Written by I know that its been a little while since Ive posted anything about anything on this site. Im hoping that this little tidbit of information can help some of you overcome obstacles when attempting to use kerberos login with AD 2008 and BO 3.1.
We recently upgraded our two domain controllers to Windows Server 2008 R2. The actual server upgrade went off with out a hitch (well, aside from some space issues). Where we ran into problems was logging into Business Objects. We received a cryptic error message that the “plugin could not log you in to Active Directory at this time”.
After digging around for a few hours on the web, trying just about every possible “fix” out there, we stumbled upon a simple fix that solved our problems in seconds. As it turns out Microsoft turned off encryption for use with kerberos. So the first step is to setup your SPN in active directory. To do this I followed these instructions: http://neverknewthat.wordpress.com/2009/05/14/kerberos/
I came up with this command on the domain controller
SETSPN.exe -A BOBJCentralMS/BOEServer CMSUser
After the SPN is setup, all that is left to do is go into Active Directory Users and Computers. Find the CMSUser account and go into Properties. Click the Account tab and scroll down in the scroll box to the checkbox “Use Kerberos DES encryption types for this account.” Un-check the checkbox and all your problems should be solved.
That should be it. Hopefully know all that you need to do is reset your Server Intelligence Agent and Tomcat server.
