There doesn’t appear to be an EDGE 3.1 specific document, for setting-up WinAD login on a Tomcat WebServer (Windows Server 2003 STD).
Therefore, I have referred to all the WinAD content in Chapter 12 of the “Business Objects Enterprise Administrator’s Guide 3.1” - and a little bit from Miles Escow’s SCN document for the IIS set-up (eg. Service Account and SETSPN, etc).
In the CMC, I can see the WinAD group and users…and I have given them access-rights.
When I try to login to the Java CMC - http://:8080/CmcApp/logon.faces - using one of these WinAD accounts, and the WinAD drop-down, I get the following error…
Account Information Not Recognized: Active Directory Authentication failed to log you on.
Please contact your system administrator to make sure you are a member of a valid mapped group and try again.
If you are not a member of the default domain, enter your user name as UserName@DNS_DomainName, and then try again.
(FWM 00006)
My guess is that it is an “EFFECTIVE RIGHTS” issue as discussed on Page 502 of the Admin Guide, but the document doesn’t include any screenshots of what these rights look like when “Checked”.
If anyone who has this working can post some screenshots of those settings, or knows the cause of this “FWM 00006” error it would be appreciated.
I did one of these a couple of weeks ago (Edge 3.1 specifically). I just followed the regular BOXI R3 setup instructions for AD Tomcat and Kerberos and all that.
If you've gone through that and it looks configured ok (and you've done the troubleshooting steps that are in the guide and they return no errors), wait a few minutes. I got a similar error as soon as I did it, but after waiting, it started working. Which made me think AD was catching up or something…
Do you think it makes any difference that my SIA is running under the display name "Server Intelligence Agent (SERVERNAME)" - but my SPN is configured under the FQDN name for the server SERVERNAME.HQ.COMPANY.ORG …?
We are facing a similar issue at a client where we have BOEDGE and WIN2008 AD Server Domain Controller. Once we upgraded our AD servers to Win2008 users can no longer login to AD via Kerberos.
We got a similar error to the one you described when I ran Kinit on the BO server.
I am currently running into the same error. The funny thing is that this error happens only with some users. I am myself also a victim of this problem. But I used to be able to login with my AD name. It seems that the problem started when I changed my password.
I enclose my Tomcat log, both accounts belong to the same AD group and I am not aware of any setup difference. Both users appear in CMC users and groups and I can log with my AD account into Desktop intelligence.
If you can share with me what the SAP support told you maybe it would also work for me.
Thanks!!!
[Krb5LoginModule] user entered username: Quentin.XXXXXX@AG.XXXXX.NET
Acquire TGT using AS Exchange
[Krb5LoginModule] authentication failed
KDC has no support for encryption type (14)
Debug is true storeKey false useTicketCache false useKeyTab false doNotPrompt false ticketCache is null isInitiator true KeyTab is null refreshKrb5Config is false principal is null tryFirstPass is false useFirstPass is false storePass is false clearPass is false
I wish MJRBIM shared with us the information he got from SAP.
No, unfortunately, the issue is still pending, the project manager considered that we already spent too much time on that and decided to go with the enterprise signon. Kind of sad though.
I owe MJRBIM an answer: Active directory is 2008’s version.
…It was a really detailed issue - and the only way we fixed it was to open a SAP support ticket - and have one of their staff WebEx in to our system with our AD Admin.
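Added example, not part of any post in this thread and not SAP or Java code: a small Python triage of Krb5LoginModule debug output like the Tomcat log posted above. It groups lines per login attempt and decodes the trailing number in parentheses as an RFC 4120 Kerberos error code (14 is KDC_ERR_ETYPE_NOSUPP). The sample principals, the second attempt and the function names are constructed for illustration.

```python
import re

# Subset of Kerberos error codes from RFC 4120, section 7.5.9.
KRB_ERRORS = {
    14: "KDC_ERR_ETYPE_NOSUPP",
    24: "KDC_ERR_PREAUTH_FAILED",
    37: "KRB_AP_ERR_SKEW",
}

USER_RE = re.compile(r"\[Krb5LoginModule\] user entered username: (\S+)")
CODE_RE = re.compile(r"\((\d+)\)\s*$")
OPT_RE = re.compile(r"(\w+)(?: is)? (true|false|null)\b")

def login_options(log_text):
    """Return the settings from the last 'Debug is ...' options line."""
    opts = {}
    for line in log_text.splitlines():
        if line.strip().startswith("Debug is "):
            opts = dict(OPT_RE.findall(line))
    return opts

def triage(log_text):
    """Group lines per login attempt and decode the trailing '(N)' error code."""
    attempts = []
    for line in log_text.splitlines():
        user = USER_RE.search(line)
        if user:
            attempts.append({"principal": user.group(1), "failed": False,
                             "code": None, "name": None})
        elif attempts and "authentication failed" in line:
            attempts[-1]["failed"] = True
        elif attempts and attempts[-1]["failed"] and attempts[-1]["code"] is None:
            code = CODE_RE.search(line)
            if code:
                n = int(code.group(1))
                attempts[-1].update(code=n, name=KRB_ERRORS.get(n, "UNKNOWN"))
    return attempts

# Constructed sample in the shape of the log above (principals are placeholders).
SAMPLE = """\
[Krb5LoginModule] user entered username: user.one@EXAMPLE.ORG
Acquire TGT using AS Exchange
[Krb5LoginModule] authentication failed
KDC has no support for encryption type (14)
Debug is true storeKey false useTicketCache false useKeyTab false ticketCache is null
[Krb5LoginModule] user entered username: user.two@EXAMPLE.ORG
[Krb5LoginModule] authentication failed
Clock skew too great (37)
"""
```

Calling `triage(SAMPLE)` returns one record per login attempt, and `login_options(SAMPLE)` shows whether the module was configured for a keytab or ticket cache rather than a typed password.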