Former Member

Windows AD Authentication and SSO for only IS/DS and CMC no BI

I did not find any specific documentation for configuring Windows AD and SSO for only the IS/DS components, so I have put all the steps together here. I followed the SAP Note below.


1631734 – Configuring Active Directory Manual Authentication and SSO for BI4


OS: Windows Server 2012

DB: MS SQL Server

Apps: IS/DS (installed with IPS – Information Platform Services; no additional license required)


In our case we enabled SSO for InfoSteward and DS Designer; for the DS console and the CMC we use Windows AD authentication only. This article, however, gives you the steps to enable SSO for all components.



Section 1 – Planning your Service Account Configuration

Before configuring IS/DS for AD logins we must request an AD service account. This service account needs three roles:

1. Query AD

2. Run the SIA/CMS and allow manual AD logins

3. Allow SSO


Section 2 – Creating and preparing the service account

Instead of creating a new AD account on the Domain Controller, we decided to use the already existing <sid>adm user as the BI service account.


Have the AD team carry out these steps:


The account has been set up with “Password never expires” and is unlocked.



Delegation for the Service Account


Navigate to the properties of the service account and, under the Delegation tab, choose

“Trust this user for delegation to any service (Kerberos only)”.



Setspn commands – to be run on the domain controller by the AD team


    setspn -a BICMS/<sid> <sid>adm

    setspn -a HTTP/ <sid>adm

    setspn -a HTTP/host <sid>adm


Once they have run these commands you can view the registered SPNs from your IS/DS server by running:


    setspn -l <sid>adm
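A quick way to review the `setspn -l` output is to compare it with the SPNs the guide expects and with the SPN lists of other accounts, because an SPN registered on two accounts makes Kerberos logons to that service fail. The script below is an added example and not part of the article; the account names (sidadm, svc_other), the SID placeholder and the host names in the constructed output are assumptions.

```python
"""Check the service account's SPN list against what this guide expects.

Added example, not from the article. The text below is constructed to
look like `setspn -L <account>` output; the account names (sidadm,
svc_other), the SID placeholder and the host names are assumptions.
"""

# Constructed `setspn -L` outputs for two accounts. The second account is
# included only to show how a duplicate SPN is detected.
SAMPLE_SETSPN_L = {
    "sidadm": """\
Registered ServicePrincipalNames for CN=sidadm,OU=Service Accounts,DC=domain,DC=com:
        BICMS/sid
        HTTP/bihost
""",
    "svc_other": """\
Registered ServicePrincipalNames for CN=svc_other,OU=Service Accounts,DC=domain,DC=com:
        HTTP/bihost.domain.com
        HTTP/bihost
""",
}

# SPNs the guide registers: the CMS SPN entered on the CMC plugin page and
# the HTTP SPNs for the short and fully qualified host names (placeholders).
REQUIRED_SPNS = ["BICMS/sid", "HTTP/bihost", "HTTP/bihost.domain.com"]


def parse_setspn_l(text):
    """Return the SPNs listed by one `setspn -L` run, header line dropped."""
    spns = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("Registered ServicePrincipalNames"):
            continue
        spns.append(line)
    return spns


def check_spns(outputs, account, required):
    """Compare `account`'s SPNs with `required` and with every other account.

    outputs: {account_name: text of `setspn -L account_name`}
    Returns (missing, duplicates):
      missing    - required SPNs not registered on `account`
      duplicates - SPNs held by `account` and by some other account as well;
                   the KDC then cannot pick a single key for the service and
                   Kerberos logons to it fail.
    SPN comparison is case-insensitive, as in Active Directory.
    """
    by_account = {a: {s.lower() for s in parse_setspn_l(t)} for a, t in outputs.items()}
    mine = by_account.get(account, set())
    missing = [s for s in required if s.lower() not in mine]
    others = set().union(*(v for a, v in by_account.items() if a != account))
    duplicates = sorted(mine & others)
    return missing, duplicates


if __name__ == "__main__":
    missing, dupes = check_spns(SAMPLE_SETSPN_L, "sidadm", REQUIRED_SPNS)
    print("missing on sidadm:", missing)
    print("also registered on another account:", dupes)
```

On a real server, paste the output of `setspn -l <sid>adm` (and of any other account you suspect) into the dictionary in place of the constructed text; the HTTP SPN must match the host name users type into the browser, which is why both the short and the fully qualified name are listed as required.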


Section 3 – Configure the AD Plugin Page in the CMC and map in AD groups

Login to CMC => Authentication => Windows AD


Check “Enable Windows Active Directory (AD)”


AD Administrator Name: Domain\<sid>adm

Default AD Domain:


Mapped AD Member Groups: Add here the AD groups whose members need access.


Authentication Options:

Use Kerberos authentication

Service principal name: BICMS/<sid>


Check “Enable Single Sign On for selected authentication mode”.


New Alias options: Assign each new AD alias to an existing user account with the same name

Alias update options: Create new alias when alias update occurs

New User options: New users are created as concurrent users


On-demand AD update:

Update AD Groups and Alias now




Verifying users

Go to


CMC>Users and Groups>Group Hierarchy

and select the AD group you mapped to view the users in that group. This generates a live query to AD (using the CMC query account) and displays the current members of that group, including nested users (users that belong to nested AD groups).


Do not proceed if users and/or groups are not mapping in properly!



Section 4 – Steps to start the SIA/CMS under the service account

In order for the service account to run the SIA there are specific operating system settings that need to be set.


      1. Add the service account to the local Administrators group on any server where the service account will run a SIA/CMS.

          Open Computer Management > Local Users and Groups > Groups > Administrators > Properties > Add


      2. You should also grant the service account the local policy “Act as part of the operating system”, as seen in the screenshot below.

          Open Local Security Policy > Local Policies > User Rights Assignment > Act as part of the operating system > Properties > Add User or Group


      3. After the above changes have been made the service account can run the Server Intelligence Agent (SIA). Open the Central Configuration Manager (CCM), stop the SIA, enter the account in domain\username format on the Properties tab, and restart the SIA.



      4. Verify the service account and AD logins are working


You should be able to log in via DataServices Designer at this point. The next steps test an AD login with the Central Configuration Manager's Manage Servers tool.

Temporarily add your user to the local Administrators group, log in to the server with your ID and test it.

Temporarily add your user to the Administrators group in the CMC.


      Open the DataServices Designer:

      System – host[:port]: host:6400

      User name: blank

      Password: blank

      Authentication: Windows AD

      Log on


      It should then show the DS repositories.



Section 5 – Configuring Manual AD authentication to Java Application Servers


Two files need to be created when using Java. They are created from scratch and placed in the C:\windows\ directory on every Windows application server.

Create the bscLogin.conf file

Note: Make sure the file is not a text file.

    { required debug=true;




Create the krb5.ini file




    default_realm = DOMAIN.COM

    dns_lookup_kdc = true

    dns_lookup_realm = true

    default_tgs_enctypes = rc4-hmac

    default_tkt_enctypes = rc4-hmac

    udp_preference_limit = 1




    default_domain = DOMAIN.COM


Refer to OSS Note 1690665 – Unable to logon to BI Launchpad or CMC using Manual AD Authentication in BI 4.0 – when creating the krb5.ini file.
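Because a wrong krb5.ini is the most common reason the kinit test in the next step fails, the following added example (not from the article or the SAP Notes) parses a krb5.ini and reports the settings this guide depends on: an upper-case default_realm, a reachable KDC (either a kdc line or dns_lookup_kdc = true), udp_preference_limit = 1 so that large tickets go over TCP, and the encryption types. It flags rc4-hmac because it is a legacy encryption type; current domains prefer the AES types. The sample file is constructed: the section headers and the kdc line are assumptions the article's fragment does not show, and DOMAIN.COM and dc01.domain.com are placeholders.

```python
"""Parse a krb5.ini and check the settings this guide relies on.

Added example, not from the article or the SAP Notes. SAMPLE_KRB5_INI is
constructed; the [realms] block and the kdc line are assumptions.
"""
import re

# Constructed krb5.ini resembling the one in Section 5 (placeholder realm).
SAMPLE_KRB5_INI = """\
[libdefaults]
default_realm = DOMAIN.COM
dns_lookup_kdc = true
dns_lookup_realm = true
default_tgs_enctypes = rc4-hmac
default_tkt_enctypes = rc4-hmac
udp_preference_limit = 1

[realms]
DOMAIN.COM = {
    kdc = dc01.domain.com
    default_domain = DOMAIN.COM
}
"""

# Legacy encryption types; AES types are what current KDCs prefer.
WEAK_ENCTYPES = {"rc4-hmac", "arcfour-hmac", "arcfour-hmac-md5", "des-cbc-md5", "des-cbc-crc"}


def parse_krb5_ini(text):
    """Return {section: {key: value}}; 'NAME = { ... }' blocks become nested dicts."""
    sections, current, block = {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and blanks
        if not line:
            continue
        m = re.match(r"^\[(\w+)\]$", line)
        if m:
            current = sections.setdefault(m.group(1), {})
            block = None
            continue
        if current is None:
            raise ValueError("key before any [section]: %r" % line)
        if line.endswith("{"):                        # start of a realm block
            block = current.setdefault(line[:-1].split("=", 1)[0].strip(), {})
            continue
        if line == "}":
            block = None
            continue
        key, _, value = line.partition("=")
        (block if block is not None else current)[key.strip()] = value.strip()
    return sections


def check_krb5(text):
    """Return a list of findings; an empty list means nothing to flag."""
    cfg = parse_krb5_ini(text)
    libd = cfg.get("libdefaults", {})
    findings = []
    realm = libd.get("default_realm")
    if not realm:
        findings.append("libdefaults: default_realm missing")
    elif realm != realm.upper():
        findings.append("default_realm %r is not upper-case; realm names are case-sensitive" % realm)
    for key in ("default_tgs_enctypes", "default_tkt_enctypes"):
        for etype in libd.get(key, "").split():
            if etype.lower() in WEAK_ENCTYPES:
                findings.append("%s lists legacy enctype %s" % (key, etype))
    has_kdc = "kdc" in cfg.get("realms", {}).get(realm or "", {})
    if not has_kdc and libd.get("dns_lookup_kdc", "").lower() != "true":
        findings.append("no kdc line for %s and dns_lookup_kdc is not true" % realm)
    if libd.get("udp_preference_limit") != "1":
        findings.append("udp_preference_limit should be 1 so large tickets use TCP")
    return findings


if __name__ == "__main__":
    for finding in check_krb5(SAMPLE_KRB5_INI):
        print("FINDING:", finding)
```

On the application server run it against the real file with `check_krb5(open(r"C:\windows\krb5.ini").read())`; the two rc4-hmac findings it reports for the sample match what this guide configures, so treat them as a reminder for a later hardening pass rather than as an error.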


Verify Java can successfully receive a Kerberos ticket


      1. From a command prompt navigate to the sapjvm\bin directory. By default this is:

    E:\Program Files (x86)\SAP BusinessObjects\SAP BusinessObjects Enterprise XI 4.0\win64_x64\sapjvm\bin

      2. Run kinit <username>, press Enter and type your password:


    kinit <sid>adm


If the KDC and the other settings in krb5.ini are correct you should receive a ticket.


Section 6 – Configuring CMC for manual AD login


Create a file with the lines below:





Point your application server to the bscLogin.conf and krb5.ini files.


Add the following lines to the Tomcat Java options (Tomcat must be restarted to test):

    \windows\bscLogin.conf

    \windows\krb5.ini


Restart the Tomcat


Verify the bscLogin.conf has been loaded by your application server


To verify that bscLogin.conf has been loaded by your application server, attempt to log on to the CMC (with AD selected in the drop-down).

Check stdout.log in the ..\tomcat\logs folder; you should see “Commit succeed”.


At this point you will be able to log in to InfoSteward, the DataServices Console and the CMC with Windows AD logins.


Section 7 – Configuring Active Directory Single Sign On



Increase Tomcat’s maxHttpHeaderSize



Take a backup of the existing server.xml and add maxHttpHeaderSize="65536" to the Connector tag for port 8080.


Create and configure a file




Create a file named with the following text inside:









For the values in bold above replace them with the values for your service account from Section 2 above.

Create and configure a file


Copy the file from ..\tomcat\webapps\BOE\WEB-INF\config\default to the ..\tomcat\webapps\BOE\WEB-INF\config\custom folder and modify it there.





Add additional parameters to the file – Optional

If you want to configure SSO for the CMC as well, you can create the file with the text below. It is not a good idea to enable SSO for the CMC, though: if SSO stops working you need to log in to the CMC to troubleshoot it, and you may also face security issues if an attacker gains access to your domain.





    sso.supported.types=vintela, trustedIIS, trustedHeader, trustedParameter, trustedCookie, trustedSession, trustedUserPrincipal, trustedVintela, trustedX509, sapSSO, siteminder



Refer OSS Note: 2190831 – How to enable CMC SSO in BI 4.1 SP6

Configuring the application server’s Java Options for AD Single Sign On

1. Add the following lines to the tomcat java options. Tomcat must be restarted to test.




The wedgetail.sso.password is the password for your service account from Section 2 above.

The DJCSI.kerberos.debug option enables a start-up trace of the Vintela filter.


Configuring the Data Services for SSO

Take a backup of the existing web.xml file and modify the parameters you have put in the global.properties file.








Uncomment the auth filters and update the domain and service account details. Disable the keytab-related content for now; we will enable it later.


<!-- start filter setting -->
















<!-- End filter setting -->



Verify the Vintela filter has loaded successfully

Stop Tomcat

Delete or back up the logs in the folders below



Remove the folder ..\tomcat\work\Catalina\localhost\DataServices

Restart Tomcat


Open the stderr.log file in tomcat\logs and look for the lines


    INFO: Server startup in ###### ms

    jcsi.kerberos: ** credentials obtained .. **.
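Both log checks in this guide, “Commit succeed” in stdout.log (Section 6, bscLogin.conf loaded) and the jcsi.kerberos credentials line in stderr.log (this section, Vintela filter started), can be automated so that a restart is verified the same way every time. The script below is an added example and not part of the article; the log lines are constructed to resemble Tomcat output (the Tomcat version and the millisecond value are placeholders), and the failure strings it looks for are the standard Java Kerberos exception messages.

```python
"""Scan Tomcat log lines for the markers this guide uses to verify AD logon
and SSO: "Commit succeed" (bscLogin.conf / Krb5LoginModule), the
"jcsi.kerberos: ** credentials obtained" line (Vintela filter) and the
"Server startup" line, plus a few Kerberos failure messages.

Added example, not from the article. The log excerpts are constructed.
"""
import re

# Constructed stdout.log and stderr.log excerpts (version and timing are placeholders).
SAMPLE_STDOUT = """\
[Krb5LoginModule] user entered username: sidadm@DOMAIN.COM
Commit Succeeded
""".splitlines()

SAMPLE_STDERR = """\
INFO: Starting Servlet Engine: Apache Tomcat/7.0.55
jcsi.kerberos: ** credentials obtained .. **.
INFO: Server startup in 48213 ms
""".splitlines()

# Success markers: label -> pattern. Case-insensitive so "Commit succeed"
# and "Commit Succeeded" both match.
MARKERS = {
    "bscLogin.conf loaded (Krb5LoginModule commit)": re.compile(r"Commit succeed", re.I),
    "Vintela filter obtained service credentials": re.compile(r"jcsi\.kerberos: \*\* credentials obtained", re.I),
    "Tomcat finished startup": re.compile(r"Server startup in (\d+) ms", re.I),
}

# Standard Java Kerberos failure messages worth surfacing next to the markers.
FAILURE_HINTS = re.compile(
    r"(Pre-authentication information was invalid|Clock skew too great|"
    r"Cannot get kdc for realm|KrbException|LoginException)", re.I)


def scan_logs(lines):
    """Return (found, problems).

    found    - {marker label: line number where it last appeared}
    problems - [(line number, failure message)] for every failure hint seen
    """
    found, problems = {}, []
    for n, line in enumerate(lines, 1):
        for label, pattern in MARKERS.items():
            if pattern.search(line):
                found[label] = n
        m = FAILURE_HINTS.search(line)
        if m:
            problems.append((n, m.group(1)))
    return found, problems


def sso_ready(stdout_lines, stderr_lines):
    """True only when every marker is present and no failure hint was logged."""
    found, problems = scan_logs(list(stdout_lines) + list(stderr_lines))
    return len(found) == len(MARKERS) and not problems


if __name__ == "__main__":
    found, problems = scan_logs(SAMPLE_STDOUT + SAMPLE_STDERR)
    for label, n in found.items():
        print("OK  line %d: %s" % (n, label))
    for n, msg in problems:
        print("ERR line %d: %s" % (n, msg))
    print("SSO ready:", sso_ready(SAMPLE_STDOUT, SAMPLE_STDERR))
```

Run it after each restart against the real files, for example `sso_ready(open(r"..\tomcat\logs\stdout.log").read().splitlines(), open(r"..\tomcat\logs\stderr.log").read().splitlines())`; a “Clock skew too great” hit points at time synchronisation between the application server and the domain controller, while a pre-authentication failure usually means the service account password in the Java options is wrong.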

Testing AD Single Sign On

Note: Do not test SSO on the Tomcat server itself; test from a different machine. When you open the URL in a browser it should log you in automatically, without asking for a user name and password, because you are logged in to the machine you are testing from with a domain user.


Testing AD Single Sign On for InfoSteward



Testing AD Single Sign On for DS Designer


Log in to the IS/DS server with your ID and start DS Designer

      System – host[:port]: host:6400

      User name: blank

      Password: blank

      Authentication: Windows AD

      Log on

Select the repository and click OK

You should be logged in to that repository.

Note: You must have access to that repository at the DB level.

Testing AD Single Sign On for DS Management Console




You should be able to log in to the DS console with your domain user without being prompted for a user name and password.


Section 8 – Encrypting your service account password with a keytab

As an alternative to hard-coding the service account's password in the Java options, we can encrypt the password in a keytab file.


Run the command below on the AD server:


    ktpass -out bosso.keytab -princ <BI Service Account> -pass <password> -kvno 255 -ptype KRB5_NT_PRINCIPAL -crypto RC4-HMAC-NT


Once you receive the file you need to perform the below steps


Copy the bosso.keytab to the C:\Windows\ directory of the IS/DS application server


Add the following line to ..\tomcat\webapps\BOE\WEB-INF\config\custom\


idm.keytab=C:/WINDOWS/bosso.keytab (note the FORWARD slashes)


Remove the wedgetail.passwords option from the application server's Tomcat Java options.


Add the following lines to ..\tomcat\webapps\DataServices\WEB-INF\web.xml




Restart Tomcat and ensure you still see jcsi.kerberos: ** credentials obtained.. **. in the application server logs per the directions in the section above titled Verify the vintela filter has loaded successfully.


Test again SSO for IS, DS.


See KBA 1359035 to test the keytab separately if SSO stops working after these changes.
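Before pointing idm.keytab at the file, it is worth confirming that the keytab really contains an entry for the service account with the expected key version number (the ktpass call above sets kvno 255) and encryption type, since a mismatch in either is a common reason SSO stops working after this change. The script below is an added example and not the procedure from KBA 1359035 or the article; it builds a constructed keytab in the MIT keytab layout (file version 0x0502) with a dummy key and then parses it without ever returning the key bytes. The principal names and realm are placeholders. A real bosso.keytab holds the key derived from the service account's password, so protect the file as you would the password.

```python
"""Inspect a keytab: principal, key version number and encryption type of
each entry, without printing key material.

Added example, not from the article or KBA 1359035. build_keytab() creates
constructed test data in the MIT keytab layout (version 0x0502); the
principals, realm and dummy keys are placeholders.
"""
import struct

KRB5_NT_PRINCIPAL = 1
ENCTYPE_NAMES = {1: "des-cbc-crc", 3: "des-cbc-md5", 17: "aes128-cts-hmac-sha1-96",
                 18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}
LEGACY_ENCTYPES = {1, 3, 23}


def _counted(b):
    """Keytab 'counted octet string': 16-bit big-endian length, then bytes."""
    return struct.pack(">H", len(b)) + b


def build_keytab(principal, realm, kvno, enctype, key, timestamp=0):
    """Serialise a one-entry keytab (constructed test data, not ktpass output)."""
    comps = principal.split("/")
    body = struct.pack(">H", len(comps)) + _counted(realm.encode())
    for c in comps:
        body += _counted(c.encode())
    body += struct.pack(">IIB", KRB5_NT_PRINCIPAL, timestamp, kvno & 0xFF)
    body += struct.pack(">HH", enctype, len(key)) + key
    body += struct.pack(">I", kvno)              # 32-bit kvno extension
    return b"\x05\x02" + struct.pack(">i", len(body)) + body


def _read_counted(data, pos):
    (n,) = struct.unpack(">H", data[pos:pos + 2])
    return data[pos + 2:pos + 2 + n].decode(), pos + 2 + n


def parse_keytab(data):
    """Describe each live entry; key bytes are stepped over, never returned."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack(">i", data[pos:pos + 4])
        pos += 4
        if size < 0:                              # deleted slot: skip it
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack(">H", data[pos:pos + 2])
        pos += 2
        realm, pos = _read_counted(data, pos)
        comps = []
        for _ in range(ncomp):
            c, pos = _read_counted(data, pos)
            comps.append(c)
        name_type, _ts, vno8 = struct.unpack(">IIB", data[pos:pos + 9])
        pos += 9
        etype, klen = struct.unpack(">HH", data[pos:pos + 4])
        pos += 4 + klen                           # skip the key material
        vno = vno8
        if end - pos >= 4:                        # optional 32-bit kvno
            (vno32,) = struct.unpack(">I", data[pos:pos + 4])
            if vno32:
                vno = vno32
        pos = end
        entries.append({"principal": "/".join(comps) + "@" + realm, "name_type": name_type,
                        "kvno": vno, "enctype": etype, "key_len": klen,
                        "enctype_name": ENCTYPE_NAMES.get(etype, "unknown(%d)" % etype)})
    return entries


def check_keytab(data, expected_principal):
    """Findings to resolve before relying on this keytab for SSO."""
    entries = parse_keytab(data)
    findings = []
    if not any(e["principal"] == expected_principal for e in entries):
        findings.append("no entry for %s; found %s" % (expected_principal, [e["principal"] for e in entries]))
    for e in entries:
        if e["enctype"] in LEGACY_ENCTYPES:
            findings.append("%s uses legacy enctype %s" % (e["principal"], e["enctype_name"]))
    return findings


if __name__ == "__main__":
    demo = build_keytab("sidadm", "DOMAIN.COM", 255, 23, b"\x11" * 16)   # placeholder principal
    for e in parse_keytab(demo):
        print("%(principal)s kvno=%(kvno)d enctype=%(enctype_name)s keylen=%(key_len)d" % e)
    print(check_keytab(demo, "sidadm@DOMAIN.COM"))
```

To inspect the real file use `check_keytab(open(r"C:\Windows\bosso.keytab", "rb").read(), "<BI Service Account>@DOMAIN.COM")`. The rc4-hmac finding is expected with the -crypto RC4-HMAC-NT option used above; the check that matters most here is that the principal and the kvno in the file agree with the account in AD, because a keytab made with the wrong kvno or before a password change is silently rejected by the KDC.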


Disable debug mode in the Tomcat Java properties


Section 9 – Additional information and settings


Ensure your .properties files are not overwritten after a patch or redeploy

1. Copy the, and files from:



2. Paste the .properties files in the folder below:

SAPBusinessObjects\SAP BusinessObjects Enterprise XI 4.0\warfiles\webapps\BOE\WEB-INF\config\custom


3. Copy the web.xml file from



SAPBusinessObjects\SAP BusinessObjects Enterprise XI 4.0\warfiles\webapps\DataServices\WEB-INF

Take the backup of existing file before copying it.

End of the Article


You can post your questions or comments here, so that I can clarify.

      Author's profile photo Former Member
      Former Member

      Thanks for this!

      Author's profile photo Former Member
      Former Member


      Thx for this useful article.

      Please tell me which ports (Out & In) are used for manual AD auth. (without SSO) SAP Information Steward - MS AD?

      Author's profile photo Rodrigo Garcia Naranjo
      Rodrigo Garcia Naranjo

      Hi Aleksandr,

      As far as I know there are no specific ports for manual AD; just the AD server and the BO/IS server need to be reachable from one another, then having the corresponding configuration done (mentioned in this article) will make it. The communication will go through the Tomcat WAS within the Tomcat port configured.



      Author's profile photo Rodrigo Garcia Naranjo
      Rodrigo Garcia Naranjo

      Hello guys,

      I configured the SSO for IS successfully. Now, is there a "No SSO" link as for BI Launch Pad, like "http://<host>:<port>/BOE/BI/logonNoSso.jsp"? I have tried using "http://<host>:<port>/BOE/InfoStewardApp/1801161954/ICCExplorer/logonNoSso.jsp" without luck. Do you know what link I should use to avoid the SSO functionality and get to the login page?

      Any feedback it's appreciated.