But I have a problem with Infoview: I can log in to the CMC but not to Infoview; it gives me this error.
I read that manual 5x without success.
PLEASE HELP ME
I have these files.
c:\windows\krb5.ini
[libdefaults]
default_realm = BUSINESSOBJECTS.DEV
dns_lookup_kdc = true
dns_lookup_realm = true
[realms]
BUSINESSOBJECTS.DEV = {
default_domain = BUSINESSOBJECTS.DEV
kdc = B-OBJECTSDEMO.BUSINESSOBJECTS.DEV
}
c:\windows\bscLogin.conf
com.businessobjects.security.jgss.initiate {
com.sun.security.auth.module.Krb5LoginModule required;
};
Make sure that your Domain Controller Name is correct. The “kdc” in the krb5.ini file must be the name of the server that functions as your domain controller. This is NOT your BO application or web server; this is a remote network server that performs the authentication to Windows AD.
Also, make sure the user running the Tomcat service on your web server(s) (should be a Windows Service Account, not a local user) can query the Domain Controller in the krb5.ini file. Your network team will need to set this up; it is not automatic.
Each user account for BO must be the exact Windows AD user (or aliased to it) or the authentication will fail. For example, if the default BO Enterprise user is JBUCKLEY but Windows AD user is JBUCK, when I try to login as JBUCKLEY using Windows AD authentication, it will fail. You will need to add an alias so that JBUCKLEY (Enterprise)=JBUCK (WinAD). This will need to be done for every user when using separate Enterprise Logins.
Thanks for your reply.
I tried to do that, but now Infoview gives me this error.
Yes, I have the same name in AD and CMC.
Yes, the CMS and Tomcat use the AD user to run these services.
Yes, I tried kinit.exe and it works.
Yes, I used klist to see them and it works.
Yes, I can log on with an AD user to the CMC.
Yes, I can create more users in AD and see them in the CMC.
But when I try to use an AD user in Infoview I get this error.
That looks like there is something wrong with your Tomcat setup. Can you log into the Java InfoView with an Enterprise user account?
If no, you may be missing some of the InfoView files that make the “Business Objects/desktoplaunch” application work. The best thing to do there is to remove the applications from Tomcat, verify the additional settings required (follow the “Deploying on Tomcat - Chapter 4” instructions from the XI R2 Installation Guide), restart Tomcat and then redeploy all the applications.
If yes, try changing the Authentication Options in the CMC (under Authentication -> Windows AD) to “Use NTLM authentication” instead of Kerberos. This is how our system is set up. We could not get it to work using Kerberos directly.
I know what you are saying. The documentation looks easy to follow, but there are lots of places where you can make mistakes. It took us almost a full week to get everything working on our system. Keep trying, you will get there.
Another thing to check would be in the Tomcat Admin tool. Check that your “Java Options” include all the Business Objects extra code. Here is what our Java Options looks like:
Some of these things will be different on your system: we installed Tomcat @ C:\Tomcat, BO XI @ D:\BO and the krb5.ini and bscLogin.conf files @ C:\krb5, you will need to put in the directories on your server that you used.
Also, make sure your default domain (“realm”) and domain controller (“kdc”) match what is in the Authentication tab for Windows AD in the CMC. These are usually case-sensitive, which may be another reason why this fails (BOSTON.FIRM is not the same as boston.firm).
If you find something missing or misspelled, you will need to stop and restart Tomcat.
“Realm” is the name of the Windows Domain that users log into and “kdc” is the name of the actual Domain Controller server. In your case, the default domain (“realm”) would be “BUSINESSOBJECTS.DEV” and the server (“kdc”) should be “B-OBJECTSDEMO.BUSINESSOBJECTS.DEV”.
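Added example, not part of the original thread: a small Python check of the advice above that the realm and kdc in krb5.ini must match the CMC's Windows AD settings character for character, including case. The function names and the `cmc_realm` / `cmc_kdc` parameters are assumptions; the CMC values are typed in by hand, not read from BusinessObjects.

```python
POSTED_KRB5 = """[libdefaults]
default_realm = BUSINESSOBJECTS.DEV
dns_lookup_kdc = true
dns_lookup_realm = true
[realms]
BUSINESSOBJECTS.DEV = {
default_domain = BUSINESSOBJECTS.DEV
kdc = B-OBJECTSDEMO.BUSINESSOBJECTS.DEV
}
"""  # krb5.ini as posted earlier in this thread

def parse_krb5(text):
    """Return (libdefaults, realms) where realms maps realm -> {key: value}."""
    libdefaults, realms, section, realm = {}, {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # blank line or whole-line comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section, realm = line[1:-1], None
        elif line == "}":                    # end of a realm block
            realm = None
        elif "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            if section == "realms" and realm is None and value == "{":
                realm = key                  # start of a realm block
                realms[realm] = {}
            elif section == "realms" and realm is not None:
                realms[realm][key] = value
            elif section == "libdefaults":
                libdefaults[key] = value
    return libdefaults, realms

def compare(label, found, expected):
    # Returns a problem string, or None when the values match exactly.
    if found == expected:
        return None
    if found is None:
        return f"{label}: missing from krb5.ini"
    kind = "case differs" if found.lower() == expected.lower() else "differs"
    return f"{label}: {kind} ({found!r} in krb5.ini, {expected!r} in CMC)"

def check_against_cmc(text, cmc_realm, cmc_kdc):
    """cmc_realm / cmc_kdc: values copied by hand from the CMC Windows AD tab."""
    libdefaults, realms = parse_krb5(text)
    default = libdefaults.get("default_realm")
    kdc = realms.get(default, {}).get("kdc")  # exact-case lookup of the realm block
    checks = (compare("default_realm", default, cmc_realm), compare("kdc", kdc, cmc_kdc))
    return [problem for problem in checks if problem]
```

An empty list means the two sides agree; a realm block whose name differs from `default_realm` only in case is reported as a missing kdc, because the lookup is exact.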
Only other thing I see is that some lines have directory paths with “\” and some with “/”.
Try changing the last few entries to “\” (i.e. C:\winnt\bscLogin.conf ), Tomcat may be confused by this.
I apologize, I did not see the Java questions earlier in the thread before my last message.
We are using Tomcat 5.0.27 with J2SDK 1.4.2.12 and JRE 1.5.0.06.
Looking at the STDER.LOG, one of two things is happening: either the domain controller server (kdc) is not correct or the user trying to query the domain controller does not have access to do so.
Each time the “SecWinAD” authentication is called, it fails. I think you need to find out what the name of the actual Windows Domain Server is. You are trying to hit the BO XI server (B-OBJECTSDEMO.BUSINESSOBJECTS.DEV) as the domain controller, but this may not be correct. Ask one of your network admins what the “Windows AD domain and domain controller server name” are. This will be what needs to go in Tomcat and the CMC to make this work. Once you have this domain and domain controller, you will need to change these in the CMC as well as Tomcat.
Also, the user trying to initiate contact with the domain controller appears to not be able to. Here is the error that shows this:
Again, ask the network admins to make sure this user has read access to the Windows AD domain.
I have a virtual machine with Windows 2003 using AD and BO installed on the same machine.
So the B-OBJECTSDEMO.BUSINESSOBJECTS.DEV is the same.
DOMAIN is BUSINESSOBJECTS.DEV
server name is B-OBJECTSDEMO
Next, check that the “mpinheiro@BUSINESSOBJECTS.DEV” user is populated in your AD domain user list and has access to query the domain controller. If you copied the AD user list from your actual domain, those users will still have the original domain listed, not BUSINESSOBJECTS.DEV.
Other than that, I am not sure where else to check. Maybe you have a Tomcat expert in house that could help. When we got stuck, we had to bring one in (it is not me, I just remember what we learned but am not an expert).
Good Luck,
Jim
P.S. Unfortunately, my company doesn’t allow IM at all.
Did you have SSO and Windows AD authentication working fine? We are facing similar issues at our end. Did you apply SP2 in your BOXIR2 environment to get this working?
Create a folder on the C:\ drive of the Web server called WINNT. Place both files in that folder. This will be used for kinit connectivity testing and that folder is where the utility will look for these files.
Also, place both of these files in the \\d$\Program Files\Business Objects\Tomcat\conf directory on the Web server.
Test the formatting and functionality of your Java configuration files on the Tomcat web application server by using the kinit command.
The general format is kinit username@BCBSNC.COM secretpassword (without the quotes).
If this works properly, you will not see any error messages.
The next command you should enter is klist (without the quotes).
You should see a Default principal confirmation reply.
Place the following two entries at the bottom of the Tomcat Configuration / Java tab / Java Options section.