windows AD authentication hanging then fails

Former Member
0 Kudos

Hello,

I'm in the process of setting up Windows AD and SSO authentication, and I'm at the stage where I should be able to log in to the BI launchpad using Windows AD. However, after I log in, the process hangs and then fails with the following message.

I made sure that I completed the following before trying to login:

(taken from page 276 of the BOE Admin guide 4.1)

• created a service account on the domain controller for the BI platform.

• verified that the HTTP service principal names (SPN) have been added to the service account.

• successfully mapped AD user groups into the BI platform.

• tested AD credentials on the CCM.

• created, configured, and tested the required configuration files for your web application server.

• the application server's Java settings have been modified to load the configuration files.

I have checked the Tomcat logs but don't see anything that stands out.

Can anyone recommend troubleshooting steps for this stage?

Appreciate the help.

Paul

Accepted Solutions (1)

Former Member
0 Kudos

I've managed to resolve this by running wdeploy after the following have been completed:

- bscLogin.conf file created

- krb5.ini file created

- BILaunchpad.properties file created

In order for information in the BILaunchpad.properties file to take effect, wdeploy needs to be run. First undeploy and then redeploy.

This post has some helpful information as well as links to SAP notes and the wdeploy guide.

http://scn.sap.com/thread/3400477

Answers (3)

former_member197037
Participant
0 Kudos

Hi Paul,

Check for "Commit succeeded" and the user account name as:

principal is username@DOMAIN.COM in tomcat logs to verify if the bscLogin.conf file is being loaded fine by the application server.

Keep the thread posted.

Regards,

Nagendra

Former Member
0 Kudos

Hi Nagendra,

After attempting to login using WinAD, I checked the 'stdout' file in the Tomcat logs folder. The file did state:

Acquire TGT using AS Exchange

principal is user@domain

EncryptionKey: keyType=23 keyBytes (hex dump)=0000: BA E4 ED 52 43 08 79 70   4A A0 A5 D0 7F 13 BE BF  ...RC.ypJ.......

Commit Succeeded

So, to your comment, it looks like the bscLogin.conf file is being loaded by the application server.

However, after attempting to login it takes 30-40 seconds and then gives me this message:

Any thoughts on what to check next?

Thanks, Paul
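The log check Nagendra describes and the lines Paul quotes back can be turned into a small parser. This is an added example, not code from the thread or from SAP: it reads the Krb5LoginModule debug lines that Java writes to Tomcat's stdout and reports whether a TGT was requested, for which principal and realm, with which encryption type, and whether the login committed. SAMPLE_STDOUT is constructed from the lines quoted above (the realm 'domain' is Paul's placeholder); SAMPLE_NO_COMMIT is a constructed failure case.

```python
"""Added example (not from the original thread): parse Krb5LoginModule debug
output from Tomcat's stdout into a structured login summary."""
import re

# Kerberos encryption type numbers (IANA registry, RFC 3961 / RFC 6649).
ENCTYPES = {
    1: "des-cbc-crc",
    3: "des-cbc-md5",
    17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96",
    23: "rc4-hmac",  # keyType=23 in Paul's log: NT-hash based, weaker than AES
}

# Constructed sample, assembled from the lines quoted in the thread.
SAMPLE_STDOUT = """\
Acquire TGT using AS Exchange
principal is user@domain
EncryptionKey: keyType=23 keyBytes (hex dump)=0000: BA E4 ED 52 43 08 79 70   4A A0 A5 D0 7F 13 BE BF  ...RC.ypJ.......
Commit Succeeded
"""

# Constructed negative sample: the AS exchange starts but nothing commits.
SAMPLE_NO_COMMIT = """\
Acquire TGT using AS Exchange
principal is user@domain
"""


def parse_krb5_login_debug(text):
    """Summarise one Krb5LoginModule debug run from a stdout excerpt."""
    res = {"tgt_requested": False, "principal": None, "realm": None,
           "enctype": None, "committed": False, "warnings": []}
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Acquire TGT using AS Exchange"):
            res["tgt_requested"] = True
        elif line.startswith("principal is "):
            res["principal"] = line[len("principal is "):].strip()
        elif line.startswith("EncryptionKey:"):
            m = re.search(r"keyType=(\d+)", line)
            if m:
                kt = int(m.group(1))
                res["enctype"] = ENCTYPES.get(kt, f"unknown({kt})")
        elif line.lower().startswith("commit succeeded"):
            res["committed"] = True

    # Realm names are case-sensitive in Kerberos; AD realms are upper case.
    if res["principal"] and "@" in res["principal"]:
        res["realm"] = res["principal"].rsplit("@", 1)[1]
        if res["realm"] != res["realm"].upper():
            res["warnings"].append(
                f"realm '{res['realm']}' is not upper case; check the realm/domain spelling")
    if not res["tgt_requested"]:
        res["warnings"].append("no AS exchange logged: bscLogin.conf is probably not loaded")
    elif res["enctype"] is None:
        res["warnings"].append("AS exchange started but no session key logged: check KDC reachability and pre-auth")
    elif not res["committed"]:
        res["warnings"].append("TGT obtained but login did not commit")
    if res["enctype"] == "rc4-hmac":
        res["warnings"].append("session key is rc4-hmac; prefer AES enctypes on the service account where the domain allows")
    return res


if __name__ == "__main__":
    for name, sample in (("ok", SAMPLE_STDOUT), ("no-commit", SAMPLE_NO_COMMIT)):
        print(name, parse_krb5_login_debug(sample))
```

A "Commit Succeeded" with a session key, as in Paul's log, means the Java side reached a domain controller and obtained a TGT for the service account, so the remaining problem lies after the JAAS login (the CMC-side SPN/properties configuration or the deployed web application), not in bscLogin.conf itself.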

former_member197037
Participant
0 Kudos

Hi Paul,

I would like to advise the following:

1) Double check the .properties file for any typos

2) In regards to the Service Principal Name Entry in CMC >> Authentication >> Windows AD try the following:

  • Ensure there are no typos or white spaces before or after the SPN
  • Replace the SPN entry in CMC from the registered SPN say BOSSO/CMS.DOMAIN.COM to the service account name. Click Update and try logging in again.

Regards,

Nagendra

former_member191664
Active Contributor
0 Kudos

Do you set udp_preference_limit = 1 in your C:\Windows\Krb5.ini?

Hope this helps,

Jin-Chong

Former Member
0 Kudos

Thanks Nagendra,

I followed your suggestions, however, what resolved this for me (finally) was to run wdeploy, and undeploy and then redeploy. After that I was able to login with Windows AD successfully.

Thanks for your help, much appreciated.

Paul

former_member926196
Active Participant
0 Kudos

Hi Paul,

Check if there are any white spaces in the Service Principal Name under CMC>>Authentication>>WindowsAD.

List the SPNs for the service account by using setspn -l service_account_name and verify that the right SPN has been entered.

-Ambarish-

0 Kudos

Hi,

Always useful: enable the Kerberos debugger and check the logs:

http://service.sap.com/sap/support/notes/1372493

Regards

-Seb.

Former Member
0 Kudos

Thanks Ambarish,

I checked the Service Principal Name and it's correct.

I found that when entering the SPN, it is validated once entered, and if it's incorrect an error will be thrown.

Could you confirm something for me? When I log into 'Manage Servers' in the Central Configuration Manager using Windows AD, doesn't this confirm that Windows AD is properly configured if login is successful?

I'm trying to identify a means to troubleshoot why Windows AD isn't working in the BI Launchpad but is working elsewhere.

Thanks, Paul

0 Kudos

Hi,

this means that the C++ part of the application is working. These parts are the CMS Service, CCM, Universe Designer etc.

When this is working you can narrow down the issue to the Java Part of the Application, meaning the configuration of the Tomcat for Windows AD.

Regards

-Seb.

Former Member
0 Kudos

Seb,

I've enabled the Kerberos debugger, however nothing seems to be jumping out of those log files.

What I was hoping is if you could comment on the Tomcat Java configuration details below. These are the properties currently in my Tomcat Java tab. Are these sufficient to enable manual AD authentication?

-Djava.library.path=C:\Windows\SysWOW64\;E:\Program Files (x86)\SAP BusinessObjects\SAP BusinessObjects Enterprise XI 4.0\win64_x64\

-Dcatalina.base=E:\Program Files (x86)\SAP BusinessObjects\tomcat\

-Dcatalina.home=E:\Program Files (x86)\SAP BusinessObjects\tomcat\

-Djava.endorsed.dirs=E:\Program Files (x86)\SAP BusinessObjects\tomcat\common\endorsed\

-Dbobj.enterprise.home=E:\Program Files (x86)\SAP BusinessObjects\SAP BusinessObjects Enterprise XI 4.0\

-Xrs

-XX:MaxPermSize=384M

-Djava.awt.headless=true

-XX:+HeapDumpOnOutOfMemoryError

-Xloggc:E:\Program Files (x86)\SAP BusinessObjects\tomcat\logs\tomcat.gc.log

-XX:+PrintGCDetails

-XX:+UseParallelOldGC

-Dcom.wedgetail.idm.sso.password=password

-Djava.security.auth.login.config=C:\Windows\bscLogin.conf

-Djava.security.krb5.conf=C:\Windows\Krb5.ini

-Djcsi.kerberos.debug=true

-Dlog4j.debug

Thanks, Paul

0 Kudos

Hello,

These settings look fine. Check the .properties files you configured for any typos. These are usually the root cause of AD issues. Please note that the Java part is case sensitive. Any information related to the domain (hostnames, FQDNs, etc.) should be in upper case.

Regards

-Seb.
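Several replies in this thread amount to the same kind of check: Jin-Chong's udp_preference_limit = 1 in krb5.ini, Ambarish's white-space check on the SPN entered in the CMC, Seb's point that the Java side is case sensitive and that typos in the configuration files are the usual root cause, and the -D options Paul posted from his Tomcat Java tab. The following is an added example, not code from the thread or from SAP: an offline linter that reads those artefacts and lists the problems before you restart Tomcat. The krb5.ini and bscLogin.conf contents are constructed samples (bscLogin.conf in the form the BOE admin guide prescribes, reproduced from memory, so compare it with your own copy); DOMAIN.COM, DC1.DOMAIN.COM and BOSSO/CMS.DOMAIN.COM are placeholders. udp_preference_limit = 1 makes the Java Kerberos client talk to the KDC over TCP; AD replies carrying a large PAC do not fit in a UDP datagram, and the resulting retries are one known cause of the slow, repeated KDC requests Paul describes.

```python
"""Added example (not from the original thread): offline lint of the Java-side
Windows AD configuration pieces discussed in the replies."""
import re

REQUIRED_JVM_PROPS = ("java.security.auth.login.config", "java.security.krb5.conf")
LOGIN_ENTRY = "com.businessobjects.security.jgss.initiate"
KRB5_MODULE = "com.sun.security.auth.module.Krb5LoginModule"

# Constructed sample: lower-case realm, no udp_preference_limit (the "before").
WEAK_KRB5_INI = """
[libdefaults]
default_realm = domain.com
dns_lookup_kdc = true
dns_lookup_realm = true

[realms]
domain.com = {
 kdc = dc1.domain.com
 default_domain = domain.com
}
"""

# Constructed sample: the corrected form (the "after").
FIXED_KRB5_INI = """
[libdefaults]
default_realm = DOMAIN.COM
dns_lookup_kdc = true
dns_lookup_realm = true
udp_preference_limit = 1

[realms]
DOMAIN.COM = {
 kdc = DC1.DOMAIN.COM
 default_domain = DOMAIN.COM
}
"""

# Constructed sample of the JAAS entry BOE expects (verify against your admin guide).
BSC_LOGIN_CONF = """
com.businessobjects.security.jgss.initiate {
 com.sun.security.auth.module.Krb5LoginModule required;
};
"""

# The Kerberos-related -D options Paul posted from his Tomcat Java tab.
JVM_OPTIONS = [
    r"-Djava.security.auth.login.config=C:\Windows\bscLogin.conf",
    r"-Djava.security.krb5.conf=C:\Windows\Krb5.ini",
    "-Djcsi.kerberos.debug=true",
]


def parse_krb5_ini(text):
    """Minimal krb5.ini reader: flat keys per section plus per-realm kdc lists."""
    sections, section, realm = {}, None, None
    for raw in text.splitlines():
        line = re.split(r"[#;]", raw, maxsplit=1)[0].strip()  # strip comments
        if not line:
            continue
        m = re.fullmatch(r"\[(\w+)\]", line)
        if m:
            section, realm = m.group(1).lower(), None
            sections.setdefault(section, {})
            continue
        if section == "realms":
            m = re.fullmatch(r"(\S+)\s*=\s*\{", line)
            if m:
                realm = m.group(1)
                sections["realms"][realm] = {"kdc": []}
            elif line == "}":
                realm = None
            elif realm and "=" in line:
                k, v = (s.strip() for s in line.split("=", 1))
                if k.lower() == "kdc":
                    sections["realms"][realm]["kdc"].append(v)
                else:
                    sections["realms"][realm][k.lower()] = v
        elif section and "=" in line:
            k, v = (s.strip() for s in line.split("=", 1))
            sections[section][k.lower()] = v
    return sections


def check_krb5_ini(text):
    cfg, out = parse_krb5_ini(text), []
    lib = cfg.get("libdefaults", {})
    realm = lib.get("default_realm")
    if not realm:
        out.append("krb5.ini: [libdefaults] has no default_realm")
    elif realm != realm.upper():
        out.append(f"krb5.ini: default_realm '{realm}' is not upper case (realm names are case-sensitive)")
    if lib.get("udp_preference_limit") != "1":
        out.append("krb5.ini: udp_preference_limit = 1 missing from [libdefaults] (forces TCP to the KDC)")
    realms = cfg.get("realms", {})
    if realm and realm not in realms:
        out.append(f"krb5.ini: no [realms] block named exactly '{realm}'")
    for name, entry in realms.items():
        if name != name.upper():
            out.append(f"krb5.ini: realm block '{name}' is not upper case")
        if not entry["kdc"]:
            out.append(f"krb5.ini: realm '{name}' lists no kdc")
    return out


def check_bsc_login(text):
    m = re.search(re.escape(LOGIN_ENTRY) + r"\s*\{(.*?)\}", text, re.S)
    if not m:
        return [f"bscLogin.conf: no '{LOGIN_ENTRY}' entry"]
    if KRB5_MODULE not in m.group(1) or "required" not in m.group(1):
        return [f"bscLogin.conf: entry does not declare {KRB5_MODULE} required"]
    return []


def check_jvm_options(options):
    props = {}
    for opt in options:
        if opt.startswith("-D"):
            k, _, v = opt[2:].partition("=")
            props[k] = v
    return [f"tomcat: -D{k}=<path> missing or empty" for k in REQUIRED_JVM_PROPS if not props.get(k)]


def check_spn(spn):
    out = []
    if spn != spn.strip():
        out.append(f"CMC SPN {spn!r} has leading/trailing white space")
    if not spn.strip():
        out.append("CMC SPN is empty")
    return out


def run_checks(krb5_ini, bsc_login, jvm_options, spn):
    return (check_krb5_ini(krb5_ini) + check_bsc_login(bsc_login)
            + check_jvm_options(jvm_options) + check_spn(spn))


if __name__ == "__main__":
    for f in run_checks(WEAK_KRB5_INI, BSC_LOGIN_CONF, JVM_OPTIONS, " BOSSO/CMS.DOMAIN.COM"):
        print("FINDING:", f)
    print("fixed config:", run_checks(FIXED_KRB5_INI, BSC_LOGIN_CONF, JVM_OPTIONS, "BOSSO/CMS.DOMAIN.COM"))
```

On a real system, read the three files from the paths named in the -D options rather than from the inline samples, and take the SPN from the same string you pasted into CMC >> Authentication >> Windows AD (setspn -l service_account_name shows what is registered on the account side). One further point on the options Paul posted: -Dcom.wedgetail.idm.sso.password is passed on the Tomcat command line, so anyone who can list that process's arguments can read the service account password; restrict who can log on to or query the Tomcat host accordingly.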

former_member189884
Contributor
0 Kudos

I'd still suggest the Kerberos logging via the registry and even wireshark the login attempt on the server to see if there are any Kerberos issues.

Former Member
0 Kudos

Sebastian,

I've enabled the Kerberos debugger and have been looking through the stderr.log file. These are new to me, but I'm trying to identify any clues as to why the attempt to log in with manual AD hangs and then returns with this message:

Account information not recognized: The Active Directory Authentication plugin could not authenticate at this time. Please try again. If the problem persists, please contact your technical support department. (FWM 00005)

What I've noticed in the logs are the following patterns:

1) an 'info' section with details like this:

Feb 4, 2015 3:52:45 PM org.apache.catalina.startup.TaglibUriRule body

INFO: TLD skipped. URI: /WEB-INF/cetaglib is already defined

2) the above info ends with this JAVA IO message:

SEVERE: IOException while loading persisted sessions: java.io.EOFException

java.io.EOFException

This is followed by a number of lines with JAVA and Apache port numbers. This is then followed by more 'info' details.

3) The last section is the [DEBUG] details. What I see here is that Kerberos queries are being submitted and received, and then the queries are re-submitted to the next AD server. The requests are repeated a number of times.

The last two lines of the log file are:

log4j:WARN No appenders could be found for logger (org.apache.axis2.deployment.WarBasedAxisConfigurator).

log4j:WARN Please initialize the log4j system properly.

As I've mentioned, I'm not familiar enough with these logs to extract meaningful clues. Does anything stand out for you?

Cheers, Paul

former_member189884
Contributor
0 Kudos

Since you have checked the logins via the CCM, the errors are in Java. Have you tested with Kinit? Also verify that the case of everything is the same, and if nothing else you can enable Kerberos logging in the registry to see if anything shows there: http://support.microsoft.com/kb/262177

Former Member
0 Kudos

Thanks Josh.

I have tested with Kinit and it was successful. I went through all the settings I'm aware of and made sure the case is all the same.

I'm wondering if I need to use WDeploy? In the Admin guide it states:

The new properties will take effect only after the BOE web application is redeployed on the machine running the web application server. Use WDeploy to redeploy BOE on the web application server. For more information on using WDeploy to undeploy web applications, see the SAP BusinessObjects Business Intelligence Platform Web Application Deployment Guide.

Also, the Microsoft link above seems to be empty?

Paul