Symptom
- AD authentication configured per KBA 2629070 (in this case manual AD logon only, not SSO)
- Receive an internal error when logging into the CCM (Central Configuration Manager) with AD
- Switching to NTLM login worked for the CCM
- Receive FWM 00005 error when logging into Fiori or the CMC with AD (see also KBA 1199118)
- A packet capture of the CCM login showed the Kerberos error KDC_ERR_ETYPE_NOSUPP (encryption type not supported)
- A packet capture of the login through Fiori or the CMC showed no errors
Environment
BusinessObjects Business Intelligence Platform 4.3 (also applies to 4.2 or any other version, as the issue lies in the AD configuration rather than in BI)
Reproducing the Issue
Set up BI AD authentication per KBA 2629070
Cause
- The root cause is not fully known. Because of the setup of the customer's environment, the AES checkboxes were required on the BI service account; without them, logins from the BI server requested an encryption type the domain controller did not support. Normally these checkboxes are not required.
- Note that when domain policy and local policy are not in agreement, the CCM, which uses the Microsoft Kerberos APIs, can fail to log in because the local server requests an encryption type that is not supported on the domain controller.
- By default, encryption types should be controlled by Microsoft domain policy, with all domain members (servers, workstations, etc.) following that policy. In that case KBA 2629070 works whether the policy is RC4 or AES.
- When the policy is not set up correctly, a situation like the one in this KBA occurs, and the bad policy can be worked around by forcing AES on the BI service account.
- This can have other repercussions: the krb5.ini (for manual logon) and the keytab (for SSO) must then also force AES. If a client that does not support AES attempts SSO into BI, the checkboxes on the BI service account will make that logon fail.
Resolution
If this error occurs when the service account is set up properly per KBA 2629070, it usually indicates a policy conflict on the BI server. The best workaround is to follow KBA 2954049.
Another, temporary workaround is given below. It will likely break SSO, as per KBA 3312900, so the proper solution is to address the policy issue.
- Ensure the AD account used to start the SIA has the checkboxes enabling AES ticked
- AD account properties > Account tab > select "This account supports Kerberos AES 256 bit encryption"
Note: if the service account already has the AES checkboxes ticked (and the CCM login receives the internal error), the solution is to remove them.
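The check below is an added example, not part of this KBA or of the BI product. It shows, for the policy conflict described under Cause, how to compare what the BI server's local Kerberos policy allows (the path the CCM takes through the Windows APIs) with what the domain controller will issue for the SIA service account (the bits that the AES checkboxes set in msDS-SupportedEncryptionTypes), and it wraps the checkbox change from the Resolution as a function so the change can be previewed with -WhatIf. Assumptions: it runs on the BI server with the RSAT ActiveDirectory module, the account name svc_bi_sia and the krb5.ini path are placeholders, and "attribute unset means RC4" reflects the historical KDC default, which your domain may have changed.

```powershell
# Added example (not SAP code): compare local Kerberos policy with the SIA account's
# msDS-SupportedEncryptionTypes and preview the AES checkbox change.
# Assumes: RSAT ActiveDirectory module present; run as a user that can read the account.
param(
    [string]$SiaAccount = 'svc_bi_sia',          # placeholder: sAMAccountName of the SIA account
    [string]$Krb5Ini    = 'C:\Windows\krb5.ini'  # placeholder: krb5.ini used for manual AD logon
)

# Bit values shared by the local policy value and msDS-SupportedEncryptionTypes (MS-KILE).
$EncTypeBits = [ordered]@{
    DES_CBC_CRC             = 0x01
    DES_CBC_MD5             = 0x02
    RC4_HMAC_MD5            = 0x04
    AES128_CTS_HMAC_SHA1_96 = 0x08   # "This account supports Kerberos AES 128 bit encryption"
    AES256_CTS_HMAC_SHA1_96 = 0x10   # "This account supports Kerberos AES 256 bit encryption"
}

function ConvertFrom-EncTypeMask {
    param([int]$Mask)
    $EncTypeBits.GetEnumerator() | Where-Object { $Mask -band $_.Value } | ForEach-Object { $_.Key }
}

# 1. What the BI server itself may request (the Windows API path used by the CCM).
#    This value is written by the policy "Network security: Configure encryption types
#    allowed for Kerberos". When it is absent the OS default applies, which on current
#    Windows versions is RC4 + AES128 + AES256, so treat "absent" as 0x1C here.
$PolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters'
$LocalMask = (Get-ItemProperty -Path $PolicyKey -Name SupportedEncryptionTypes -ErrorAction SilentlyContinue).SupportedEncryptionTypes
if ($null -eq $LocalMask) { $LocalMask = 0x1C; $LocalSource = 'OS default, value not set' }
else                      { $LocalSource = $PolicyKey }

# 2. What the KDC will issue for the service account. Ticking the AES checkboxes sets
#    0x08 / 0x10; an unset or zero attribute means no checkbox is ticked and the KDC
#    falls back to its default (assumed RC4; verify against your domain's settings).
$Acct     = Get-ADUser -Identity $SiaAccount -Properties 'msDS-SupportedEncryptionTypes'
$AcctMask = [int]($Acct.'msDS-SupportedEncryptionTypes')
if ($AcctMask -eq 0) { $AcctMask = $EncTypeBits.RC4_HMAC_MD5; $AcctSource = 'attribute unset, KDC default' }
else                 { $AcctSource = 'msDS-SupportedEncryptionTypes' }

# 3. No common type means the AS/TGS exchange ends in KDC_ERR_ETYPE_NOSUPP, which is the
#    packet-capture symptom seen on the CCM login.
"Local policy ({0}): {1}" -f $LocalSource, ((ConvertFrom-EncTypeMask $LocalMask) -join ', ')
"Account ({0}): {1}"      -f $AcctSource,  ((ConvertFrom-EncTypeMask $AcctMask)  -join ', ')
$Common = $LocalMask -band $AcctMask
if ($Common -eq 0) {
    Write-Warning 'No common encryption type: expect KDC_ERR_ETYPE_NOSUPP on CCM login'
} else {
    "Common: {0}" -f ((ConvertFrom-EncTypeMask $Common) -join ', ')
}

# 4. The Java logon path (Fiori / CMC through Tomcat) does not use the Windows policy; it
#    uses the enctypes in krb5.ini, which is why that path can succeed while the CCM fails.
#    Print those lines so they can be checked against the account's bits.
if (Test-Path $Krb5Ini) {
    Select-String -Path $Krb5Ini -Pattern '^\s*default_(tkt|tgs)_enctypes' |
        ForEach-Object { "krb5.ini: " + $_.Line.Trim() }
}

# Workaround from the Resolution applied by script instead of the account property page:
# 0x10 = AES 256 checkbox only, 0x18 = both AES checkboxes, 0 = both cleared (the case
# where the boxes were already ticked and must be removed). Run with -WhatIf first.
function Set-SiaAesFlags {
    [CmdletBinding(SupportsShouldProcess)]
    param([string]$Identity, [int]$Mask = 0x10)
    if ($PSCmdlet.ShouldProcess($Identity, ("set msDS-SupportedEncryptionTypes to 0x{0:X}" -f $Mask))) {
        Set-ADUser -Identity $Identity -Replace @{'msDS-SupportedEncryptionTypes' = $Mask}
    }
}
# Example: Set-SiaAesFlags -Identity $SiaAccount -Mask 0x10 -WhatIf
```

The comparison is one-sided on purpose: it reads the BI server's own policy, so it only explains the CCM failure on that host. A client that SSOs into BI goes through the same check against its own local policy, which is why forcing AES on the account breaks SSO for clients whose policy does not include AES (KBA 3312900).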
See Also
KBA 1199118, as the issue can also affect the Tomcat setup
Keywords
KBA , BI-BIP-AUT , Authentication, ActiveDirectory, LDAP, SSO, Vintela , Problem