BO xi3.1 AD authentication issues after a DC was decommissioned.

Hello,

We have recently had an issue with Windows AD authentication after several DCs were decommissioned at our company. We have two domains; for this thread we will call domain 1 Alpha and domain 2 Beta. Absolutely nothing was changed in the BO config. Everyone was working fine yesterday. Users from DC Alpha have no issues with AD authentication; however, users from domain Beta get:

  • Account Information Not Recognized: Active Directory Authentication failed to log you on. Please contact your system administrator to make sure you are a member of a valid mapped group and try again. If you are not a member of the default domain, enter your user name as UserName@DNS_DomainName, and then try again. (FWM 00006)

We are sure there is a reference to a decommissioned DC somewhere in the config, but we cannot find it. Does anyone have a clue as to where these references are located? Or are we barking up the wrong tree, since LDAP is not used? Thank you in advance for your input.

Accepted Solutions (1)

former_member189884

Check your krb5.ini file on the server, in either C:\Windows or, if you followed older docs, C:\WINNT.

-Josh

Answers (2)

Hi Josh,

We finally tested login this morning for the Bravo domain. For some odd reason they are still getting the same login error. This is a clustered configuration. I did find a krb5.ini file on both servers and made the change. Do we need to restart the CMS DB as well? Stuck. Thank you.

former_member189884

You should only need to restart the web app server; Tomcat is the default.

You can always go to the bin directory of the JRE being used by your web app server and run the kinit command to verify the krb5.ini settings: kinit user@DOMAIN.COM

Also, enabling Kerberos logs or collecting a Wireshark trace on the web app server can show a bit more. Logs: How to enable Kerberos event logging

Thank you Josh, here is what we get for the failed user.

D:\Business Objects\javasdk\jre\bin>kinit preis@KAPLANINC.COM
Password for user@BRAVO.COM:@@@@@@@
Exception: krb_error 14 KDC has no support for encryption type (14) KDC has no support for encryption type
KrbException: KDC has no support for encryption type (14)
        at sun.security.krb5.KrbAsRep.<init>(KrbAsRep.java:66)
        at sun.security.krb5.KrbAsReq.getReply(KrbAsReq.java:486)
        at sun.security.krb5.KrbAsReq.getReply(KrbAsReq.java:444)
        at sun.security.krb5.internal.tools.Kinit.sendASRequest(Kinit.java:310)
        at sun.security.krb5.internal.tools.Kinit.<init>(Kinit.java:259)
        at sun.security.krb5.internal.tools.Kinit.main(Kinit.java:106)
Caused by: KrbException: Identifier doesn't match expected value (906)
        at sun.security.krb5.internal.KDCRep.init(KDCRep.java:133)
        at sun.security.krb5.internal.ASRep.init(ASRep.java:58)
        at sun.security.krb5.internal.ASRep.<init>(ASRep.java:53)
        at sun.security.krb5.KrbAsRep.<init>(KrbAsRep.java:50)
        ... 5 more

D:\Business Objects\javasdk\jre\bin>

former_member189884

Sounds like you are using a 2008 DC and DES is being attempted. Make sure the service account does not have DES enabled, but also add the following two lines to the libdefaults section of the krb5.ini:

default_tgs_enctypes = rc4-hmac
default_tkt_enctypes = rc4-hmac

Former Member

Hello,

For today's reader, in 2016: don't use RC4 as the Kerberos encryption algorithm!

See:

Kerberos(SSO): throw RC4 away, adopt AES !

Regards,

Stéphane

You hit that one WAY out of the park on the first swing. I cannot thank you enough.

former_member189884

Glad to get you running again. As an FYI, in the krb5.ini file you can specify multiple KDCs, for example:

KDC = DC1.DOMAIN.COM
KDC = DC2.DOMAIN.COM
KDC = DC3.DOMAIN.COM
KDC = DC4.DOMAIN.COM
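The thread's advice adds up to a small audit of krb5.ini: check the kdc lines of each realm for a decommissioned DC (Josh's first answer and the multiple-KDC tip above), check the enctype settings in [libdefaults] (Josh's rc4-hmac workaround and Stéphane's objection that RC4 should be replaced by AES). The script below is an added example, not code from the thread or from SAP. It parses a krb5.ini with a hand-written parser (configparser cannot read the nested REALM = { ... } blocks), reports kdc entries that name a retired DC, reports DES/RC4 enctypes, and rewrites existing enctype lines to AES. The realm and host names are invented, and RETIRED_DCS is a constructed stand-in for your AD team's list of decommissioned controllers; nothing is resolved or contacted on the network.

```python
"""Audit a krb5.ini for decommissioned KDCs and weak Kerberos enctypes.

Added example for this thread, not from the original posts or from SAP.
Realm and host names are invented; RETIRED_DCS is constructed input.
"""
import re

# Enctypes a modern KDC should not be offered: single DES, 3DES and RC4.
WEAK_ENCTYPES = {
    "des-cbc-crc", "des-cbc-md5", "des3-cbc-sha1",
    "rc4-hmac", "arcfour-hmac", "arcfour-hmac-md5",
}
ENCTYPE_KEYS = ("default_tkt_enctypes", "default_tgs_enctypes", "permitted_enctypes")
AES_ENCTYPES = "aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96"

# Constructed sample mirroring the thread: rc4-only libdefaults and a second
# realm whose only kdc line points at a DC that no longer exists.
SAMPLE_KRB5_INI = """\
[libdefaults]
default_realm = ALPHA.EXAMPLE.COM
dns_lookup_kdc = false
default_tgs_enctypes = rc4-hmac
default_tkt_enctypes = rc4-hmac
forwardable = true
udp_preference_limit = 1

[realms]
ALPHA.EXAMPLE.COM = {
  kdc = dc1.alpha.example.com
  kdc = dc2.alpha.example.com
  default_domain = alpha.example.com
}
BETA.EXAMPLE.COM = {
  kdc = dc1.beta.example.com      ; the DC that was decommissioned
  default_domain = beta.example.com
}

[domain_realm]
.alpha.example.com = ALPHA.EXAMPLE.COM
.beta.example.com = BETA.EXAMPLE.COM
"""
RETIRED_DCS = ["dc1.beta.example.com"]  # constructed: what your AD team tells you


def parse_krb5(text):
    """Parse krb5.ini into {section: {key: [values]}}. Realm blocks become
    nested dicts under 'realms'; repeated keys (several kdc lines) are kept."""
    conf, section, realm = {}, None, None
    for raw in text.splitlines():
        line = re.split(r"[#;]", raw, maxsplit=1)[0].strip()  # drop comments
        if not line:
            continue
        m = re.fullmatch(r"\[(\w+)\]", line)
        if m:
            section, realm = m.group(1).lower(), None
            conf.setdefault(section, {})
            continue
        if section is None:
            raise ValueError(f"key outside any section: {line}")
        if line == "}":
            realm = None
            continue
        m = re.fullmatch(r"([\w.\-]+)\s*=\s*\{", line)
        if m:                                   # start of REALM = { ... }
            realm = m.group(1)
            conf[section].setdefault(realm, {})
            continue
        key, _, value = line.partition("=")
        target = conf[section][realm] if realm else conf[section]
        target.setdefault(key.strip().lower(), []).append(value.strip())
    return conf


def audit(text, retired_kdcs):
    """Return findings: weak enctypes in [libdefaults], and kdc entries in
    [realms] that name a decommissioned DC (checked against a list, not DNS)."""
    conf = parse_krb5(text)
    findings = []
    for key in ENCTYPE_KEYS:
        for value in conf.get("libdefaults", {}).get(key, []):
            weak = [e for e in value.split() if e.lower() in WEAK_ENCTYPES]
            if weak:
                findings.append(f"libdefaults {key}: weak enctype(s) {' '.join(weak)}")
    retired = {h.lower() for h in retired_kdcs}
    for realm, entries in conf.get("realms", {}).items():
        if not isinstance(entries, dict):
            continue
        hosts = [v.split(":")[0].lower() for v in entries.get("kdc", [])]  # strip :port
        for host in hosts:
            if host in retired:
                findings.append(f"realm {realm}: kdc {host} is decommissioned")
        if hosts and all(h in retired for h in hosts):
            findings.append(f"realm {realm}: every listed kdc is decommissioned; add a live DC")
    return findings


def harden_enctypes(text):
    """Rewrite existing default_*_enctypes / permitted_enctypes lines to AES only.
    Assumes (not verified here) that the service account and the DCs support AES.
    Absent keys stay absent, so re-check [libdefaults] afterwards."""
    pattern = re.compile(r"^([ \t]*(?:%s)[ \t]*=[ \t]*).*$" % "|".join(ENCTYPE_KEYS),
                         re.M | re.I)
    return pattern.sub(lambda m: m.group(1) + AES_ENCTYPES, text)


if __name__ == "__main__":
    for finding in audit(SAMPLE_KRB5_INI, RETIRED_DCS):
        print("FINDING:", finding)
    print(harden_enctypes(SAMPLE_KRB5_INI))
```

Against a real server you would call audit() on the contents of C:\Windows\krb5.ini with your own retired-DC list. Before committing the AES rewrite, the BO service account must have AES enabled in AD and any keytab it uses regenerated; then restart the web app server and re-run the kinit check from the thread. The krb_error 14 shown earlier is the KDC rejecting the requested enctype, so it is the symptom to watch for if the account and the config disagree.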