Skip to Content

I would like to share my recent experience on configuring Windows AD and SSO on a new SAP BI 4.1 BOBJ server. I used to follow the traditional way of using Kerberos Key tab file; this time went for the plain password technique. Thanks to SAP Support for clarifying the different approaches.

Below are the steps followed in my configuration… 🙂

Service Account Setup

1.1    Creation of New Account

·         To set up user authentication for a service, you must register the service as a user in AD on the Domain Controller.

·         To register the service, on the Domain Controller, open the Active Directory Users and Computers snap in.

·         Click the Users folder to display a list of users and on the Action menu, click New and then click User.

·         Enter a name and logon name for the new service, and then click Next.

·         On the next screen, enter a password for the service. Ensure that the User must change password at next logon option is not selected.

·         Click Next and then click Finish.

·         Right-click the user you have entered in the User folder list, and then click Properties.

·         Click the Account tab and then select Account is trusted for delegation and Password never expires. This prevents the service account from expiring, which would cause Kerberos errors.

·         If your Domain Controller is running in a lower Domain Functional Level (lower than Windows 2003 Domain), view the  Account properties for the user you created in step 2, and select Use DES encryption types for this account.

If you enable this for later versions, you may get “Internal error” while you login to CCM using Windows AD account. 😥

·         Note: In Windows 2003 and 2008, Domain Functional Level RC4 is used by default.

·         Click OK.

1.2      Settings to be done on the User Account

·         Ensure the Password Never Expires option is enabled in the User Account Properties à Account Tab

1.3     To grant the service account rights

·         Logon to BOBJ server and perform the below steps

·         Click Start > Control Panel > Administrative Tools > Local Security Policy.

·         Expand Local Policies, and then click User Rights Assignment.

·         Double-click Act as part of the operating system.

·         Click Add.

·         Enter the name of the service account BOserviceaccount, and then click OK.

·         Ensure that the Local Policy Setting check box is selected, and click OK

·         Ensure the service account BOserviceaccount has the following System Rights enabled on the BOBJ Server

   *  Act as part of Operating System

   *  Log on as a Batch Job

   *  Log on as a service

   *  Replace a process level Token

1.1     To add an account to the Administrator’s group

·         Logon to BOBJ Server and perform the below steps

·         Right-click My Computer and click Manage.

·         Go to System Tools > Local Users and Groups > Groups.

·         Right-click Administrators, then click Add to Group.

·         Click Add and type the logon name BOserviceaccount of the service account.

·         Click Check Names to ensure that the account resolves.

·         Click OK, and then click OK again.

    2.0  SPN

Steps to set  SPN .

In order to create appropriate Service Principal Names (SPNs), execute the following commands on Active Directory server:

·         Login to the Domain Controller Server

·         Use the setspn -a command to add the HTTP service principal names to the service account which was created earlier

a)     setspn -a HTTP/BOBJServerName  BOserviceaccount

                              b)     setspn -a HTTP/BOBJServerName.Domain.COM BOserviceaccount

                              c)     setspn -a HTTP/IP address of BOBJ Server BOserviceaccount

                              d)     setspn -a ServicePrincipalName  BOserviceaccount

Verify the Service Account Properties and it should similar to the below screenshot.

/wp-content/uploads/2014/09/serviceaccountprop1_543898.png

·         Go to the Delegation Tab on the Properties of the Service Account Created and Enable the option “Trust this user for delegation to any service (Kerberos only) on the Service Account” as denoted in the below screenshot

/wp-content/uploads/2014/09/serviceaccountprop2_543920.png

·         Run setspn -l BOserviceaccount to verify that the HTTP service principal names were added to the service account.

      3.0     Expected Output

      At the end of the set of activities performed as denoted in the sections

·         Service Principal Name

·         Domain Controller IP address and its FDQN

·         Service Account

·         Service Account Password

      4.0     Adding Entries for AD Configuration

·         Create a file bscLogin.conf & Krb5.ini in the BOBJ Installation Directory

·         Add the below entry in the bscLogin.conf in case of Tomcat Web Application Server

                              com.businessobjects.security.jgss.initiate {
                              com.sun.security.auth.module.Krb5LoginModule required;
                                                  };

·         Add the below entry in the Krb5.ini file. Ensure the entry kdc=<Domain Controller Server Name>.DOMAIN.COM

[libdefaults]
default_realm = DOMAIN.COM
dns_lookup_kdc = true
dns_lookup_realm = true
default_tgs_enctypes = rc4-hmac
default_tkt_enctypes = rc4-hmac
[realms]
DOMAIN.COM = {
kdc = Domain Controller Server nme. DOMAIN.COM
default_domain = DOMAIN.COM
}

Make sure this file is saved correctly by navigating to C:\Program Files (x86)\SAP BusinessObjects\SAP BusinessObjects Enterprise XI 4.0\win64_x64\jdk\bin\ folder on the BOBJ server, and execute ‘kinit BOserviceaccount’ in a command prompt. If a new ticket is stored, the file is correct. 🙂 😛

·         Open the Tomcat Configuration and add the below command lines to the Java Option

-Djava.security.auth.login.config=C:\BO\WinAD\bscLogin.conf
-Djava.security.krb5.conf=C:\BO\WinAD\Krb5.ini

·         Update the server.xml located in the directory C:\BO\Tomcat\conf search for Connector String and ensure the Connector entry is similar to that of entries mentioned below

<Connector port=”8080 protocol=”HTTP/1.1 connectionTimeout=”20000 redirectPort=”8443 compression=”on URIEncoding=”UTF-8 acceptCount=”100 debug=”0 disableUploadTimeout=”true enableLookups=”false maxSpareThreads=”75 maxThreads=”150 maxHttpHeaderSize=” 65536 minSpareThreads=”25 compressionMinSize=”2048 noCompressionUserAgents=”gozilla, traviata compressableMimeType=”text/html,text/xml,text/plain,text/css,text/javascript,text/json,application/json” />

4.1     Active Directory SSO Configuration

  ·         The active directory SSO configuration involves creation of .properties file in the Tomcat WebApps folder where the BOE .war file is deployed

·      Go to the location C:\BO\Tomcat\webapps\BOE\WEB-INF\config\custom and create the BIlaunchpad.properties file and add the following entries in that file.

                     authentication.default=secWinAD
               authentication.visible=true

·      Go to the location C:\BO\Tomcat\webapps\BOE\WEB-INF\config\custom and create the global.properties file and add the following entries in that file.

                     sso.enabled=true
               siteminder.enabled=false
               vintela.enabled=true
               idm.realm=DOMAIN.COM
               idm.princ=ServicePrincipalName
               idm.allowUnsecured=true
               idm.allowNTLM=false
               idm.logger.name=simple
               idm.logger.props=error-log.properties
               idm.allowS4U=true

Note that we are not keeping key tab file path in global file.

·         Open Tomcat Options Add the following lines to Tomcat Java Options:

                       -Dcom.wedgetail.idm.sso.password=<Password of BOServiceaccount>

                       -Djcsi.kerberos.debug=true

Start Tomcat, go to C:\BO\SAP BusinessObjects\Tomcat\logs\, check stdout.log  has ‘credentials obtained’ shown.

Test single-sign-on is now working in a browser on any client system (not on the BOBJ server).

➕ In order to avoid SSO stops working on patch upgrades,

We can copy the BIlaunchpad.properties and global.properties from C:\BO\Tomcat\webapps\BOE\WEB-INF\config\custom to C:\BO\SAP BusinessObjects Enterprise XI 4.0\warfiles\webapps\BOE\WEB-INF\config\custom

Hope this helps.. 🙂

Thanks and Regards

Sandeep Chandran

To report this post you need to login first.

18 Comments

You must be Logged on to comment or reply to a post.

  1. Jason Xu

    Hi Sandeep

    Thanks for your article.

    And I want to translate this article to Chinese, and share it to Chinese customer.

    Could I do it?

    Thanks,

    Jason

    (1) 
  2. Vishal Gautam

    Hi Sandeep,

    Your steps are different from SAP BO 4.1 Administrator Guide.

    Will this work in a BO 4.1 clustered configuration (5-6machines in a cluster named BO4STAGE) Environment consists  like 3-4 tomcat servers running behind a loadbalanacer. There are 6 SIA Nodes in the Cluster. Then what should we use. Any response will be appreciated.

    (1) 
    1. MAHMOUD Elhosseini

      Hi Stephane ,

      i tried  to  use  the another  encryption algorithm you  sent  in link  ,  but  not  work  only  the RC4 AES worked .

      Regards

      Hosseini

      (1) 
  3. Anshul Tiwari

    Hi

    Manual AD authentication is working for me on BI 4.2 however SSO is not working. BI lauchpad ask for credetials and does not silent sign on.

    Have performed all steps mentioned

    Thanks

    Ansh

    (0) 
    1. Sandeep Chandran Post author

       

      Hello Anshul,

      Have you checked the log file?

      go to C:\BO\SAP BusinessObjects\Tomcat\logs\, check stdout.log  has ‘credentials obtained’ shown.

      If not, please re-visit your configurations

      Thanks

      Sandeep Chandran

      (0) 

Leave a Reply