SSO works but...

All -

I’ve been able to set up SSO with Infoview in XI3.1, thanks in large part to Josh Fletcher’s most excellent article. But here is the strange thing: if I click on the URL link to log into Infoview, I get right in every time, but when I log out and I’m at the Infoview log in page and I enter my username and password and select AD authentication, I get the message

Account Information Not Recognized: Active Directory Authentication failed to log you on. Please contact …

It is like the session is holding onto something.

Suggestions?

patw

Josh’s article
http://geek2live.net/posts/active-directory-sso-with-vintela-in-xi-3-1/


pwilling (BOB member since 2003-02-03)

Hi,

Single Sign On and manual AD Authentication depend on two different authentication mechanisms, that’s why one can work even if the other one is failing.

The easiest way to troubleshoot your problem is to use the kinit utility (under [BO Install Dir]\javasdk\bin) and try to create a ticket with any user from there.

This method used to create the kerberos tickets on kinit is similar to that used when you login using manual authentication.

Your problem is either on:
a) the SPN (BOBJCentralMS/servername…)
b) the krb5.ini file (SSO doesn’t depend on the krb5.ini file and that would explain why it works)


iguanasterix :iceland: (BOB member since 2008-02-18)

Thank you for your response.

I successfully created a ticket using my network login using the kinit utility.

One point I failed to mention in my initial post was that in order to get kinit to work successfully I had to create a WINNT folder and move my BOSSO.keytab, bsclogin.conf and krb5.ini files to this location. I initially had these files in the Windows folder but when I ran kinit, it was looking for the files in WINNT.

Windows 2008 Server 64 bit
Java 1.6
Tomcat

thanx
patw


pwilling (BOB member since 2003-02-03)

Hi,

Having those files in the WINNT folder shouldn’t be a problem, as long as you update your Java variables accordingly (Tomcat).

a) Have you applied this patch?
http://support.microsoft.com/kb/951191 (not necessary if you’ve already applied SP2 for Windows Server 2008)

b) Have you tried logging in as username@DOMAIN?

c) Make sure debug=true in the bsclogin.conf… then try to login with the manual authentication, and verify the stdout.log for Tomcat. You should be able to receive a lot of information on the Kerberos authentication process, and you might see the real cause of the problem there.


iguanasterix :iceland: (BOB member since 2008-02-18)

Thank you.

From the stdout log file:
Acquire TGT using AS Exchange [Krb5LoginModule] authentication failed
Cannot get kdc for realm carolinas.org

I can SSO into Infoview from my workstation and thick client tools on the server. I can manually login using AD with thick client tools on the server and Webi Rich Client on my workstation. Can’t use SSO with Webi Rich Client on my workstation.

In the krb5.ini file I have switched between
kdc=carolinas.org and the name of the domain controller server

If I use kdc=carolinas.org I can generate a ticket using the kinit utility.
If I use kdc=DC name.carolinas.org I receive krb_error 6 Client not found in Kerberos database.

But I can still login to thick client tools with SSO AD and SSO for Infoview.

thx
patw


pwilling (BOB member since 2003-02-03)

Hi,

The KDC should be defined as name.carolinas.org (the name of one of the domain controllers)

Your real problem is the “Client not found in Kerberos database” error.

This problem has been reported by many users so I would suggest a quick search (the problem is most likely on the SPN).

The client tools don’t depend on kerberos authentication and that’s why they are working.


iguanasterix :iceland: (BOB member since 2008-02-18)
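As an added example (not code from this thread or from BusinessObjects), here is a small Python triage script that scans Tomcat stdout.log lines for the Krb5LoginModule errors quoted above and maps each one to the first check suggested in the replies: a "Cannot get kdc for realm" line points at the kdc entry in krb5.ini, while "Client not found in Kerberos database" points at the account/SPN. The log sample is constructed and the rule regexes are mine.

```python
import re
from collections import Counter

# Constructed sample of Tomcat stdout.log lines with debug=true in bsclogin.conf.
# Shaped like the Krb5LoginModule output quoted in the thread; not a real capture.
SAMPLE_STDOUT = """\
Debug is true storeKey false useTicketCache false useKeyTab false
[Krb5LoginModule] user entered username: patw
Acquire TGT using AS Exchange [Krb5LoginModule] authentication failed
Cannot get kdc for realm carolinas.org
[Krb5LoginModule] authentication failed
KrbException: Client not found in Kerberos database (6)
"""

# Each rule: (regex over one log line, short label, first thing to check).
# The checks restate the advice given in this thread; the regexes are assumptions.
RULES = [
    (re.compile(r"Cannot get kdc for realm (?P<realm>\S+)", re.I),
     "kdc-lookup",
     "krb5.ini [realms]: the kdc entry must name a reachable domain controller"),
    (re.compile(r"Client not found in Kerberos database", re.I),
     "client-not-found",
     "account/SPN (BOBJCentralMS/servername...) is not known to the KDC"),
    (re.compile(r"Acquire TGT using AS Exchange .*authentication failed", re.I),
     "as-exchange-failed",
     "manual AD login (AS exchange) failed; the next line carries the Kerberos reason"),
]

def triage(log_text):
    """Return (line_no, label, check, captured groups) for every rule hit, in log order."""
    hits = []
    for no, line in enumerate(log_text.splitlines(), 1):
        for rx, label, check in RULES:
            m = rx.search(line)
            if m:
                hits.append((no, label, check, m.groupdict()))
    return hits

def summarize(log_text):
    """Count hits per label so the dominant failure class stands out."""
    return Counter(label for _, label, _, _ in triage(log_text))

if __name__ == "__main__":
    for no, label, check, extra in triage(SAMPLE_STDOUT):
        print(f"line {no}: {label} {extra or ''} -> {check}")
```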

Thank you.

I’ve switched back my kdc definition in my krb5.ini file to

CAROLINAS.ORG = {
kdc = CAROLINAS.ORG
default_domain = CAROLINAS.ORG
}

Now when I run the kinit utility a ticket is generated.

I will check with the AD Admins regarding the SPN.

thx
patw


pwilling (BOB member since 2003-02-03)