AD in multiforest. FWM 00005

Hi guys.
I have installed BO XI 3.1 SP2 on Windows 2003 + default Tomcat.
And I have big trouble configuring AD (+ SSO) for multiple domains in different forests.
I have used the guide Configuring Vintela SSO in Distributed Environments - Complete.pdf
As a result, a user in the domain where BO is installed can log in successfully, even using SSO, but a user from a domain in the other forest can't.
BO gives an error:
Account Information Not Recognized: The Active Directory Authentication plugin could not authenticate at this time. Please try again. If the problem persists, please contact your technical support department. (FWM 00005)
and
in stdout.log
Commit Succeeded
What is wrong?
Maybe it is because I'm logging in to BO from the BO server (in this domain) with a user from the other domain, like username@OTHER.DOMAIN???
Thanks


vinisman (BOB member since 2008-12-24)

Please check the SPN settings in CMC > Authentication > Windows AD > ServicePrincipalName. What’s the value here?

Which SPNs did you create? And check if there are any duplicate SPNs.

By the way, you should have a 2-way transitive trust amongst the domains.

Try a kinit test for a user from the other domain.


nicholas (BOB member since 2008-07-31)

Hi, nicholas
In the service principal name field I have BOSSO/Tech_sso_Phn.child.second.domain
The kinit test passes and the user from the other domain receives a ticket.
About the AD architecture:
We have first.domain and child.first.domain in one forest and
second.domain and child.second.domain in the other forest. The trust type between second.domain and first.domain is FOREST and the relation is 2-way transitive.


vinisman (BOB member since 2008-12-24)

The account attributes in AD are:
dn: CN=BOSSO,OU=TechAccounts,DC=child,DC=second,DC=domain
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: BOSSO
description: Tech account for using in Business Objects report system
userPassword: *****
givenName: BOSSO
distinguishedName: CN=BOSSO,OU=TechAccounts,DC=child,DC=second,DC=domain
instanceType: 4
whenCreated: 20100618081146.0Z
whenChanged: 20100618094235.0Z
displayName: BOSSO
uSNCreated: 6811865
uSNChanged: 6812667
name: BOSSO
objectGUID:: HSB+KlWeQES4ynRjNSo+XQ==
userAccountControl: 590336
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 129217615801054545
lastLogon: 129217612599652242
pwdLastSet: 129213223067656072
primaryGroupID: 513
objectSid:: AQUAAAAAAAUVAAAAaznhCaCElArInS6PaxAAAA==
accountExpires: 9223372036854775807
logonCount: 6008
sAMAccountName: Tech_sso_Phn
sAMAccountType: 805306368
userPrincipalName: BOSSO/Tech_sso_Phn.child.second.domain@CHILD.SECOND.DOMAIN
servicePrincipalName: HTTP/10.18.1.167
servicePrincipalName: HTTP/pp-rep001.child.second.domain
servicePrincipalName: HTTP/pp-rep001
servicePrincipalName: BOSSO/Tech_sso_Phn.child.second.domain
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=second,DC=domain
lastLogonTimestamp: 129213277406247990


vinisman (BOB member since 2008-12-24)

for sharing the attributes information.

Few questions though:

  1. BO server belongs to which domain (First/Second)?
  2. Did you check for duplicate SPNs?

Try with BOSSO@child.second.com in the ServicePrincipalName field in CMC > Authentication > Windows AD tab, although this (entering the UPN) is not the recommended way. :roll_eyes:

Commit Succeeded means that Kerberos is working fine and giving tickets to users from both domains.

Also try logging into Deski/Designer (Client tools) and see if the login is successful.
:+1:


nicholas (BOB member since 2008-07-31)

BO is in the second domain.
We have no duplicate SPNs.
If I try the BOSSO@child.second.com variant, then the error "The Active Directory plugin failed to verify the provided SPN. Please ensure the SPN identifies a valid account" appears.
Logging into Deski gives an error:
“[repo_proxy 13] SessionFacade::openSessionLogon with user info has failed(Failure at call to a server Active Directory.(hr=#0x80042909)”


vinisman (BOB member since 2008-12-24)

Hummm… Not seen this error message:
“[repo_proxy 13] SessionFacade::openSessionLogon with user info has failed(Failure at call to a server Active Directory.(hr=#0x80042909)”

Are you sure that users from the First domain are able to access the Second domain's resources (shared drives\printers, etc.)?

Just wondering if sufficient rights are assigned to the Service Account user (BOSSO in your case). Check the account properties and also the Delegation tab in the user's properties.

Which encryption method are you using?


nicholas (BOB member since 2008-07-31)

I used -crypto RC4-HMAC-NT, but I didn't write this in krb5.ini; is it wrong?
I am working on the BO server, which is in the second domain, but I logged on to it through RDP with my user from the first domain. And I am also trying to log in to InfoView with my user from the first domain.
In CMC I am able to add AD groups from both domains!
In the Delegation tab, "Trust this user for delegation to any services (Kerberos only)" is checked.


vinisman (BOB member since 2008-12-24)

Just a basic question which I forgot - are you able to map the Groups and Users from both domains (especially the First domain)?

Did you see the Users created in CMC > Users list?

Also, if I just concentrate on this - Failure at call to a server Active Directory - it seems like there is some connectivity issue with the AD server.

You can try forcing the encryption in krb5.ini if you see something similar in stdout.log

KDC has no support for this Encryption type

Would it be possible for you to send the krb5.ini entries? And I hope you are starting the SIA/CMS with the Service User account.


nicholas (BOB member since 2008-07-31)

I found a log when using the option -Dsun.security.krb5.debug=true

The error:
Debug is true storeKey false useTicketCache false useKeyTab false doNotPrompt false ticketCache is null isInitiator true KeyTab is null refreshKrb5Config is false principal is null tryFirstPass is false useFirstPass is false storePass is false clearPass is false
[Krb5LoginModule] user entered username: user@BEE.first.RU

Using builtin default etypes for default_tkt_enctypes
default etypes for default_tkt_enctypes: 3 1 23 16 17.
Acquire TGT using AS Exchange
Using builtin default etypes for default_tkt_enctypes
default etypes for default_tkt_enctypes: 3 1 23 16 17.

KrbAsReq calling createMessage
KrbAsReq in createMessage
KrbKdcReq send: kdc=ms-dcs008.bee.first.ru TCP:88, timeout=30000, number of retries =3, #bytes=164
DEBUG: TCPClient reading 240 bytes
KrbKdcReq send: #bytes read=240
KrbKdcReq send: #bytes read=240
KDCRep: init() encoding tag is 126 req type is 11
KRBError:
sTime is Thu Jun 24 21:17:49 ICT 2010 1277389069000
suSec is 669417
error code is 25
error Message is Additional pre-authentication required
realm is BEE.first.RU
sname is krbtgt/BEE.first.RU
eData provided.
msgType is 30
Pre-Authentication Data:
PA-DATA type = 11
PA-ETYPE-INFO etype = 23
Pre-Authentication Data:
PA-DATA type = 2
PA-ENC-TIMESTAMP
Pre-Authentication Data:
PA-DATA type = 15
AcquireTGT: PREAUTH FAILED/REQUIRED, re-send AS-REQ
Using builtin default etypes for default_tkt_enctypes
default etypes for default_tkt_enctypes: 3 1 23 16 17.
Pre-Authentication: Set preferred etype = 23
KrbAsReq salt is BEE.first.RUuser
Pre-Authenticaton: find key for etype = 23
AS-REQ: Add PA_ENC_TIMESTAMP now
EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
KrbAsReq calling createMessage
KrbAsReq in createMessage
KrbKdcReq send: kdc=ms-dcs008.bee.first.ru TCP:88, timeout=30000, number of retries =3, #bytes=230
DEBUG: TCPClient reading 1628 bytes
KrbKdcReq send: #bytes read=1628
KrbKdcReq send: #bytes read=1628
EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
KrbAsRep cons in KrbAsReq.getReply user
Using builtin default etypes for default_tkt_enctypes
default etypes for default_tkt_enctypes: 3 1 23 16 17.
principal is user@BEE.first.RU
EncryptionKey: keyType=3 keyBytes (hex dump)=0000: B0 49 1A 7F C8 EF D6 57
EncryptionKey: keyType=1 keyBytes (hex dump)=0000: B0 49 1A 7F C8 EF D6 57
EncryptionKey: keyType=23 keyBytes (hex dump)=0000: A1 82 C1 F2 44 BB 33 C7 54 1A DB 51 0F 67 FD 99 …D.3.T…Q.g…

EncryptionKey: keyType=16 keyBytes (hex dump)=0000: 86 E6 1A A7 3D 9B 8F 8C C1 85 32 D3 2A D9 25 B0 …=…2.*.%.
0010: A7 D0 DA 9D D3 1F 73 67
EncryptionKey: keyType=17 keyBytes (hex dump)=0000: 49 20 A6 86 CB D3 C8 AF 05 56 E5 4B 06 61 31 BA I …V.K.a1.

Commit Succeeded

Found ticket for user@BEE.first.RU to go to krbtgt/BEE.first.RU@BEE.first.RU expiring on Fri Jun 25 07:17:49 ICT 2010
Entered Krb5Context.initSecContext with state=STATE_NEW
Found ticket for user@BEE.first.RU to go to krbtgt/BEE.first.RU@BEE.first.RU expiring on Fri Jun 25 07:17:49 ICT 2010
Service ticket not found in the subject

Realm doInitialParse: cRealm=[BEE.first.RU], sRealm=[bee.second.local]
Realm parseCapaths: no cfg entry
Realm parseHierarchy: cRealm has 3 components:
Realm parseHierarchy: cComponents[0]=BEE
Realm parseHierarchy: cComponents[1]=first
Realm parseHierarchy: cComponents[2]=RU
Realm parseHierarchy: sRealm has 3 components:
Realm parseHierarchy: sComponents[0]=bee
Realm parseHierarchy: sComponents[1]=second
Realm parseHierarchy: sComponents[2]=local
Realm parseHierarchy: no common part
Realm parseHierarchy: total links=1
Realm parseHierarchy A: retList[0]=BEE.first.RU
Credentials acquireServiceCreds: main loop: [0] tempService=krbtgt/bee.second.local@BEE.first.RU
Using builtin default etypes for default_tgs_enctypes
default etypes for default_tgs_enctypes: 3 1 23 16 17.
CksumType: sun.security.krb5.internal.crypto.RsaMd5CksumType
EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
KrbKdcReq send: kdc=ms-dcs008.bee.first.ru TCP:88, timeout=30000, number of retries =3, #bytes=1638
DEBUG: TCPClient reading 1573 bytes
KrbKdcReq send: #bytes read=1573
KrbKdcReq send: #bytes read=1573
EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
Credentials acquireServiceCreds: no tgt; searching backwards
Credentials acquireServiceCreds: no tgt; cannot get creds
KrbException: Fail to create credential. (63) - No service creds
at sun.security.krb5.internal.CredentialsUtil.acquireServiceCreds(CredentialsUtil.java:279)
at sun.security.krb5.Credentials.acquireServiceCreds(Credentials.java:561)
at sun.security.jgss.krb5.Krb5Context.initSecContext(Krb5Context.java:585)
at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:213)
at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:158)
at com.crystaldecisions.sdk.plugin.authentication.secwinad.internal.SecWinADAction.run(SecWinADAction.java:113)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.Subject.doAs(Subject.java:337)
at com.crystaldecisions.sdk.plugin.authentication.secwinad.internal.SecWinADAuthentication.startKerbLogin(SecWinADAuthentication.java:315)
at com.crystaldecisions.sdk.plugin.authentication.secwinad.internal.SecWinADAuthentication.startLogin(SecWinADAuthentication.java:152)
at com.crystaldecisions.sdk.occa.security.internal.LogonService.doLogon(LogonService.java:337)
at com.crystaldecisions.sdk.occa.security.internal.LogonService.doUserLogon(LogonService.java:684)
at com.crystaldecisions.sdk.occa.security.internal.LogonService.userLogon(LogonService.java:629)
at com.crystaldecisions.sdk.occa.security.internal.SecurityMgr.userLogon(SecurityMgr.java:223)
at com.crystaldecisions.sdk.framework.internal.SessionMgr.logonEx(SessionMgr.java:678)
at com.businessobjects.clientaction.shared.logon.LogonUtils.logon(LogonUtils.java:40)
at com.businessobjects.clientaction.shared.logon.LogonAction.logon(LogonAction.java:288)
at com.businessobjects.clientaction.shared.logon.LogonAction.handleLogon(LogonAction.java:295)
at com.businessobjects.clientaction.shared.logon.LogonAction.perform(LogonAction.java:518)
at org.apache.struts.action.ActionServlet.processActionPerform(ActionServlet.java:1787)
at org.apache.struts.action.ActionServlet.process(ActionServlet.java:1586)
at com.businessobjects.webutil.struts.CrystalUTF8InputActionServlet.process(CrystalUTF8InputActionServlet.java:32)
at org.apache.struts.action.ActionServlet.doPost(ActionServlet.java:510)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:709)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:802)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:252)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)
at com.businessobjects.webutil.websessiontimeout.WebSessionTimeoutFilter.doFilter(WebSessionTimeoutFilter.java:161)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:202)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:213)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:178)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:126)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:105)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:107)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:148)
at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:869)
at org.apache.coyote.http11.Http11BaseProtocol$Http11ConnectionHandler.processConnection(Http11BaseProtocol.java:664)
at org.apache.tomcat.util.net.PoolTcpEndpoint.processSocket(PoolTcpEndpoint.java:527)
at org.apache.tomcat.util.net.LeaderFollowerWorkerThread.runIt(LeaderFollowerWorkerThread.java:80)
at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:684)
at java.lang.Thread.run(Thread.java:595


vinisman (BOB member since 2008-12-24)

It seems that I had configured krb5.ini wrong? But I can't understand what is correct.
Can somebody help me configure it for my AD topology:
I have BO in child.forest1.com
forest1.com and forest2.com are in 2-way transitive mode.
I want to login users from child.forest2.com!
:nonod:


vinisman (BOB member since 2008-12-24)

Found this very important log line: KrbException: Fail to create credential. (63) - No service creds. Definitely the issue lies with krb5.ini or the SPN.

Yesterday, I was looking for -Dsun.security.krb5.debug=true, but could not find it. :nonod: In which guide did you find it?

So if you share it with us, definitely someone will provide a suggestion.

The correct way is:

[domain_realm]
.domain.com = DOMAIN.COM
domain.com = DOMAIN.COM
.child1.domain.com = CHILD1.DOMAIN.COM
child1.domain.com = CHILD1.DOMAIN.COM
.child2.domain.com = CHILD2.DOMAIN.COM
child2.domain.com = CHILD2.DOMAIN.COM
.otherdomain.com = OTHERDOMAIN.COM
otherdomain.com = OTHERDOMAIN.COM
[libdefaults]
default_realm = DOMAIN.COM
dns_lookup_kdc = true
dns_lookup_realm = true
[logging]
[realms]
DOMAIN.COM = {
admin_server = ADSERVER1.DOMAIN.COM
kdc = ADSERVER1.DOMAIN.COM
default_domain = DOMAIN.COM
}
CHILD1.DOMAIN.COM = {
admin_server = ADSERVER2.CHILD1.DOMAIN.COM
kdc = ADSERVER2.CHILD1.DOMAIN.COM
default_domain = CHILD1.DOMAIN.COM
}
CHILD2.DOMAIN.COM = {
admin_server = ADSERVER3.CHILD2.DOMAIN.COM
kdc = ADSERVER3.CHILD2.DOMAIN.COM
default_domain = CHILD2.DOMAIN.COM
}
OTHERDOMAIN.COM = {
admin_server = OTHERADSERVER1.OTHERDOMAIN.COM
kdc = OTHERADSERVER1.OTHERDOMAIN.COM
default_domain = OTHERDOMAIN.COM
}

Hope this helps.


nicholas (BOB member since 2008-07-31)

Nicholas, the -Dsun.security.krb5.debug=true option I found on Google)
It really helps!)
I solved the first trouble - it is logging in with a user from the other domain in Designer.
The resolution I found on the SAP site:

XIR3
Create the following registry String Value:
HKEY_LOCAL_MACHINE\SOFTWARE\Business Objects\Suite 12.0\Enterprise\Auth Plugins\secWinAD\UseFQDNForDirectoryServers
Set its value to ‘True’ then restart the CMS/SIA for the change to take effect.

But the second error I can't resolve - it is logging in to InfoView with a user from the other domain.

And what about the krb5.ini file? I have a different topology:

And if I understand correctly I should use the [capath] parameter in krb5.ini?


vinisman (BOB member since 2008-12-24)

Yes, you need to add the [capath] parameter in krb5.ini.

I saw your post there Sergey Fedechkin :wink:

Concentrate on this error
KrbException: Fail to create credential. (63) - No service creds
and highlight it in that post. Tim will get it for sure. 8)

I hope adding [capath] should resolve this as I had done it in the past. :yesnod:


nicholas (BOB member since 2008-07-31)

Yes I am )) :smiley:

But I can't configure [capath] right :nonod:


vinisman (BOB member since 2008-12-24)

Congratulate me))
I have DONE it!

For a user from domain child.first.domain to log in to child.second.domain, the right config will be:
[capaths]
CHILD.FIRST.DOMAIN = {
FIRST.DOMAIN = .
CHILD.SECOND.DOMAIN = SECOND.DOMAIN
CHILD.SECOND.DOMAIN = FIRST.DOMAIN
}
CHILD.SECOND.DOMAIN = {
SECOND.DOMAIN = .
CHILD.FIRST.DOMAIN = FIRST.DOMAIN
CHILD.FIRST.DOMAIN = SECOND.DOMAIN
}

:slight_smile:


vinisman (BOB member since 2008-12-24)

Great… just found Note 1406795. It has a very similar example:

[capaths]
CHILD.FOREST2.COM = {
FOREST1.LAB = FOREST2.COM
FOREST2.COM = .
}
FOREST1.LAB = {
CHILD.FOREST2.COM = FOREST2.COM
FOREST2.COM = .
}
FOREST2.COM = {
FOREST1.LAB = .
CHILD.FOREST2.COM = .
}
:wave:


nicholas (BOB member since 2008-07-31)
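As an added example (not code from the thread, from SAP or from BusinessObjects), the following Python shows how a Kerberos client turns [capaths] entries like the two posted above into its chain of cross-realm TGT requests, and what the hierarchical fallback seen in the debug log ("no common part", "total links=1") computes when [capaths] is silent. It assumes the MIT krb5 reading of [capaths] (repeated keys list intermediate realms in client-to-server order, "." means a direct trust), compares realm names case-insensitively, and uses a minimal parser written only for this illustration.

```python
def parse_capaths(text):
    """{client: {server: [intermediate realms, client-to-server order]}}
    (MIT krb5 convention for repeated keys; assumed, see lead-in)."""
    caps, client, in_section = {}, None, False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("["):                 # a new INI section starts
            in_section = line.upper() == "[CAPATHS]"
        elif not in_section:
            continue
        elif line.endswith("{"):                 # "CLIENT.REALM = {"
            client = line.split("=", 1)[0].strip().upper()
            caps.setdefault(client, {})
        elif line == "}":
            client = None
        elif client and "=" in line:             # "SERVER.REALM = HOP"
            server, hop = (s.strip().upper() for s in line.split("=", 1))
            hops = caps[client].setdefault(server, [])
            if hop != ".":                       # "." = direct trust, no hop
                hops.append(hop)
    return caps

def hierarchical_path(client, server):
    """Intermediates when [capaths] is silent: climb to the longest common
    DNS suffix, then descend.  No common suffix -> [] (one direct hop): the
    'no common part' / 'total links=1' request that failed in the log."""
    c, s = client.split("."), server.split(".")
    common = 0
    while common < min(len(c), len(s)) and c[-1 - common] == s[-1 - common]:
        common += 1
    if common == 0:
        return []
    up = [".".join(c[i:]) for i in range(1, len(c) - common + 1)]
    down = [".".join(s[i:]) for i in range(len(s) - common - 1, 0, -1)]
    return [r for r in up + down if r not in (client, server)]

def ticket_chain(client, server, caps):
    """krbtgt principals the client must obtain, in order, to reach server."""
    client, server = client.upper(), server.upper()
    hops = caps.get(client, {}).get(server)
    if hops is None:
        hops = hierarchical_path(client, server)
    realms = [client] + hops + [server]
    return ["krbtgt/%s@%s" % (realms[i + 1], realms[i])
            for i in range(len(realms) - 1)]

# Constructed sample for the thread's topology: the forests trust each other
# only at their roots, so a child-to-child path must pass through both roots.
SAMPLE_CAPATHS = """[capaths]
CHILD.FIRST.DOMAIN = {
    FIRST.DOMAIN = .
    CHILD.SECOND.DOMAIN = FIRST.DOMAIN
    CHILD.SECOND.DOMAIN = SECOND.DOMAIN
}"""
```

Calling `ticket_chain("CHILD.FIRST.DOMAIN", "CHILD.SECOND.DOMAIN", parse_capaths(SAMPLE_CAPATHS))` yields the three-hop chain through both forest roots, while the same call with an empty [capaths] (or the log's BEE.first.RU / bee.second.local pair) shows the path the client guesses on its own.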

Yes, just this example helps me)


vinisman (BOB member since 2008-12-24)