krb5.ini rules of configuration with Business Objects java AD


Symptom
How do I configure my krb5.ini file?
What information should be in my krb5.ini file?
Reproducing the Issue
XIR2 RTM introduced java AD, the ability to log in to InfoView with Active Directory accounts (mapped into BO).
All versions of XIR2 and XI 3.x require a krb5.ini file for manual logon to the CMC, InfoView and some java client tools such as the Report Conversion Tool (RCT).
Any tool that requires the java SDK to log in to AD is dependent on the information provided by the krb5.ini.
Cause
Java AD requires Kerberos to be enabled, which in turn requires a krb5.ini for the Sun java SDK.
Resolution
KRB5 Defaults?
The krb5 is a configuration file for java (for example, we preinstall JDK 1.4.2.08 with XIR2). The JDK needs a krb5 when logging in through a JAS (java application server) such as Tomcat.
Most JDKs will look for the krb5 in the default c:\winnt\ directory.
KRB5 Testing
After the krb5 has been configured it can be tested with kinit from the JDK\bin directory.
Default path for XIR2: C:\program files\business objects\j2sdk1.4.2_08\bin
Default path for XI 3.x: C:\program files\business objects\javasdk\bin
When testing the krb5, kinit will automatically append the default realm to the username if no realm is specified. For instance, if user1 is typed and the default domain is DOMAIN1.COM then the logon attempt will submit user1@DOMAIN1.COM.
KRB5 KDC’s
Multiple KDCs may be listed under each domain; simply keep adding KDCs for redundancy. The JDK will access them in round-robin fashion.
When making requests to the KDC the JDK will usually attempt to use the default port 88. You may enter this port number in the krb5.
When entering the KDC, verify the FQDN (you can usually do this with ping -a ip.ip.ip.ip):
    KDC = MYDC.MYDOMAIN.COM:88
Make sure there is a space before and after the =.
Make sure the KDC is in all CAPS.
Port numbers are usually optional and not needed.
KRB5 Usage
The krb5.ini is not used during InfoView SSO with Vintela; Vintela will resolve the KDC via DNS.
The krb5.ini is used for manual java AD via a JAS (Tomcat, WebSphere, WebLogic, Oracle Application Server, etc.).
KRB5 Multiple Domains
The krb5 can be used to specify multiple domains, but there can only be 1 default domain (see the testing section above).
Each domain will need to be specified in the [realms] section of the krb5.ini like this:

    [realms]
    MYDOMAIN1.COM = {
    kdc = MYDCHOSTNAME.MYDOMAIN.COM
    default_domain = MYDOMAIN1.COM
    }
    MYCHILD1.MYDOMAIN1.COM = {
    kdc = MYDCHOSTNAME.MYCHILD1.MYDOMAIN1.COM
    default_domain = MYCHILD1.MYDOMAIN1.COM
    }

Users from MYCHILD1 cannot log in with their username or MYCHILD1\username; they MUST log in with their username@FQDNDNSDOMAIN.COM, i.e. username@MYCHILD1.MYDOMAIN1.COM.
KRB5 and Transitive Trusts
When logging in to InfoView (or the CMC in XI 3.x) the krb5.ini file is used to verify transitive trusts in AD.
If your user accounts are in a child domain, for instance CHILD2.DOMAIN1.COM, and your CMS is in CHILD1.DOMAIN1.COM, then unless a direct 2-way transitive trust exists between CHILD1 and CHILD2 you would need to add the parent domain to the krb5.ini as well.
Based on the example above, the minimal configuration usually required to allow login from both CHILD1 and CHILD2 would be:

    [realms]
    MYDOMAIN1.COM = {
    kdc = MYDCHOSTNAME.MYDOMAIN.COM
    default_domain = MYDOMAIN1.COM
    }
    MYCHILD1.MYDOMAIN1.COM = {
    kdc = MYDCHOSTNAME.MYCHILD1.MYDOMAIN1.COM
    default_domain = MYCHILD1.MYDOMAIN1.COM
    }
    MYCHILD2.MYDOMAIN1.COM = {
    kdc = MYDCHOSTNAME.MYCHILD2.MYDOMAIN1.COM
    default_domain = MYCHILD2.MYDOMAIN1.COM
    }
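As an added example that is not part of the original note: a small Python checker that applies the rules from the KRB5 Testing, KRB5 KDC's and KRB5 Multiple Domains sections above to a constructed krb5.ini, and shows which principal a typed logon name is submitted as. The hostnames and the [libdefaults] default_realm line in the sample are assumptions; the note itself shows only the [realms] section.

```python
import re

# Constructed krb5.ini following this note's rules (hostnames hypothetical);
# the child realm's kdc is deliberately lower case so the checker flags it.
SAMPLE_KRB5_INI = """\
[libdefaults]
default_realm = MYDOMAIN1.COM
[realms]
MYDOMAIN1.COM = {
kdc = MYDCHOSTNAME.MYDOMAIN1.COM:88
default_domain = MYDOMAIN1.COM
}
MYCHILD1.MYDOMAIN1.COM = {
kdc = mydchostname.mychild1.mydomain1.com
default_domain = MYCHILD1.MYDOMAIN1.COM
}
"""

def parse_krb5(text):
    """Return (default_realm, {realm: [kdc, ...]}) from [libdefaults] and [realms]."""
    default, realms, current = None, {}, None
    for line in (l.strip() for l in text.splitlines()):
        if m := re.match(r"^(\S+) = \{$", line):          # REALM = { opens a block
            current = m.group(1)
            realms[current] = []
        elif line.startswith("kdc") and current:          # several kdc lines allowed
            realms[current].append(line.partition("=")[2].strip())
        elif line.startswith("default_realm"):
            default = line.partition("=")[2].strip()
    return default, realms

def check_krb5(text):
    """Findings for the note's rules: spaces around '=', realm/KDC host in caps, KDC as FQDN."""
    findings = [f"no space around '=': {l.strip()}" for l in text.splitlines()
                if "=" in l and not re.match(r"^\S+ = \S", l.strip())]
    for realm, kdcs in parse_krb5(text)[1].items():
        for host in (k.partition(":")[0] for k in kdcs):  # drop the optional :88
            if realm != realm.upper() or host != host.upper():
                findings.append(f"{realm}: realm and kdc {host} must be all caps")
            if "." not in host:
                findings.append(f"{realm}: kdc {host} is not an FQDN")
    return findings

def qualify_login(user, default, realms):
    """Principal the Java logon submits: bare name + default realm; DOMAIN\\user rejected."""
    if "\\" in user:
        return None
    name, _, realm = user.partition("@")
    realm = realm or default                              # no realm typed: default appended
    return f"{name}@{realm}" if realm.upper() in realms else None
```

Running check_krb5 on the sample returns one finding for the lower-case child KDC, and qualify_login shows why a bare child-domain username ends up submitted against the parent realm.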
Keywords
modify krb5 krb5.ini java AD, kerberos JDK java development kit Sun jrocket IBM WAS websphere weblogic oracle application server WAS OAS JAS