Configure CRS2008 to use AD and Kerberos with Java application servers.

November 30

Hi All,
I have configured CRS2008 to use AD and Kerberos with Java application servers. The domain controller is installed on a W2K3 server. In addition, CRS2008 is installed on another W2K3 server.
I have created a service account on the domain controller: CMSACC
I have created two user accounts: CRuser1 and CRuser2
I have created a domain group: CRSGroup
After I ran setspn on the domain controller, I got the message below:
Registered ServicePrincipalNames for CN=CMSACC, OU=TEST, DC=BD, DC=com:
    BOBJCentralMS/BDMGTSRV.BD.com
CMC Setting:
AD Administration Name: BD\administrator
Default AD Domain: BD.com
Add AD Group(Domain\Group): secWinAD:CN=CRSGroup,OU=TEST,D=BD,DC=com
Service principal name: BOBJCentralMS/CMSACC@BD.com
I have created a WINNT folder in the root directory and saved bscLogin.conf and krb5.ini there.
bscLogin.conf:
com.businessobjects.security.jgss.initiate {
    com.sun.security.auth.module.Krb5LoginModule required;
};
krb5.ini:
[libdefaults]
    default_realm = BD.com
    dns_lookup_kdc = true
    dns_lookup_realm = true
[realms]
    forwardable = true
    BD.com = {
        default_domain = BD.com
        kdc = BDMGTSRV.BD.com
    }
I have tested Kerberos using kinit CMSACC@BD.com password, and got the error message below:
Exception: krb_error 41 Message stream modified (41) Message stream modified
KrbException: Message stream modified (41)
        at sun.security.krb5.KrbKdcRep.check(KrbKdcRep.java:53)
        at sun.security.krb5.KrbAsRep.<init>(KrbAsRep.java:96)
        at sun.security.krb5.KrbAsRep.getReply(KrbAsRep.java:486)
        at sun.security.krb5.KrbAsRep.getReply(KrbAsRep.java:444)
        at sun.security.krb5.internal.tools.Kinit.sendASRequest(Kinit.java:310)
        at sun.security.krb5.internal.tools.Kinit.<init>(Kinit.java:259)
        at sun.security.krb5.internal.tools.Kinit.main(Kinit.java:106)
My problem is that I fail to log on to CMC and InfoView, and get the error message below:
Account Information Not Recognized: Active Directory Authentication failed to log you on. Please contact your system administrator to make sure you are a member of a valid mapped group and try again. If you are not a member of the default domain, enter your user name as UserName@DNS_DomainName, and then try again.
Actually, I can successfully log on to Business View Manager with CRuser1. However, I fail to log on to CMC and InfoView and get the above error. Do you have any suggestions to solve this problem?
Ken.


Reply

If you can log on with the client tools, then that should be an indication that the service account running the CMS IS working! Good news.
So the problem is likely with the Java portion (krb5/bscLogin or Java options).
If the files are in c:\winnt\ (if not, copy them there), run c:\program files\business objects\javasdk\bin\kinit username
then enter and password/enter again
You will probably get the same message. Note that in your krb5.ini all domain info must be in CAPS (the .com appears to be in lower case).
kinit works with just the krb5.ini, the Java SDK and AD (removing the BO config and the service account from the picture). Once that works, if your Java options are specified properly, you should be able to log in to CMC/InfoView.
Also, one last point: add udp_preference_limit = 1 to the krb5 libdefaults section.
[libdefaults]
default_realm = BD.com
dns_lookup_kdc = true
dns_lookup_realm = true
udp_preference_limit = 1
Regards,
Tim
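
Added example, not part of the original thread or of any Business Objects tooling: a small Python check for the two krb5.ini points raised in the reply (upper-case realm names, udp_preference_limit = 1 in [libdefaults]). It goes slightly further and also flags a key placed directly under [realms], as forwardable is in the posted file; the function name lint_krb5 and the sample text are assumptions constructed for illustration.

```python
import re
# Constructed sample: the krb5.ini layout from the question (closing brace assumed).
SAMPLE = """\
[libdefaults]
default_realm = BD.com
dns_lookup_kdc = true
dns_lookup_realm = true
[realms]
forwardable = true
BD.com = {
default_domain = BD.com
kdc = BDMGTSRV.BD.com
}
"""

def lint_krb5(text):
    """Hypothetical helper: list findings for the points raised in the reply."""
    findings, libdefaults, realms = [], {}, []
    section, depth = None, 0
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#;":          # blank line or comment
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            section = header.group(1).lower()
            continue
        if line == "}":                           # end of a realm block
            depth -= 1
            continue
        key, _, value = (part.strip() for part in line.partition("="))
        if section == "libdefaults":
            libdefaults[key] = value
        elif section == "realms" and value == "{":
            realms.append((lineno, key))          # start of a realm block
            depth += 1
        elif section == "realms" and depth == 0:  # e.g. forwardable under [realms]
            findings.append(f"line {lineno}: '{key}' is outside any realm block")
    default_realm = libdefaults.get("default_realm", "")
    if default_realm != default_realm.upper():
        findings.append(f"default_realm '{default_realm}' is not upper case")
    for lineno, name in realms:
        if name != name.upper():
            findings.append(f"line {lineno}: realm '{name}' is not upper case")
    if libdefaults.get("udp_preference_limit") != "1":
        findings.append("udp_preference_limit = 1 is missing from [libdefaults]")
    if depth != 0:
        findings.append("unbalanced braces in [realms]")
    return findings
```

Calling lint_krb5(SAMPLE) returns four findings for the posted layout; a file with upper-case realm names, the stray key removed and udp_preference_limit = 1 added returns an empty list.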
