BO4 win AD SSO with MSAS : Unsupported SSO scenario

Hi,

I am trying to configure BO4 with SSO using Windows AD authentication.
After the user logs in to BILaunchpad with SSO, the user still fails to create Voyager or Analysis for OLAP. The OLAP connection in the CMC uses SSO authentication; if we use pre-defined authentication we can browse the cube. The error message shows: login failed. invalid user or password. If we check the APS trace, there is an "Unsupported SSO scenario" message.

Our configuration :
VM1 = domain controller
VM2 = MSAS 2008 and IIS
VM3 = BO

Does anyone have experience with this kind of error?

Thank you,


saeful (BOB member since 2013-06-11)

Welcome to BOB!
If possible please post the full error message from the APS trace. It might just help get you an answer.


Nick Daniels (BOB member since 2002-08-15)

Hi Nick,

Thanks for the info.
The APS trace file is actually quite big, it's about 9 MB.
From the trace file I noticed another error, which is mentioned in SAP Note 1689744. The error said: com.businessobjects.multidimensional.services.service.core.connection.sso.WindowsADSSOManager||Get GSSCredential failed with exception: A org.ietf.jgss.GSSException occurred; original exception message Failure unspecified at GSS-API level (Mechanism level: Specified version of key is not available (44))

From the SAP note above, the cause is: KVNO version mismatch between the keytab and the AD object. How do I resolve this?

When creating the keytab, I used this command:
C:\Windows\system32>ktpass.exe -out c:\WINNT\mybo.keytab -princ boservice@TEST.COM -pass mypassword -kvno 255 -ptype KRB5_NT_PRINCIPAL -crypto RC4-HMAC-NT

This is a chunk of the APS trace file.

|7F2891BE6C7940F9B8E2742EEF5DF7C323ac3d|2013 06 11 15:17:39.653|+0700|Information| |==| | |aps_MYSIA.AdaptiveProcessingServer| 2928|1062|Transport:Shared-2/10| |9|1|1|1|BIlaunchpad.WebApp|MYBO:2676:47.420:1|BIlaunchpad.WebApp|MYBO:2676:47.420:1|.openCube|MYBO:2928:1062.168650:1|CtSliyvRCERVvMDt05PyZxA1a2|||||||||com.businessobjects.multidimensional.services.service.core.connection.sso.WindowsADSSOManager||Get GSSCredential failed with exception: A org.ietf.jgss.GSSException occurred; original exception message Failure unspecified at GSS-API level (Mechanism level: Specified version of key is not available (44))
|7F2891BE6C7940F9B8E2742EEF5DF7C323ac3e|2013 06 11 15:17:39.669|+0700|Error| |>>| | |aps_MYSIA.AdaptiveProcessingServer| 2928|1062|Transport:Shared-2/10| |9|1|1|1|BIlaunchpad.WebApp|MYBO:2676:47.420:1|BIlaunchpad.WebApp|MYBO:2676:47.420:1|.openCube|MYBO:2928:1062.168650:1|CtSliyvRCERVvMDt05PyZxA1a2|||||||||com.businessobjects.multidimensional.services.server.transport.corba.SessionServant||calling [Session] method [openCube(ConnectionDescriptor connectionDescriptor, AuthenticationType authenticationType)] message [Unsupported SSO scenario.]
– Context Info :
{
“processid” : “2928@MYBO”,
“threadid” : “Transport:Shared-2/10”,
“requestid” : “17”,
“object” : “Session”,
“method” : “openCube(ConnectionDescriptor connectionDescriptor, AuthenticationType authenticationType)”
}
– type [GenericDescriptor] value [{
“classType”: “GenericDescriptor”,
“connectionName”: “VOYAGERConn”,
“connectionDescription”: “”,
“connectionType”: “CUBE”,
“isDataSource”: “true”,
“credentials”:
{
“classType”: “ConnectionCredentials”,
“username”: “”,
“password”: “[********]”
},
“super”:
{
“classType”: “ConnectionDescriptorBase”,
“providerName”: “SSAS2008”,
“providerDescription”: “”,
“serverName”: “http://mydb/olap/msmdpump.dll”,
“properties”: [
{“CONNECTION_ID”: “CONNECTION_ID=ASHq76yl.exMryOI0RgmIXc”,
{“CATALOG”: “CATALOG=Adventure Works DW 2008R2”,
{“SERVERTYPE”: “SERVERTYPE=SERVER”,
{“CUBE”: “CUBE=Adventure Works”,
{“PROTOCOL”: “PROTOCOL=XMLA”,
{“SAVELANG”: “SAVELANG=false”,
{“PROVIDER”: “PROVIDER=SSAS2008”,
{“LANG”: “LANG=”,
{“CATALOGPROPERTYNAME”: “CATALOGPROPERTYNAME=CATALOG”]
}
}]
– type [AuthenticationType] value [SSO]
com.businessobjects.multidimensional.services.AuthenticationException: Unsupported SSO scenario.
at com.businessobjects.multidimensional.services.model.session.Session.openCube(Session.java:442)
at com.businessobjects.multidimensional.services.model.session.Session.openCube(Session.java:378)
at com.businessobjects.multidimensional.services.server.transport.corba.SessionServant.openCube(SessionServant.java:139)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at com.businessobjects.framework.services.mdas.MDASInterceptor.invoke(MDASInterceptor.java:102)
at com.businessobjects.framework.servers.platform.adapters.ebus.orb.CommonTransportInterceptor.invokeHelper(CommonTransportInterceptor.java:125)
at com.businessobjects.framework.servers.platform.adapters.ebus.orb.CommonTransportInterceptor.invoke(CommonTransportInterceptor.java:87)
at com.businessobjects.framework.servers.common.proxy.cglib.MethodInterceptorChain.intercept(MethodInterceptorChain.java:136)
at com.businessobjects.multidimensional.services.transport.corba.SessionPOA$$EnhancerByCGLIB$$52fe28a2.openCube()
at com.businessobjects.multidimensional.services.transport.corba.SessionPOA._OB_op_openCube(SessionPOA.java:257)
at com.businessobjects.multidimensional.services.transport.corba.SessionPOA._invoke(SessionPOA.java:103)
at com.crystaldecisions.thirdparty.com.ooc.OBPortableServer.ServantDispatcher.dispatch(ServantDispatcher.java:234)
at com.crystaldecisions.thirdparty.com.ooc.OBPortableServer.POA_impl._do_OB_dispatch(POA_impl.java:1977)
at com.crystaldecisions.thirdparty.com.ooc.OBPortableServer.POA_impl._OB_dispatch(POA_impl.java:1913)
at com.crystaldecisions.thirdparty.com.ooc.OB.DispatchRequest_impl.invoke(DispatchRequest_impl.java:75)
at com.businessobjects.framework.servers.platform.adapters.ebus.orb.ThreadPoolDispatchStrategy$Dispatcher.run(ThreadPoolDispatchStrategy.java:271)
at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:439)
at java.util.concurrent.FutureTask$Sync.innerRun(FutureTask.java:303)
at java.util.concurrent.FutureTask.run(FutureTask.java:138)
at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:886)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:908)
at java.lang.Thread.run(Thread.java:743)

Thank you,


saeful (BOB member since 2013-06-11)

Hi,

We are facing the same issue. Did you find out anything new? SSO is working for Launchpad but not for the MSAS OLAP connection.

Best regards,
Ben


bengnaedig (BOB member since 2011-09-01)

Hi Ben,

What did you find in your APS trace file?
My problem above (bold font) was caused by a different kvno being used in my keytab file than the actual kvno used by the service account. You can find the detailed solution in SAP Note 1853668.

rgds,


saeful (BOB member since 2013-06-11)
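
One way to check the mismatch described in the posts above (a keytab written with `-kvno 255` against the key version the service account actually has), as an added example that is not part of the thread or of any SAP tooling: a reader for keytab files that lists each entry's principal, kvno and encryption type and returns the entries that differ from the account's `msDS-KeyVersionNumber` value. It assumes keytab format version 0x0502; the function names, the sample keytab with its all-zero key, and the directory value 3 are constructed for illustration.

```python
import struct

ENCTYPES = {17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}

def _entry(buf):  # decode one entry body: principal, key version (kvno), enctype
    off = 0
    def take(fmt):
        nonlocal off
        (val,) = struct.unpack_from(fmt, buf, off)
        off += struct.calcsize(fmt)
        return val
    def counted():  # 16-bit length, then that many bytes
        nonlocal off
        n = take(">H")
        off += n
        return buf[off - n:off]
    ncomp, realm = take(">H"), counted().decode()
    name = "/".join(counted().decode() for _ in range(ncomp))
    off += 8                          # skip name type and timestamp
    kvno, etype = take(">B"), take(">H")
    counted()                         # key bytes are skipped, never returned
    if len(buf) - off >= 4:           # optional 32-bit kvno replaces the 8-bit one
        kvno = take(">I") or kvno
    return {"principal": f"{name}@{realm}", "kvno": kvno,
            "enctype": ENCTYPES.get(etype, str(etype))}

def parse_keytab(data):  # keytab bytes -> list of entry dicts
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size > 0:
            entries.append(_entry(data[pos:pos + size]))
        pos += abs(size)              # a negative size marks a deleted-entry hole
    return entries

def kvno_mismatches(entries, principal, ad_kvno):  # ad_kvno: value read from AD
    return [e for e in entries if e["principal"] == principal and e["kvno"] != ad_kvno]

def sample_keytab(name, realm, kvno, etype=23):  # constructed sample, dummy zero key
    s = lambda b: struct.pack(">H", len(b)) + b
    body = (struct.pack(">H", 1) + s(realm.encode()) + s(name.encode())
            + struct.pack(">IIBH", 1, 0, kvno & 0xFF, etype) + s(bytes(16)) + struct.pack(">I", kvno))
    return b"\x05\x02" + struct.pack(">i", len(body)) + body

if __name__ == "__main__":
    kt = parse_keytab(sample_keytab("boservice", "TEST.COM", 255))
    print(kt)
    print(kvno_mismatches(kt, "boservice@TEST.COM", ad_kvno=3))
```

For a real file, pass `open(path, "rb").read()` to `parse_keytab`; the key material itself is never decoded or printed.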

Hi,

Thanks for your answer. We are going crazy. SAP Support hasn’t been able to solve the problem yet. Here is a part of the log file:

|416BAB6F902B439BB700F29C15FAE76F68eb1d|2013 07 19 11:31:07.829|+0200|Error| |>>| | |aps_BULTS125.AdaptiveProcessingServer| 5500|345165|Transport:Shared-388/81| |19|0|1|1|BIlaunchpad.WebApp|BULTS125:1332:36.1067:1|BIlaunchpad.WebApp|BULTS125:1332:36.1067:1|.openCube|BULTS125:5500:345165.732191:1|CiLEBbJSeE_.iwkuDQXpT6k429|||||||||org.apache.commons.httpclient.HttpMethodDirector||Error establishing Kerberos security context (ODA10067)
org.apache.commons.httpclient.auth.AuthenticationException: Error establishing Kerberos security context (ODA10067)
at com.businessobjects.multidimensional.data.xmla.transport.http.apache.NegotiateAuthScheme.authenticate(NegotiateAuthScheme.java:126)
at org.apache.commons.httpclient.HttpMethodDirector.authenticateHost(HttpMethodDirector.java:281)
at org.apache.commons.httpclient.HttpMethodDirector.authenticate(HttpMethodDirector.java:233)
at org.apache.commons.httpclient.HttpMethodDirector.executeMethod(HttpMethodDirector.java:169)
at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:396)
at com.businessobjects.multidimensional.data.xmla.transport.http.apache.OdaHttpClient.execute(OdaHttpClient.java:145)
at com.businessobjects.multidimensional.data.xmla.transport.http.apache.StatefulHttpClient.send(StatefulHttpClient.java:65)
at com.businessobjects.multidimensional.data.xmla.transport.http.apache.ApacheHttpClientTransport.send(ApacheHttpClientTransport.java:81)
at com.businessobjects.multidimensional.data.xmla.metadata.specifications.loaders.XmlaSpecificationLoader.executeCheckedDiscoverRequest(XmlaSpecificationLoader.java:75)
at com.businessobjects.multidimensional.data.xmla.metadata.specifications.loaders.XmlaDataSourceSpecificationLoader.getDataSources(XmlaDataSourceSpecificationLoader.java:47)
at com.businessobjects.multidimensional.data.xmla.admin.XmlaConnection.getDataSources(XmlaConnection.java:220)
at com.businessobjects.multidimensional.data.xmla.admin.XmlaConnection.createDatasource(XmlaConnection.java:375)
at com.businessobjects.multidimensional.data.xmla.admin.XmlaConnection.open(XmlaConnection.java:328)
at com.businessobjects.multidimensional.data.core.admin.adaptors.ConnectionAdaptor.open(ConnectionAdaptor.java:102)
at com.businessobjects.multidimensional.data.provider.connection.StandaloneConnectionFactoryODA.createODAConnection(StandaloneConnectionFactoryODA.java:115)
at com.businessobjects.multidimensional.data.provider.connection.StandaloneConnectionFactoryODA.createConnection(StandaloneConnectionFactoryODA.java:70)
at com.sap.ip.bi.base.service.connection.impl.GenericConnectionPool.getVirtualConnectionInternal(GenericConnectionPool.java:220)
at com.sap.ip.bi.base.service.connection.impl.StandaloneConnectionPool.getConnectionInternal(StandaloneConnectionPool.java:59)
at com.sap.ip.bi.base.service.connection.impl.GenericConnectionPool.getConnectionOrCreateOneIfRequested(GenericConnectionPool.java:175)
at com.sap.ip.bi.base.service.connection.impl.GenericConnectionPool.getConnection(GenericConnectionPool.java:145)
at com.businessobjects.multidimensional.services.service.core.connection.ConnectionFactory.createConnection(ConnectionFactory.java:125)
at com.businessobjects.multidimensional.services.model.cube.Cube.registerConnection(Cube.java:713)
at com.businessobjects.multidimensional.services.model.cube.Cube.(Cube.java:176)
at com.businessobjects.multidimensional.services.model.session.Session.createCube(Session.java:524)
at com.businessobjects.multidimensional.services.model.session.Session.openCube(Session.java:427)
at com.businessobjects.multidimensional.services.model.session.Session.openCube(Session.java:378)
at com.businessobjects.multidimensional.services.server.transport.corba.SessionServant.openCube(SessionServant.java:139)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at com.businessobjects.framework.services.mdas.MDASInterceptor.invoke(MDASInterceptor.java:102)
at com.businessobjects.framework.servers.platform.adapters.ebus.orb.CommonTransportInterceptor.invokeHelper(CommonTransportInterceptor.java:125)
at com.businessobjects.framework.servers.platform.adapters.ebus.orb.CommonTransportInterceptor.invoke(CommonTransportInterceptor.java:87)
at com.businessobjects.framework.servers.common.proxy.cglib.MethodInterceptorChain.intercept(MethodInterceptorChain.java:136)
at com.businessobjects.multidimensional.services.transport.corba.SessionPOA$$EnhancerByCGLIB$$ae30f110.openCube()
at com.businessobjects.multidimensional.services.transport.corba.SessionPOA._OB_op_openCube(SessionPOA.java:257)
at com.businessobjects.multidimensional.services.transport.corba.SessionPOA._invoke(SessionPOA.java:103)
at com.crystaldecisions.thirdparty.com.ooc.OBPortableServer.ServantDispatcher.dispatch(ServantDispatcher.java:234)
at com.crystaldecisions.thirdparty.com.ooc.OBPortableServer.POA_impl._do_OB_dispatch(POA_impl.java:1977)
at com.crystaldecisions.thirdparty.com.ooc.OBPortableServer.POA_impl._OB_dispatch(POA_impl.java:1913)
at com.crystaldecisions.thirdparty.com.ooc.OB.DispatchRequest_impl.invoke(DispatchRequest_impl.java:75)
at com.businessobjects.framework.servers.platform.adapters.ebus.orb.ThreadPoolDispatchStrategy$Dispatcher.run(ThreadPoolDispatchStrategy.java:271)
at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:441)
at java.util.concurrent.FutureTask$Sync.innerRun(FutureTask.java:303)
at java.util.concurrent.FutureTask.run(FutureTask.java:138)
at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:886)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:908)
at java.lang.Thread.run(Thread.java:722)
Caused by: GSSException: No valid credentials provided (Mechanism level: Server not found in Kerberos database (7))
at sun.security.jgss.krb5.Krb5Context.initSecContext(Krb5Context.java:663)
at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:230)
at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:162)
at com.businessobjects.multidimensional.data.xmla.transport.http.apache.NegotiateAuthScheme.authenticate(NegotiateAuthScheme.java:118)
… 48 more
Caused by: KrbException: Server not found in Kerberos database (7)
at sun.security.krb5.KrbTgsRep.(KrbTgsRep.java:61)
at sun.security.krb5.KrbTgsReq.getReply(KrbTgsReq.java:185)
at sun.security.krb5.internal.CredentialsUtil.serviceCreds(CredentialsUtil.java:294)
at sun.security.krb5.internal.CredentialsUtil.acquireServiceCreds(CredentialsUtil.java:106)
at sun.security.krb5.Credentials.acquireServiceCreds(Credentials.java:557)
at sun.security.jgss.krb5.Krb5Context.initSecContext(Krb5Context.java:594)
… 51 more
Caused by: KrbException: Identifier doesn’t match expected value (906)
at sun.security.krb5.internal.KDCRep.init(KDCRep.java:133)
at sun.security.krb5.internal.TGSRep.init(TGSRep.java:58)
at sun.security.krb5.internal.TGSRep.(TGSRep.java:53)
at sun.security.krb5.KrbTgsRep.(KrbTgsRep.java:46)
… 56 more

Thanks,
Ben


bengnaedig (BOB member since 2011-09-01)

Hi,

Does anyone have an example of their keytab command for SSO with SSAS? I’ve found different commands on the SAP Support site. Sometimes with HTTP/r3-rtm2-tz.winauthtz.com@WINAUTHTZ.COM and sometimes with BICMS/bossosvcacct.vtiauth08.com@VTIAUTH08.COM.

And also, which SPN entries are important?

Thanks for your help, it’s really frustrating.

Best regards,
Ben


bengnaedig (BOB member since 2011-09-01)

Did you ever find a solution for this? I am running into the exact same issue.
Thanks!


melbrng (BOB member since 2007-10-30)