
QaaWS SSO (Pre-authentication information was invalid)

carlos_castrilln
Explorer
0 Kudos

Hi All,

In our SAP BO BI 4.0 SP04 Patch 4 platform on Windows we have configured SSO for web services clients as is described in this note:

 

1646920 - How to configure Web Services Single Sign-On (dswsbobje) with Tomcat for SAP BusinessObjects Business Intelligence platform 4+

We have reviewed this configuration again and again and all seems to be OK, but it doesn't work.

We obtain this message from server:

"login excepción (error: FWM00006). Pre-authentication information was invalid (24)"

First I have to say that we have correctly configured SSO with BI Launch pad.

We have read stdout.log Tomcat file and this is what we see:

[Krb5LoginModule] user entered username: SKMADTCSAP14$

[Krb5LoginModule] authentication failed Pre-authentication information was invalid (24)

This is also what we see when we analyze the Kerberos protocol with Wireshark.

It makes sense to me if the user is SKMADTCSAP14$. It shows a credentials error because it is not my AD user. I think it must be? SKMADTCSAP14 is our host name.

I don't understand why it doesn't use my user for pre-authentication. How does Tomcat get this user? What did we do wrong?

Thanks in advance,

Carlos Castrillón

Accepted Solutions (1)


carlos_castrilln
Explorer
0 Kudos

Hi,

Our issue was finally solved. There was the following problem...

Although we applied the SAP Note correctly:

  1646920  - How to configure Web Services Single Sign-On (dswsbobje) with Tomcat for SAP BusinessObje...

In our case the Active Directory account has constrained delegation checked (not delegation to any service) and in this case, a not is said in the note we must apply what is said in the note:

 

1730540 - Error: "An error occurred while logging on. (LO 02040)" while logging in to Live Office using AD SSO in BI 4.0

A new entry,

<init-param>
<param-name>idm.allowS4U</param-name>
<param-value>true</param-value>
</init-param>

must be added to the dswsbobje web.xml file

Regards,

Carlos

Answers (2)


Former Member
0 Kudos

Hello Karthik,

With the instructions below, there are two areas that need to be uncommented. First is the Kerberos Proxy Filter; then you need to scroll down and there's another small area which has the Kerberos Filter.

  1. Backup and edit the file: ...\Tomcat6\webapps\dswsbobje\WEB-INF\web.xml
  2. Uncomment the Kerberos Proxy Filter and the Kerberos Filter sections to enable Kerberos SSO for Windows Active Directory (secWinAD) authentication. The following options must be specified (the rest are optional):
    • idm.realm (the same as the default_realm specified in the Krb5.ini file)
    • idm.princ (the same as specified for idm.princ in the global.properties located at ..\Tomcat6\webapps\BOE\WEB-INF\config\custom)
    • idm.keytab (the same as specified for idm.keytab in the global.properties located at ..\Tomcat6\webapps\BOE\WEB-INF\config\custom) Please note, if you are using the hardcoded password set in Tomcat's Java Options do not make any changes to the keytab lines in the web.xml
  3. If SSL is not in use with the Java application server, then set the idm.allowUnsecured parameter to 'true'. (More info on Tomcat SSL can be found in the Knowledge Base Article ID:1484802).
  4. Backup and edit ...\Tomcat6\webapps\dswsbobje\WEB-INF\classes\dsws.properties by setting kerberos.sso to 'true'
  5. Restart Tomcat.
  6. On the client machine with the client tools installed, launch Query as a Web Service Designer.
  7. Add a new Managed Host.
  8. Enter the application server name
  9. Enter the Web Services URL: http://<WebAppServer>:<portNumber>/dswsbobje/services/Session (for example: http://GVBI4:8080/dswsbobje/services/Session).
  10. Enter the CMS hostname
  11. Change Authentication to Windows AD
  12. Select Enable Windows Active Directory Single Sign On.
  13. At the login prompt, leave User and Password blank and click OK


  1646920  - How to configure Web Services Single Sign-On (dswsbobje) with Tomcat for SAP BusinessObj...
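A check for the dswsbobje web.xml settings discussed in the accepted solution and in the steps above, as an added example that is not part of any post or of the SAP notes. It reports idm.* parameters that are missing or still inside a commented-out section; the sample web.xml, its filter name and all values are constructed, and only the idm.* parameter names come from the thread.

```python
import re
import xml.etree.ElementTree as ET

REQUIRED = ("idm.realm", "idm.princ", "idm.keytab")  # "must be specified" per the thread

# Constructed sample: filter name and all values are placeholders.
SAMPLE = """<web-app>
  <filter>
    <filter-name>example-kerberos-filter</filter-name>
    <init-param><param-name>idm.realm</param-name><param-value>EXAMPLE.COM</param-value></init-param>
    <init-param><param-name>idm.princ</param-name><param-value>svc-example</param-value></init-param>
    <init-param><param-name>idm.allowUnsecured</param-name><param-value>true</param-value></init-param>
    <!-- <init-param><param-name>idm.keytab</param-name><param-value>C:/example/svc.keytab</param-value></init-param> -->
  </filter>
</web-app>"""

def local(tag):
    """Tag name without XML namespace; comment nodes have a non-string tag."""
    return tag.rsplit("}", 1)[-1] if isinstance(tag, str) else ""

def audit(xml_text, constrained_delegation, ssl_enabled):
    """Return a list of findings for the idm.* settings named in the thread."""
    # Keep comments in the tree so commented-out parameters can be reported.
    parser = ET.XMLParser(target=ET.TreeBuilder(insert_comments=True))
    root = ET.fromstring(xml_text, parser=parser)
    active, commented = {}, set()
    for node in root.iter():
        if node.tag is ET.Comment:
            commented.update(re.findall(
                r"<param-name>\s*(idm\.[\w.]+)\s*</param-name>", node.text or ""))
        elif local(node.tag) == "init-param":
            kv = {local(c.tag): (c.text or "").strip() for c in node}
            if "param-name" in kv:
                active[kv["param-name"]] = kv.get("param-value", "")
    findings = []
    for name in REQUIRED:
        if not active.get(name):
            state = "commented out" if name in commented else "missing"
            findings.append(f"{name}: {state}")
    if constrained_delegation and active.get("idm.allowS4U", "").lower() != "true":
        findings.append("idm.allowS4U: must be true with constrained delegation")
    if not ssl_enabled and active.get("idm.allowUnsecured", "").lower() != "true":
        findings.append("idm.allowUnsecured: must be true when SSL is not in use")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE, constrained_delegation=True, ssl_enabled=False):
        print(finding)
```
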

Former Member
0 Kudos

Hello David,

I followed the same note, but encountered the issue. I did solve it; the issue was with the keytab file. We have two SPN names set for the service account, and the keytab in the XML was mapped to the wrong keytab.

Thanks

Karthik

Former Member
0 Kudos

Hi Carlos,

I am having the same issues on SP 6, Patch 4, Windows 2008 x64

Acquire TGT using AS Exchange
  [Krb5LoginModule] authentication failed
Pre-authentication information was invalid (24)

What is currently working for us

1. BI Launchpad SSO = Working (Using keytab security)

2. SSO via webclient tool = working

What is not working

1. SSO for web service tools, e.g. Analysis for Office, Query as a Web Service.

2. Manual AD login works with these tools.

I have triple-checked everything and can't work it out....

Former Member
0 Kudos

Hello David/Carlos,

Were you able to solve the issue? I am having a similar issue with enabling web services SSO.

Thanks

K