Former Member

BI 4 64-bit: Configuring Trusted Authentication using IIS – Tomcat Bridge with Apache Jakarta ISAPI




BI 4 supports single sign-on (SSO) through Trusted Authentication. This feature lets a user log into InfoView without being prompted for a username and password. With Trusted Authentication, SSO works for any user in Enterprise (Enterprise/Windows NT/Windows AD/LDAP). In the setup below, IIS authenticates the user with Windows Authentication and passes the user name to Tomcat as REMOTE_USER through the Jakarta ISAPI redirector.

Single Sign-on Configuration Tasks

1. Go to the Authentication management area of the CMC, double-click Enterprise, select the “Trusted Authentication is enabled” check box and click Update.

2. Click the New Shared Secret button. Click the Download Shared Secret button and save the “TrustedPrincipal.conf” file in the “D:\SAP BusinessObjects\SAP BusinessObjects Enterprise XI 4.0\win32_x86” location on the web application servers (Tomcat). This file holds the shared secret, so limit read access to the account that runs Tomcat.
NOTE: If the folder “win32_x86” does not exist, create a folder called “win32_x86” and copy the file into it.

3. Copy the, and files from “D:\SAP BusinessObjects\Tomcat6\webapps\BOE\WEB-INF\config\default” to the “D:\SAP BusinessObjects\Tomcat6\webapps\BOE\WEB-INF\config\custom” folder on the web application servers (Tomcat)

4. Modify the following parameters in the file (“D:\SAP BusinessObjects\Tomcat6\webapps\BOE\WEB-INF\config\custom”) on the web application server

5. Verify/Update the below properties in and files (“D:\SAP BusinessObjects\Tomcat6\webapps\BOE\WEB-INF\config\custom”) on the web application server
cms.default=”Appropriate CMS Name with Port number”

6. Add the tomcatAuthentication="false" property to the AJP connector section in server.xml located in “D:\SAP BusinessObjects\Tomcat6\conf” on the web application Tomcat server and uncomment that property.

7. Configuration of “Jakarta isapi_redirect-1.2.28” 64-bit version of Windows 2008 on all web application servers:
Create a Connector folder under the “D:\SAP BusinessObjects\Tomcat6” location on the web application server

Connector folder should contain 3 sub folders

a) bin – (In the bin folder place the following file:

     NOTE: In this example I am choosing the isapi_redirect from version 1.2.28 for a 64-bit version of Windows 2008.)

b) conf – (Download the JK 1.2.28 Source Release zip (e.g. Windows) 1.2.28/

      In this zip folder copy and from the config folder in this zip to our config folder)

c) log – (write log files to this location)

8. Edit/Update the ‘” property in file located “D:\SAP BusinessObjects\Tomcat6\Connector\conf” with the IP address of the web application server
# Defining a worker named ajp13w and of type ajp13
# Note that the name and the type do not have to match.
worker.ajp13w.type=ajp13 Address of web application server)

9. Make sure the “/*=wlb” entry is added to file located in the “D:\SAP BusinessObjects\Tomcat6\Connector\conf” folder on web application
# – IIS
# This file provides sample mappings for example wlb
# worker defined in
# The general syntax for this file is:
# [URL]=[Worker name]

10. In notepad copy/paste the below information and save it as jakarta.reg

Right-click jakarta.reg and choose Merge

NOTE: Take a backup of the existing registry before performing this merge



[HKEY_LOCAL_MACHINE\SOFTWARE\Apache Software Foundation\Jakarta Isapi







11. On web application server
Make sure that the keys below are present in the registry editor after step 20
[HKEY_LOCAL_MACHINE\SOFTWARE\Apache Software Foundation\Jakarta Isapi Redirector]
[HKEY_LOCAL_MACHINE\SOFTWARE\Apache Software Foundation\Jakarta Isapi Redirector\1.0]
"log_file"="D:\\SAP BusinessObjects\\Tomcat6\\Connector\\logs\\isapi.log"

12. On web application server
Add the jakarta Virtual Directory in IIS
Start | run | inetmgr
Expand to Default Web Site, right-click and choose Add Virtual Directory
Name the virtual directory “jakarta” (this must be the same as your extension_uri in the registry) and point to the “isapi_redirect.dll” file located in the “D:\SAP BusinessObjects\Tomcat6\Connector\bin” folder

13. On web application server
Edit the jakarta Virtual directory handler mappings in IIS:
Highlight the “jakarta” virtual directory under Default Web Site and double-click the “Handler Mappings” icon in the right pane. In the Handler Mappings window click Edit Feature Permissions in the action pane. In the Edit Feature Permissions pop-up ensure Read, Script and Execute are all checked and press OK.

14. On web application server
Add the ISAPI filter to the default web site in IIS:
Highlight Default Web Site and choose the ISAPI Filters icon. Click Add in the top right, name the filter jakarta and point to the “D:\SAP

15. On web application server
Set the ISAPI restrictions for the IIS7 server:
Highlight the server name and double-click ISAPI and CGI Restrictions. Choose Add, then provide the path to “D:\SAP BusinessObjects\Tomcat6\Connector\bin\isapi_redirect.dll” and give a description of “jakarta”. Check the box for Allow extension path to execute

16. On web application server
Reset IIS and Test
Reset IIS with Start | run | iisreset

17. Configure IIS7 for REMOTE_USER Trusted Authentication
In IIS, highlight Default Web Site and choose the Authentication icon. Disable Anonymous Authentication and enable Windows Authentication
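
The check below is an added example, not part of the original post or of SAP's tooling: it audits the AJP connector that step 6 edits in server.xml, because tomcatAuthentication="false" makes Tomcat accept whatever user name the AJP peer forwards. The function name, the sample XML fragments and port 8009 are assumptions made for the illustration.

```python
import xml.etree.ElementTree as ET

LOOPBACK = {"127.0.0.1", "::1", "localhost"}

def audit_ajp(server_xml):
    """Return [(port, [issues])] for every active AJP connector in server.xml text."""
    # ElementTree discards XML comments, so a connector that is still
    # commented out is (correctly) not reported as active.
    root = ET.fromstring(server_xml)
    results = []
    for conn in root.iter("Connector"):
        if "ajp" not in conn.get("protocol", "").lower():
            continue
        issues = []
        # Tomcat's default is tomcatAuthentication="true": Tomcat ignores the
        # user name sent by the front end, so REMOTE_USER from IIS never arrives.
        trusts_front_end = conn.get("tomcatAuthentication", "true").lower() == "false"
        if not trusts_front_end:
            issues.append("tomcatAuthentication is not false: REMOTE_USER from IIS is ignored")
        # With no address attribute a Tomcat 6 connector listens on all interfaces.
        address = conn.get("address")
        if trusts_front_end and address not in LOOPBACK:
            issues.append("connector trusts the forwarded user but listens on %s: "
                          "limit the port to the IIS host" % (address or "all interfaces"))
        results.append((conn.get("port"), issues))
    return results

# Constructed server.xml fragments (not taken from a real installation).
COMMENTED_OUT = """<Server><Service name="Catalina">
  <!-- <Connector port="8009" protocol="AJP/1.3" tomcatAuthentication="false"/> -->
</Service></Server>"""

STEP6_AS_WRITTEN = """<Server><Service name="Catalina">
  <Connector port="8080" protocol="HTTP/1.1"/>
  <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" tomcatAuthentication="false"/>
</Service></Server>"""

LOOPBACK_ONLY = STEP6_AS_WRITTEN.replace('port="8009"', 'port="8009" address="127.0.0.1"')

if __name__ == "__main__":
    for name, xml in [("commented out", COMMENTED_OUT),
                      ("step 6 as written", STEP6_AS_WRITTEN),
                      ("loopback only", LOOPBACK_ONLY)]:
        print(name, "->", audit_ajp(xml) or "no active AJP connector")
```

A loopback bind only works when the worker host from step 8 is also 127.0.0.1; if the worker uses the server's IP address, restrict the AJP port to that host with a firewall rule instead.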

      Former Member


      This is a very useful document, as we have just upgraded to BI 4.1 in dev. But based on the document, it looks like I have to install the JK isapi_redirector.exe file. Which version should the exe file be? I could not find the isapi_redirect-1.2.28.exe file. There is a hotfix for isapi_redirect-1.2.28.exe in fpt watch file. I don't know what that is. And also I can't find the jakarta.reg file. In the Reg edit, when I right-click a file under the directory reg edit, there is no Merge option.

      Please help.


      Denis Konovalov

      Proper SSO AD/LDAP via Tomcat is more secure and easier to configure. What would the benefits of using trusted auth with IIS be?

      Former Member

      Our company's domain control team neither gives anyone outside of their team the right to run scripts, nor do we provide the scripts to let them run on the domain control server. In the past, we always used the Tomcat bridge with Apache Jakarta ISAPI.

      Former Member

      Does anyone know why, after I finished step 10 in the above document, I cannot see the reg keys I created?