BO WEBI4.1 Scheduled reports fails (error IES 10901) When SSO (Kerberos windows AD authentication) is enabled
Issue Summary: BO WEBI4.1 Scheduled reports fails (error IES 10901) When SSO (Kerberos windows AD authentication) is enabled
Error Message: Database error: (CS) “Java Exception: java.lang.RuntimeException: com.sap.db.jdbc.exceptions.jdbc40.SQLInvalidAuthorizationSpecException: : invalid username or password: ” (IES 10901)
Steps to reproduce the issue:
1.SSO Kerberos windows AD authentication is configured. Connection used in universe is configured as SSO.
SAP Business Objects BI Platform 4.1 Support Pack 1 Patch 1Version: 22.214.171.1242
SAP HANA Studio
Build id: 201402051727 388114
2. Create connection which uses Single Sign On to connect your HANA database. Create Universe using this connection based on HANA calculation view.
3. Create new WEBI report using Universe which uses SSO as Connection setting. Try to schedule report. It fails
Note: Schedule success when connection is set to use specific User Id/Password. Please refer 2 and 3 row in above screen shot.
Title: GL – Account Balance
Document Type: Microsoft Excel
Status Failed Owner: Pradeep.Mohite
Error Message: Database error: (CS) “Java Exception : java.lang.RuntimeException: com.sap.db.jdbc.exceptions.jdbc40.SQLInvalidAuthorizationSpecException: : invalid username or password: ” . (IES 10901)
SAP Note Found for the issue:
As per this note: SSO is NOT possible for any scheduled reports at any time.
Questions to SAP: What is resolution for this issue? We understand creating new Universe/Reports is one way, But this is overhead for
development and maintenance. Please advise.
Answer By SAP Representative:
Unfortunately you cannot use Kerberos to do what you want to accomplish. You would need to create a separate universe and report. I talked
to the authentication team and they told me since you are on BI 4.1, your other option is to implement SAML which is explained in kb 1900023.
Problem with Solution Proposed by SAP:
I I. Creating separate universe/reports just for scheduled reports will add maintenance over-head/cost.
I. II. As we already implemented Kerberos windows AD authentication changing this in last phase of project will add extra over-head/cost.
That being said we need alternative approach without any impact.
Work Around: Create Data Security Profile on universe for which you need to schedule reports, which override SSO HANA Relational Connection
with HANA Relational Connection (Which is set to use Specific user name/Password) You can use Generic Database user ID. Assign same
generic userID (who will schedule the report) to Data security profile. Save Data security Profile
Login in BI Launch with Generic User ID and schedule report which is using the universe on which you created Data Security profile.
Things to consider for this solution: If your company uses row level security, you need apply required security on generic user ID in HANA. So you get appropriate data in report. Another way is you create parameter for Row level security fields in report and pass appropriate values to parameters while scheduling.
For e.g. Your Company has implemented Row level security on Division, then create Division as parameter in report and pass appropriate value while scheduling report.
Step by Step Implementation:
o Please create relational HANA Connection (Say: SAP_ECC) with SSO Kerberos windows AD authentication is configured.
o Please create Universe using this connection (Data foundation , Business layer etc)
o Please create relational HANA Connection (Say: SAP_HANA_REMOTE) with specific user ID / password. Please make sure you use User ID thru which you want schedule report.
. 1. Open Information Design Tool
2. Go to >> Windows >>Security Editor
. 3. Click Universe /Profile
Select Universe for which you need to create Data Security Profile.
5. 4. Right Click Select Universe – and Insert Data Security Profile.
5. 5. On Connection Tab : Please configure Original Connection and Replacement Connection. As shown below screen shot
1 6. Click OK
7. Select newly Created Data Security Profile and Click on Users/Groups
8. Select User Group/ user to whom you want to provide access to this security profile. And click “<” Button
. 9. Save your data security Profile
. 10. Now login to BI with using user Id for which you have provided connection override access using above data security profile.
. 11. Schedule any WEBI report which is based on above universe.
. 12. Report should runs successfully.
Hope it works for you too! For Comments/Question please reach out to Pradeepkumar Mohite