I have installed BI 4.0 on Windows 2008 with Tomcat 6 / MSSQL. Authentication with AD is configured based on the Admin guide. I can log in to CMC / BI Launch Pad manually with Windows AD Authentication.
Kerberos SSO with AD doesn't work. I got the error message as "Account Information Not Recognized: Active Directory Authentication failed to log you on. Please contact your system administrator to make sure you are a member of a valid mapped group and try again. If you are not a member of the default domain, enter your user name as UserName@DNS_DomainName, and then try again. (FWM 00006)"
The error shows in the trace file Webapp_BIlaunchpad_trace.000001.glf as follows:
com.crystaldecisions.sdk.plugin.authentication.ldap.internal.SecWinADAuthentication||Authentication failed.
java.lang.IllegalArgumentException: EncryptionKey: Key bytes cannot be null!
at sun.security.krb5.EncryptionKey.<init>(EncryptionKey.java:214)
at sun.security.krb5.EncryptionKey.acquireSecretKeys(EncryptionKey.java:191)
at sun.security.krb5.EncryptionKey.acquireSecretKeys(EncryptionKey.java:159)
Tomcat log shows:
Debug is true storeKey false useTicketCache false useKeyTab false doNotPrompt false ticketCache is null isInitiator true KeyTab is null refreshKrb5Config is false principal is null tryFirstPass is false useFirstPass is false storePass is false clearPass is false
[Krb5LoginModule] user entered username: @XX.YY.COM
Using builtin default etypes for default_tkt_enctypes
default etypes for default_tkt_enctypes: 3 1 23 16 17.
There is no username passed.
I followed the administrator guide and created global.properties and BIlaunchpad.properties under the custom folder. Kinit is OK. "setspn -l bodservice" looks good too.
global.properties:
sso.enabled=true
siteminder.enabled=false
vintela.enabled=true
idm.realm=XX.YY.COM
idm.princ=BOSSO/bodservice.XX.YY.com
idm.allowUnsecured=true
idm.allowNTLM=false
idm.logger.name=simple
idm.logger.props=error-log.properties
idm.keytab=C:\winnt\BODvintela.keytab
BIlaunchpad.properties
authentication.default=secWinAD
cms.default=XXXX:6400
authentication.visible=true
bscLogin.conf
com.businessobjects.security.jgss.initiate
{com.sun.security.auth.module.Krb5LoginModule required debug=true;
};
Krb5.ini
[libdefaults]
default_realm = XX.YY.COM
dns_lookup_kdc = true
dns_lookup_realm = true
udp_preference_limit = 1
[realms]
XX.YY.COM = {
kdc =XXXX.XX.YY.COM
default_domain = XX.YY.COM
}
We have XI 3.1 with AD SSO for InfoView. I followed most of the configuration steps, but there is no luck for 4.0. Any ideas? Thanks for your help.
Edited by: Dong Li on Jul 28, 2011 11:16 PM
Update: I worked with SAP Support. SSO works when manually inputting the password in the Tomcat configuration. It seems there is something wrong with the keytab. We will create a new keytab.
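The Tomcat debug output quoted in the post can be checked mechanically. The following is an added example, not part of the original post or of SAP's tooling: it parses the Krb5LoginModule option line and the entered-username line and reports where the login module would take its credentials from. The function names and finding codes are hypothetical, and the sample log is constructed from the two lines quoted above.

```python
import re

# Constructed sample: the two Tomcat log lines quoted in the post.
SAMPLE_LOG = (
    "Debug is true storeKey false useTicketCache false useKeyTab false "
    "doNotPrompt false ticketCache is null isInitiator true KeyTab is null "
    "refreshKrb5Config is false principal is null tryFirstPass is false "
    "useFirstPass is false storePass is false clearPass is false\n"
    "[Krb5LoginModule] user entered username: @XX.YY.COM\n"
)

OPTION_RE = re.compile(r"(\w+)\s+(?:is\s+)?(\S+)")
USER_RE = re.compile(r"\[Krb5LoginModule\] user entered username:\s*(\S*)")


def parse_options(line):
    """Parse 'Debug is true storeKey false ...' into {option: value}."""
    return {m.group(1).lower(): m.group(2) for m in OPTION_RE.finditer(line)}


def diagnose(log_text):
    """Return (code, message) findings; the codes are hypothetical labels."""
    findings = []
    for line in log_text.splitlines():
        user = USER_RE.search(line)
        if line.startswith("Debug is"):
            opts = parse_options(line)
            if opts.get("usekeytab") == "false" and opts.get("useticketcache") == "false":
                # With neither source enabled, the module can only prompt.
                source = ("callback handler (name and password prompt)"
                          if opts.get("donotprompt") == "false" else "nothing")
                findings.append(("no_stored_credential",
                                 "no keytab or ticket cache in use; credentials come from " + source))
            if opts.get("principal") == "null":
                findings.append(("no_principal", "login entry sets no principal"))
        elif user and not user.group(1).partition("@")[0]:
            # Only the realm was supplied, e.g. '@XX.YY.COM'.
            findings.append(("empty_user", "user part is empty in %r" % user.group(1)))
    return findings


if __name__ == "__main__":
    for code, message in diagnose(SAMPLE_LOG):
        print(code + ": " + message)
```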