- After following the steps to setup AD SSO in KBA 2629070, older systems using KBA 1631734, on unix/linux KBA 1965433 users land on a logon screen or receive an error
- If looking at web/app tracing, vintela logs, tomcat stderr.log, or a packet scanner on the client, there are no clear errors to identify the cause of the failure
- A message shown in the web/app log that may also appear in the vintela.log or stderr.out "Message: idm.allowNTLM=false but client tried to do NTLM regardless"
- KBA's used to troubleshoot this 2820819, 2684843, or 1969914.
- A list of possible errors is below but note it may just fail with a logon screen or another error that hasn't been added to the list yet.
HTTP Status 500 - com.wedgetail.idm.sso.ProtocolException: com.wedgetail.idm.spnego.server.SpnegoException: GSSException: Failure unspecified at GSS-API level (Mechanism level: com.dstc.security.kerberos.KerberosException: Could not decrypt service ticket with Key type ##, KVNO ##, Principal HTTP/yyy.xxx.xxx.local using key: Principal:  service acount KVNO: ## EncType: ## Exception for this key was: com.dstc.security.kerberos.CryptoException: Integrity check failure[Note: principal names are different; this may or may not be a problem] [Note: KVNO used wildcard match, not exact match; perhaps the password used to generate this key is not the most recent password?
KRB Error: KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN
Packet scan shows NTLMSSP_NEGOTIATE
SAP Businessobjects Business Intelligence Platform 4.x 4.1 4.2 4.3 (all versions or BI and patches)
emkba biauth single sign on automatic logon spnego negotiate kerberos active directory microsoft account workstation , KBA , BI-BIP-AUT , Authentication, ActiveDirectory, LDAP, SSO, Vintela , Problem
About this pageThis is a preview of a SAP Knowledge Base Article. Click more to access the full version on SAP ONE Support launchpad (Login required).
Search for additional results
Visit SAP Support Portal's SAP Notes and KBA Search.