Windows Active Directory/Kerberos

I have followed the docs and am still falling short on getting Kerberos setup for manual logins.

I have CMS and all BO servers on single windows server.

I have war files installed on Websphere 6.1 AIX server.

I have configured the service user, SPN, tested kinit from the BO server with a successful message.

I can login to Deski via Windows AD as long as I’m using an account that is in the same domain as the AD Administration account.

Using the same account I can’t login via the CmcApp webapp.

Here are a few questions where the doc doesn’t seem that clear:

  1. Do I need to configure for SSO even though I only want to setup Manual AD logins at this time? On the Websphere server I have defined a krb5.conf and bscLogin.conf file. I have added paths to these files in my jvm arguments. This is all I have done on the Websphere side of the house.

  2. I’m not sure about Windows AD configuration within the CMC. We have a parent domain I’ll call THEBOSS.COM. There are no users in this parent domain. My users are in DEV.THEBOSS.COM and PROD.THEBOSS.COM. For the AD Administration name I am using an account that is in the DEV.THEBOSS.COM domain. The default AD domain is set to DEV.THEBOSS.COM. I can login to Deski with a user that is in the DEV.THEBOSS.COM domain, but not a user that is in PROD.THEBOSS.COM… Here is the krb5.conf file I am using on the Websphere server and in the c:\winnt folder of the BO server.

[libdefaults]
	default_realm = DEV.THEBOSS.COM
	default_tkt_enctypes = rc4-hmac des-cbc-md5
	default_tgs_enctypes = rc4-hmac des-cbc-md5
	forwardable  = true
	renewable  = true
	noaddresses = true
	clockskew  = 300
[realms]
	DEV.THEBOSS.COM = {
		kdc = SERVER1.DEV.THEBOSS.COM:88
		default_domain = THEBOSS.COM
	}
	# each realm block needs its own closing brace
	PROD.THEBOSS.COM = {
		kdc = SERVER2.PROD.THEBOSS.COM:88
		default_domain = THEBOSS.COM
	}
[domain_realm]
	# map each child domain to its own realm; one suffix cannot point at two realms
	.DEV.THEBOSS.COM = DEV.THEBOSS.COM
	.PROD.THEBOSS.COM = PROD.THEBOSS.COM
  3. I’m pretty sure the SPN is configured correctly. I have only created one and that is for the service definition. Should there be one for the HTTP endpoint for the CMC app?

brewdude (BOB member since 2004-09-21)
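A small checker for the realm-layout mistakes a two-domain krb5.conf like the one above invites. This is an added example, not code from the post, from BusinessObjects or from any Kerberos library: it parses a subset of the krb5.conf grammar (sections, `key = value` relations, one level of `name = { ... }` blocks) and flags an unclosed realm block, a `[domain_realm]` suffix mapped to more than one realm, and realms referenced but never defined. The two sample files are constructed for the example using the domain and server names from the thread; `realms_for_host` mirrors the usual `[domain_realm]` lookup order (exact host, then each parent domain with a leading dot) and returns every realm the matching key maps to, so an ambiguous mapping shows up as a list of more than one realm.

```python
"""Lint a krb5.conf for the realm-layout mistakes a two-domain setup invites.

Added example; not code from the original post or from BusinessObjects.
Parses sections, `key = value` relations and one level of `name = { ... }`
blocks, then reports unclosed blocks, ambiguous [domain_realm] keys and
realms that are referenced but never defined.
"""
import re
from collections import defaultdict

# Constructed sample: the DEV block lacks its closing brace, and the same
# .THEBOSS.COM suffix is mapped to both realms (host lookup is ambiguous).
BROKEN_CONF = """
[libdefaults]
    default_realm = DEV.THEBOSS.COM
[realms]
    DEV.THEBOSS.COM = {
        kdc = SERVER1.DEV.THEBOSS.COM:88
    PROD.THEBOSS.COM = {
        kdc = SERVER2.PROD.THEBOSS.COM:88
    }
[domain_realm]
    .THEBOSS.COM = DEV.THEBOSS.COM
    .THEBOSS.COM = PROD.THEBOSS.COM
"""

# Constructed sample: every block closed, each child domain mapped to its own realm.
FIXED_CONF = """
[libdefaults]
    default_realm = DEV.THEBOSS.COM
[realms]
    DEV.THEBOSS.COM = {
        kdc = SERVER1.DEV.THEBOSS.COM:88
    }
    PROD.THEBOSS.COM = {
        kdc = SERVER2.PROD.THEBOSS.COM:88
    }
[domain_realm]
    .DEV.THEBOSS.COM = DEV.THEBOSS.COM
    .PROD.THEBOSS.COM = PROD.THEBOSS.COM
"""

_SECTION = re.compile(r"\[(\w+)\]")
_RELATION = re.compile(r"([\w.\-]+)\s*=\s*(.*)")


def parse_krb5_conf(text):
    """Return ({section: {key: [values]}}, structural_problems).
    Values stay in lists so duplicate keys survive; a block becomes a dict."""
    sections = defaultdict(lambda: defaultdict(list))
    problems = []
    section = block = None  # block: name of the currently open `name = {`
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if m := _SECTION.fullmatch(line):
            if block is not None:
                problems.append(f"line {lineno}: block '{block}' not closed before [{m.group(1)}]")
                block = None
            section = m.group(1)
        elif section is None:
            problems.append(f"line {lineno}: relation outside any section")
        elif line == "}":
            if block is None:
                problems.append(f"line {lineno}: '}}' with no open block")
            block = None
        elif m := _RELATION.fullmatch(line):
            key, value = m.group(1), m.group(2).strip()
            if value == "{":
                if block is not None:
                    problems.append(f"line {lineno}: block '{key}' opened while '{block}' is still open")
                block = key
                sections[section][key].append({})
            elif block is not None:
                sections[section][block][-1][key] = value
            else:
                sections[section][key].append(value)
        else:
            problems.append(f"line {lineno}: unparsable {raw.strip()!r}")
    if block is not None:
        problems.append(f"end of file: block '{block}' never closed")
    return sections, problems


def realms_for_host(sections, host):
    """[domain_realm] lookup: exact host, then each parent domain with a leading
    dot, most specific first; falls back to default_realm. Returns every realm
    the matching key maps to, so an ambiguous key yields more than one entry."""
    mapping = {k.lower(): v for k, v in sections.get("domain_realm", {}).items()}
    labels = host.lower().split(".")
    keys = [host.lower()] + ["." + ".".join(labels[i:]) for i in range(1, len(labels))]
    for k in keys:
        if k in mapping:
            return list(mapping[k])
    return list(sections.get("libdefaults", {}).get("default_realm", []))


def lint_krb5_conf(text):
    """Return human-readable findings; an empty list means the file is clean."""
    sections, findings = parse_krb5_conf(text)
    realms = sections.get("realms", {})
    defined = {n for n, vals in realms.items() if any(isinstance(v, dict) for v in vals)}
    for name in sorted(defined):
        if not all("kdc" in v for v in realms[name] if isinstance(v, dict)):
            findings.append(f"[realms] {name}: no kdc")
    for pattern, targets in sections.get("domain_realm", {}).items():
        if len(targets) > 1:
            findings.append(f"[domain_realm] {pattern} mapped to {len(targets)} realms: ambiguous")
        findings += [f"[domain_realm] {pattern} -> {t}: not in [realms]" for t in targets if t not in defined]
    return findings
```

Running `lint_krb5_conf(BROKEN_CONF)` reports the PROD block opening while DEV is still open and the doubly-mapped `.THEBOSS.COM` suffix; the fixed file is clean, and `realms_for_host` then routes a `dev.theboss.com` host to DEV and a `prod.theboss.com` host to PROD instead of returning both realms for either.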

I configured Windows AD without SSO on Tomcat mapped to one Domain yesterday and it’s working fine.
I had a few issues with defining the SPN in the CMC, but apart from that I can log in using Enterprise or Windows AD from both the CMC and Infoview.

I was not aware that you could map to multiple AD domains though :oops:

Edited: Is there not some confusion as to multiple domain CONTROLLERS as opposed to multiple DOMAINS? i.e. redundancy vs separate domain access?

What messages do you receive when trying to log in?

This thread, Yet another Kerberos/AD login problem, helped me get through the process :yesnod:


MikeD :south_africa: (BOB member since 2002-06-18)

Maybe I need to just do the same and setup a single domain to get a baseline. I will need to be able to allow users from both domains to login eventually.


brewdude (BOB member since 2004-09-21)

I’m just wondering if that’s at all possible, as you only have one place to establish the AD Administrator Name in the CMC, which is qualified with the domain name, so how does one then add the next AD administrator?

The 360 degree crowd (Goiffen&Smith) made a similar comment in another post, and if he thinks the same I’d pretty much go with that statement :?

I.e. if I’m wrong please let me know asap :lol:


MikeD :south_africa: (BOB member since 2002-06-18)

I see you have your Websphere running on AIX rather than Windows.

Just looking at the release notes for XIR2 on Linux/AIX, it says that Windows AD is offered as an authentication option but isn’t actually supported on the Unix platform.

See page 11 of the document below:

http://help.sap.com/businessobject/product_guides/boexir2/en/xir2_linux_aix_releasenotes_en.pdf


andyt :uk: (BOB member since 2006-02-02)

That document is for XI R2 not XI 3.1


brewdude (BOB member since 2004-09-21)

Hi,

I am trying to configure the JVM settings of Websphere. In what field do I have to write the Java arguments for krb5.ini and bscLogin.conf?

Thanks in advance,

Diana


dbvc (BOB member since 2009-09-14)

You include those in the generic jvm settings.


brewdude (BOB member since 2004-09-21)