Windows AD kerberos authentication

Hello,
I am having a problem getting Windows AD authentication working when I use Kerberos authentication. It works fine when I use NTLM authentication, but I heard the Kerberos authentication (Java) made for a simpler login (single sign-on?), so I've been trying to get this to work. Whenever I check 'use Kerberos authentication', though, it gives the error:
"Account Information Not Recognized: Active Directory Authentication failed to log you on. Please contact your system administrator to make sure you are a member of a valid mapped group and try again."
I have done everything in the PDFs on the Business Objects website: created a mapped group for Crystal Reports, made an account and ran setspn.exe as instructed, created krb5.ini and bcsLogin.conf, and added the following to the Tomcat Java config:
-Djava.security.auth.login.config=C:\windows\bscLogin.conf
-Djava.security.krb5.conf=C:\windows\Krb5.ini

I wasn't sure exactly what went in those two files, but here they are:
krb5.ini:
[libdefaults]
    default_realm = COMPANY.LOCAL
    dns_lookup_kdc = true
    dns_lookup_realm = true

[realms]
    COMPANY.LOCAL = {
        default_domain = COMPANY.LOCAL
        kdc = COMPANY.LOCAL
    }

bcsLogin.conf:
com.businessobjects.security.jgss.initiate {
    com.sun.security.auth.module.Krb5LoginModule required;
};


nellanayrb (BOB member since 2008-06-18)
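Because the error message above says nothing about why the JVM could not obtain a ticket, a quick syntax and consistency check of krb5.ini before restarting Tomcat saves a lot of round trips. The following checker is an added example written for this thread, not code from Business Objects or from any poster; the realm and KDC names in the sample are placeholders, and the sample mirrors the shape of the krb5.ini posted above with the [realms] block closed properly. It parses the subset of krb5.ini syntax used here (section headers, key = value lines and REALM = { ... } blocks), rejects an unclosed realm block, and reports a missing default_realm, a realm that is not uppercase (realm names are case-sensitive and conventionally uppercase), and a realm that has neither a [realms] entry with a kdc nor dns_lookup_kdc = true.

```python
"""Minimal krb5.ini sanity checker (added example, not from the thread)."""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample: same shape as the krb5.ini posted in the thread, with
# the [realms] block closed. Realm and KDC names are placeholders.
SAMPLE_KRB5_INI = """\
[libdefaults]
default_realm = COMPANY.LOCAL
dns_lookup_kdc = true
dns_lookup_realm = true

[realms]
COMPANY.LOCAL = {
    default_domain = COMPANY.LOCAL
    kdc = COMPANY.LOCAL
}
"""


def parse_krb5(text: str) -> Dict[str, dict]:
    """Parse [section] headers, key = value lines and NAME = { ... } blocks.

    Values are stored as lists because a realm may list several kdc lines.
    Raises ValueError on an unclosed or unopened brace or an unparseable line.
    """
    sections: Dict[str, dict] = {}
    current: Optional[str] = None
    block: Optional[Tuple[str, dict]] = None  # (name, values) inside { ... }
    depth = 0
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()      # drop comments and whitespace
        if not line:
            continue
        m = re.fullmatch(r'\[(\w+)\]', line)
        if m:
            if depth:
                raise ValueError(f"unclosed '{{' before section [{m.group(1)}]")
            current = m.group(1)
            sections.setdefault(current, {})
            continue
        if current is None:
            raise ValueError(f"key outside any section: {line!r}")
        m = re.fullmatch(r'([\w.\-]+)\s*=\s*\{', line)
        if m:
            if depth:
                raise ValueError("nested '{' is not supported")
            block, depth = (m.group(1), {}), 1
            continue
        if line == '}':
            if not depth or block is None:
                raise ValueError("'}' without matching '{'")
            sections[current][block[0]] = block[1]
            block, depth = None, 0
            continue
        m = re.fullmatch(r'([\w.\-]+)\s*=\s*(.*)', line)
        if not m:
            raise ValueError(f"unparseable line: {line!r}")
        target = block[1] if block is not None else sections[current]
        target.setdefault(m.group(1), []).append(m.group(2).strip())
    if depth and block is not None:
        raise ValueError(f"realm block {block[0]!r} is never closed with '}}'")
    return sections


def check_krb5(text: str) -> List[str]:
    """Return a list of findings; an empty list means the file looks usable."""
    try:
        cfg = parse_krb5(text)
    except ValueError as e:
        return [f"syntax: {e}"]
    findings: List[str] = []
    libdefaults = cfg.get('libdefaults', {})
    realm = libdefaults.get('default_realm', [None])[0]
    if realm is None:
        findings.append("[libdefaults] has no default_realm")
        return findings
    if realm != realm.upper():
        findings.append(f"default_realm {realm!r} is not uppercase; realm names are case-sensitive")
    realms = cfg.get('realms', {})
    dns_kdc = libdefaults.get('dns_lookup_kdc', ['false'])[0].lower() == 'true'
    if realm not in realms:
        if not dns_kdc:
            findings.append(f"no [realms] entry for {realm!r} and dns_lookup_kdc is not true")
    elif 'kdc' not in realms[realm]:
        findings.append(f"[realms] entry {realm} has no kdc line")
    return findings


if __name__ == '__main__':
    print(check_krb5(SAMPLE_KRB5_INI) or "krb5.ini looks usable")
```

Point it at the real file with `check_krb5(open(r'C:\windows\Krb5.ini').read())`; a non-empty result is worth fixing before looking anywhere else, since the JVM will not get as far as the KDC with a malformed file.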

Just a simple test before digging further!!

If your user ID is in uppercase and you have JDK 1.4, then try logging in using the uppercase ID.

It's a known issue with JDK 1.4 (case sensitive). If this is the problem, upgrade the JDK to 1.5; if not, try further troubleshooting :nonod:


Chandru 901 :india: (BOB member since 2007-07-20)

A few troubleshooting hints:

Run kinit from the command line and see if you can authenticate.

Also check the app server logs; sometimes you may see a Kerberos error there.


bension (BOB member since 2005-09-01)

The user name I am testing with is in all lowercase, but I’ve tried logging in both ways, in all uppercase / all lowercase.

When I tried to run kinit from the command line it just said that it was a bad command or file name, since it’s an ini and not a program file.


nellanayrb (BOB member since 2008-06-18)

kinit is an executable file. You can find it under:

C:\Program Files\Business Objects\j2sdk1.4.2_08\bin\kinit.exe

Of course, your path may be slightly different. If kinit doesn't work, then there is a problem with your krb5.ini file or a problem with that account.

Some help on kinit:

c:>kinit user@DOMAIN pass

After you run this successfully, run klist, you should see something like this:

C:>klist

Credentials cache: C:\Documents and Settings!\krb5cc_!

Default principal: @DOMAIN, 1 entry found.

[1] Service Principal:
krbtgt/DOMAIN@DOMAIN
Valid starting: Jun 24, 2008 12:53
Expires: Jun 24, 2008 22:53


bension (BOB member since 2005-09-01)

Hello, folks.

I had a problem like this here. Although I could import groups and users via CMC, and despite being able to see the klist success message, users still couldn't log on to InfoView.

After each logon attempt, a new error line like this was added to stdout.log:

“ERROR com.crystaldecisions.sdk.plugin.authentication.ldap.internal.SecWinADAuthentication - Cannot create LoginContext. Configuration error: Can not specify multiple entries for com.businessobjects.security.jgss.initiate”

I solved it using an empty bscLogin.conf file.


jcolares :brazil: (BOB member since 2008-07-10)

From Tomcat, Java Infoview I get this error in stdout.log:

575554 [http-8080-Processor25] ERROR com.crystaldecisions.sdk.plugin.authentication.ldap.internal.SecWinADAuthentication - Cannot create LoginContext. No LoginModules configured for com.businessobjects.security.jgss.initiate

I need to know some places to look to change something.

Over a year and a half ago I successfully had InfoView Tomcat authenticating to Active Directory but abandoned this due to the fully qualified login name, as we have multiple AD domains. Enterprise authentication has been adequate for now. Now I am revisiting AD authentication. I have since upgraded with SP2, SP3 & FP3.4, so I don't know if my problem is any of the patches, Java or what. I can test with kinit fine. I have a good krb5.ini and bsclogin.conf. I can log in with AD from CMC. I can log in with AD from InfoView .NET. My problem is just Tomcat Java InfoView.

There are over a dozen helpful threads I have studied and tried most of the suggestions. I don’t see any with the reference to the words “No LoginModules” which is a keyword to my problem.

Thanks to the forum,


berzajsh :us: (BOB member since 2005-10-03)

Did you create the bscLogin.conf file? Also make sure you have this flag in your tomcat java options:
-Djava.security.auth.login.config=C:\WINNT\bscLogin.conf


bension (BOB member since 2005-09-01)

Thanks for the hint. I did have a problem with my Krb5.ini and bscLogin.conf, and I am closer to logging in. Now my error is:

185252 [http-8080-Processor24] ERROR com.crystaldecisions.sdk.plugin.authentication.ldap.internal.SecWinADAction - LoginContext failed. No valid credentials provided (Mechanism level: Fail to create credential. (63) - No service creds)

I have added many versions into setspn.exe, hoping it's the syntax for my server. Has anyone had the "No service creds" message and have any hints on where to search next for any changes?


berzajsh :us: (BOB member since 2005-10-03)

I was having a similar problem. AD users could log in to the CMC, but not InfoView. When trying to log in to InfoView I would get the following error:

I also noticed the following error in the stdout.log

Similar to jcolares' suggestion, I removed the line that points to the custom bscLogin.conf file in the Tomcat Java options and that seemed to work.
I tried just a blank bscLogin.conf file, but that didn't work for me.


David M :us: (BOB member since 2008-05-28)

I figured out why I was getting the following error in the stdout.log:


"ERROR com.crystaldecisions.sdk.plugin.authentication.ldap.internal.SecWinADAuthentication - Cannot create LoginContext. Configuration error: Can not specify multiple entries for com.businessobjects.security.jgss.initiate"

One of the steps in the configuration guide has you reference the bcsLogin.conf file either in the Java Options tab of Tomcat OR the java.security file, but not both.
I did both and that was why I got this error. I removed the line added in the java.security file and left the line in the Java Options tab and everything works fine now.


David M :us: (BOB member since 2008-05-28)
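Two of the errors quoted in this thread come straight from the JAAS configuration loader: "Can not specify multiple entries for com.businessobjects.security.jgss.initiate" (the same application name declared twice, which is what happens when the file is referenced both in the Tomcat Java Options and in java.security, as David M describes) and "No LoginModules configured for com.businessobjects.security.jgss.initiate" (no entry for that name in any loaded file). The checker below is an added example written for this thread, not code from Business Objects or from any poster. It parses the JAAS login configuration syntax (`name { module flag [options]; };`), merges every file the JVM would load, and reproduces those two findings before Tomcat is restarted. The sample bscLogin.conf is constructed to match the one posted in the thread.

```python
"""JAAS login configuration checker (added example, not from the thread)."""
import re
from typing import Dict, List

# Constructed sample bscLogin.conf, same shape as the one posted in the thread.
GOOD_CONF = """\
com.businessobjects.security.jgss.initiate {
    com.sun.security.auth.module.Krb5LoginModule required;
};
"""

APP_NAME = "com.businessobjects.security.jgss.initiate"
FLAGS = {"required", "requisite", "sufficient", "optional"}  # JAAS control flags

_ENTRY = re.compile(r'([\w.$]+)\s*\{(.*?)\}\s*;', re.S)     # name { body };
_MODULE = re.compile(r'([\w.$]+)\s+(\w+)([^;]*);', re.S)    # class flag options;


def parse_jaas(text: str) -> Dict[str, List[List[dict]]]:
    """Map each application name to the entries declared for it.

    The outer list holds one item per declaration of that name, so a name
    declared twice (which JAAS rejects) shows up as a list of length 2.
    Each declaration is a list of modules: class, control flag and options.
    """
    text = re.sub(r'//[^\n]*', '', text)  # strip // line comments
    entries: Dict[str, List[List[dict]]] = {}
    for name, body in _ENTRY.findall(text):
        modules = []
        for cls, flag, opts in _MODULE.findall(body):
            if flag.lower() not in FLAGS:
                raise ValueError(f"{name}: module {cls} has unknown control flag {flag!r}")
            options = dict(re.findall(r'(\w+)\s*=\s*"?([^"\s]+)"?', opts))
            modules.append({"class": cls, "flag": flag.lower(), "options": options})
        entries.setdefault(name, []).append(modules)
    return entries


def check_login_sources(conf_texts: List[str], app: str = APP_NAME) -> List[str]:
    """Merge every login configuration source the JVM would load and report
    the two failure modes seen in the thread.

    conf_texts holds the contents of each file that is referenced, whether via
    -Djava.security.auth.login.config or via login.config.url.N in
    java.security; passing the same file twice models the double reference.
    """
    declarations: Dict[str, int] = {}
    module_count = 0
    for text in conf_texts:
        for name, decls in parse_jaas(text).items():
            declarations[name] = declarations.get(name, 0) + len(decls)
            if name == app:
                module_count += sum(len(d) for d in decls)
    findings: List[str] = []
    if declarations.get(app, 0) > 1:
        findings.append(f"Can not specify multiple entries for {app}: "
                        f"declared {declarations[app]} times across the loaded files")
    if module_count == 0:
        findings.append(f"No LoginModules configured for {app}")
    return findings


if __name__ == '__main__':
    print(check_login_sources([GOOD_CONF]) or "single entry, one module: OK")
    print(check_login_sources([GOOD_CONF, GOOD_CONF]))  # the double-reference case
    print(check_login_sources([""]))                     # the empty-file case
```

To use it against a real installation, read the file named by -Djava.security.auth.login.config plus every file named by a login.config.url.N line in the JRE's java.security, and pass all of them in one list; the merged view is what the JVM sees, which is why the duplicate cannot be spotted by looking at either file on its own.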