Configure CRS2008 to use AD and Kerberos with Java application servers

November 30

Hi All,
I have configured CRS2008 to use AD and Kerberos with Java application servers. The Domain Controller is installed on a W2K3 Server. In addition, CRS2008 is installed on another W2K3 Server.
I have created a service account in the domain controller: CMSACC
I have created two user accounts: CRuser1 and CRuser2
I have created a domain group: CRSGroup
After I ran setspn on the domain controller, I got the message below:
Registered ServicePrincipalNames for CN=CMSACC, OU=TEST, DC=BD, DC=com:
    BOBJCentralMS/BDMGTSRV.BD.com
CMC Setting:
AD Administration Name: BD\administrator
Default AD Domain: BD.com
Add AD Group(Domain\Group): secWinAD:CN=CRSGroup,OU=TEST,D=BD,DC=com
Service principal name: BOBJCentralMS/CMSACC@BD.com
I have created a WINNT folder in the root directory and saved bscLogin.conf and krb5.ini there.
bscLogin.conf:
com.businessobjects.security.jgss.initiate {
com.sun.security.auth.module.Krb5LoginModule required;
};
krb5.ini:
[libdefaults]
default_realm = BD.com
dns_lookup_kdc = true
dns_lookup_realm = true
[realms]
forwardable = true
BD.com = {
default_domain = BD.com
kdc = BDMGTSRV.BD.com
}
I have tested Kerberos using kinit CMSACC@BD.com password, and got the error message below:
Exception: krb_error 41 Message stream modified (41) Message stream modified
KrbException: Message stream modified (41)
        at sun.security.krb5.KrbKdcRep.check(KrbKdcRep.java:53)
        at sun.security.krb5.KrbAsRep.<init>(KrbAsRep.java:96)
        at sun.security.krb5.KrbAsRep.getReply(KrbAsRep.java:486)
        at sun.security.krb5.KrbAsRep.getReply(KrbAsRep.java:444)
        at sun.security.krb5.internal.tools.Kinit.sendASRequest(Kinit.java:310)
        at sun.security.krb5.internal.tools.Kinit.<init>(Kinit.java:259)
        at sun.security.krb5.internal.tools.Kinit.main(Kinit.java:106)
My problem is that I fail to log on to CMC and InfoView and get the error message below:
Account Information Not Recognized: Active Directory Authentication failed to log you on. Please contact your system administrator to make sure you are a member of a valid mapped group and try again. If you are not a member of the default domain, enter your user name as UserName@DNS_DomainName, and then try again.
Actually, I am successful in logging on to Business View Manager with CRuser1. However, I fail to log on to CMC and InfoView and get the above error. Do you have any suggestions to solve this problem?
Ken.


Reply

If you can log on with client tools, then that should be an indication that the service account running the CMS IS working! Good news.
So the problem is likely with the Java portion (krb5/bscLogin or Java options).
If the files are in c:\winnt\ (if not, copy them there), run c:\program files\business objects\javasdk\bin\kinit username
then press Enter, type the password and press Enter again.
You will probably get the same message. Note that in your krb5.ini all domain info must be in CAPS (the .com appears to be in lower case).
kinit works with just the krb5.ini, Java SDK and AD (removing BO config and the service account from the picture). Once that works, if your Java options are specified properly, you should be able to log in to CMC/InfoView.
Also, one last point: add udp_preference_limit = 1 to the krb5 libdefaults section:
[libdefaults]
default_realm = BD.com
dns_lookup_kdc = true
dns_lookup_realm = true
udp_preference_limit = 1
Regards,
Tim
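
A small check for the two krb5.ini points raised in the reply above (domain values in upper case, and udp_preference_limit = 1 in [libdefaults]), as an added example that is not part of the original thread. The function name `lint_krb5` and the `SAMPLE` text are constructed for illustration, and treating `default_realm`, `default_domain` and the realm block name as the "domain info" is an assumption.

```python
import re

# Constructed sample, modelled on the krb5.ini posted in the question
# (closing brace added so the realm block is complete).
SAMPLE = """\
[libdefaults]
default_realm = BD.com
dns_lookup_kdc = true
dns_lookup_realm = true
[realms]
BD.com = {
default_domain = BD.com
kdc = BDMGTSRV.BD.com
}
"""

def lint_krb5(text):
    """Return (line_number, message) findings; line 0 means file-level."""
    findings, section, depth, libdefaults = [], None, 0, {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line == "}":
            depth = max(depth - 1, 0)
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            section, depth = header.group(1).lower(), 0
            continue
        if "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if section == "libdefaults":
            libdefaults[key] = value
        if key in ("default_realm", "default_domain") and value != value.upper():
            findings.append((lineno, f"{key} = {value} is not upper case"))
        # A top-level "NAME = {" line inside [realms] opens a realm block.
        if section == "realms" and value == "{":
            if depth == 0 and key != key.upper():
                findings.append((lineno, f"realm name {key} is not upper case"))
            depth += 1
    if libdefaults.get("udp_preference_limit") != "1":
        findings.append((0, "udp_preference_limit = 1 not set in [libdefaults]"))
    return findings

if __name__ == "__main__":
    for lineno, message in lint_krb5(SAMPLE):
        print(f"line {lineno}: {message}")
```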
