on 03-24-2015 7:57 AM
Before rejecting, I have already searched through SAP Notes and Forum's. Sharing my findings below
BI 4.1 SP 4.4 + Explorer 4.1 SP 4.4 + Design Studio
Windows 2012 server with SQL 2012 repository
Issue has been seen on BI 4.1 SP 2.3 + Explorer 4.1 SP 2.3
Issue is not specific to any single server or clustered environment. Service account password doesn't have special character in it.
C:\Windows\system32>"F:\Program Files (x86)\SAP BusinessObjects\SAP BusinessObjects Enterprise XI 4.0\win64_x64\sapjvm\bin\kinit.exe" -k -t c:\windows\host.keytab Service_Account@DOMAIN.COM
Exception: krb_error 24 Pre-authentication information was invalid (24) Pre-authentication information was invalid
KrbException: Pre-authentication information was invalid (24)
at sun.security.krb5.KrbAsRep.<init>(KrbAsRep.java:66)
at sun.security.krb5.KrbAsReq.getReply(KrbAsReq.java:446)
at sun.security.krb5.internal.tools.Kinit.sendASRequest(Kinit.java:306)
at sun.security.krb5.internal.tools.Kinit.<init>(Kinit.java:257)
at sun.security.krb5.internal.tools.Kinit.main(Kinit.java:107)
Caused by: KrbException: Identifier doesn't match expected value (906)
at sun.security.krb5.internal.KDCRep.init(KDCRep.java:133)
at sun.security.krb5.internal.ASRep.init(ASRep.java:58)
at sun.security.krb5.internal.ASRep.<init>(ASRep.java:53)
at sun.security.krb5.KrbAsRep.<init>(KrbAsRep.java:50)
... 4 more
KDC has the correct domain controller name.
No duplicate SPN's for the service account.
Have already tried the kinit command with a differrent JDK version
Password doesn't have any special character.
The same service account if used with a Windows 2008 server works fine.
No issues with any 3.1 environment.
We have also raised an SAP ticket on this, but no help is able to resolve the issue.
Any inputs on the issue?
Hi All,
Thank you for your valuable inputs. We are using McAfee as the Antivirus.
It gets very hard to turn it off as it goes through a lot of process.
One observation:
> If we turn off the AV scan for 10 minutes, create the keytab, turn the scan back on, then kinit commands works smoothly with the new Keytab file even when AV scan is still running.
> But the issue still exist if the keytab is created with the AV scan running.
Turning off the scan is not always an option, but not sure what part of the scan is interfering with the keytab creation.
Will try with the crypto ALL parameter once, but any thoughts on McAfee AV scan.
Something changed in last couple of months in AV which might be causing the issue.
Any help is appreciated to identify this.
Thanks,
Pallab
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
Hi,
it's not exactly clear to me When the user / administrator experiences this error.
Please could you clarify : What is the workflow that leads to this?
What tool is being used, or service being configured, when this error is thrown?
regards,
H
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
We are trying to configure AD SSO. Manual AD authentication works okay.
Even when we do the kinit on the service account, that generates the tkt.
The keytab used to respond earlier in Win2012, but now every new keytab that we create, gives the error while testing.
SSO dooesn't work as well with the keytab.
We have tried this in an already configure environment where SSO was working earlier.
We are still using the same command as before, when it worked ealier.
Workflow:
> Use ktpass command to generate the keytab:
ktpass out C:/windows/host.keytab princ Service_Account@DOMAIN.COM pass **** kvno 255 ptype KRB5_NT_PRINCIPAL crypto RC4-HMAC-NT
> From SAPJVM> BIN ... run kinit command to test the keytab.
Hi Pallab,
Exception: krb_error 24 Pre-authentication information was invalid (24) Pre-authentication information was invalid
KrbException: Pre-authentication information was invalid (24)
Caused by: KrbException: Identifier doesn't match expected value (906)
The above error is generally seen when the password used for the service account mentioned in the ktpass command is incorrect.
Are you able to AD SSO when the password is hardcoded in Java options?
-Ambarish-
User | Count |
---|---|
83 | |
10 | |
10 | |
9 | |
7 | |
6 | |
5 | |
5 | |
4 | |
3 |
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.