We are trying to configure BOE 4.0 (we are Ramp-Up program participants) on Windows Server 2008 R2, Tomcat 6.0.
We have the software installed (yes, latest ramp-up patches as well), we have successfully configured Active Directory in that we have Users imported into Users and Groups from our AD Groups. But we cannot sign on. The error we get is the same old:
Active Directory Authentication Plug-in could not authenticate at this time (FWM 00005)
The 4.0 system is built in the same domain as our other 3.1 systems, so same AD, same SPN configuration, same krb5, same authentication options, same Service Account, etc.
Are there any other 4.0 Ramp-Up customers out there with this issue? We are also opening an OSS with SAP, but just wanted to check here first to see if we might be missing something obvious… Thanks for your time!
We got it working. There were several interesting things that we didn’t pick up on until we reviewed KB 1476374 from SAP.
Ran the setspn -x to determine if there were duplicate SPN entries. The server we were testing with was a re-purposed machine and the output from this showed that there were duplicate entries for this particular server (MSSQLSrv entries). We deleted those using the setspn -d command.
Now our error message changed from the Plugin error to the user not being a member of a mapped in group. So we checked the Service Account that we were running with and noticed that under its properties the "Uses Kerberos DES Encryption types for this account" was checked. We unchecked it per the KB article instructions.
Recycled SIA and Tomcat (for good measure) and still had issues, so we then removed our initial mapped group from authentication, ran Update and re-added it. Bingo, it worked.
I’m sure we will be posting more out here as we move through the 4.0 Ramp-up. Is there a specific forum for 4.0 activity under the XI Server topics?
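As an added example (not part of the original posts or of the SAP KB article), the two account checks described above, duplicate SPNs and the DES-only flag on the service account, can be scripted in PowerShell. The function names, account names, hosts and SPNs are constructed for illustration; the functions take plain objects so the sample runs without a domain.

```powershell
# Added example. All account names, hosts and SPNs below are constructed sample data.
# Against a live domain, feed the functions from the ActiveDirectory module instead:
#   Get-ADObject -LDAPFilter '(servicePrincipalName=*)' -Properties servicePrincipalName, userAccountControl
$USE_DES_KEY_ONLY = 0x200000   # userAccountControl bit behind the DES checkbox

function Find-DuplicateSpn {
    param([object[]]$Accounts)
    # Flatten to (SPN, owner) pairs; SPNs are compared case-insensitively.
    $pairs = foreach ($a in $Accounts) {
        foreach ($spn in $a.servicePrincipalName) {
            [pscustomobject]@{ Spn = $spn.ToLowerInvariant(); Owner = $a.DistinguishedName }
        }
    }
    # An SPN registered on more than one account breaks Kerberos ticket requests for it.
    $pairs | Group-Object Spn | ForEach-Object {
        $owners = @($_.Group.Owner | Sort-Object -Unique)
        if ($owners.Count -gt 1) { [pscustomobject]@{ Spn = $_.Name; Owners = $owners } }
    }
}

function Test-DesOnly {
    param([object]$Account)
    # True when the account is restricted to DES encryption types.
    ($Account.userAccountControl -band $USE_DES_KEY_ONLY) -ne 0
}

# Constructed sample: a re-purposed server whose old SQL SPN is still on a second
# account, and a service account with the DES-only flag set.
$sample = @(
    [pscustomobject]@{ DistinguishedName = 'CN=svc-boe,OU=Service,DC=example,DC=test'
        servicePrincipalName = @('HTTP/boe40.example.test')
        userAccountControl = 0x200200 },   # NORMAL_ACCOUNT + USE_DES_KEY_ONLY
    [pscustomobject]@{ DistinguishedName = 'CN=svc-oldsql,OU=Service,DC=example,DC=test'
        servicePrincipalName = @('MSSQLSvc/boe40.example.test:1433')
        userAccountControl = 0x200 },      # NORMAL_ACCOUNT
    [pscustomobject]@{ DistinguishedName = 'CN=BOE40,OU=Servers,DC=example,DC=test'
        servicePrincipalName = @('MSSQLSvc/BOE40.example.test:1433')
        userAccountControl = 0x1000 }      # WORKSTATION_TRUST_ACCOUNT
)

Find-DuplicateSpn $sample | Format-List
$sample | Where-Object { Test-DesOnly $_ } | Select-Object DistinguishedName
```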