Kerberos and Windows AD problems.....

Hi Guys,

I have some bad issues configuring Kerberos for a Java application. I have looked through the other posts and have not been able to find a resolution…

When trying to connect to the Java InfoView, the following message is displayed:

Account Information Not Recognized: Internal Error

Looking at the logs the error in the jce_defualt.log is as follows:

<log4j:event logger="com.crystaldecisions.sdk.occa.security.internal.LogonService" timestamp="1270658766292" level="WARN" thread="http-80-Processor23">
<log4j:message></log4j:message>
<log4j:throwable><![CDATA[com.crystaldecisions.sdk.exception.SDKServerException: Failed to contact the Active Directory server.

cause:com.crystaldecisions.enterprise.ocaframework.idl.OCA.oca_abuse: IDL:img.seagatesoftware.com/OCA/oca_abuse:3.2
detail:Failed to contact the Active Directory server.

The server supplied the following details: OCA_Abuse exception 10505 at [.\exceptionmapper.cpp : 79] 50045 { , , secWinAD}
…Failed to contact the Active Directory server. Plugin error: SecWinAD Error: an error occurred in CAccountEntity::InitFromSid().
at com.crystaldecisions.sdk.exception.SDKServerException.map(SDKServerException.java:107)
at com.crystaldecisions.sdk.exception.SDKException.map(SDKException.java:196)
at com.crystaldecisions.sdk.occa.security.internal.LogonService.doUserLogon(LogonService.java:687)
at com.crystaldecisions.sdk.occa.security.internal.LogonService.userLogon(LogonService.java:629)
at com.crystaldecisions.sdk.occa.security.internal.SecurityMgr.userLogon(SecurityMgr.java:223)
at com.crystaldecisions.sdk.framework.internal.SessionMgr.logonEx(SessionMgr.java:678)
at com.businessobjects.clientaction.shared.logon.LogonUtils.logon(LogonUtils.java:85)
at com.businessobjects.clientaction.shared.logon.LogonAction.logon(LogonAction.java:343)
at com.businessobjects.clientaction.partner.shared.logon.PartnerLogonAction.logon(PartnerLogonAction.java:185)
at com.businessobjects.clientaction.partner.shared.logon.PartnerLogonAction.handleLogon(PartnerLogonAction.java:211)
at com.businessobjects.clientaction.partner.shared.logon.PartnerLogonAction.perform(PartnerLogonAction.java:399)
at org.apache.struts.action.ActionServlet.processActionPerform(ActionServlet.java:1787)
at org.apache.struts.action.ActionServlet.process(ActionServlet.java:1586)
at com.businessobjects.webutil.struts.CrystalUTF8InputActionServlet.process(CrystalUTF8InputActionServlet.java:32)
at org.apache.struts.action.ActionServlet.doPost(ActionServlet.java:510)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:709)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:802)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:252)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)
at com.businessobjects.webutil.websessiontimeout.WebSessionTimeoutFilter.doFilter(WebSessionTimeoutFilter.java:161)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:202)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:213)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:178)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:126)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:105)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:107)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:148)
at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:869)
at org.apache.coyote.http11.Http11BaseProtocol$Http11ConnectionHandler.processConnection(Http11BaseProtocol.java:664)
at org.apache.tomcat.util.net.PoolTcpEndpoint.processSocket(PoolTcpEndpoint.java:527)
at org.apache.tomcat.util.net.LeaderFollowerWorkerThread.runIt(LeaderFollowerWorkerThread.java:80)
at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:684)
at java.lang.Thread.run(Thread.java:595)
Caused by: com.crystaldecisions.enterprise.ocaframework.idl.OCA.oca_abuse: IDL:img.seagatesoftware.com/OCA/oca_abuse:3.2
at com.crystaldecisions.enterprise.ocaframework.idl.OCA.oca_abuseHelper.read(oca_abuseHelper.java:106)
at com.crystaldecisions.enterprise.ocaframework.idl.OCA.OCAs._LogonEx4Stub.ContinueLogonEx4(_LogonEx4Stub.java:147)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:585)
at com.crystaldecisions.enterprise.ocaframework.ManagedService.invoke(ManagedService.java:424)
at com.crystaldecisions.sdk.occa.security.internal._LogonEx4Proxy.ContinueLogonEx4(_LogonEx4Proxy.java:98)
at com.crystaldecisions.sdk.occa.security.internal.LogonService.doLogon(LogonService.java:354)
at com.crystaldecisions.sdk.occa.security.internal.LogonService.doUserLogon(LogonService.java:684)
… 31 more
]]></log4j:throwable>
</log4j:event>

and the message in the stdout.log :

Debug is true storeKey false useTicketCache false useKeyTab false doNotPrompt false ticketCache is null isInitiator true KeyTab is null refreshKrb5Config is false principal is null tryFirstPass is false useFirstPass is false storePass is false clearPass is false
[Krb5LoginModule] user entered username: DWRFIPROVA@T-RFI.IT

Acquire TGT using AS Exchange
principal is DWRFIPROVA@T-RFI.IT
EncryptionKey: keyType=3 keyBytes (hex dump)=0000: 1C F7 3B F8 2A EA 1A EA
EncryptionKey: keyType=1 keyBytes (hex dump)=0000: 1C F7 3B F8 2A EA 1A EA
EncryptionKey: keyType=23 keyBytes (hex dump)=0000: 3B 87 94 EC CE D8 CD 83 F4 0F C0 C0 48 A9 47 8E ;…H.G.

EncryptionKey: keyType=16 keyBytes (hex dump)=0000: A4 AB 8C 3D 3B 43 D5 E3 0E 15 97 A8 E0 1C C8 79 …=;C…y
0010: D0 BC 15 13 DF 52 E6 54
EncryptionKey: keyType=17 keyBytes (hex dump)=0000: 18 16 0F BC E1 4E 98 86 07 FA 99 8C 12 AB 49 4C …N…IL

Commit Succeeded

Very Strange Thing:-(

The kinit commands return no errors and below are the krb5.ini and bscLogin.conf files.

bscLogin.conf :
com.businessobjects.security.jgss.initiate {
    com.sun.security.auth.module.Krb5LoginModule required debug=true verbose=true;
};

krb5.ini :
[libdefaults]
default_realm = T-RFI.IT
dns_lookup_kdc = true
dns_lookup_realm = true
forwardable = true

[realms]
T-RFI.IT = {
kdc = M-SERVER1.T-RFI.IT
default_domain = T-RFI.IT
admin_server = M-SERVER1.T-RFI.IT
}

Thanks a LOT
ZAV
:slight_smile:


zavatta_fighter (BOB member since 2005-05-10)

I have found the answer. The domain where the “BO server” was installed doesn’t have a bidirectional-mode connection with the domain where the “AD server” was installed.
After changing the domain, everything works fine.

Best Regards,
:smiley:


zavatta_fighter (BOB member since 2005-05-10)
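
The two log excerpts from the first post can be read side by side to see which half of the logon failed. The sketch below is an added example, not part of the original thread or of any BusinessObjects tooling: the function name `triage`, the stage labels and the trimmed sample logs (key bytes omitted) are constructed for illustration.

```python
import re

# Kerberos encryption type numbers, with the names used in krb5.conf.
ETYPES = {1: "des-cbc-crc", 3: "des-cbc-md5", 16: "des3-cbc-sha1",
          17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96",
          23: "rc4-hmac"}
WEAK = {1, 3, 16, 23}  # DES (RFC 6649), 3DES and RC4 (RFC 8429) are deprecated

# Constructed excerpts modelled on the logs in the first post (key bytes omitted).
STDOUT_LOG = """\
[Krb5LoginModule] user entered username: DWRFIPROVA@T-RFI.IT
Acquire TGT using AS Exchange
principal is DWRFIPROVA@T-RFI.IT
EncryptionKey: keyType=3 keyBytes (hex dump)=...
EncryptionKey: keyType=1 keyBytes (hex dump)=...
EncryptionKey: keyType=23 keyBytes (hex dump)=...
EncryptionKey: keyType=16 keyBytes (hex dump)=...
EncryptionKey: keyType=17 keyBytes (hex dump)=...
Commit Succeeded
"""
JCE_LOG = """\
detail:Failed to contact the Active Directory server.
...Plugin error: SecWinAD Error: an error occurred in CAccountEntity::InitFromSid().
"""

def triage(stdout_log, jce_log):
    """Classify which side of the logon failed from the two log excerpts."""
    etypes = [int(n) for n in re.findall(r"keyType=(\d+)", stdout_log)]
    tgt_ok = ("Acquire TGT using AS Exchange" in stdout_log
              and "Commit Succeeded" in stdout_log)
    plugin = re.search(r"Plugin error: (\w+) Error: (.+?)\.?\s*$", jce_log, re.M)
    if not tgt_ok:
        stage = "client-kerberos"   # krb5.ini, KDC reachability, password, clock skew
    elif plugin:
        stage = "server-directory"  # TGT was issued; the CMS plugin failed against AD
    else:
        stage = "unknown"
    return {
        "stage": stage,
        "plugin": plugin.group(1) if plugin else None,
        "detail": plugin.group(2) if plugin else None,
        "weak_etypes": sorted(ETYPES.get(e, str(e)) for e in etypes if e in WEAK),
        "key_bytes_logged": "keyBytes (hex dump)" in stdout_log,
    }

if __name__ == "__main__":
    for key, value in triage(STDOUT_LOG, JCE_LOG).items():
        print(f"{key}: {value}")
```

On these excerpts the stage is `server-directory`: the Java side obtained a TGT, and the failure is in the CMS's SecWinAD lookup, which fits the domain trust resolution reported above. `key_bytes_logged` is true because `debug=true` in bscLogin.conf writes password-derived key bytes to stdout.log, so that log is sensitive and the flag is best switched off once troubleshooting is done.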

Hi,

We are also facing same problem.
Can you please help us by telling us where you made this bidirectional-mode connection?
I mean on BO server or AD server?

Thanks and Regards,
Amar


amar12312 :india: (BOB member since 2008-05-13)

Hi ZAV,

I found this

<log4j:throwable><![CDATA[com.crystaldecisions.sdk.exception.SDKServerException: Failed to contact the Active Directory server

from jce_defualt.log which you added.

So there was definitely a connection issue between the BO server and the AD server.

Can you please describe more about the bidirectional-mode connection, as this is a new term for me? :wink:


nicholas (BOB member since 2008-07-31)

Hi All,
Unfortunately I'm not an Active Directory expert, but a good test to know whether the BOXI Server can connect fine to AD is to try connecting with client tools like Deski or Designer installed on the BOXI Server using Win AD authentication.

You can find some information about AD at: http://grok.lsu.edu/Article.aspx?articleId=5268




  :wave:

zavatta_fighter (BOB member since 2005-05-10)

Thanks for the reply.

Actually, I have checked the event logs as well as the CMS logs.
One thing I have observed: only EU domain users are able to log in with Windows AD authentication.
AP domain users are also able to log in, but only for 20 minutes (after clicking the Update button in the Authentication tab of the CMC).

Very strange issue.

Note: We have created “cmsuser” on the EU domain, who has administrative rights on Active Directory.

Please provide your inputs.

Thanks and Regards,
Amar.


amar12312 :india: (BOB member since 2008-05-13)