
Issue:

Logging in to the BI launchpad after configuring the BOBJ server fails with the error below.

Error message:

HTTP Status 500 – com.wedgetail.idm.sso.ProtocolException: com.wedgetail.idm.spnego.server.SpnegoException: GSSException:
Failure unspecified at GSS-API level (Mechanism level: com.dstc.security.kerberos.KerberosException:
Successfully matched service principal “XXXXXX”  but not key type (18) + KVNO (4) in this entry: Principal: [1] XXXXXX
TimeStamp: Thu Jan 01 01:00:00 GMT 1970 KVNO: -1 EncType: 23 Key: 16 bytes, fingerprint = [97 34 3b e6 82 44 5f fc cf 24 a3 a8 d2 c8 f1 94] )

Scenario:

The BOBJ server was an image copy of another BOBJ server, so the SPN and Kerberos keytab files were already configured for SSO. On the new system, however, the SPN and keytab entries have not been set up, so these old entries, together with the SSO-enabled setup, will not work. The error is thrown every time we try to launch the BI launchpad.
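An added example (not from the original post or from SAP): a short Python parser for the exception text above that names the key the incoming ticket needs and compares it with the stored key the library listed. The function names and the etype table are this example's own; the etype numbers are the IANA Kerberos encryption type assignments.

```python
import re

# Kerberos encryption type numbers from the IANA registry (RFC 3961/3962/4757).
ETYPES = {1: "des-cbc-crc", 3: "des-cbc-md5", 16: "des3-cbc-sha1",
          17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96",
          23: "rc4-hmac"}

# Key the incoming service ticket was encrypted with.
WANTED = re.compile(r"key type \((\d+)\)\s*\+\s*KVNO \((-?\d+)\)")
# Every stored key the library listed while searching for a match.
ENTRY = re.compile(r"KVNO:\s*(-?\d+)\s+EncType:\s*(\d+)")

# Excerpt of the error text from this post (principal redacted there as XXXXXX).
SAMPLE = """GSSException: Failure unspecified at GSS-API level (Mechanism level:
com.dstc.security.kerberos.KerberosException: Successfully matched service
principal "XXXXXX" but not key type (18) + KVNO (4) in this entry: Principal:
[1] XXXXXX TimeStamp: Thu Jan 01 01:00:00 GMT 1970 KVNO: -1 EncType: 23
Key: 16 bytes"""


def etype_name(number):
    return ETYPES.get(number, "etype-%d" % number)


def diagnose(error_text):
    """Return (wanted, entries, findings) parsed from the exception text."""
    text = " ".join(error_text.split())  # undo log line wrapping
    match = WANTED.search(text)
    if match is None:
        raise ValueError("not a key type/KVNO mismatch message")
    wanted = (int(match.group(1)), int(match.group(2)))  # (etype, kvno)
    entries = [(int(e), int(k)) for k, e in ENTRY.findall(text)]
    findings = []
    if wanted[0] not in {e for e, _ in entries}:
        have = ", ".join(sorted({etype_name(e) for e, _ in entries})) or "none"
        findings.append("no %s key stored (found: %s)" % (etype_name(wanted[0]), have))
    if wanted[1] not in {k for _, k in entries}:
        findings.append("ticket KVNO %d not stored (found: %s)"
                        % (wanted[1], sorted({k for _, k in entries})))
    return wanted, entries, findings


if __name__ == "__main__":
    wanted, entries, findings = diagnose(SAMPLE)
    print("ticket key: %s, KVNO %d" % (etype_name(wanted[0]), wanted[1]))
    for line in findings:
        print("-", line)
```

For the error in this post it reports that the ticket needs an aes256-cts-hmac-sha1-96 key at KVNO 4, while the only stored key is rc4-hmac at KVNO -1.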

Solution:

Set SSO.Enabled=false in the Global.Properties file at installation directory\tomcat\webapps\BOE\WEB-INF\config\custom.

After setting it, restart Tomcat for the change to take effect.

Hope this helps..


4 Comments


  1. Hagit Naveh

    We had this on a new installation of BI4.1 SP05, and we could not find anything wrong with the configuration.

    It did the trick! It’s working now.

    Thanks, that’s amazing!

    (0) 
  2. Hagit Naveh

    Hi Manna,

    From my experience, the HTTP 500 error may come from a kind of a “time out” of Tomcat trying to get the delegation for the SSO user. If you have a large domain, make sure to add the maxHttpHeaderSize parameter into Tomcat’s server.xml. Also, if you have many DCs that are spread across different physical sites, add the idm.ad.site to Tomcat’s global.properties and -Djcsi.kerberos.site to Tomcat’s Java options. Last – make sure all the setspn entries you have for HTTP sites are correct. I once had this issue with a misspelled domain name in the machine’s FQDN.

    Hope this helps, Hagit

    (0) 
