. -->
<context-param>
<param-name>vintela.enabled</param-name>
<param-value>true</param-value>
</context-param>
<!-- Set to true to enable other single sign on. -->
<context-param>
<param-name>sso.enabled</param-name>
<param-value>false</param-value>
</context-param>
<!-- Set to true to use SAP SSO as the application's primary SSO mechanism -->
<context-param>
<param-name>sso.sap.primary</param-name>
<param-value>false</param-value>
</context-param>
<!-- Set to false to disable logon with token. -->
<context-param>
<param-name>logontoken.enabled</param-name>
<param-value>true</param-value>
</context-param>
I made the change. The only one I think that did not match was
<!-- You can specify the siteminder Authentication type here -->
<!-- secLDAP, secWinAD -->
<context-param>
<param-name>siteminder.authentication</param-name>
<param-value>secLDAP</param-value>
</context-param>
Mine was originally secWinAD.
I can manually log in to InfoView with my AD info but not with the service account info.
That's good. Since we didn't change the AuthFilter yet, this is known.
Please change the AuthFilter as below:
<filter>
<filter-name>authFilter</filter-name>
<filter-class>com.businessobjects.sdk.credential.WrappedResponseAuthFilter</filter-class>
<init-param>
<param-name>idm.realm</param-name>
<param-value>DOMAIN.DOMIAN</param-value>
</init-param>
<init-param>
<param-name>idm.princ</param-name>
<param-value>SERVICEBO</param-value>
</init-param>
<init-param>
<param-name>idm.keytab</param-name>
<param-value>C:\winnt\bofinale.keytab</param-value>
</init-param>
<init-param>
<param-name>idm.allowUnsecured</param-name>
<param-value>true</param-value>
</init-param>
<init-param>
<param-name>idm.allowNTLM</param-name>
<param-value>false</param-value>
</init-param>
<init-param>
<param-name>idm.logger.name</param-name>
<param-value>simple</param-value>
<description>
The unique name for this logger.
</description>
</init-param>
<init-param>
<param-name>idm.logger.props</param-name>
<param-value>error-log.properties</param-value>
<description>
Configures logging from the specified file.
</description>
</init-param>
<init-param>
<param-name>error.page</param-name>
<param-value>../logonNoSso.jsp</param-value>
<description>
The URL of the page to show if an error occurs during authentication.
</description>
</init-param>
</filter>
OK. On your BOBJ server, type the command below and please paste the log:
setspn -L <SERVICENAME>
Below is mine; please compare it with yours:
C:\Users\boadm>setspn -L SERVICEBO
Registered ServicePrincipalNames for CN=SERVICEBO,OU=USERS,OU=SAP,OU=SITES,DC=DOMAIN,DC=local:
HTTP/10.1.47.71
HTTP/SAPBO01.DOMAIN.LOCAL
HTTP/SAPBO01
BOSSO/SERVICEBO.DOMAIN.LOCAL
You can register the setspn as below, for example:
setspn -A HTTP/SAPBO01.LEPRINO.LOCAL SERVICEBO
C:\Users\BOECMS_TST>setspn -l BOECMS_TST
Registered ServicePrincipalNames for CN=BOECMS_TST,OU=Service Accounts - BV,
OU=Servers,DC=cal,DC=community,DC=com:
http/10.246.32.103
http/10.246.32.102
http/etbo1
http/etbo2.cal.community.com
http/etbo2
http/etbo1.cal.community.com
ETBO1/BOECMS_TST.cal.community.com
ETBO2/BOECMS_TST.cal.community.com
And I am still getting the 404 error.
And I have this error in the tomcat.log:
Exception starting filter authFilter
com.wedgetail.idm.sso.ConfigException: No keytab entries for BOECMS_TST_AT_CAL.COMMUNITY.COM in keytab
Running kinit gives me this:
C:\Program Files (x86)\Business Objects\javasdk\bin>kinit BOECMS_TST
Password for BOECMS_TST AT CAL.COMMUNITY.COM:password
Exception: krb_error 14 KDC has no support for encryption type (14) KDC has no s
upport for encryption type
KrbException: KDC has no support for encryption type (14)
at sun.security.krb5.KrbAsRep.<init>(KrbAsRep.java:66)
at sun.security.krb5.KrbAsReq.getReply(KrbAsReq.java:486)
at sun.security.krb5.KrbAsReq.getReply(KrbAsReq.java:444)
at sun.security.krb5.internal.tools.Kinit.sendASRequest(Kinit.java:310)
at sun.security.krb5.internal.tools.Kinit.<init>(Kinit.java:259)
at sun.security.krb5.internal.tools.Kinit.main(Kinit.java:106)
Caused by: KrbException: Identifier doesn't match expected value (906)
at sun.security.krb5.internal.KDCRep.init(KDCRep.java:133)
at sun.security.krb5.internal.ASRep.init(ASRep.java:58)
at sun.security.krb5.internal.ASRep.<init>(ASRep.java:53)
at sun.security.krb5.KrbAsRep.<init>(KrbAsRep.java:50)
... 5 more
1) You can try deleting all the ETBO2 entries from the ETBO1 setspn, for example:
setspn -D http/etbo2.cal.community.com BOECMS_TST
Also, in the web.xml file, in place of IDM.PRINC use BOECMS_TST (the account name).
Please use the command below to create the keytab:
ktpass -out bofinale.keytab -princ BOECMS_TST@DOMAIN.LOCAL -pass <password> -kvno 255 -ptype KRB5_NT_PRINCIPAL -crypto RC4-HMAC-NT
I got the new key tab and made the change in web.xml
<init-param>
<param-name>idm.keytab</param-name>
<param-value>C:\WINNT\bosso.keytab</param-value>
</init-param>
This is the error in TomCat
[localhost].[/InfoViewApp] Thread [Thread-1]; Exception starting filter authFilter
com.wedgetail.idm.sso.ConfigException: No keytab entries for BOECMS_TST_AT_CAL.COMMUNITY.COM in keytab: Version: 5.2
File: C:\WINNT\bosso.keytab, modified Thu Dec 29 16:09:57 EST 2011, loaded Thu Dec 29 16:33:35 EST 2011
I am also still getting the 404 error in Internet Explorer when trying to connect to InfoView.
Let's get the InfoView page working and then we will work on the keytab.
Did you try deleting all the ETBO2 entries from the ETBO1 setspn? For example:
setspn -D http/etbo2.cal.community.com BOECMS_TST
Comment out the idm.keytab and please provide the password in the Tomcat configuration.
Also, please paste setspn -L BOECMS_TST after deleting the ETBO2 entries from the ETBO1 system.
SETSPN -!
C:\Users\PAPutzba>setspn -l BOECMS_TST
Registered ServicePrincipalNames for CN=BOECMS_TST,OU=Service Accounts - BV,
OU=Servers,DC=cal,DC=community,DC=com:
http/10.246.32.102
http/etbo1
http/etbo1.cal.community.com
ETBO1/BOECMS_TST.cal.community.com
I can manually log in to InfoView now.
FYI, I am logged into the machine via RDP with my username, not the service account. I also can manually log in to InfoView with my username but not the BOECMS_TST service account. Is there something there we need to change?
Great! It means we got the InfoView page working.
You can log in manually because we have commented out the keytab in web.xml.
Now, let's uncomment the keytab in web.xml and try to log in with the keytab file that got generated by the command I gave you.
Make sure the non-SSL connector in server.xml has the value mentioned before.
If you still get the FWN-006 error, then something is wrong in the keytab file. Please paste the complete command and output.
points are appreciated.
I commented out the file and now I get the 404 error in internet explorer.
This is from the tomcat log:
29-12-11 17:29:10:785 - [localhost].[/InfoViewApp] Thread [Thread-1]; Exception starting filter authFilter
com.wedgetail.idm.sso.ConfigException: No keytab entries for BOECMS_TST_AT_CAL.COMMUNITY.COM in keytab: Version: 5.2
File: C:\WINNT\bosso.keytab,
I made a copy of the keytab file and opened it in Notepad, and the only text I can read is CAL.COMMUNITY svc_BOECMS_TST; the rest of the text is not alphanumeric.
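Added example, not posted by anyone in this thread: a small Python reader for the MIT keytab format (a 05 02 header, then per entry the realm, the name components, name type, timestamp, kvno, enctype and key), used to check whether a keytab contains the principal that idm.princ and idm.realm together name. That is what the "No keytab entries for ... in keytab" ConfigException above is about; the lookup is assumed here to be an exact princ@realm match, which fits the error text but is not documented on this page. Realm and name components are stored as plain strings and the key as raw bytes, which is why Notepad shows only the realm and account name. The sample keytab is built inline by a small builder (ktpass produces the real one) and is constructed to mirror the "CAL.COMMUNITY.COM HTTP ETBO1" content reported later in the thread, so the check fails for the bare service name and passes for HTTP/ETBO1.

```python
import struct

KEYTAB_MAGIC = b"\x05\x02"      # MIT keytab, version 2
KRB5_NT_PRINCIPAL = 1           # name type written by ktpass -ptype KRB5_NT_PRINCIPAL
ENCTYPE_RC4_HMAC = 23           # ktpass -crypto RC4-HMAC-NT


def _octets(b):
    """counted_octet_string: 16-bit big-endian length followed by the bytes."""
    return struct.pack(">H", len(b)) + b


def build_keytab(entries):
    """Build a version-2 keytab from (principal, kvno, enctype, key) tuples.
    Only used here to construct sample input; real keytabs come from ktpass."""
    out = bytearray(KEYTAB_MAGIC)
    for principal, kvno, enctype, key in entries:
        name, realm = principal.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps)) + _octets(realm.encode())
        for c in comps:
            body += _octets(c.encode())
        body += struct.pack(">IIB", KRB5_NT_PRINCIPAL, 0, kvno & 0xFF)   # name type, timestamp, 8-bit vno
        body += struct.pack(">H", enctype) + _octets(key)               # keyblock
        body += struct.pack(">I", kvno)                                 # optional 32-bit vno
        out += struct.pack(">i", len(body)) + body                      # positive size = live entry
    return bytes(out)


def _read_octets(data, pos):
    (n,) = struct.unpack_from(">H", data, pos)
    return data[pos + 2:pos + 2 + n], pos + 2 + n


def parse_keytab(data):
    """Return [{'principal': 'a/b@REALM', 'kvno': int, 'enctype': int}, ...]; keys are not returned."""
    if data[:2] != KEYTAB_MAGIC:
        raise ValueError("not a version-2 keytab (expected 05 02 header)")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:                # negative size marks a deleted slot of that length
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        pos += 2
        realm, pos = _read_octets(data, pos)
        comps = []
        for _ in range(ncomp):
            c, pos = _read_octets(data, pos)
            comps.append(c.decode())
        _name_type, _timestamp, vno8 = struct.unpack_from(">IIB", data, pos)
        pos += 9
        (enctype,) = struct.unpack_from(">H", data, pos)
        pos += 2
        _key, pos = _read_octets(data, pos)
        kvno = vno8
        if end - pos >= 4:          # 32-bit vno present; it wins when non-zero
            (vno32,) = struct.unpack_from(">I", data, pos)
            if vno32:
                kvno = vno32
        pos = end
        entries.append({"principal": "/".join(comps) + "@" + realm.decode(),
                        "kvno": kvno, "enctype": enctype})
    return entries


def check_vintela_keytab(data, idm_princ, idm_realm):
    """Approximation of the filter's start-up check (assumed: exact princ@realm match).
    Returns (found, expected_principal)."""
    expected = f"{idm_princ}@{idm_realm}"
    return any(e["principal"] == expected for e in parse_keytab(data)), expected


# Constructed sample mirroring the HTTP/ETBO1 keytab reported later in the thread; keys are filler bytes.
SAMPLE_KEYTAB = build_keytab([
    ("HTTP/ETBO1@CAL.COMMUNITY.COM", 255, ENCTYPE_RC4_HMAC, bytes(range(16))),
    ("HTTP/ETBO1.CAL.COMMUNITY.COM@CAL.COMMUNITY.COM", 255, ENCTYPE_RC4_HMAC, bytes(range(16, 32))),
])

if __name__ == "__main__":
    for e in parse_keytab(SAMPLE_KEYTAB):
        print(e)
    # the service-name form used in this thread and the SPN form Hakan recommends below
    for princ in ("BOECMS_TST", "HTTP/ETBO1"):
        found, expected = check_vintela_keytab(SAMPLE_KEYTAB, princ, "CAL.COMMUNITY.COM")
        print(f"{expected}: {'found' if found else 'No keytab entries'}")
```

Pointing parse_keytab at a real file (open it in binary mode) lists every principal, kvno and enctype it holds, so a mismatch between idm.princ@idm.realm and what ktpass actually wrote is visible before Tomcat is restarted; the enctype number 23 corresponds to the RC4-HMAC-NT option used throughout this thread.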
Looks like something wrong with your service account and keytab.
Check the properties of service account BOECMS_TST in AD server.
Check in the document for the properties of the AD user: "Configuring Vintela SSO in Distributed Environments - Complete.pdf", Note 1261835 - Configuring java SSO (aka vintela, kerberos) in Distributed Environments - XI 3.1 Best Practices.
Check this note also: 1262301 - Infoview returns an error 404 or 'Didn't find name at offset' when Tomcat is configured with SSO Vintela and AD Kerberos.
Hi,
Check the properties of the service account; the option "Trust this user for delegation" should be checked.
Second, stop Tomcat, rename the InfoViewApp folder under Tomcat and restart Tomcat. After that a new InfoViewApp folder will be created automatically; then make the change in the web.xml file.
Stop Tomcat and then the SIA under the CCM. Then first start the SIA and then Tomcat.
Maybe this helps you. We got the same error message while enabling SSO; our issue was that the option "Trust this user for delegation" was not checked.
Hope this helps you.
Thanks,
Amit
Hi,
>
> Check the properties of the service account,option "Trust this user for delegation" should be checked.
> Second Stop tomcat and rename the InfoViewApp folder under the tomcat and restart the tomcat.After that automatically new infoviewapp folder will create.then change in the web.xml file.
>
> Stop the tomcat andthen SIA under the CCM.Then first start SIA and Then tomcat.
>
> May be this helps you..WE got the same error message while enabling SSO.Our issue with option "Trust this user for delegation" was not checked.
>
>
> Hope this helps you..
> Thanks,
> Amit
Delegation tab: the option "Trust this user for delegation to any service (Kerberos only)" is selected.
Account Tab:
We got this error "KTPASS failed getting target domain for specified user" when trying to recreate the keytab using the syntax
ktpass -out bosso.keytab -princ HTTP/ETBO1@CAL.ECommunity.COM -mapuser BOECMS_TST -pass password1 -kvno 255 -ptype KRB5_NT_PRINCIPAL -crypto RC4-HMAC-NT
So we are going to try
ktpass -out bosso.keytab -princ HTTP/ETBO1@CAL.ECommunity.COM -mapuser CHE\BOECMS_TST -pass password1 -kvno 255 -ptype KRB5_NT_PRINCIPAL -crypto RC4-HMAC-NT
and then
ktpass -out bosso.keytab -princ HTTP/ETBO1@CAL.ECommunity.COM -mapuser BOECMS_TST@CAL.COMMUNITY.COM -pass password1 -kvno 255 -ptype KRB5_NT_PRINCIPAL -crypto RC4-HMAC-NT
As far as the OP goes, this problem has been fixed. I still can't get the BO apps like Designer or Web Intelligence Rich Client to work with SSO, but that takes this off topic. I'll have to start a new thread for that. I think the solutions that helped the most were getting the syntax of SETSPN correct and also setting the parameters in the system and web.xml files correctly.
Thanks for all the help,
Phil
Edited by: PAPutzback on Jan 3, 2012 3:46 PM
Hi Phil!
Looks like you are missing some essentials for the Vintela configuration:
Here the steps you need:
1. Let your Windows AD admin create a service account (SA) for you, which should have admin rights on the BO server,
ie: bo_user
2. The SA should have checked: "User Cannot Change Password" + "Password never expires"
3. The SA should also have checked: "Trust this user for delegation to any service (Kerberos only)"
HINT
There is a fix for Windows 2003 AD Server which is necessary to handle the SPN users correctly; ask your admin which server you are using.
HINT
4. Your Admin now should create the service SPNs with:
setspn -a HTTP/hostname .. ie: HTTP/BOSERVER (everything in upper case letters, don't use any underscores)
setspn -a HTTP/fully qualified host name .. ie: HTTP/BOSERVER.WORK.COM
setspn -a HTTP/ip-address .. ie: HTTP/179.120.120.12
HINT
If you are using HTTPS on the server, you will still need HTTP entries within your SPN
HINT
5. Your Admin should now create your KTPASS file
ktpass -out vintela.keytab -princ HTTP/BOSERVER@WINAUTHTZ.COM -mapuser bo_user -pass <password> -kvno 255 -ptype KRB5_NT_PRINCIPAL -crypto RC4-HMAC-NT
6. Your admin should now reset the password for the user in Windows AD to the original, and then copy the KTPASS file "vintela.keytab" to your server
7. Enter the user + domain to your CMCAPP under AD Groups. And enter the SPN name HTTP/BOSERVER under "Use Kerberos authentication -> Service Principal Name"
8. Stop your SIA via CMS (= main service running on the BO Server) and run it with different user ie: bo_user
9. Make sure that your user, ie: bo_user, has within "Local Security Setting -> Local Policies -> User Rights Assignment" the role "Act as part of the operating system"
10. Enter details for KRB5.ini and BSCLogin.conf to Tomcat launch properties
-Djava.security.auth.login.config=C:\winnt\bscLogin.conf
-Djava.security.krb5.conf=C:\winnt\Krb5.ini
HINT
The web.xml files are under your BO Installation within the Tomcat webapp directory
ie: C:\Program Files (x86)\Business Objects\Tomcat55\webapps\InfoViewApp\WEB-INF
HINT
11. Within the web.xml files (opendocument, InfoViewApp, dswsbobje) enter true for vintela.enabled, and disable siteminder
12. Within the web.xml for vintela
idm.realm = WORK.COM
idm.princ = HTTP/BOSERVER
13. Within the web.xml for vintela
create an entry for idm.keytab with the location of your keytab file
ie:
<init-param>
<param-name>idm.keytab</param-name>
<param-value>c:\winnt\vintela.keytab</param-value>
</init-param>
HINT
You can open the content of the keytab file, where you should find your SPN/idm.princ in readable format, HTTP/BOSERVER
HINT
I hope I have covered everything essential
ciao Hakan
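The hint in step 13 says the SPN should be visible inside the keytab. What follows is an added example, not code from Hakan's post or from SAP or Vintela: a small parser for the MIT keytab layout (version 0x0502, the format ktpass writes) that lists each entry's principal, kvno and encryption type without exposing the key bytes, and flags entries that use RC4 or DES. The sample keytab bytes, the all-zero key material and the timestamp are constructed for this example, and the layout assumptions are marked in the code.

```python
import struct
from dataclasses import dataclass
from typing import List, Tuple

# Kerberos encryption-type numbers from the IANA registry (RFC 3961 and successors).
ETYPE_NAMES = {1: "des-cbc-crc", 3: "des-cbc-md5", 16: "des3-cbc-sha1",
               17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}
LEGACY_ETYPES = {1, 3, 16, 23}   # DES, 3DES and RC4 keys: worth flagging during a review
KRB5_NT_PRINCIPAL = 1            # name type written by "ktpass -ptype KRB5_NT_PRINCIPAL"


@dataclass
class KeytabEntry:
    principal: str   # e.g. HTTP/BOSERVER@WORK.COM
    name_type: int
    timestamp: int
    kvno: int
    etype: int
    key_len: int     # the key bytes are skipped over, never stored or printed

    @property
    def etype_name(self) -> str:
        return ETYPE_NAMES.get(self.etype, f"etype-{self.etype}")

    @property
    def is_legacy(self) -> bool:
        return self.etype in LEGACY_ETYPES


def _counted(data: bytes, off: int) -> Tuple[bytes, int]:
    """Read a 16-bit big-endian length followed by that many bytes."""
    (n,) = struct.unpack_from(">H", data, off)
    return data[off + 2:off + 2 + n], off + 2 + n


def parse_keytab(data: bytes) -> List[KeytabEntry]:
    """Parse a version-2 (0x0502) MIT keytab (assumption: the layout ktpass and kadmin write)."""
    if data[:2] != b"\x05\x02":
        raise ValueError(f"unsupported keytab version {data[:2]!r}")
    off, entries = 2, []
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size < 0:                       # a negative size marks a deleted slot of |size| bytes
            off += -size
            continue
        end = off + size
        (ncomp,) = struct.unpack_from(">H", data, off)
        realm, off = _counted(data, off + 2)
        comps = []
        for _ in range(ncomp):
            comp, off = _counted(data, off)
            comps.append(comp.decode())
        name_type, timestamp, vno8 = struct.unpack_from(">IIB", data, off)
        etype, klen = struct.unpack_from(">HH", data, off + 9)
        off += 13 + klen                   # skip the key material
        kvno = vno8
        if end - off >= 4:                 # an optional 32-bit kvno trails the key when present
            (kvno32,) = struct.unpack_from(">I", data, off)
            kvno = kvno32 or vno8
        principal = "/".join(comps) + "@" + realm.decode()
        entries.append(KeytabEntry(principal, name_type, timestamp, kvno, etype, klen))
        off = end
    return entries


def build_keytab(specs) -> bytes:
    """Write the same layout; used here only to construct a sample file offline."""
    out = bytearray(b"\x05\x02")
    for principal, name_type, timestamp, kvno, etype, key in specs:
        name, realm = principal.split("@")
        body = bytearray(struct.pack(">H", len(name.split("/"))))
        body += struct.pack(">H", len(realm)) + realm.encode()
        for comp in name.split("/"):
            body += struct.pack(">H", len(comp)) + comp.encode()
        body += struct.pack(">IIB", name_type, timestamp, kvno & 0xFF)
        body += struct.pack(">HH", etype, len(key)) + key
        body += struct.pack(">I", kvno)
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def audit_keytab(data: bytes, expected_principal: str) -> List[str]:
    """Return review findings: the expected SPN is absent, or an entry uses a legacy etype."""
    entries = parse_keytab(data)
    findings = []
    if not any(e.principal == expected_principal for e in entries):
        findings.append(f"expected principal {expected_principal} not found in keytab")
    for e in entries:
        if e.is_legacy:
            findings.append(f"{e.principal}: kvno {e.kvno} uses legacy etype {e.etype_name}")
    return findings


# Constructed sample: what "ktpass ... -kvno 255 -crypto RC4-HMAC-NT" would hold, with a dummy
# all-zero 16-byte key instead of a real NT hash, plus an AES256 entry for contrast.
SAMPLE_KEYTAB = build_keytab([
    ("HTTP/BOSERVER@WORK.COM", KRB5_NT_PRINCIPAL, 1325203200, 255, 23, bytes(16)),
    ("HTTP/BOSERVER@WORK.COM", KRB5_NT_PRINCIPAL, 1325203200, 255, 18, bytes(32)),
])
# The same file with a deleted 8-byte slot in front, to exercise the hole-skipping branch.
SAMPLE_KEYTAB_WITH_HOLE = b"\x05\x02" + struct.pack(">i", -8) + bytes(8) + SAMPLE_KEYTAB[2:]

if __name__ == "__main__":
    for e in parse_keytab(SAMPLE_KEYTAB):
        print(f"{e.kvno:4d}  {e.principal}  ({e.etype_name})")
    for f in audit_keytab(SAMPLE_KEYTAB, "HTTP/BOSERVER@WORK.COM"):
        print("FINDING:", f)
```

Run against a real file with `parse_keytab(open(path, "rb").read())`; the principal string should match the idm.princ and idm.realm values from steps 12 and 13, and the kvno should match the value passed to ktpass, otherwise the ticket the browser presents will not decrypt.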
Hi Phil!
> HINT
> You can open the content of the keytab file, where you should find your SPN/idm.princ in readable format HTTP/BOSERVER
> HINT
>
> I hope I have covered everything essential
> ciao Hakan
In my latest keytab, run with the syntax of my previous post, I see this:
CAL.COMMUNITY.COM HTTP ETBO1
Thanks,
Phil
And should the following text in web.xml be uncommented?
<!-- For Vintela SSO the following filter mapping needs to be uncommented.
There is also a filter which needs to be uncommented.
-->
<!--
<filter-mapping>
<filter-name>authFilter</filter-name>
<url-pattern>/logon/logonService.do</url-pattern>
</filter-mapping>
-->
Yes, the below should be uncommented:
<!-- For Vintela SSO the following filter mapping needs to be uncommented.
There is also a filter which needs to be uncommented.
-->
<!--
<filter-mapping>
<filter-name>authFilter</filter-name>
<url-pattern>/logon/logonService.do</url-pattern>
</filter-mapping>
-->
It should look like below:
<!-- For Vintela SSO the following filter mapping needs to be uncommented.
There is also a filter which needs to be uncommented.
-->
<filter-mapping>
<filter-name>authFilter</filter-name>
<url-pattern>/logon/logonService.do</url-pattern>
</filter-mapping>
Things seem to be falling into place now.
On my remote machine I can log into infoview with SSO.
On the local machine I get this error
HTTP Status 500 - com.wedgetail.idm.sso.ProtocolException: com.wedgetail.idm.spnego.server.SpnegoException: com.dstc.security.util.asn1.Asn1Exception: Bad tag encountered: 78
When I try to login into OpenDocument http://etbo1:8080/OpenDocument/opendoc/openDocument.jsp
I get the following error:
An error has occurred: An error occured while trying to view the document
Please make sure the Service User is a Local Administrator of the server, and also check under Policies for the "Act as a part of the operating system" user right.
Also please increase the MaxHttpHeaderSize value for Non-SSL.
Please check the below notes:
1495990 - HTTP Status 500 - com.wedgetail.idm.sso.ProtocolException: com.wedgetail.idm.spnego.server.SpnegoException: GSSException: Failure unspecified at GSS-API level
1302775 - Error: HTTP Status 500 - com.wedgetail.idm.sso.ProtocolException when logging into Infoview with Active Directory Single Sign-On
I have set the header size for both HTTP and HTTPS to the settings posted on page 1 of this doc.
In server.xml in Tomcat55/Conf folder change as below
<Connector URIEncoding="UTF-8" acceptCount="100" connectionTimeout="20000" disableUploadTimeout="true" enableLookups="false" maxHttpHeaderSize="32768" maxSpareThreads="75" maxThreads="150" minSpareThreads="25" port="8080" redirectPort="8443" />
I only get the wedgetail HTTP Status 500 error on the host server, not the clients.
Edited by: PAPutzback on Dec 30, 2011 6:56 PM
Hi Phil,
We need to change it on the server side for the Bad Tag error 78.
The maximum GET length is a client (browser) related issue. Servers MUST be able to handle the URI of any resource they serve, and SHOULD be able to handle URIs of unbounded length if they provide GET-based forms that could generate such URIs.
Let's increase the value of MaxHttpHeaderSize to 65536.
Also check if the IE browser settings are correct:
- Enable Integrated Windows Authentication
- Add the InfoView link to the Local Intranet sites.
Can you please check in other browsers also.
Did you add the below parameters in the Tomcat configuration?
-Djcsi.kerberos.maxpacketsize=0
-Djcsi.kerberos.debug=true
Also, could you try with:
-Dsun.security.krb5.debug=true
The last one will create a huge file, so I would say immediately disable this tracing after the issue is reproduced.
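Two files keep coming up in this thread: the web.xml authFilter block that the earlier answer says must be uncommented (vintela.enabled, the idm.* init-params and the filter-mapping for /logon/logonService.do), and the Tomcat server.xml maxHttpHeaderSize that the reply above asks to raise to 65536. The script below is an added example, not from any poster here or from SAP: it audits both files and reports what is still commented out or below the recommended limit. Both sample documents are constructed; the filter-class name com.example.AuthFilter is a placeholder, and 4096 is Tomcat 5.5's documented default when maxHttpHeaderSize is absent.

```python
import xml.etree.ElementTree as ET
from typing import Dict, List

TOMCAT55_DEFAULT_HEADER_SIZE = 4096   # Tomcat 5.5 default when maxHttpHeaderSize is not set


def make_web_xml(keytab_active: bool, mapping_active: bool) -> str:
    """Constructed, cut-down web.xml. The flags leave the idm.keytab init-param and the
    authFilter filter-mapping inside XML comments, as the shipped file has them.
    com.example.AuthFilter is a placeholder class name, not the real filter."""
    k_open, k_close = ("", "") if keytab_active else ("<!--", "-->")
    m_open, m_close = ("", "") if mapping_active else ("<!--", "-->")
    return f"""<web-app xmlns="http://java.sun.com/xml/ns/j2ee" version="2.4">
  <context-param>
    <param-name>vintela.enabled</param-name>
    <param-value>true</param-value>
  </context-param>
  <filter>
    <filter-name>authFilter</filter-name>
    <filter-class>com.example.AuthFilter</filter-class>
    <init-param><param-name>idm.realm</param-name><param-value>WORK.COM</param-value></init-param>
    <init-param><param-name>idm.princ</param-name><param-value>HTTP/BOSERVER</param-value></init-param>
    {k_open}
    <init-param><param-name>idm.keytab</param-name><param-value>c:\\winnt\\vintela.keytab</param-value></init-param>
    {k_close}
  </filter>
  {m_open}
  <filter-mapping>
    <filter-name>authFilter</filter-name>
    <url-pattern>/logon/logonService.do</url-pattern>
  </filter-mapping>
  {m_close}
</web-app>
"""


# Constructed server.xml fragment using the 32768-byte value posted earlier in the thread.
SERVER_XML = """<Server><Service name="Catalina">
  <Connector port="8080" maxHttpHeaderSize="32768" redirectPort="8443" />
  <Connector port="8443" scheme="https" secure="true" />
</Service></Server>"""


def _local(tag: str) -> str:
    return tag.rsplit("}", 1)[-1]        # strip the j2ee namespace that ET prepends


def _children(el, name: str):
    return [c for c in el if _local(c.tag) == name]


def _text(el, name: str) -> str:
    found = _children(el, name)
    return (found[0].text or "").strip() if found else ""


def _params(el, wrapper: str) -> Dict[str, str]:
    """param-name -> param-value for the <context-param>/<init-param> children of el."""
    return {_text(p, "param-name"): _text(p, "param-value") for p in _children(el, wrapper)}


def audit_web_xml(xml_text: str, filter_name: str = "authFilter",
                  logon_pattern: str = "/logon/logonService.do") -> List[str]:
    # ET discards comments, so anything still commented out is simply absent from the tree.
    root = ET.fromstring(xml_text)
    findings = []
    if _params(root, "context-param").get("vintela.enabled", "").lower() != "true":
        findings.append("context-param vintela.enabled is not true")
    filters = [f for f in _children(root, "filter") if _text(f, "filter-name") == filter_name]
    if not filters:
        findings.append(f"<filter> {filter_name} is missing or commented out")
    else:
        init = _params(filters[0], "init-param")
        for key in ("idm.realm", "idm.princ", "idm.keytab"):
            if not init.get(key):
                findings.append(f"init-param {key} is missing or commented out")
        princ = init.get("idm.princ", "")
        if princ and not princ.startswith("HTTP/"):
            findings.append(f"idm.princ {princ!r} is not an HTTP/<host> service principal")
    patterns = {_text(m, "url-pattern") for m in _children(root, "filter-mapping")
                if _text(m, "filter-name") == filter_name}
    if logon_pattern not in patterns:
        findings.append(f"no active <filter-mapping> of {filter_name} to {logon_pattern}")
    return findings


def audit_server_xml(xml_text: str, minimum: int = 65536) -> List[str]:
    """Flag every <Connector> whose header limit is below the value recommended in the thread."""
    findings = []
    for conn in ET.fromstring(xml_text).iter("Connector"):
        size = int(conn.get("maxHttpHeaderSize", TOMCAT55_DEFAULT_HEADER_SIZE))
        if size < minimum:
            findings.append(f"Connector port {conn.get('port')}: maxHttpHeaderSize={size} < {minimum}")
    return findings


WEB_XML_BEFORE = make_web_xml(keytab_active=False, mapping_active=False)
WEB_XML_AFTER = make_web_xml(keytab_active=True, mapping_active=True)

if __name__ == "__main__":
    for label, doc in (("web.xml before", WEB_XML_BEFORE), ("web.xml after", WEB_XML_AFTER)):
        print(label, audit_web_xml(doc) or "OK")
    print("server.xml", audit_server_xml(SERVER_XML) or "OK")
```

Point `audit_web_xml` at each of the three web.xml files named in step 11 (opendocument, InfoViewApp, dswsbobje) rather than only InfoViewApp; a filter-mapping that is active in one application and still commented out in another explains an SSO that works for one URL and not for the next. The HTTPS connector is audited too because the Kerberos ticket travels in the Authorization header on both ports.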
I changed the maxHTTPHeader size.
The other settings already existed
I added the krb5.debug=true setting
Here is the log after trying to open InfoView:
30-12-11 14:30:15:288 - [/InfoViewApp].[action] Thread [http-8080-Processor25]; Servlet.service() for servlet action threw exception java.lang.IllegalStateException [DEBUG] Fri Dec 30 14:30:15 EST 2011 jcsi.kerberos: GSS: Acceptor supports: KRB5 30-12-11 14:30:15:335 - [/InfoViewApp].[jsp] Thread [http-8080-Processor25]; Servlet.service() for servlet jsp threw exception
java.lang.NullPointerException
Dec 30, 2011 2:30:15 PM org.apache.catalina.core.StandardHostValve custom
SEVERE: Exception Processing ErrorPage[errorCode=500, location=/httperror_500.jsp]
Excellent job, giving all those details.
Now, I have read Tim Ziemba's docs since the beginning, but I have never really understood the correct format to use for the Service Principal Name we use on the CMC.
Currently I have "BOSSO/ServerName.myDomain.COM", but other post say to use: "BOCMS/ServiceAcct.myDomain.COM".
Which is the correct format? Also do I use this on the web.xml for idm.princ or use the ServiceAcct?