Sandeep Chandran

Making Windows AD Configuration & SSO easy on SAP BI 4.1

I would like to share my recent experience configuring Windows AD and SSO on a new SAP BI 4.1 BOBJ server. I used to follow the traditional approach of using a Kerberos keytab file; this time I went for the plain-password technique. Thanks to SAP Support for clarifying the different approaches.

Below are the steps I followed in my configuration… 🙂

Service Account Setup

1.1 Creation of New Account

· To set up user authentication for a service, you must register the service as a user in AD on the Domain Controller.

· To register the service, on the Domain Controller, open the Active Directory Users and Computers snap-in.

· Click the Users folder to display a list of users; on the Action menu, click New and then click User.

· Enter a name and logon name for the new service account, and then click Next.

· On the next screen, enter a password for the service account. Ensure that the User must change password at next logon option is not selected.

· Click Next and then click Finish.

· Right-click the user you just created in the Users folder list, and then click Properties.

· Click the Account tab and then select Account is trusted for delegation and Password never expires. This prevents the service account password from expiring, which would cause Kerberos errors.

· If your Domain Controller is running at a lower Domain Functional Level (lower than Windows 2003), view the Account properties for the user you created in step 2 and select Use DES encryption types for this account.

If you enable this option at later functional levels, you may get an “Internal error” when you log in to the CCM with a Windows AD account. 😥

· Note: at the Windows 2003 and 2008 Domain Functional Levels, RC4 is used by default.

· Click OK.

1.2 Settings to be done on the User Account

· Ensure the Password Never Expires option is enabled in the User Account Properties > Account tab.

1.3 To grant the service account rights

· Log on to the BOBJ server and perform the steps below.

· Click Start > Control Panel > Administrative Tools > Local Security Policy.

· Expand Local Policies, and then click User Rights Assignment.

· Double-click Act as part of the operating system.

· Click Add.

· Enter the name of the service account, BOserviceaccount, and then click OK.

· Ensure that the Local Policy Setting check box is selected, and click OK.

· Ensure the service account BOserviceaccount has the following user rights enabled on the BOBJ server:

   * Act as part of the operating system

   * Log on as a batch job

   * Log on as a service

   * Replace a process level token

1.4 To add the account to the Administrators group

· Log on to the BOBJ server and perform the steps below.

· Right-click My Computer and click Manage.

· Go to System Tools > Local Users and Groups > Groups.

· Right-click Administrators, then click Add to Group.

· Click Add and type the logon name of the service account, BOserviceaccount.

· Click Check Names to ensure that the account resolves.

· Click OK, and then click OK again.

2.0 SPN

Steps to set the SPN.

In order to create the appropriate Service Principal Names (SPNs), execute the following commands on the Active Directory server:

· Log in to the Domain Controller server.

· Use the setspn -a command to add the HTTP service principal names to the service account created earlier:

a) setspn -a HTTP/BOBJServerName BOserviceaccount

b) setspn -a HTTP/BOBJServerName.Domain.COM BOserviceaccount

c) setspn -a HTTP/<IP address of BOBJ server> BOserviceaccount

d) setspn -a ServicePrincipalName BOserviceaccount

Verify the service account properties; they should look similar to the screenshot below.

[Screenshot: service account properties, /wp-content/uploads/2014/09/serviceaccountprop1_543898.png]

· Go to the Delegation tab in the properties of the service account you created and enable the option “Trust this user for delegation to any service (Kerberos only)”, as shown in the screenshot below.

[Screenshot: service account Delegation tab, /wp-content/uploads/2014/09/serviceaccountprop2_543920.png]

· Run setspn -l BOserviceaccount to verify that the HTTP service principal names were added to the service account.

3.0 Expected Output

At the end of the activities described in the sections above, you should have the following:

· Service Principal Name

· Domain Controller IP address and its FQDN

· Service Account

· Service Account Password

4.0 Adding Entries for AD Configuration

· Create the files bscLogin.conf and Krb5.ini in the BOBJ installation directory.

· Add the entry below to bscLogin.conf in the case of the Tomcat web application server:

com.businessobjects.security.jgss.initiate {
    com.sun.security.auth.module.Krb5LoginModule required;
};

· Add the entry below to the Krb5.ini file. Ensure the kdc entry reads kdc = <Domain Controller Server Name>.DOMAIN.COM.

[libdefaults]
default_realm = DOMAIN.COM
dns_lookup_kdc = true
dns_lookup_realm = true
default_tgs_enctypes = rc4-hmac
default_tkt_enctypes = rc4-hmac
[realms]
DOMAIN.COM = {
kdc = <Domain Controller Server Name>.DOMAIN.COM
default_domain = DOMAIN.COM
}

Make sure the file is correct by navigating to the C:\Program Files (x86)\SAP BusinessObjects\SAP BusinessObjects Enterprise XI 4.0\win64_x64\jdk\bin\ folder on the BOBJ server and executing ‘kinit BOserviceaccount’ in a command prompt. If a new ticket is stored, the file is correct. 🙂 😛
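The kinit test above tells you whether the file works, but not what is wrong when it does not. As an added example (not part of the post, and not SAP's own tooling), the Python script below parses a krb5.ini in the format shown, flags a kdc value that is still a placeholder, a default_realm with no block under [realms], and enctype settings that permit only RC4 or DES, and runs those checks over the post's RC4-only file and over an AES-only variant. Both sample files are constructed for the example; the host name dc01.domain.com is an assumed placeholder.

```python
"""Pre-flight check of a krb5.ini before running kinit on the BOBJ server.

Added example: not code from the post or from SAP. The two sample files below are
constructed here; the host name dc01.domain.com is an assumed placeholder.
"""
import re

# Constructed sample 1: the post's file with the kdc placeholder still in place and
# RC4 as the only ticket encryption type.
KRB5_RC4_ONLY = """\
[libdefaults]
default_realm = DOMAIN.COM
dns_lookup_kdc = true
dns_lookup_realm = true
default_tgs_enctypes = rc4-hmac
default_tkt_enctypes = rc4-hmac
[realms]
DOMAIN.COM = {
kdc = <Domain Controller Server Name>.DOMAIN.COM
default_domain = DOMAIN.COM
}
"""

# Constructed sample 2: KDC filled in (assumed host name) and AES ticket types only.
KRB5_AES = """\
[libdefaults]
default_realm = DOMAIN.COM
dns_lookup_kdc = true
dns_lookup_realm = true
default_tgs_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
default_tkt_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
[realms]
DOMAIN.COM = {
  kdc = dc01.domain.com
  default_domain = DOMAIN.COM
}
"""

# Encryption types that should not be the only ones a new deployment accepts.
WEAK_ENCTYPES = {"rc4-hmac", "arcfour-hmac", "arcfour-hmac-md5",
                 "des-cbc-crc", "des-cbc-md5", "des3-cbc-sha1"}


def parse_krb5(text):
    """Parse krb5.ini into {section: {key: value}}; a realm block becomes a nested dict."""
    conf, section, block = {}, None, None
    for raw in text.splitlines():
        line = re.split(r"[#;]", raw, maxsplit=1)[0].strip()   # drop comments
        if not line:
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            section = conf.setdefault(header.group(1), {})
            block = None
            continue
        if section is None:
            raise ValueError(f"key outside any section: {line!r}")
        if line == "}":
            block = None
            continue
        key, _, value = (part.strip() for part in line.partition("="))
        if value == "{":
            block = section.setdefault(key, {})       # start of e.g. "DOMAIN.COM = {"
        else:
            (block if block is not None else section)[key] = value
    return conf


def check_krb5(text):
    """Return a list of problems; an empty list means the file is worth trying with kinit."""
    conf = parse_krb5(text)
    problems = []
    libdefaults = conf.get("libdefaults", {})
    realm_name = libdefaults.get("default_realm", "")
    if not realm_name:
        return ["libdefaults: default_realm is missing"]
    if realm_name != realm_name.upper():
        problems.append(f"default_realm {realm_name!r} is not upper-case (realm names are case-sensitive)")
    realm = conf.get("realms", {}).get(realm_name)
    if not isinstance(realm, dict):
        return problems + [f"[realms] has no block for {realm_name}"]
    kdc = realm.get("kdc", "")
    if not kdc:
        problems.append(f"realm {realm_name}: kdc is missing")
    elif re.search(r"[<>\s]", kdc):
        problems.append(f"realm {realm_name}: kdc still looks like a placeholder: {kdc!r}")
    for key in ("default_tgs_enctypes", "default_tkt_enctypes"):
        enctypes = libdefaults.get(key, "").split()
        if enctypes and all(e in WEAK_ENCTYPES for e in enctypes):
            problems.append(f"libdefaults: {key} allows only weak types ({' '.join(enctypes)})")
    return problems


if __name__ == "__main__":
    for label, sample in (("rc4-only", KRB5_RC4_ONLY), ("aes", KRB5_AES)):
        print(label, check_krb5(sample) or "OK")
```

Moving to the AES variant also requires the service account to support AES on the AD side (the Kerberos AES encryption options on the account's Account tab); without that, kinit fails against the AES-only file, which matches the report further down in the comments that only RC4 worked.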

· Open the Tomcat configuration tool and add the lines below to the Java Options:

-Djava.security.auth.login.config=C:\BO\WinAD\bscLogin.conf
-Djava.security.krb5.conf=C:\BO\WinAD\Krb5.ini

· Update server.xml, located in C:\BO\Tomcat\conf: search for the Connector string and ensure the Connector entry is similar to the one below (the larger maxHttpHeaderSize is needed because the Kerberos token sent in the Authorization header can exceed Tomcat's default header limit).

<Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443" compression="on" URIEncoding="UTF-8" acceptCount="100" debug="0" disableUploadTimeout="true" enableLookups="false" maxSpareThreads="75" maxThreads="150" maxHttpHeaderSize="65536" minSpareThreads="25" compressionMinSize="2048" noCompressionUserAgents="gozilla, traviata" compressableMimeType="text/html,text/xml,text/plain,text/css,text/javascript,text/json,application/json" />

4.1 Active Directory SSO Configuration

· The Active Directory SSO configuration involves creating .properties files in the Tomcat webapps folder where the BOE .war file is deployed.

· Go to C:\BO\Tomcat\webapps\BOE\WEB-INF\config\custom, create the file BIlaunchpad.properties and add the following entries to it:

authentication.default=secWinAD
authentication.visible=true

· In the same location, C:\BO\Tomcat\webapps\BOE\WEB-INF\config\custom, create the file global.properties and add the following entries to it:

sso.enabled=true
siteminder.enabled=false
vintela.enabled=true
idm.realm=DOMAIN.COM
idm.princ=ServicePrincipalName
idm.allowUnsecured=true
idm.allowNTLM=false
idm.logger.name=simple
idm.logger.props=error-log.properties
idm.allowS4U=true

Note that we are not keeping a keytab file path in global.properties.

· Open the Tomcat configuration tool and add the following lines to the Tomcat Java Options:

-Dcom.wedgetail.idm.sso.password=<Password of BOserviceaccount>
-Djcsi.kerberos.debug=true

Start Tomcat, go to C:\BO\SAP BusinessObjects\Tomcat\logs\ and check that stdout.log shows ‘credentials obtained’.

Test that single sign-on now works in a browser on a client system (not on the BOBJ server itself).

➕ To avoid SSO breaking on patch upgrades, copy BIlaunchpad.properties and global.properties from C:\BO\Tomcat\webapps\BOE\WEB-INF\config\custom to C:\BO\SAP BusinessObjects Enterprise XI 4.0\warfiles\webapps\BOE\WEB-INF\config\custom.
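Most SSO failures after these steps come from three pieces being out of step with each other: the SPNs registered with setspn in section 2.0, idm.princ in global.properties, and the Java options Tomcat starts with. As an added example (not from the post and not SAP's tooling), the Python script below reads the two property files and a captured setspn -l listing, checks the values the post asks for, confirms that idm.princ is one of the registered SPNs, confirms that the three -D options are present, and reports any key that differs between the live custom copy and the warfiles copy described in the last step. All sample texts are constructed for the example; BOBJServerName, domain.com, 10.0.0.25, oldhost and the placeholder password are assumptions.

```python
"""Cross-check the Tomcat SSO property files against the SPNs registered with setspn.

Added example: not code from the post or from SAP. All sample texts below are constructed
for this example; BOBJServerName, domain.com and 10.0.0.25 are placeholders.
"""
import re

# Constructed sample: output of "setspn -l BOserviceaccount" after the post's setspn -a commands.
SETSPN_OUTPUT = """\
Registered ServicePrincipalNames for CN=BOserviceaccount,CN=Users,DC=domain,DC=com:
        HTTP/BOBJServerName
        HTTP/BOBJServerName.domain.com
        HTTP/10.0.0.25
"""

LAUNCHPAD_OK = """\
authentication.default=secWinAD
authentication.visible=true
"""

GLOBAL_OK = """\
sso.enabled=true
siteminder.enabled=false
vintela.enabled=true
idm.realm=DOMAIN.COM
idm.princ=HTTP/BOBJServerName.domain.com
idm.allowUnsecured=true
idm.allowNTLM=false
idm.logger.name=simple
idm.logger.props=error-log.properties
idm.allowS4U=true
"""

# Constructed copy with three typical mistakes: NTLM fallback left on, an SPN nobody
# registered, and a keytab path (which the post deliberately does not use) added.
GLOBAL_BAD = (GLOBAL_OK.replace("idm.allowNTLM=false", "idm.allowNTLM=true")
              .replace("HTTP/BOBJServerName.domain.com", "HTTP/oldhost.domain.com")
              + "idm.keytab=C:\\BO\\WinAD\\bo.keytab\n")

JAVA_OPTIONS_OK = ("-Djava.security.auth.login.config=C:\\BO\\WinAD\\bscLogin.conf "
                   "-Djava.security.krb5.conf=C:\\BO\\WinAD\\Krb5.ini "
                   "-Dcom.wedgetail.idm.sso.password=<placeholder> -Djcsi.kerberos.debug=true")

EXPECTED_LAUNCHPAD = {"authentication.default": "secWinAD", "authentication.visible": "true"}
EXPECTED_GLOBAL = {"sso.enabled": "true", "vintela.enabled": "true",
                   "siteminder.enabled": "false", "idm.allowNTLM": "false"}
REQUIRED_JAVA_OPTIONS = ("-Djava.security.auth.login.config=",
                         "-Djava.security.krb5.conf=",
                         "-Dcom.wedgetail.idm.sso.password=")


def parse_properties(text):
    """Minimal Java .properties reader: key=value or key:value, '#' or '!' comment lines."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        m = re.match(r"([^=:]+?)\s*[=:]\s*(.*)", line)
        key, value = (m.group(1), m.group(2)) if m else (line, "")
        props[key.strip()] = value.strip()
    return props


def parse_setspn_output(text):
    """Indented lines of 'setspn -l' output are the SPNs; SPNs compare case-insensitively."""
    return {line.strip().lower() for line in text.splitlines()
            if line[:1].isspace() and line.strip()}


def check_sso_config(launchpad_text, global_text, setspn_text, java_options):
    """Return a list of problems with the SSO wiring; an empty list means consistent."""
    problems = []
    launchpad, glob = parse_properties(launchpad_text), parse_properties(global_text)
    for name, props, expected in (("BIlaunchpad.properties", launchpad, EXPECTED_LAUNCHPAD),
                                  ("global.properties", glob, EXPECTED_GLOBAL)):
        for key, want in expected.items():
            if props.get(key) != want:
                problems.append(f"{name}: expected {key}={want}, found {props.get(key)!r}")
    realm = glob.get("idm.realm", "")
    if not realm or realm != realm.upper():
        problems.append(f"global.properties: idm.realm must be the upper-case realm, found {realm!r}")
    princ = glob.get("idm.princ", "")
    if princ.lower() not in parse_setspn_output(setspn_text):
        problems.append(f"global.properties: idm.princ {princ!r} is not an SPN registered on the service account")
    for key in glob:   # the post keeps credentials out of this file and in the Java options
        if "keytab" in key.lower() or "password" in key.lower():
            problems.append(f"global.properties: credential material should not be here: {key}")
    for needed in REQUIRED_JAVA_OPTIONS:
        if not any(opt.startswith(needed) for opt in java_options.split()):
            problems.append(f"Tomcat Java options: {needed}... is missing")
    return problems


def config_drift(custom_text, warfiles_text):
    """Keys that differ between the live custom copy and the warfiles copy a patch would redeploy."""
    live, staged = parse_properties(custom_text), parse_properties(warfiles_text)
    return sorted(k for k in live.keys() | staged.keys() if live.get(k) != staged.get(k))


if __name__ == "__main__":
    print(check_sso_config(LAUNCHPAD_OK, GLOBAL_OK, SETSPN_OUTPUT, JAVA_OPTIONS_OK) or "OK")
    for p in check_sso_config(LAUNCHPAD_OK, GLOBAL_BAD, SETSPN_OUTPUT, JAVA_OPTIONS_OK):
        print("-", p)
    print("drift:", config_drift(GLOBAL_OK, GLOBAL_OK.replace("idm.allowS4U=true\n", "")))
```

The check only confirms that the password option is present; it says nothing about where the password then lives. A value passed as a -D option is readable by anyone who can read the Tomcat service configuration or the process command line, which is the trade-off of the plain-password technique against the keytab approach the post mentions at the start.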

Hope this helps.. 🙂

Thanks and Regards

Sandeep Chandran


      20 Comments
      Kailas Kurup

      This will definitely help. Thanks

      Titto Antony

      Thanks Sandeep for sharing valuable info for BO admins...

      Former Member

      Sweet easy steps with detailed information at each step for any layman.

      Great job Sandeep. Looking forward to more such detailed information.

      Andreas J A Schneider

      And for troubleshooting refer to the command KINIT

      Former Member

      This is really helpful....Thanks for sharing

      Former Member

      Very useful info Sandeep, good job...

      Former Member

      Very Useful

      Onkar Velhal

      Awesome post Sandeep.

      Extremely useful for noob.

      Keep up the good work!

      Jason Xu

      Hi Sandeep

      Thanks for your article.

      And I want to translate this article to Chinese, and share it to Chinese customer.

      Could I do it?

      Thanks,

      Jason

      Sandeep Chandran
      Blog Post Author

      Yes..You can do it.. Sorry for the late reply 🙂

      Former Member

      Hi Sandeep,

      Your steps are different from SAP BO 4.1 Administrator Guide.

      Will this work in a BO 4.1 clustered configuration (5-6 machines in a cluster named BO4STAGE)? The environment consists of 3-4 Tomcat servers running behind a load balancer. There are 6 SIA nodes in the cluster. Then what should we use? Any response will be appreciated.

      Sandeep Chandran
      Blog Post Author

      I have not done this on a clustered environment yet, but I think this will work; take extra care while configuring each Tomcat server.

      Shaheen Makandar

      This is very neat and to the point. Thanks for sharing this.

      Former Member

      Hello,

      Nice tutorial but...

      For today's reader, in 2016, don't use RC4 as the Kerberos encryption algorithm!

      See:

      Kerberos(SSO): throw RC4 away, adopt AES !

      Regards,

      Stéphane;

      Former Member

      Hi Stephane ,

      I tried to use the other encryption algorithm you sent in the link, but it did not work; only the RC4 AES worked.

      Regards

      Hosseini

      Pantry Coupon

      This is very helpful,
      Thanks

      Anshul Tiwari

      Hi

      Manual AD authentication is working for me on BI 4.2; however, SSO is not working. BI launchpad asks for credentials and does not silently sign on.

      Have performed all steps mentioned

      Thanks

      Ansh

      Sandeep Chandran
      Blog Post Author

      Hello Anshul,

      Have you checked the log file?

      Go to C:\BO\SAP BusinessObjects\Tomcat\logs\ and check that stdout.log shows ‘credentials obtained’.

      If not, please re-visit your configurations

      Thanks

      Sandeep Chandran

      Erik Sabol

      Hi Sandeep,

      Does the BO server need to be added to the domain before starting the whole procedure of configuring AD SSO?

      Thanks.

      Erik

      Former Member

      Hello All,

      We have SAP BO 4.2 and the web service running on IBM WAS. We are able to enable AD authentication and can log in. However, SSO is not working; any help on this is much appreciated.

      SAP BO: 4.2 SP2 Patch 6 deployed on Windows 2008

      WAS : IBM WAS 8.5.5.12.

      thank you

      Chandan K P