Skip to Content

I have seen frequently the question about using SNC in combination with BusinessObjects Enterprise and the BusinessObjects Integration for SAP Solutions. Most customers use SNC to combine the user authentication of for example Windows AD with the SAP credentials.

To configure BusinessObjects Enterprise to use SNC you the following tasks are needed:
– Configuring BusinessObjects Enterprise servers to start and run under an appropriate user account
– Configure the SAP system to trust your BusinessObjects Enterprise system
– Configure the SNC settings in the Central Management Console of BusinessObjects Enterprise
– Map SAP users as aliases to Windows AD users.

In this part we will look at the first two steps of these 4 items. In the following steps we will use the Microsoft NTLM implementation for SNC.

Some of the outlined steps might require different values depending on the SNC implementation software you are using but the general steps should help you to follow along.

 

BusinessObjects Enterprise services

As a technical pre-requisite your SAP server needs to be setup for SNC and the SNC library needs to be deployed on your BusinessObjects system. For client SNC to work properly in your BusinessObjects Enterprise system some services of your landscape need to be started with a user account which his configured for SNC.

 

For your SAP server the following profile parameters need to be configured (transaction RZ10):

Profile Paramater Value
snc/enable Set this parameter to the value 1 to activate SNC on the application server
sec/libsapsecu  Enter the full path including the file name to the SNC library on your SAP server
ssf/ssfapi_lib  Enter the full path including the file name to the SNC library on your SAP server
snc/gssapi_lib  Enter the full path including the file name to the SNC library on your SAP server
snc/identity/as Enter the Distinguished Name (DN) for your SAP system.

To configure your SAP system for example with Microsoft Kerberos you can find the complete details here.

 

On the BusinessObjects server you then also need to deploy the SNC library and create an environment variable entry called SNC_LIB that points to the complete path including the file name of the SNC library on your BusinessObjects Enterprise system.

 

Now for client side SNC, your application server (by default Tomcat), your Central Management Server and your processing tier (for example Crystal Reports Job server and Crystal Reports Processing server) needs to be run under a configured SNC account.

The processing tier is not a necessity for a client SNC configuration to work, but when you want to leverage the full functionality of your BusinessObjects platform the processing tier needs to be configured to leverage the established trust between your SAP and BusinessObjects system.

To setup those services to leverage the SNC account there are different options. In the following example we will use a single Server Intelligent Agent and configure it to use the SNC account. Another option would be to add a second Server Intelligent Agent and assign specific services to only that Server Intelligent Agent.

The SNC account that you setup needs to be a domain user.

  1. Start the Central Configuration Manager of your BusinessObjects Enterprise system (START • PROGRAMS • BUSINESSOBJECTS XI RELEASE 3.1 • BUSINESSOBJECTS ENTERPRISE • CENTRAL CONFIGURATION MANAGER).
  2. Select your Server Intelligence Agent (SIA) and stop the service.
  3. Select the Server Intelligence Agent and click on PROPERTIES.
  4. Uncheck the option LOG ON AS SYSTEM ACCOUNT and enter the SNC account in the syntax DOMAIN\USER. In my example the account is SAP_ALL\IHILGEFORT.
  5. Click OK and start the Server Intelligence Agent service.
  6. Now you need to follow the same steps and configure your application server to use the SNC account. In our example the application server is Tomcat.
  7. Select Tomcat in the Central Configuration Manager and stop the service.
  8. Click on PROPERTIES.
  9. Uncheck the option LOG ON AS SYSTEM ACCOUNT and enter the SNC account.
  10. Click OK and start your application service.

You now need to create a system ID in transaction SNC0 and configure it with your SNC account.

1. Logon to your SAP system and start transaction SNC0.
2. Click the button NEW ENTRIES.
3. Enter the name of your BusinessObjects system as System ID.
4. Enter the SNC account with the prefix “p:” into the SNC name field.
5. Select the options ENTRY FOR RFC ACTIVATED and ENTRY FOR EXT ID ACTIVATED.

6. Click SAVE

 

This covers the first two steps and in the next part we will continue to configure the SNC options on the BusinessObjects Enterprise server.

To report this post you need to login first.

5 Comments

You must be Logged on to comment or reply to a post.

  1. Tim Alsop
    I noticed in your example, you suggest using a domain user account. This works, but it means that when the BO software starts it will get credentials from AD and these credentials have a lifetime, so will eventually expire (e.g. after 1 weeek). I am working on a way to avoid the need to restart the BO software, but I need you to help. Can you please explain where the SNC configuration is stored, so we can add SNC_MYNAME= parameter to the RFC connection string ?

    Thanks,
    Tim

    (0) 
    1. Ingo Hilgefort Post author
      hi Tim,

      you need a domain account to leverage SNC.
      in case there are questions I would suggest you create the entry in the forums.

      Ingo

      (0) 
  2. Wei-Shang Ku
    What I want to do is allow a user (BI40)
    1. Login PC with his/her own AD domain user/pwd
    2. Open IE and click link to BI launchPad
       and get to the welcome page w/o pwd
    3. Click on a crystal report (UNX source)
       deployed via BW and can “view” and
       “view last inst.” w/o being prompt for pwd.
    NOTE:Each user has an AD domain account as well as
         an BW account (not necessary w/ same name)

    Then I found this

    1396213 – How-To: Access BusinessObjects documents based on SAP data sources without providing SAP username and/or password

    Then now I found your blog here

    Hum…. CLIENT SNC OR SERVER SNC ?????
    Are you guys talking abount different things ?

    (0) 

Leave a Reply