Additional Blogs by Members
cancel
Showing results for 
Search instead for 
Did you mean: 
Former Member

Please find below an SSO cheat sheet for BI4. I have used the latest KB note on AD SSO which is 1631734, written by Steve Fredell.

Please note that in this example below, I am assuming that Tomcat is being used for the web application server, and it is by default installed on the same instance as the BusinessObjects BI4 application.  In a distributed scenario, certain actions will take place on the Web App instance, and others on the BusinessObjects BI4 instance.

Instead of just letting you walk through the process yourself, I also wanted to give you a more visual guide. So below, please find a DSLayer special edition, video walkthrough of this guide:

Firstly, let’s define our server names and IPs (you must obviously adjust these and the commands below to reflect your server names and IPs:

  • Domain Name: DOMAIN (FQDN: DOMAIN.INTERNAL)
  • Service Account: biservice (password: Password1)
  • Domain Controller: adserver.DOMAIN.INTERNAL
  • BusinessObjects Server: bi4server.DOMAIN.INTERNAL
  • BusinessObjects AD Group: DOMAIN\UserGroup

Step 1

Create an Active Directory service account, biservice (pass: Password1). Ensure the user config has ‘Password never expires’ option checked on.

On the BusinessObjects server, add the DOMAIN/biservice user to the Local Administrators group. Also assign the biservice user the right ‘Act as part of Operating System’ in the Local Security Policy snap-in.

Step 2

Run the following command on the Active Directory server to create appropriate Service Principal Names (SPNs):

  • setspn -a BICMS/biservice.domain.internal biservice
  • setspn -a HTTP/bi4server biservice
  • setspn -a HTTP/bi4server.domain.internal biservice

Verify the SPNs have been created by running ‘setspn -l biservice’.

Step 3

Change the user config of ‘biservice’ user in Active Directory configuration, and under the Delegation tab, turn on ‘Trust this user for delegation to any service (Kerberos only)’.

Step 4

Under the AD Authentication area in the Central Management Console, take the following actions:

  • Enable Windows Active Directory (AD)
  • AD Administration Name = DOMAIN\biservice
  • Default AD Domain: DOMAIN.INTERNAL
  • Add AD Group: DOMAIN\UserGroup
  • Use Kerberos Authentication
  • Service principal name = BICMS/biservice.domain.internal
  • Enable Single Sign On for selected authentication mode

Click Save to save all your entries. Check under the Groups area to make sure your AD group has been added.

Step 5

Modify the Server Intelligence Agent (SIA) process on the BusinessObjects server to run as the DOMAIN\biservice user.

Step 6

Test this by logging into Web Intelligence Rich Client by using an AD user who is part of the group. SSO should occur once you select ‘Windows AD’ authentication and click OK (no need to input your username or password).

Step 7

Create a file called ‘bscLogin.conf’, save it into C:\Windows\ directory on the BusinessObjects server, and put the following content into it using Notepad:

com.businessobjects.security.jgss.initiate {
com.sun.security.auth.module.Krb5LoginModule required debug=true;
};

Create a file called ‘krb5.ini’, save it into C:\Windows\ directory, and put the following content into it using Notepad:

[libdefaults]
default_realm = DOMAIN.INTERNAL
dns_lookup_kdc = true
dns_lookup_realm = true
default_tgs_enctypes = rc4-hmac
default_tkt_enctypes = rc4-hmac
udp_preference_limit = 1
[realms]
DOMAIN.INTERNAL ={
kdc = ADSERVER.DOMAIN.INTERNAL
default_domain = DOMAIN.INTERNAL
}

Verify this file is completed correctly by navigating to C:\Program Files (x86)\SAP BusinessObjects\SAP BusinessObjects Enterprise XI 4.0\win64_x64\jdk\bin\ folder on the BusinessObjects server, and execute ‘kinit biservice’ in a command prompt. If a new ticket is stored, the file is correct.

Step 8

Stop Tomcat. Modify the BI Launch Pad’s .properties file to reveal the authentication dropdown. Navigate to C:\Program Files (x86)\SAP BusinessObjects\Tomcat6\webapps\BOE\WEB-INF\config\custom and create a file called ‘BIlaunchpad.properties’ with the following text:

authentication.visible=true
authentication.default=secWinAD

Open up the Tomcat Options, and add the following lines to the Tomcat Java Options:

-Djava.security.auth.login.config=c:\windows\bscLogin.conf
-Djava.security.krb5.conf=c:\windows\krb5.ini

Start Tomcat, then try and do a manual logon to BusinessObjects, and check Tomcat trace logs for a ‘commit succeeded’.

Step 9

Stop Tomcat. Modify C:\Program Files (x86)\SAP BusinessObjects\Tomcat6\conf\server.xml, by adding ‘maxHttpHeaderSize=”65536″‘ in Connector Port 8080 tag.

Navigate to C:\Program Files (x86)\SAP BusinessObjects\Tomcat6\webapps\BOE\WEB-INF\config\custom and create a file called ‘global.properties’ with the following text:

sso.enabled=true
siteminder.enabled=false
vintela.enabled=true
idm.realm=DOMAIN.INTERNAL
idm.princ=biservice
idm.allowUnsecured=true
idm.allowNTLM=false
idm.logger.name=simple
idm.logger.props=error-log.properties

Open up Tomcat Options Add the following lines to Tomcat Java Options:

-Dcom.wedgetail.idm.sso.password=Password1
-Djcsi.kerberos.debug=true

Delete logs in C:\Program Files (x86)\SAP BusinessObjects\Tomcat6\logs\ and C:\SBOPWebapp_BIlaunchpad_IP_PORT\.

Start Tomcat, go to C:\Program Files (x86)\SAP BusinessObjects\Tomcat6\logs\, check stdout.log has ‘credentials obtained’ shown.

Test silent single sign on is now working in a browser (not on the BusinessObjects server).

Step 10

Copy BIlaunchpad.properties and global.properties from C:\Program Files (x86)\SAP BusinessObjects\Tomcat6\webapps\BOE\WEB-INF\config\custom to C:\Program Files (x86)\SAP BusinessObjects\SAP BusinessObjects Enterprise XI 4.0\warfiles\webapps\BOE\WEB-INF\config\custom so that patches don’t overwrite them and SSO stops working.

Step 11

Create a keytab on the AD server by running the following command:

ktpass -out bosso.keytab -princ biservice@DOMAIN.INTERNAL -pass Password1 -kvno 255 -ptype KRB5_NT_PRINCIPAL -crypto RC4-HMAC-NT

Copy this file to c:\windows of BOBJ server then stop Tomcat.

Add the following line to C:\Program Files (x86)\SAP BusinessObjects\Tomcat6\webapps\BOE\WEB-INF\config\custom\global.properties

idm.keytab=C:/WINDOWS/bosso.keytab

Open up the Tomcat Configuration, remove the Wedgetail line in Java Options, restart tomcat and make sure ‘credentials obtained’ still showing up in stdout.log.

Now check silent single sign on still operating correctly.

Step 12

Remove debug=true from the C:\windows\bscLogin.conf file, and also remove the debugging line in Tomcat Configuration, Java Options.

Conclusion

Hopefully this walkthrough gives you a good idea of what is required to get AD SSO working on BI4.

Don’t forget to look at SAP note 1631734.  Also included in the SAP note is troubleshooting assistance for each step.

----------

Update 1 - fixed file path in Step 8

47 Comments