Skip to Content

This is the second part of the configuration steps to leverage SNC for client side authentication in combination with your BusinessObjects Enterprise system.

BusinessObjects Enterprise and client side SNC Part 1 of 2

 

BusinessObjects Enterprise – SNC Options in the Central Management Console

Before you can configure the SNC option in the Central Management Console you need to configure the user that you will use to setup the SAP entitlement system for SNC.

1. Start transaction SU01 on your SAP system.
2. Enter the username of the SAP account that you are going to use to setup the SAP Entitlement system  .
3. Select the menu USERS • CHANGE.
4. Select the tab SNC.
5. Enter the SNC account that you used to start the BusinessObjects services with the prefix “p:” into the field SNC NAME. Keep in mind that this account needs to be a domain account.
6. Save your changes.

With this configuration you configured the SAP account to be able to leverage the configured SNC account and in that way to authenticate against the SAP system. Now you need to navigate to the SNC options of your SAP Entitlement system in the Central Management console to finish the SNC configuration.

1. Logon to the Central Management Console of your BusinessObjects Enterprise system.
2. Navigate to the area AUTHENTICATION and select the SAP Authentication.
3. Navigate to the SNC OPTIONS tab and ensure your SAP system is the one that is selected as LOGICAL SYSTEM NAME.

4. Set the option ENABLE SECURE NETWORK COMMUNICATION (SNC).
5. Select AUTHENTICATION as QUALITY OF PROTECTION.
6. Enter the full path including the filename to the SNC library in the field SNC LIBRARY PATH.
7. Enter the Distinguished Name of your SAP system in the field MUTUAL AUTHENTICATION SETTINGS. In this case you need to add the prefix “p:”.
8. Navigate to the tab ENTITLEMENT SYSTEMS.
9. Enter the SNC account name in the field SNC NAME without any password. All other values should already be filled with the values you entered during the initial configuration.

Mapping Windows AD users to SAP users

Now that you configured the SNC options for your SAP Entitlement system you need to map the SAP credentials to your Windows AD credentials. The Windows AD user will become the primary account and the SAP account will act as secondary account.

1. Logon to the Central Management Console of your BusinessObjects Enterprise system.
2. Navigate to the area USERS AND GROUPS.
3. Click on USER LIST.
4. Click on the Windows AD user that will be configured with an SAP alias account.
5. Select the menu MANAGE • PROPERTIES

6. Click on the button ASSIGN ALIAS.
7. Select the SAP user from your entitlement system and add the user as alias to the Windows AD credentials.
8. Click OK.
9. Click SAVE & CLOSE.

With the XI 3.1 release in the registry you can find a setting which allows you to use a simplified user name (without a prefix from the SAP system) and in that way in case your Windows AD user and SAP users are identical the mapping will happen automatically.
The registry value can be found in the branch:
HKEY_LOCAL_MACHINESOFTWAREBusiness ObjectsSuite 12.0SAPAuthentication and is called SimpleUsernameFormat. It is a Yes / No value setting.

You can add multiple SAP users as an Alias to the Windows AD account and in that way achieve Single Sign-on to multiple SAP systems with a single account.

Now you should be able to logon with these Windows AD credentials to your BusinessObjects Enterprise system and still achieve Single Sign-On for content objects in your system.

 

Please remember that these steps are for the client side authentication part – not to confuse with the Server Side Trust configuration that is being used to create a publication with SAP security on your BusinessObjects Enterprise system.

To report this post you need to login first.

10 Comments

You must be Logged on to comment or reply to a post.

      1. Raghavendra Barekere
        What if you have configured server side SNC and in the SAP connection for universe you are making use of connectivity through SSO. Then view & refresh will also use SSO.

        I am not talking about View, it should be View & refresh (View on Demand).

        (0) 
        1. Ingo Hilgefort Post author
          Hi,
          you need the SAP authentication to be configured on your BusinessObjects server and you need the Universe connection configured to leverage SSO.

          Ingo

          (0) 
              1. Artur Kroczak
                Note  1380267 – “Incomplete Logon Data” error during SAP role import in Business Objects Enterprise XI 3.1 when using SNC 

                Resolve problems with abap dumps incomplete logon data.

                Regards.

                (0) 
  1. Andreas Zigann
    Hello Ingo,

    I have no domain user to configure sso as you described. Can I use a local user account with same configuration to get sso between BO and SAP BW?
    How do I configure the user mapping, if I do not have a LDAP connection? Do I have to create a user in CMC with the same name as the Service User I am running the Server Intelligence Agent with?

    Regards
    Andreas

    (0) 

Leave a Reply