Skip to Content

Active Directory SSO for SAP BusinessObjects BI4

Please find below an SSO cheat sheet for BI4. I have used the latest KB note on AD SSO which is 1631734, written by Steve Fredell.

Please note that in this example below, I am assuming that Tomcat is being used for the web application server, and it is by default installed on the same instance as the BusinessObjects BI4 application.  In a distributed scenario, certain actions will take place on the Web App instance, and others on the BusinessObjects BI4 instance.

Instead of just letting you walk through the process yourself, I also wanted to give you a more visual guide. So below, please find a DSLayer special edition, video walkthrough of this guide:

Firstly, let’s define our server names and IPs (you must obviously adjust these and the commands below to reflect your server names and IPs:

  • Service Account: biservice (password: Password1)
  • Domain Controller: adserver.DOMAIN.INTERNAL
  • BusinessObjects Server: bi4server.DOMAIN.INTERNAL
  • BusinessObjects AD Group: DOMAIN\UserGroup

Step 1

Create an Active Directory service account, biservice (pass: Password1). Ensure the user config has ‘Password never expires’ option checked on.

On the BusinessObjects server, add the DOMAIN/biservice user to the Local Administrators group. Also assign the biservice user the right ‘Act as part of Operating System’ in the Local Security Policy snap-in.

Step 2

Run the following command on the Active Directory server to create appropriate Service Principal Names (SPNs):

  • setspn -a BICMS/biservice.domain.internal biservice
  • setspn -a HTTP/bi4server biservice
  • setspn -a HTTP/bi4server.domain.internal biservice

Verify the SPNs have been created by running ‘setspn -l biservice’.

Step 3

Change the user config of ‘biservice’ user in Active Directory configuration, and under the Delegation tab, turn on ‘Trust this user for delegation to any service (Kerberos only)’.

Step 4

Under the AD Authentication area in the Central Management Console, take the following actions:

  • Enable Windows Active Directory (AD)
  • AD Administration Name = DOMAIN\biservice
  • Default AD Domain: DOMAIN.INTERNAL
  • Add AD Group: DOMAIN\UserGroup
  • Use Kerberos Authentication
  • Service principal name = BICMS/biservice.domain.internal
  • Enable Single Sign On for selected authentication mode

Click Save to save all your entries. Check under the Groups area to make sure your AD group has been added.

Step 5

Modify the Server Intelligence Agent (SIA) process on the BusinessObjects server to run as the DOMAIN\biservice user.

Step 6

Test this by logging into Web Intelligence Rich Client by using an AD user who is part of the group. SSO should occur once you select ‘Windows AD’ authentication and click OK (no need to input your username or password).

Step 7

Create a file called ‘bscLogin.conf’, save it into C:\Windows\ directory on the BusinessObjects server, and put the following content into it using Notepad: { required debug=true;

Create a file called ‘krb5.ini’, save it into C:\Windows\ directory, and put the following content into it using Notepad:

default_realm = DOMAIN.INTERNAL
dns_lookup_kdc = true
dns_lookup_realm = true
default_tgs_enctypes = rc4-hmac
default_tkt_enctypes = rc4-hmac
udp_preference_limit = 1
default_domain = DOMAIN.INTERNAL

Verify this file is completed correctly by navigating to C:\Program Files (x86)\SAP BusinessObjects\SAP BusinessObjects Enterprise XI 4.0\win64_x64\jdk\bin\ folder on the BusinessObjects server, and execute ‘kinit biservice’ in a command prompt. If a new ticket is stored, the file is correct.

Step 8

Stop Tomcat. Modify the BI Launch Pad’s .properties file to reveal the authentication dropdown. Navigate to C:\Program Files (x86)\SAP BusinessObjects\Tomcat6\webapps\BOE\WEB-INF\config\custom and create a file called ‘’ with the following text:


Open up the Tomcat Options, and add the following lines to the Tomcat Java Options:\windows\bscLogin.conf\windows\krb5.ini

Start Tomcat, then try and do a manual logon to BusinessObjects, and check Tomcat trace logs for a ‘commit succeeded’.

Step 9

Stop Tomcat. Modify C:\Program Files (x86)\SAP BusinessObjects\Tomcat6\conf\server.xml, by adding ‘maxHttpHeaderSize=”65536″‘ in Connector Port 8080 tag.

Navigate to C:\Program Files (x86)\SAP BusinessObjects\Tomcat6\webapps\BOE\WEB-INF\config\custom and create a file called ‘’ with the following text:


Open up Tomcat Options Add the following lines to Tomcat Java Options:


Delete logs in C:\Program Files (x86)\SAP BusinessObjects\Tomcat6\logs\ and C:\SBOPWebapp_BIlaunchpad_IP_PORT\.

Start Tomcat, go to C:\Program Files (x86)\SAP BusinessObjects\Tomcat6\logs\, check stdout.log has ‘credentials obtained’ shown.

Test silent single sign on is now working in a browser (not on the BusinessObjects server).

Step 10

Copy and from C:\Program Files (x86)\SAP BusinessObjects\Tomcat6\webapps\BOE\WEB-INF\config\custom to C:\Program Files (x86)\SAP BusinessObjects\SAP BusinessObjects Enterprise XI 4.0\warfiles\webapps\BOE\WEB-INF\config\custom so that patches don’t overwrite them and SSO stops working.

Step 11

Create a keytab on the AD server by running the following command:

ktpass -out bosso.keytab -princ biservice@DOMAIN.INTERNAL -pass Password1 -kvno 255 -ptype KRB5_NT_PRINCIPAL -crypto RC4-HMAC-NT

Copy this file to c:\windows of BOBJ server then stop Tomcat.

Add the following line to C:\Program Files (x86)\SAP BusinessObjects\Tomcat6\webapps\BOE\WEB-INF\config\custom\


Open up the Tomcat Configuration, remove the Wedgetail line in Java Options, restart tomcat and make sure ‘credentials obtained’ still showing up in stdout.log.

Now check silent single sign on still operating correctly.

Step 12

Remove debug=true from the C:\windows\bscLogin.conf file, and also remove the debugging line in Tomcat Configuration, Java Options.


Hopefully this walkthrough gives you a good idea of what is required to get AD SSO working on BI4.

Don’t forget to look at SAP note 1631734.  Also included in the SAP note is troubleshooting assistance for each step.


Update 1 – fixed file path in Step 8

You must be Logged on to comment or reply to a post.
  • Hey. This is a great video. The problem we are having is we have our OWN web app and can not get it to work with BOE 4.0. It' works with 3.1.

    In 3.1 we set up our AD SSO environment (krb5.ini, -D options, etc) and put BO config in web.xml. Now it uses .properties files, and we put these everywhere in our web app, but BOE is not finding them or something. Our /BOE/ web app (Lanuch pad) works with AD SSO so it's configured correctly for the box and the .properties files and tomcat config are correct, at least for that app. We have a different app in the tomcat webapps dir.


    Here's the code. I have the 3.1 Credential Extractor commented out as it changed in 4.0 (So I'm told from the SAP forums)


    ISSOCredMgr credExtractor = VintelaCredMgrFactory.getFactory().makeVintelaCredMgr(request);

    // Uncomment for BO 3.1

    //            CredExtractor credExtractor = new CredExtractor(request);

    GSSCredential creds = credExtractor.GetCredential();

    GSSManager manager = credExtractor.GetManager();

    String host = request.getParameter("host");

    ISessionMgr sessionMgr = CrystalEnterprise.getSessionMgr();

    request.getSession().setAttribute(ENTERPISE_SESSION, sessionMgr.logon(creds, manager, host, SECWINAD));


    I'm getting this error;

    com.crystaldecisions.sdk.exception.SDKException$ExceptionWrapper: A java.lang.Exception occurred; original exception message VSJ authentication was not performed for this request

    cause:java.lang.Exception: VSJ authentication was not performed for this request

    detail:A java.lang.Exception occurred; original exception message VSJ authentication was not performed for this request VSJ authentication was not performed for this request

              at com.businessobjects.sdk.credential.internal.VintelaCredMgr.<init>(


    It fails on the ISSOCredMgr line...this is supposedly the new BOE 4.0 Java API for AD SSO credential extraction. The problem is, this is a complete black box and doesn't output ANYTHING telling us what its trying to load, status, etc.

    • Hi Michael, thanks for your feedback. Could I suggest, to simplify troubleshooting, you deploy a Tomcat instance using the BI4 installer and get SSO running on that?  If you are using a Tomcat instance that has been around for a while for other purposes, or one that has been configured to run XI 3.1, there might be some config or versioning that gets in the way.


      Cheers, Josh

      • Hey Josh. Thanks for the response. This is the a clean, BI 4 install. I mentioned above AD SSO is working with the default installed BI4 app (launch pad).


        "Our /BOE/ web app (Lanuch pad) works with AD SSO so it's configured correctly for the box and the .properties files and tomcat config are correct, at least for that app. We have a different app in the tomcat webapps dir."


        The problem is, we deployed our own web app and it's not working. This same code, except ISSOCredMgr java class instead of CredExtractor, works in BOE 3.1 but it uses the web.xml, not properties files. The problem is, BOE's process of extracting the credentials is a black box. It just fails and I don't see why. I want to know what is missing. How do we set up the configuration for a separate java application/web app so the VintelaCredMgrFactory can find what it needs? The 'BOE' web app (Launch Pad) finds its configuration and ours is in the same tomcat server but NOT the same web app so I'm guessing it just can't find the properties files or something. Also, is there a way to turn some sort of debugging on so I can see what VintelaCredMgrFactory is doing?



  • [Best Practice Question]


    If we are looking to configure WinAD SSO for a number of different environments (eg. DEV, TEST, QAT and PROD) - is it better to create One (1) Service Account on the WinAD domain PER environment (BOBIServiceDev, BOBIServiceTest, etc) - or just have One (1) Common Service Account that is used for ALL of the deployments (BOBIService)...?


    Think about long-term support when the IT Operations and WinAD people are not part of the SAP BO support group in a big company.


    Any advice would be appreciated. Thanks!

    • Hi Mark,


      Great question.


      I would definitely recommend a separate service account for each system - this makes troubleshooting and maintenance a lot simpler, and 3 accounts instead of 1 shouldn't matter to the AD team.





      • Any substantial changes to this WinAD (Manual & SSO) configuration workflow in 4.1 release...?




        Heard some discussion that "for Active Directory – SIA ServiceAccount does NOT need to be member of local machine Administrators."  .... has this changed from previous releases...?



        Any other advice is appreciated - as we are just about to do our first WinAD set-up on a 4.1 DEV server running on Win2008. Thx!

  • Hello Josh,


    You're video is awesome

    Helped a lot !

    There's just one additional thing I needed to do: Create the Service user in the SQL Server Management Studio...without this, SIA refused to start with the service account.


    I now need to configure SSO with AD on a distributed environment with 3 servers:


    1. App server 1 & App server 2 (for load balancing)

    2. DB server


    Users access the BI launch pad using a load balancing DNS name.

    Hence, we have SIA & Tomcat running on both machines.


    So; in essence, I'll have to perform all 12 steps first on App Server 1 & then on App Server 2...correct ?


    Thank you !


    • Hi Saba,


      Yes if the Tomcat environments aren't clustered, you can do all the Tomcat steps independently. However as I'm assuming the BOBJ servers are clustered, the SIA steps will only need to be done the first time.


      Kind regards,



  • Hi Josh,


    Nice blog and nice presentation on the video. It really helps for administrator like me who has very minimal knowledge on System Admin/Server admin.


    Basically, i need another help from you. I am doing a migration from XI R2 to 3.1 and then to 4.0


    So, first thing is, what all things i need to ask our Windows Domain Administrator for this Business Objects AD with SSO setup?


    Secondly, do we have any similar document for 3.1 setup as i have to configure AD in 3.1 before content migration to 4.0. Please help and thank you so much!!

    • Hi Tilak,


      If you are not planning to stay on XI 3.1 for any duration (apart from the migration), I'd recommend not setting up SSO.


      That said, there are SAP notes available on the SMP that walkthrough how to configure XI 3.1 AD SSO. Unfortunately, the SMP is down right now so I can't find the note for you.





        • Yes - if you need to move across existing AD users with their docs, then definitely configure AD config on 3.1 - but not SSO if you won't be using it in Production.


          Then you can move from 3.1 to 4.0, with 4.0 configured with AD SSO.

          • Joshua,

            Our Windows Network Admin created the Service account and assigned the service principal name. However, i am not sure which group did he assign this Service account.


            Without that, i think i won't be able to add the service user into my CMC authentication and in turn i can't test the Windows AD while logging on.


            Do you know how to see the Win AD group name of the service user being on the BO box? Please help

          • Hi Tilak,


            You don't need to add the group for the Service Account - you specify this directly. The groups that get added into the CMC are for users who need access to login to BOBJ.


            Thanks, Josh

          • Thank you Josh for your quick help.

            But, i can't see this service user under "users or groups" tab or anywhere on CMC? Then, how the Windows AD authentication will happen? sorry, i am doing it for the first time that's why asking these basic questions. please don't mind.

          • It won't show up under the users, as the Service Account is only used to connect to AD to verify incoming users' credentials. It is the account that BOBJ uses to talk to AD, and that's all.

          • Josh, in that case i should still use "Administrator" as the user to login CMC right?

            I  logged into the remote BO server with the service account and now in order to test the Windows AD authentication i opened CMC and gave the service account as user and password was blank. After that i got a message "Account information not recognized".

            Am i trying something wrong?

          • Tilak, you need to login to the CMC as the Admin user, then specify the AD service account user and password in the Authentication > AD area of the CMC. I don't think blank passwords would be supported though.


            If in doubt, please refer to the video walkthrough. If you are still having issues, I would recommend logging a case with SAP support to assist.


            Kind regards,



          • Hi Josh,


            I exactly followed your video and completed the steps until STEP 6. I think that's what we need in order to ensure Windows AD with BI 4.

            But i am not sure, why i am unable to login to the CMS with the Service account, even though i have set that under Properties tab.


            Another finding is, when i run command setspn -l bi4admin1 (our service account name)

            i don't see the the BI 4 server alone registered for the bi service user though the FQN of our BI server is registered. Do you think, this could be the problem?

            • setspn -a HTTP/bi4server biservice



            I asked my Windows AD admin to run the above command, but they said the command failed with below message:

            C:\Windows\system32>setspn -a HTTP/ bointerim BOAdmin1

            Unknown parameter BOAdmin1.  Please check your usage.

            Usage: setspn [modifiers switch] [accountname]

              Where "accountname" can be the name or domain\name

              of the target computer or user account


            Not sure, what's going wrong. Could you please help. Sorry for the trouble.

          • Hi Tilak, please log a support ticket with SAP and resolve through that channel. I'm not able to provide support through SCN.


            Kind regards,



          • Thanks Josh. I will surely raise a support ticket. But to tell you, i think SCN works much better than AGS.

            Because, AGS just eats your time without a resolution. Also, we are more lucky to get expert advise through SCN which is more helpful as a quick solution.

  • Hi Josh,


    after step 5, I use webi rich client tool to test , the message "internal error" display,

    and I check the note 1620747,but still cannot resolve this issue, could you give me some suggestion, please!

  • Anyone having an issue with WinAD SSO for BOE 4.1 (SP3) Launchpad not working properly on Internet Explorer 11 on Windows-7...?


    Works fine from Windows-7 machines running Internet Explorer 8 --- but we are starting to test IE-11 for deployment, and getting a MANDATORY Windows Security prompt.


    I am assuming the problem is caused by a setting or permission within the "Internet Options" settings in IE-11, but these are Managed-Desktop Workstations (*locked profiles, etc) - so most of those settings are controlled by the Windows Administrators.


    I can get them to change the policy/permission - but I need some ideas as to which specific new IE-11 setting needs to be "tweaked".


    Thanks in advance for the advice.

    • Hi


      Goto IE Setting




      add you site to local sites

      thats all!

      From the document:

      Make sure the browser is setup properly for client side testing KBA 1379894 (IE) and KBA 1263764 (Firefox)

  • /
  • /
  • Hi Josh,


    Thanks for the great video and steps with which I could deploy SSO on all our BI 4.0 environments.


    Although I got the news from SAP Support that Windows AD SSO is not currently supported for IDT client tool.




  • Hi Josh,


    Thanks for your time & effort in writing this up & attaching the video as well. This has helped me a lot, and I'm sure it has helped many others.

    Couple of questions:

    • Do we really need to register an SPN with the  setspn -a BICMS/biservice.domain.internal biservice in the Step 2?
    • I see that we specify the spn BICMS/biservice.domain.internal in Step 4 under Service Principal Name, but, can use one of the spns with HTTP instead of this BICMS?

    Why I ask that is because, a colleague who works in a different department at my client, setup Windows AD SSO and didn't register or use BICMS spn, instead he used the HTTP/bi4server.domain.internal and it works just fine.


    Mahboob Mohammed



    • Hello,


      BICMS/biservice.domain.internal is needed if you want SSO for fat clients like UDT, IDT, WebI 2-tier...

      HTTP/bi4server.domain.internal is needed if you want SSO for web client (BILP portal...)


      Perhaps your colleague doesn't need SSO for fat clients ?



  • As far as the many guides and blogpost on how to enable SSO with Windows AD on a BusinessObjects Platform, this is far the best, and well described,


    If there is something that might not be that clear, then Joshua Fletcher explains it rather comprehensive in the video.


    I did get the SSO part to work beautifully, but for some strange reason log-on to the BI Launchpad or CMC using your Windows AD credentials does not work.

    2016-05-23 14_53_52-ad_login.png


    I am still looking into what I might have missed, as the strange part is, as I mentioned. SSO works fine, but manually login with AD credentials does not


    But my whoopsies aside, this is a great post!


    It have later come to my attention, that it is not possible to logon with AD on the server itself, once SSO is enabled - this error is apparently by design according to e.g. note 2190831.(

    But as mentioned in that note there is a workaround

    On the BI Launchpad you call the http://localhost:8080/BOE/BI/logonNoSso.jsp

    On the CMC side (is SSO is enabled there) it is a bit different here the url is: http://localhost:8080/BOE/CMC/logon.faces?skipSso=true

      • HI, despite the naming, it is only one stand-alone server, running BO 4.1 sp 7.


        All though, in this setup there is multiple domain controllers.

        • Hi Thomas,


          It's nice that you mentioned about having Multiple Domain Controllers, on that note, I assume you'll have to specify those multiple domain controllers (or their cluster name, I'm not sure if there usually is a cluster name for them) in krb5.ini file (in Step 7 in this blog).


          @Gurus: Can someone please confirm?



          Mahboob Mohammed