Hello,
I installed BO 4.0 SP6 on Windows Server 2008 and am utilizing the Tomcat server.
I am having an issue configuring manual login for multiple domains in the same forest.
Our environment setup is as follows...
The Business Objects server is set up in the A1.PARENT.COM domain.
The service account also uses the A1.PARENT.COM domain.
We have three domains in the AD network:
- A1.PARENT.COM
- A2.PARENT.COM
- A3.PARENT.COM
All three domains are children of the PARENT.COM forest.
So users from A1.PARENT.COM can successfully log in both manually and through Single Sign-On.
Users from A2.PARENT.COM and A3.PARENT.COM can log in through Single Sign-On; however, manual login doesn't work for users from the A2.PARENT.COM and A3.PARENT.COM domains.
BO Error:
Account information not recognized: The Active Directory Authentication plugin could not authenticate at this time. Please try again. If the problem persists, please contact your technical support department. (FWM 00005)
Tomcat Log:
Debug is true storeKey false useTicketCache false useKeyTab false doNotPrompt false ticketCache is null isInitiator true KeyTab is null refreshKrb5Config is false principal is null tryFirstPass is false useFirstPass is false storePass is false clearPass is false
[Krb5LoginModule] user entered username: USER1@A2.PARENT.COM
Acquire TGT using AS Exchange
principal is USER1@A2.PARENT.COM
EncryptionKey: keyType=23 keyBytes (hex dump)=xxxx x x x x x xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx xxx xx xx x xxxx
Commit Succeeded
After some research I found out it might have something to do with the CAPATHS setting in krb5.ini. The CAPATHS information is as below:
[capaths]
A1.PARENT.COM = {
PARENT.COM = .
A3.PARENT.COM = PARENT.COM
}
A3.PARENT.COM = {
PARENT.COM = .
A1.PARENT.COM = PARENT.COM
}
A1.PARENT.COM = {
PARENT.COM = .
A2.PARENT.COM = PARENT.COM
}
A2.PARENT.COM = {
PARENT.COM = .
A1.PARENT.COM = PARENT.COM
}
Maybe I am doing something wrong with CAPATHS...
Please help...
Thanks,