I would like to share my recent experience on configuring Windows AD and SSO on a new SAP BI 4.1 BOBJ server. I used to follow the traditional way of using Kerberos Key tab file; this time went for the plain password technique. Thanks to SAP Support for clarifying the different approaches.
Below are the steps followed in my configuration… :smile:
Service Account Setup
1.1 Creation of New Account
· To set up user authentication for a service, you must register the service as a user in AD on the Domain Controller.
· To register the service, on the Domain Controller, open the Active Directory Users and Computers snap in.
· Click the Users folder to display a list of users and on the Action menu, click New and then click User.
· Enter a name and logon name for the new service, and then click Next.
· On the next screen, enter a password for the service. Ensure that the User must change password at next logon option is not selected.
· Click Next and then click Finish.
· Right-click the user you have entered in the User folder list, and then click Properties.
· Click the Account tab and then select Account is trusted for delegation and Password never expires. This prevents the service account from expiring, which would cause Kerberos errors.
· If your Domain Controller is running in a lower Domain Functional Level (lower than Windows 2003 Domain), view the Account properties for the user you created in step 2, and select Use DES encryption types for this account.
If you enable this for later versions, you may get "Internal error" while you login to CCM using Windows AD account. :cry:
· Note: In Windows 2003 and 2008, Domain Functional Level RC4 is used by default.
· Click OK.
1.2 Settings to be done on the User Account
· Ensure the Password Never Expires option is enabled in the User Account Properties à Account Tab
1.3 To grant the service account rights
· Logon to BOBJ server and perform the below steps
· Click Start > Control Panel > Administrative Tools > Local Security Policy.
· Expand Local Policies, and then click User Rights Assignment.
· Double-click Act as part of the operating system.
· Click Add.
· Enter the name of the service account BOserviceaccount, and then click OK.
· Ensure that the Local Policy Setting check box is selected, and click OK
· Ensure the service account BOserviceaccount has the following System Rights enabled on the BOBJ Server
* Act as part of Operating System
* Log on as a Batch Job
* Log on as a service
* Replace a process level Token
1.1 To add an account to the Administrator's group
· Logon to BOBJ Server and perform the below steps
· Right-click My Computer and click Manage.
· Go to System Tools > Local Users and Groups > Groups.
· Right-click Administrators, then click Add to Group.
· Click Add and type the logon name BOserviceaccount of the service account.
· Click Check Names to ensure that the account resolves.
· Click OK, and then click OK again.
2.0 SPN
Steps to set SPN .
In order to create appropriate Service Principal Names (SPNs), execute the following commands on Active Directory server:
· Login to the Domain Controller Server
· Use the setspn -a command to add the HTTP service principal names to the service account which was created earlier
a) setspn -a HTTP/BOBJServerName BOserviceaccount
b) setspn -a HTTP/BOBJServerName.Domain.COM BOserviceaccount
c) setspn -a HTTP/IP address of BOBJ Server BOserviceaccount
d) setspn -a ServicePrincipalName BOserviceaccount
Verify the Service Account Properties and it should similar to the below screenshot.
· Go to the Delegation Tab on the Properties of the Service Account Created and Enable the option “Trust this user for delegation to any service (Kerberos only) on the Service Account” as denoted in the below screenshot
· Run setspn -l BOserviceaccount to verify that the HTTP service principal names were added to the service account.
3.0 Expected Output
At the end of the set of activities performed as denoted in the sections
· Service Principal Name
· Domain Controller IP address and its FDQN
· Service Account
· Service Account Password
4.0 Adding Entries for AD Configuration
· Create a file bscLogin.conf & Krb5.ini in the BOBJ Installation Directory
· Add the below entry in the bscLogin.conf in case of Tomcat Web Application Server
com.businessobjects.security.jgss.initiate {
com.sun.security.auth.module.Krb5LoginModule required;
};
· Add the below entry in the Krb5.ini file. Ensure the entry kdc=<Domain Controller Server Name>.DOMAIN.COM
[libdefaults]
default_realm = DOMAIN.COM
dns_lookup_kdc = true
dns_lookup_realm = true
default_tgs_enctypes = rc4-hmac
default_tkt_enctypes = rc4-hmac
[realms]
DOMAIN.COM = {
kdc = Domain Controller Server nme. DOMAIN.COM
default_domain = DOMAIN.COM
}
Make sure this file is saved correctly by navigating to C:\Program Files (x86)\SAP BusinessObjects\SAP BusinessObjects Enterprise XI 4.0\win64_x64\jdk\bin\ folder on the BOBJ server, and execute ‘kinit BOserviceaccount’ in a command prompt. If a new ticket is stored, the file is correct. :smile: :razz:
· Open the Tomcat Configuration and add the below command lines to the Java Option
-Djava.security.auth.login.config=C:\BO\WinAD\bscLogin.conf
-Djava.security.krb5.conf=C:\BO\WinAD\Krb5.ini
· Update the server.xml located in the directory C:\BO\Tomcat\conf search for Connector String and ensure the Connector entry is similar to that of entries mentioned below
<Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443" compression="on" URIEncoding="UTF-8" acceptCount="100" debug="0" disableUploadTimeout="true" enableLookups="false" maxSpareThreads="75" maxThreads="150" maxHttpHeaderSize=" 65536" minSpareThreads="25" compressionMinSize="2048" noCompressionUserAgents="gozilla, traviata" compressableMimeType="text/html,text/xml,text/plain,text/css,text/javascript,text/json,application/json" />
4.1 Active Directory SSO Configuration
· The active directory SSO configuration involves creation of .properties file in the Tomcat WebApps folder where the BOE .war file is deployed
· Go to the location C:\BO\Tomcat\webapps\BOE\WEB-INF\config\custom and create the BIlaunchpad.properties file and add the following entries in that file.
authentication.default=secWinAD
authentication.visible=true
· Go to the location C:\BO\Tomcat\webapps\BOE\WEB-INF\config\custom and create the global.properties file and add the following entries in that file.
sso.enabled=true
siteminder.enabled=false
vintela.enabled=true
idm.realm=DOMAIN.COM
idm.princ=ServicePrincipalName
idm.allowUnsecured=true
idm.allowNTLM=false
idm.logger.name=simple
idm.logger.props=error-log.properties
idm.allowS4U=true
Note that we are not keeping key tab file path in global file.
· Open Tomcat Options Add the following lines to Tomcat Java Options:
-Dcom.wedgetail.idm.sso.password=<Password of BOServiceaccount>
-Djcsi.kerberos.debug=true
Start Tomcat, go to C:\BO\SAP BusinessObjects\Tomcat\logs\, check stdout.log has ‘credentials obtained’ shown.
Test single-sign-on is now working in a browser on any client system (not on the BOBJ server).
➕ In order to avoid SSO stops working on patch upgrades,
We can copy the BIlaunchpad.properties and global.properties from C:\BO\Tomcat\webapps\BOE\WEB-INF\config\custom to C:\BO\SAP BusinessObjects Enterprise XI 4.0\warfiles\webapps\BOE\WEB-INF\config\custom
ℹ
Hope this helps.. :smile:
Thanks and Regards
Sandeep Chandran
- SAP Managed Tags:
20 Comments
