I'm configuring SSO Vintela on a new SAP BO 4.1 SP3.
I've got a distributed installation.
I'm also following Steve Fredell at this link: Active Directory SSO for SAP BusinessObjects BI4.
I have trouble at point 9: after executing this step my silent SSO doesn't work. I can't see 'credentials obtained' in the logs.
I can generate a ticket with kinit:
C:\Program Files (x86)\SAP BusinessObjects\SAP BusinessObjects Enterprise XI 4.0\win64_x64\sapjvm\bin>kinit Auto_EPMS-BASA_BO
Password for Auto_EPMS-BASA_BO@M****.****.COM:
New ticket is stored in cache file C:\Users\Denys_Telepenko\krb5cc_denys_telepenko
SPNs:
C:\Program Files (x86)\SAP BusinessObjects\SAP BusinessObjects Enterprise XI 4.0\win64_x64\sapjvm\bin>setspn -l M****\Auto_EPMS-BASA_BO
Registered ServicePrincipalNames for CN=Auto EPMS-BASA BO,OU=Auto Proccesses,OU=Service,DC=m***,DC=****,DC=com:
BICMS/Auto_EPMS-BASA_BO.m****.****.com
HTTP/evbyminsd1217.m****.****.com #### - WebTier
HTTP/evbyminsd0118.m****.****.com #### - SIA server
HTTP/evbyminsd0118
HTTP/evbyminsd1217
There are no SPN duplicates:
C:\Program Files (x86)\SAP BusinessObjects\SAP BusinessObjects Enterprise XI 4.0\win64_x64\sapjvm\bin>setspn -X
Checking domain DC=m****,DC=****,DC=com
Processing entry 93
found 0 group of duplicate SPNs.
Global properties file:
sso.enabled=true
siteminder.enabled=false
vintela.enabled=true
idm.realm=M****.****.COM
idm.princ=Auto_EPMS-BASA_BO
idm.allowUnsecured=true
idm.allowNTLM=false
idm.logger.name=simple
idm.logger.props=error-log.properties
krb5.ini:
[libdefaults]
default_realm = M****.****.COM
dns_lookup_kdc = true
dns_lookup_realm = true
default_tgs_enctypes = rc4-hmac
default_tkt_enctypes = rc4-hmac
udp_preference_limit = 1
[realms]
****.****.COM = {
kdc = EPBYMINSA0014.M****.****.COM
default_domain = M****.****.COM
}
BIlaunchpad.properties
authentication.default=secWinAD
authentication.visible=true
sso.types.and.order=vintela
stdout.log
2014-06-04 15:44:45 Commons Daemon procrun stdout initialized
com.businessobjects.webpath.rebean3ws.Activator
stderr.log
It is a huge one, but I can see here that:
Resolving KDC for realm: M***.****.COM
[DEBUG] Wed Jun 04 09:32:07 VET 2014 jcsi.kerberos: Available KDC found: /10.6.0.6:88
[DEBUG] Wed Jun 04 09:32:07 VET 2014 jcsi.kerberos: Sending message to KDC: /10.6.0.6:88
[DEBUG] Wed Jun 04 09:32:07 VET 2014 jcsi.kerberos: Sending TCP request: /10.6.0.6:88
[DEBUG] Wed Jun 04 09:32:07 VET 2014 jcsi.kerberos: connected; sending length and request...
[DEBUG] Wed Jun 04 09:32:07 VET 2014 jcsi.kerberos: sent request; reading response length...
[DEBUG] Wed Jun 04 09:32:07 VET 2014 jcsi.kerberos: read length; reading 1438-byte response...
[DEBUG] Wed Jun 04 09:32:07 VET 2014 jcsi.kerberos: --- got 1438-byte response, initial byte = 0x6d
[DEBUG] Wed Jun 04 09:32:07 VET 2014 jcsi.kerberos: Message sent sucessfully to KDC: /10.6.0.6:88
[DEBUG] Wed Jun 04 09:32:07 VET 2014 jcsi.kerberos: ** credentials obtained .. **
Credential
client: Auto_EPMS-BASA_BO@M****.****.COM
Is it OK that I can see this information in stderr instead of stdout?
What do I need to do to log in successfully to BI launch pad without entering credentials?
In my IE options, "Enable Integrated Windows Authentication" is selected.
Best regards,
Denis