Lessons learned setting up End-2-End SSO with Kerberos between BI and HANA
I have just come back from an onsite visit where we had to find and resolve some tricky parts in the whole SSO configuration, and I thought some of you might want to configure Kerberos Single Sign-On between SAP BusinessObjects BI 4.0 and SAP HANA.
What you absolutely need to read and follow:
->General knowledge
Business Intelligence Platform Administrator Guide – http://help.sap.com/bobip40
SAP HANA Administration Guides – http://help.sap.com/hana_platform
->Specific guides
Setting up Single Sign-On (SSO) with SAP HANA and SAP BusinessObjects XI 4.0 – http://scn.sap.com/docs/DOC-36305
1837331 – HOWTO HANA DB SSO Kerberos/ Active Directory
1631734 – Configuring Active Directory Manual Authentication and SSO for BI4 (PDF ATTACHED)
Additional information when you get stuck:
1813724 – HANA SSO/Kerberos: create keytab and validate conf (PYTHON SCRIPT AND GSSCHECKER TOOL)
1767687 – HANA issues with Kerberos SSO, error while parsing protocol
1727859 – How to trace the HANA jdbc driver on a client?
1869952 – Requirements and troubleshooting steps when setting up kerberos SSO to the database
1853668 – How to find the KVNO version of your keytab file
1811398 – How to setup BI components to login to hana via AD kerberos SSO (HANASSO.PDF)
1586166 – How to enable tracing for BI4.0 client applications
1734523 – AD Authentication working in IDT only on one Machine
1621106 – How to configure Information Design Tool (IDT) for manual AD Login to BI 4.0
1476374 – ***Best Practices*** including Basic and Advanced AD Troubleshooting Steps for Manual Logon, NTLM, Kerberos and Vintela Single Sign On
1871302 – No TGS requests were sent from any server attempting to perform SSO to hana via kerberos
The tricky parts, or rather, what helped us:
– Use the latest HANA JDBC driver (comes with HANA Client 1.0 from Service Marketplace) locally and on BI landscape
– Check that the keytab on all involved machines is NOT generated with KVNO 255 (generate it without), and that it has the same KVNO everywhere
– Enable attribute “Trust this user for delegation to any service (Kerberos only)” on AD for the service users (-> not a requirement from HANA but from BI)
– Make sure you have the correct REALM everywhere; this can be very tricky in a multidomain environment
– Check that the SPN value returned by the command “setspn -l <AD ACCOUNT>@DOMAIN” is the one defined in bscLogin.conf and in the CMC (case sensitive!)
– Test your HANA SSO configuration with hdbsql and GSSChecker.jar (attached to SAP note 1813724) from a client machine
– SAP note 1813724 has a Python script attached which verifies your HANA configuration
– SAP note 1476374 provides troubleshooting for BI SSO
Hope this will help you!
Best,
Frank
SAP AG
Customer Solution Adoption (CSA)
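The KVNO check from the list above, as an added example that is not part of the original post or of any SAP note: it parses keytab files in the MIT file format (0x0502) and reports entries with KVNO 255 and principals whose KVNO differs between hosts. The host labels, principal, realm and the all-zero key are constructed placeholders.

```python
import struct

def parse_keytab(data):
    """Yield (principal, enctype, kvno) per entry of an MIT keytab (file format 0x0502)."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a 0x0502 keytab")
    pos = 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size <= 0:                     # negative length = deleted slot; zero = stop
            pos += -size or len(data)
            continue
        end, p, names = pos + size, pos + 2, []
        (ncomp,) = struct.unpack_from(">H", data, pos)
        for _ in range(ncomp + 1):        # realm first, then the name components
            (n,) = struct.unpack_from(">H", data, p)
            names.append(data[p + 2:p + 2 + n].decode("utf-8", "replace"))
            p += 2 + n
        _ntype, _ts, kvno, enctype, keylen = struct.unpack_from(">IIBHH", data, p)
        p += 13 + keylen
        if end - p >= 4:                  # optional 32-bit KVNO overrides the 8-bit one
            kvno = struct.unpack_from(">I", data, p)[0] or kvno
        yield "/".join(names[1:]) + "@" + names[0], enctype, kvno
        pos = end

def kvno_findings(keytabs):
    """keytabs maps a host label to keytab bytes; returns the problems found."""
    findings, seen = [], {}
    for host, blob in keytabs.items():
        for princ, _enctype, kvno in parse_keytab(blob):
            seen.setdefault(princ, {}).setdefault(host, set()).add(kvno)
    for princ, hosts in sorted(seen.items()):
        findings += [f"{h}: {princ} has KVNO 255" for h in sorted(hosts) if 255 in hosts[h]]
        if len({frozenset(k) for k in hosts.values()}) > 1:
            detail = ", ".join(f"{h}={sorted(hosts[h])}" for h in sorted(hosts))
            findings.append(f"{princ}: KVNO differs ({detail})")
    return findings

# Constructed demo input from here on: dummy all-zero key, hypothetical names.
def build_entry(princ, realm, kvno, enctype=18, key=b"\0" * 32):
    s = lambda b: struct.pack(">H", len(b)) + b
    names = [realm.encode()] + princ.encode().split(b"/")
    body = struct.pack(">H", len(names) - 1) + b"".join(map(s, names))
    body += struct.pack(">IIBH", 1, 0, kvno & 0xFF, enctype) + s(key) + struct.pack(">I", kvno)
    return struct.pack(">i", len(body)) + body

SAMPLE = {host: b"\x05\x02" + build_entry("service/host.example.com", "EXAMPLE.COM", kvno)
          for host, kvno in (("host-a", 255), ("host-b", 3))}
print(*kvno_findings(SAMPLE), sep="\n")
```

To check real files, pass `kvno_findings` a dictionary that maps each host name to the bytes of the keytab copied from that host.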
Hi Frank, thanks for the post... If I remove KVNO 255 then SSO to launchpad breaks. Did you encounter that?
Thanks
Raj