BO WEBI4.1 Scheduled reports fails (error IES 10901) When SSO (Kerberos windows AD authentication) is enabled

Issue Summary: BO WEBI4.1 Scheduled reports fails (error IES 10901)  When SSO (Kerberos windows AD authentication) is enabled

Error Message: Database error: (CS) “Java Exception: java.lang.RuntimeException: com.sap.db.jdbc.exceptions.jdbc40.SQLInvalidAuthorizationSpecException: [10]: invalid username or password: ” (IES 10901)

Steps to reproduce the issue:

1.       Pre-requisite

    1.SSO Kerberos windows AD authentication is configured. Connection used in universe is configured as SSO.

    SAP Business Objects BI Platform 4.1 Support Pack 1 Patch 1Version: 14.1.1.1072

   Version: 14.1.1.1072

        SAP HANA Studio

        Version: 1.0.6903

        Build id: 201402051727 388114

2. Create connection which uses Single Sign On to connect your HANA database. Create Universe using this connection based on HANA calculation view.

                              3. Create new WEBI report using Universe  which uses SSO as Connection setting. Try to schedule report. It fails

Note: Schedule success when connection is set to use specific User Id/Password. Please refer 2 and 3 row in above screen shot.

Failed Description

Title: GL – Account Balance

Document Type: Microsoft Excel

Status          Failed Owner:                Pradeep.Mohite

Parameters:                    10;2013;0L;1;16;0010 

Error Message:              Database error: (CS) “Java Exception : java.lang.RuntimeException: com.sap.db.jdbc.exceptions.jdbc40.SQLInvalidAuthorizationSpecException: [10]: invalid username or password: ” . (IES 10901)

SAP Note Found for the issue:

https://websmp130.sap-ag.de/sap(bD1lbiZjPTAwMQ==)/bc/bsp/sno/ui_entry/entry.htm?param=69765F6D6F64653D3030312669765F7361706E6F7465735F6E756D6265723D3138363939353226

                    As per this note:  SSO is NOT possible for any scheduled reports at any time.

                    Questions to SAP:  What is resolution for this issue?  We understand creating new Universe/Reports is one way, But this is overhead for

                   development and maintenance. Please advise.

                    Answer By SAP Representative:

                    Unfortunately you cannot use Kerberos to do what you want to accomplish. You would need to create a separate universe and report. I talked

                   to the authentication team and they told me since you are on BI 4.1, your other option is to implement SAML which is explained in kb 1900023.

                   Problem with Solution Proposed by SAP:

I                        I. Creating separate universe/reports just for scheduled reports will add maintenance over-head/cost.

I.                      II. As we already implemented Kerberos windows AD authentication changing this in last phase of project will add extra over-head/cost.

That being said we need alternative approach without any impact.

     Work Around: Create Data Security Profile on universe for which you need to schedule reports, which override SSO HANA Relational Connection

                      with HANA Relational Connection (Which is set to use Specific user name/Password) You can use Generic  Database user ID.  Assign same

                      generic userID (who will schedule the report) to Data security profile. Save Data security Profile

Login in BI Launch with Generic User ID and schedule report which is using the universe on which you created Data Security profile.

Things to consider for this solution: If your company uses row level security, you need apply required security on generic user ID in HANA. So you get appropriate data in report.  Another way is you create parameter for Row level security fields in report and pass appropriate values to parameters while scheduling.

For e.g.  Your Company has implemented Row level security on Division, then create Division as parameter in report and pass appropriate value while scheduling report.

            Step by Step Implementation:

                             Pre-requisite –

o   Please create relational HANA Connection (Say: SAP_ECC) with SSO Kerberos windows AD authentication is configured.

o   Please create Universe using this connection (Data foundation , Business layer etc)

o   Please create relational HANA Connection (Say: SAP_HANA_REMOTE) with specific user ID / password. Please make sure you use User ID thru which you want schedule report.

.                         1.   Open Information Design Tool

                           2.    Go to >> Windows >>Security Editor

               .    3.   Click Universe /Profile

                          Select Universe for which you need to create Data Security Profile.

5.                   4. Right Click Select Universe – and Insert Data Security Profile.

5.             5. On Connection Tab : Please configure Original Connection and Replacement Connection.  As shown below screen shot

1                                                 6. Click OK

                             7. Select newly Created Data Security Profile and Click on Users/Groups

                8.      Select User Group/ user to whom you want to provide access to this security profile. And click “<” Button

     .      9.  Save your data security Profile

.         10.  Now login to BI with using user Id for which you have provided connection override access using above data security profile.

.         11.  Schedule any WEBI report which is based on above universe.

.         12.  Report should runs successfully.

Hope it works for you too! For Comments/Question please reach out to Pradeepkumar Mohite

Thank you!