I am currently testing BO on Windows 2022 servers and the standard practice to enable AD login is not working anymore there…
No usable errors - but the usual in the login screen…
Kontoinformationen nicht erkannt: Die Active Directory-Authentifizierung konnte Sie nicht anmelden. Wenden Sie sich an Ihren Systemadministrator, um zu überprüfen, ob Sie ein Mitglied einer gültigen, zugeordneten Gruppe sind, und versuchen Sie es erneut. Falls Sie kein Mitglied der Standarddomäne sind, geben Sie Ihren Benutzernamen als Benutzername@DNS_Domänenname ein, und versuchen Sie es erneut. (FWM 00006)
and in the stdout.log of Tomcat - with debug true - is only this:
Java config name: c:\Windows\krb5.ini
Loaded from Java config
KdcAccessibility: reset
default etypes for default_tkt_enctypes: 18 17.
KrbAsReq creating message
getKDCFromDNS using UDP
getKDCFromDNS using TCP
Hi Wobi,
Probably I will not provide you the correct troubleshooting procedure. More like a shot from the hip:
The CMC - Auth - Win Auth - is it set and are the Win events/logs ok?
I would use Wireshark, capture a time window when the user tries to log on and filter "kerberos" - and search for info on which ciphers are offered and which is used/rejected. In case AES 128/256 is used, I would check the service account to see if the AES128/256 options are enabled in the AD account properties…
BR Tom
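Added example, not part of the thread: a small Python check that compares the encryption types the Java client offers (the "default etypes for default_tkt_enctypes" debug line in stdout.log) with the ones enabled on the AD service account. It assumes the account's msDS-SupportedEncryptionTypes value has been read from AD by an administrator; the attribute values used below are constructed.

```python
import re

# Kerberos etype number -> bit in AD's msDS-SupportedEncryptionTypes
ETYPE_TO_AD_BIT = {
    1: 0x01,   # des-cbc-crc
    3: 0x02,   # des-cbc-md5
    23: 0x04,  # rc4-hmac
    17: 0x08,  # aes128-cts-hmac-sha1-96
    18: 0x10,  # aes256-cts-hmac-sha1-96
}

def client_etypes(stdout_log):
    """Etypes offered by the JDK client, in preference order, from its debug output."""
    m = re.search(r"default etypes for default_tkt_enctypes:\s*([\d ]+)", stdout_log)
    return [int(n) for n in m.group(1).split()] if m else []

def account_etypes(attr_value):
    """Decode the account bitmask; None means the attribute is unset (0 or missing)."""
    if not attr_value:
        return None
    return [etype for etype, bit in ETYPE_TO_AD_BIT.items() if attr_value & bit]

def check(stdout_log, attr_value):
    """Return (status, common_etypes) for one client log and one service account."""
    offered = client_etypes(stdout_log)
    if not offered:
        return ("no-debug-line", [])
    allowed = account_etypes(attr_value)
    if allowed is None:
        # Unset attribute: the domain/KDC default decides, so check that instead.
        return ("account-unset", [])
    common = [e for e in offered if e in allowed]
    return ("ok" if common else "mismatch", common)

# The debug lines quoted in the question above
LOG = """Java config name: c:\\Windows\\krb5.ini
Loaded from Java config
default etypes for default_tkt_enctypes: 18 17.
KrbAsReq creating message"""

if __name__ == "__main__":
    # Constructed attribute values: AES128+AES256, RC4 only, unset
    for value in (0x18, 0x04, 0):
        print(hex(value), check(LOG, value))
```

A "mismatch" result points at the AES checkboxes in the account properties; "ok" means the cause lies elsewhere in the configuration.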
Well, there are some possible checks for the AD service user to update - AES… and also at the KDC to enable this encryption - which the domain admin does not want to test in prod systems… so I have to wait for a test environment named for a test… puh, it takes some time… to solve this riddle…
Well, we had 99% already ok - krb5.ini encryption was already updated… but the simple BO-AD configuration in CMC had only the domain for the service user mentioned and not the FQDM ! (SIC) - So no other Windows 22 problems, but a simple "user configured wrong" problem