on 01-23-2015 7:59 PM
Hello,
I'm in the process of setting up Windows AD and SSO authentication, and I'm at the stage where I should be able to log in to the BI launchpad using Windows AD. However, after I log in, the process hangs and then fails with the following message.
I made sure that I completed the following before trying to login:
(taken from page 276 of the BOE Admin guide 4.1)
• created a service account on the domain controller for the BI platform.
• verified that the HTTP service principal names (SPN) have been added to the service account.
• successfully mapped AD user groups into the BI platform.
• tested AD credentials on the CCM.
• created, configured, and tested the required configuration files for your web application server.
• the application server's Java settings have been modified to load the configuration files.
I have checked the Tomcat logs but don't see anything that stands out.
Can anyone recommend troubleshooting steps for this stage?
Appreciate the help.
Paul
I've managed to resolve this by running wdeploy after the following have been completed:
- bscLogin.conf file created
- krb5.ini file created
- BILaunchpad.properties file created
In order for information in the BILaunchpad.properties file to take effect, wdeploy needs to be run. First undeploy and then redeploy.
This post has some helpful information as well as links to SAP notes and the wdeploy guide.
Hi Paul,
Check for "Commit succeeded" and the user account name as:
principal is username@DOMAIN.COM in tomcat logs to verify if the bscLogin.conf file is being loaded fine by the application server.
Keep the thread posted.
Regards,
Nagendra
Hi Nagendra,
After attempting to login using WinAD, I checked the 'stdout' file in the Tomcat logs folder. The file did state:
Acquire TGT using AS Exchange
principal is user@domain
EncryptionKey: keyType=23 keyBytes (hex dump)=0000: BA E4 ED 52 43 08 79 70 4A A0 A5 D0 7F 13 BE BF ...RC.ypJ.......
Commit Succeeded
So, to your comment, it looks like the bscLogin.conf file is being loaded by the application server.
However, after attempting to login it takes 30-40 seconds and then gives me this message:
Any thoughts on what to check next?
Thanks, Paul
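The check discussed in the two posts above (look for the `principal is` line and `Commit Succeeded` in the Tomcat stdout), written as an added example that is not part of the original thread. The sample log is constructed from the lines quoted above with the key bytes replaced by a placeholder; the function name, the upper-case realm check (the usual AD convention) and the encryption-type table (standard Kerberos etype numbers, where 23 is RC4-HMAC) are assumptions of this example.

```python
import re

# Kerberos encryption type numbers; 23 is RC4-HMAC, 1 and 3 are single DES.
ETYPES = {1: "des-cbc-crc", 3: "des-cbc-md5", 17: "aes128-cts-hmac-sha1-96",
          18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}
WEAK_ETYPES = {1, 3, 23}

# Constructed sample modelled on the stdout lines quoted in the thread;
# the key bytes are replaced with a placeholder.
SAMPLE_LOG = """\
Acquire TGT using AS Exchange
principal is user@DOMAIN.COM
EncryptionKey: keyType=23 keyBytes (hex dump)=0000: <redacted>
Commit Succeeded
"""

PRINCIPAL_RE = re.compile(r"^\s*principal is (\S+)@(\S+)\s*$", re.I)
KEYTYPE_RE = re.compile(r"keyType=(\d+)")

def check_krb_login(log_text):
    """Summarise one JAAS Kerberos login attempt found in Tomcat stdout text."""
    result = {"principal": None, "realm": None, "etypes": [],
              "committed": False, "findings": []}
    for line in log_text.splitlines():
        m = PRINCIPAL_RE.match(line)
        if m:
            result["principal"], result["realm"] = m.group(1), m.group(2)
        m = KEYTYPE_RE.search(line)
        if m:
            result["etypes"].append(int(m.group(1)))
        if "keyBytes" in line:
            result["findings"].append("debug log contains key material: restrict access to it")
        if "commit succeeded" in line.lower():
            result["committed"] = True
    if result["principal"] is None:
        result["findings"].append("no 'principal is' line: login config may not be loaded")
    elif result["realm"] != result["realm"].upper():
        result["findings"].append("realm is not upper case: " + result["realm"])
    if not result["committed"]:
        result["findings"].append("no 'Commit Succeeded': TGT was not obtained")
    for e in result["etypes"]:
        if e in WEAK_ETYPES:
            result["findings"].append("weak encryption type %d (%s)" % (e, ETYPES[e]))
    return result

if __name__ == "__main__":
    print(check_krb_login(SAMPLE_LOG))
```

A clean result here only shows that the service account obtained a TGT; it says nothing about whether the redeployed web application picked up BILaunchpad.properties.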
Hi Paul,
I would like to advise the following:
1) Double check the .properties file for any typos
2) In regards to the Service Principal Name Entry in CMC >> Authentication >> Windows AD try the following:
Regards,
Nagendra
Hi Paul,
Check if there are any white spaces in the Service Principal Name under CMC>>Authentication>>WindowsAD.
List the SPNs for the service account by using setspn -l service_account_name and verify if the right SPN has been entered.
-Ambarish-
Hi,
always useful: enable the kerberos debugger and check the logs:
http://service.sap.com/sap/support/notes/1372493
Regards
-Seb.
Thanks Ambarish,
I checked the Service Principal Name and it's correct.
I found that when entering the SPN, it is validated once entered, and if it's incorrect an error will be thrown.
Could you confirm something for me? When I log into the 'manage servers' in the 'Central Configuration Manager', using Windows AD, doesn't this confirm that Windows AD is properly configured if login is successful?
I'm trying to identify a means to troubleshoot why Windows AD isn't working in the BI Launchpad but is working elsewhere.
Thanks, Paul
Seb,
I've enabled the kerberos debugger, however nothing seems to be jumping out of those log files.
What I was hoping is if you could comment on the Tomcat Java configuration details below. These are the properties currently in my Tomcat Java tab. Are these sufficient to enable manual AD authentication?
-Djava.library.path=C:\Windows\SysWOW64\;E:\Program Files (x86)\SAP BusinessObjects\SAP BusinessObjects Enterprise XI 4.0\win64_x64\
-Dcatalina.base=E:\Program Files (x86)\SAP BusinessObjects\tomcat\
-Dcatalina.home=E:\Program Files (x86)\SAP BusinessObjects\tomcat\
-Djava.endorsed.dirs=E:\Program Files (x86)\SAP BusinessObjects\tomcat\common\endorsed\
-Dbobj.enterprise.home=E:\Program Files (x86)\SAP BusinessObjects\SAP BusinessObjects Enterprise XI 4.0\
-Xrs
-XX:MaxPermSize=384M
-Djava.awt.headless=true
-XX:+HeapDumpOnOutOfMemoryError
-Xloggc:E:\Program Files (x86)\SAP BusinessObjects\tomcat\logs\tomcat.gc.log
-XX:+PrintGCDetails
-XX:+UseParallelOldGC
-Dcom.wedgetail.idm.sso.password=password
-Djava.security.auth.login.config=C:\Windows\bscLogin.conf
-Djava.security.krb5.conf=C:\Windows\Krb5.ini
-Djcsi.kerberos.debug=true
-Dlog4j.debug
Thanks, Paul
Sebastian,
I've enabled the kerberos debugger and have been looking through the stderr.log file. These are new to me but I'm trying to identify any clues as to why the attempt to login with manual AD hangs and then returns with this message:
Account information not recognized: The Active Directory Authentication plugin could not authenticate at this time. Please try again. If the problem persists, please contact your technical support department. (FWM 00005)
What I've noticed in the logs are the following patterns:
1) a 'info' section with details like this:
Feb 4, 2015 3:52:45 PM org.apache.catalina.startup.TaglibUriRule body
INFO: TLD skipped. URI: /WEB-INF/cetaglib is already defined
2) the above info ends with this JAVA IO message:
SEVERE: IOException while loading persisted sessions: java.io.EOFException
java.io.EOFException
This is followed by a number of lines with JAVA and Apache port numbers. This is then followed by more 'info' details.
3) The last section is the [DEBUG] details. What I see here is that Kerberos queries are being submitted and received and then the queries are re-submitted to the next AD server. The requests are repeated a number of times.
The last two lines of the log file are:
log4j:WARN No appenders could be found for logger (org.apache.axis2.deployment.WarBasedAxisConfigurator).
log4j:WARN Please initialize the log4j system properly.
As I've mentioned I'm not familiar enough with these logs to extract meaningful clues, does anything stand out for you?
Cheers, Paul
Since you have checked the logins via the CCM, the errors are in Java. Have you tested with Kinit? Also verify the case of everything is the same, and if anything else you can enable Kerberos logging in the registry to see if anything shows there: http://support.microsoft.com/kb/262177
Thanks Josh.
I have tested with Kinit and it was successful. I went through all the settings I'm aware of and made sure the case is all the same.
I'm wondering if I need to use WDeploy? In the Admin guide it states:
The new properties will take effect only after the BOE web application is redeployed on the machine running the web application server. Use WDeploy to redeploy BOE on the web application server. For more information on using WDeploy to undeploy web applications, see the SAP BusinessObjects Business Intelligence Platform Web Application Deployment Guide.
Also, the Microsoft link above seems to be empty?
Paul