I have not tried this configuration, however it should work. You need to create krb5.ini (may be krb5.conf on LINUX) for specifying realm(domain) details. And also create bscLogin.conf.
Create SPN for application(tomcat) server. Map the AD groups in CMC and check logging into InfoView and Client tools using AD authentication.
I don’t think there will be straight forward document for doing these steps on LINUX, however you can refer many articles regarding Windows AD authentication on Windows.
We tried these steps already, but probably I'm making an error somewhere. So far as I know, the Kerberos installation on the Linux machine isn't working correctly, but I'm not really sure.
I hope that there is someone who has done an installation like this and has some documentation on it.
Windows / Start / All Programs / Tomcat / Tomcat Configuration / Java Tab
Add the following options
-Djava.security.auth.login.config=\bscLogin.conf
-Djava.security.krb5.conf=\krb5.ini
-Dsun.security.krb5.debug=true (to trace the Tomcat authentication and the « KDC not found » error message)
Then move the config files in the directory as set in these options.
The log of Tomcat is in the <Tomcat_Home>/Logs/stdout.log
When I had not set, in the AD plugin in the CMC, the Default AD Domain to the REALMNAME set in krb5.conf (which is case sensitive), I got the following in stdout.log:
[Krb5LoginModule] user entered username: userid@domain.corp.com
[ ]
[Krb5LoginModule] authentication failed Cannot get kdc for realm REALMNAME
[ ]
Oh, I’m very sorry
You are right, maybe there is no graphic tool for Tomcat Configuration under Linux
But for some other parts and advice, you could note that I've changed them for Unix users.
Maybe readers have autocorrected these details.
But these were the hardest points I had to dig into in the configuration steps: the SPN and the realm, which are both case sensitive between BO and AD on one side (field Service Principal Name), and BO and krb5 on the other side (field Default AD Domain).
By the way, I’ve spent 3+ hours by phone with SAP support to resolve the case sensitive issue which was not directly documented.
And the SPN in my 3.1SP1 platform is not set to Tomcat, but to :
BOBJCentralMS/host.domain.corp.com (as said in a doc found in SAP support).
On the application account side, the AD Delegation could be “any service (kerberos only)” or “specified service” + “kerberos” + one BOBJCentralMS service type per CMS host in the list (and also one SPN per CMS host in AD).
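As an added example (not posted by anyone in this thread), here are the two files that the -Djava.security.krb5.conf and -Djava.security.auth.login.config options above point at, written for the constructed realm DOMAIN.CORP.COM that matches the userid@domain.corp.com seen in the log. The file paths, the KDC host name and the JAAS entry name are assumptions to check against your own domain and BO version; what the example shows is the upper-case realm spelling that must agree between krb5.conf, the CMC "Default AD Domain" field and the SPN, since a case mismatch is what produces "Cannot get kdc for realm".

```ini
# /etc/krb5.conf (assumed path on Linux; use whatever path you pass
# to -Djava.security.krb5.conf).
# Realm names are upper case here and in the CMC Default AD Domain field;
# DNS host names stay lower case.
[libdefaults]
    default_realm = DOMAIN.CORP.COM
    dns_lookup_kdc = false
    dns_lookup_realm = false
    forwardable = true

[realms]
    # dc01.domain.corp.com is a constructed domain controller name.
    DOMAIN.CORP.COM = {
        kdc = dc01.domain.corp.com
        admin_server = dc01.domain.corp.com
        default_domain = domain.corp.com
    }

[domain_realm]
    # Map both the bare domain and any host in it to the upper-case realm.
    .domain.corp.com = DOMAIN.CORP.COM
    domain.corp.com = DOMAIN.CORP.COM

# bscLogin.conf (JAAS login configuration named by
# -Djava.security.auth.login.config). The entry name is assumed to be the one
# the BusinessObjects AD plugin looks up; confirm it in your version's docs.
com.businessobjects.security.jgss.initiate {
    com.sun.security.auth.module.Krb5LoginModule required;
};
```

On Linux there is no Tomcat Configuration dialog, so the three -D options go into Tomcat's JAVA_OPTS (for example in setenv.sh) before restarting Tomcat; with -Dsun.security.krb5.debug=true the realm that the JVM actually resolved is printed in stdout.log, which is the quickest way to spot a case mismatch.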