Greetings all!
I have a bit of a puzzler and I am hoping someone out there has an answer and can save me submitting a ticket to solve this issue.
I have AD configured on the server and enabled. I have specified the following settings:
Domain FQDN: DOMAIN1.COMPANY.NET
Domain: DOMAIN1
Service Account: DOMAIN1\service_BI4_PRD
SPN1: HTTP/SERVER
SPN2: HTTP/SERVER.DOMAIN1.COMPANY.NET
SPN3: HTTP/10.240.44.37
AD Group Name: DOMAIN1\Summary_Reports
krb5.ini:
[libdefaults]
default_realm = DOMAIN1.COMPANY.NET
dns_lookup_kdc = true
dns_lookup_realm = true
default_tgs_enctypes = rc4-hmac
default_tkt_enctypes = rc4-hmac
udp_preference_limit = 1
[domain_realm]
.domain1.company.net = DOMAIN1.COMPANY.NET
domain1.company.net = DOMAIN1.COMPANY.NET
.company.net = COMPANY.NET
company.net = COMPANY.NET
.domain2.company.net = DOMAIN2.COMPANY.NET
domain2.company.net = DOMAIN2.COMPANY.NET
[realms]
DOMAIN2.COMPANY.NET = {
kdc = dc02.DOMAIN2.COMPANY.NET
kdc = dc01.DOMAIN2.COMPANY.NET
default_domain = DOMAIN2.COMPANY.NET
}
COMPANY.NET = {
kdc = PADR02.COMPANY.NET
kdc = cadr01.COMPANY.NET
kdc = CADR02.COMPANY.NET
kdc = CADR03.COMPANY.NET
kdc = ADR001.COMPANY.NET
default_domain = COMPANY.NET
}
DOMAIN1.COMPANY.NET = {
kdc = rdcdc001.DOMAIN1.COMPANY.NET
kdc = rdcdc002.DOMAIN1.COMPANY.NET
kdc = CHIEXDC001.DOMAIN1.COMPANY.NET
kdc = CHIEXDC002.DOMAIN1.COMPANY.NET
kdc = CHIEXDC003.DOMAIN1.COMPANY.NET
kdc = CHIEXDC006.DOMAIN1.COMPANY.NET
default_domain = DOMAIN1.COMPANY.NET
}
[capaths]
DOMAIN1.COMPANY.NET = {
DOMAIN1.COMPANY.NET = .
COMPANY.NET = .
DOMAIN2.COMPANY.NET = COMPANY.NET
}
DOMAIN2.COMPANY.NET = {
CHI.COMPANY.NET = COMPANY.NET
}
The SIA is running as the service account (which is a member of the local Administrators group and granted Logon As Service, Allow logon locally and Act as Operating System).
I have set Create new aliases when the Alias Update occurs.
Once I have the AD authentication plugin, the krb5.ini and bscLogin.conf all configured, I can successfully run a kinit for my account and get a ticket. I can also add a group to the AD plugin, click the update button, and the group will change format in the group list window and display in the Users and Groups interface. However, the system will not update with the users from the AD group. I have tried this with several groups, but to no avail.
Additionally, the Schedule buttons in the AD plugin have the following error as well:
A java.lang.Exception occurred; original exception message Update cannot proceed because the authentication plugin is not enabled. The update attempt failed with error: {0}
I have validated that the AD authentication plug-in is enabled.
Any suggestions from anyone?
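
As a review aid for a configuration like the one posted above (an added example, not part of the original post and not the poster's or the vendor's code): a small Python check that parses a krb5.ini and lists enctype settings restricted to RC4 and realms that are referenced but have no [realms] stanza, whose KDCs would then have to be found through DNS. The function names and the trimmed sample are constructed for illustration.

```python
# Constructed sample: a trimmed copy of the krb5.ini posted above (one KDC per realm).
SAMPLE = """[libdefaults]
default_realm = DOMAIN1.COMPANY.NET
default_tgs_enctypes = rc4-hmac
default_tkt_enctypes = rc4-hmac
[realms]
DOMAIN2.COMPANY.NET = {
kdc = dc02.DOMAIN2.COMPANY.NET
}
COMPANY.NET = {
kdc = PADR02.COMPANY.NET
}
DOMAIN1.COMPANY.NET = {
kdc = rdcdc001.DOMAIN1.COMPANY.NET
}
[capaths]
DOMAIN2.COMPANY.NET = {
CHI.COMPANY.NET = COMPANY.NET
}
"""

def parse_krb5(text):
    """Parse sections, 'key = value' pairs and one level of '{ }' blocks."""
    conf, section, block = {}, {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("["):
            section, block = conf.setdefault(line.strip("[]"), {}), None
        elif line == "}":
            block = None
        elif line and line[0] not in "#;":  # skip blank lines and comments
            key, _, value = (part.strip() for part in line.partition("="))
            if value == "{":
                block = section.setdefault(key, {})
            else:
                (section if block is None else block).setdefault(key, []).append(value)
    return conf

def lint(conf):
    """Return findings: RC4-only enctype lists and realms lacking a [realms] stanza."""
    findings, lib = [], conf.get("libdefaults", {})
    for key in ("default_tgs_enctypes", "default_tkt_enctypes", "permitted_enctypes"):
        types = " ".join(lib.get(key, [])).replace(",", " ").split()
        if types and all(t.startswith(("rc4", "arcfour")) for t in types):
            findings.append(f"{key}: RC4 only")  # RC4-HMAC is deprecated by RFC 8429
    used = set(lib.get("default_realm", []))
    used.update(v for vals in conf.get("domain_realm", {}).values() for v in vals)
    for client, paths in conf.get("capaths", {}).items():
        used.update({client, *paths, *(v for vals in paths.values() for v in vals)})
    missing = sorted(used - set(conf.get("realms", {})) - {"."})
    return findings + [f"{r}: no [realms] entry" for r in missing]
```

Running `lint(parse_krb5(open("krb5.ini").read()))` against the full file gives the same kind of list for every section.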