Windows AD Authentication and SSO for only IS/DS and CMC no BI
I did not find any specific documentation for configuring Windows AD authentication and SSO for only the IS/DS components, so I have put all the steps together here. I followed the SAP Note below.
1631734 – Configuring Active Directory Manual Authentication and SSO for BI4
OS: Windows Server 2012
DB: MS SQL Server
Apps: IS/DS (Installed with IPS – Information Platform Service, no additional license required)
In our case we enabled SSO for InfoSteward and DS Designer. For the DS Management Console and the CMC we use Windows AD authentication only (manual logon). This article nevertheless gives the steps to enable SSO for all components.
_____________________________________________________________________________________________________________________________________
Section 1 – Planning your Service Account Configuration
Before configuring IS/DS for AD logins we must request an AD service account. This account has to fulfil 3 roles:
1. Query AD
2. Run the SIA/CMS and allow manual AD logins
3. Allows SSO
Section 2 – Creating and preparing the service account
Instead of creating a new AD account on the Domain Controller, we decided to reuse the existing <sid>adm user as the BI service account. Bear in mind that this account's password ends up in Tomcat's Java options in Section 7 (until Section 8 replaces it with a keytab), so a dedicated, least-privilege service account is preferable where you can get one.
Have the AD team set the account up as follows:
It is set to "Password never expires" and is unlocked (not locked out).
Delegation for the Service Account
Navigate to the properties of the service account and, on the Delegation tab, choose
"Trust this user for delegation to any service (Kerberos only)". This is unconstrained Kerberos delegation, so treat the account as sensitive. The Delegation tab only appears once at least one SPN is registered on the account; if it is missing, run the setspn commands below first.
Setspn commands – to be run on a Domain Controller by the AD team:
setspn -a BICMS/<sid>adm.domain.com <sid>adm
setspn -a HTTP/host.domain.com <sid>adm
setspn -a HTTP/host <sid>adm
(setspn -S instead of -a refuses to add an SPN that is already registered on another account. An SPN present on two accounts breaks Kerberos for both, so if -a was used, check for duplicates afterwards with setspn -X.)
Once they have run these commands you can view them from your IS/DS server (or any domain-joined machine) with:
setspn -l <sid>adm
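As an added example (not part of the original article or of SAP's own tooling), the following PowerShell script checks from a domain-joined machine that the account is set up as Section 2 requires: enabled and unlocked, password never expires, trusted for Kerberos delegation, all three SPNs present, and none of them duplicated on another account. It also reports the account's msDS-SupportedEncryptionTypes, which decides whether the rc4-hmac settings used later in this article still apply. It assumes the RSAT ActiveDirectory module; the values sidadm, domain.com and host are placeholders for <sid>adm, your AD domain and the IS/DS server.

```powershell
# Added example (not from the original article or SAP): verify the Section 2
# service-account prerequisites from any domain-joined machine.
# Assumes the RSAT ActiveDirectory module. Placeholders to replace:
# 'sidadm' (<sid>adm), 'domain.com' (AD domain), 'host' (IS/DS Tomcat server).
param(
    [string]$ServiceAccount = 'sidadm',
    [string]$DomainFqdn     = 'domain.com',
    [string]$AppHost        = 'host'
)

Import-Module ActiveDirectory -ErrorAction Stop

# The three SPNs Section 2 registers with setspn.
$expectedSpns = @(
    "BICMS/$ServiceAccount.$DomainFqdn",
    "HTTP/$AppHost.$DomainFqdn",
    "HTTP/$AppHost"
)

$props = @('ServicePrincipalName', 'TrustedForDelegation', 'PasswordNeverExpires',
           'LockedOut', 'Enabled', 'msDS-SupportedEncryptionTypes')
$acct  = Get-ADUser -Identity $ServiceAccount -Properties $props

$problems = New-Object System.Collections.Generic.List[string]

if (-not $acct.Enabled)              { $problems.Add('account is disabled') }
if ($acct.LockedOut)                 { $problems.Add('account is locked out') }
if (-not $acct.PasswordNeverExpires) { $problems.Add('"Password never expires" is not set; SSO stops when the password expires') }
if (-not $acct.TrustedForDelegation) { $problems.Add('"Trust this user for delegation to any service (Kerberos only)" is not set') }

foreach ($spn in $expectedSpns) {
    # Each SPN must be on this account ...
    if ($acct.ServicePrincipalName -notcontains $spn) {
        $problems.Add("missing SPN $spn (fix: setspn -S $spn $ServiceAccount)")
    }
    # ... and on no other object: with a duplicate SPN the KDC encrypts service
    # tickets with the wrong key and Kerberos fails; browsers then fall back to
    # NTLM, which idm.allowNTLM=false rejects. This searches the current domain;
    # for a multi-domain forest add -Server <dc>:3268 and the forest root as
    # -SearchBase to query the global catalog instead.
    $owners = @(Get-ADObject -LDAPFilter "(servicePrincipalName=$spn)" -Properties sAMAccountName)
    $others = @($owners | Where-Object { $_.DistinguishedName -ne $acct.DistinguishedName })
    if ($others.Count -gt 0) {
        $problems.Add("SPN $spn is also registered on: $(($others | ForEach-Object { $_.sAMAccountName }) -join ', ')")
    }
}

# msDS-SupportedEncryptionTypes is a bit mask: 0x4 RC4-HMAC, 0x8 AES128, 0x10 AES256.
# Absent means the KDC issues RC4 tickets for this account, which is what the
# rc4-hmac lines in krb5.ini and -crypto RC4-HMAC-NT in Section 8 expect.
$etypes = $acct.'msDS-SupportedEncryptionTypes'
if ($null -eq $etypes) {
    $etypeText = 'not set (RC4-HMAC only; matches this article)'
} else {
    $etypeText = '0x{0:X}' -f $etypes
    if ($etypes -band 0x18) { $etypeText += ' (AES enabled: krb5.ini enctypes and the keytab -crypto must match it)' }
}

"Service account : $($acct.DistinguishedName)"
"Registered SPNs : $($acct.ServicePrincipalName -join ', ')"
"Encryption types: $etypeText"
if ($problems.Count -eq 0) {
    'OK: Section 2 prerequisites are met.'
} else {
    'Problems found:'
    $problems | ForEach-Object { " - $_" }
}
```

Run it once after the AD team has finished and again whenever SSO breaks without an obvious cause; a duplicate SPN or an expired password are the two most common reasons the rest of this article stops working.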
Section 3 – Configure the AD Plugin Page in the CMC and map in AD groups
Login to CMC => Authentication => Windows AD
Check “Enable Windows Active Directory (AD)”
AD Administrator Name: Domain\<sid>adm
Default AD Domain: Domain.com
Mapped AD Member Groups: We need to add the required AD groups here who needs access.
Authentication Options:
Use Kerberos authentication
Service principal name: BICMS/<sid>adm.domain.com
Check "Enable Single Sign On for selected authentication mode"
New Alias options: Assign each new AD alias to an existing user account with the same name
Alias update options: Create new alias when alias update occurs
New User options: New users are created as concurrent users
On-demand AD update:
Update AD Groups and Alias now
Update
Verifying users
Go to
CMC>Users and Groups>Group Hierarchy
and select the AD group you mapped to view the users for that group. This will generate a live query to AD (using the CMC query account) and display the current users in that group. It will also display any nested users in that group (users that belong to nested AD groups).
Do not proceed if users and/or groups are not mapping in properly!
Section 4 — Steps to start the SIA/CMS under the service account
In order for the service account to run the SIA there are specific operating system settings that need to be set.
1. Add the service account to the local Administrators group on every server where it will run a SIA/CMS.
Open Computer Management > Local Users and Groups > Groups > Administrators > Properties > Add
2. Grant the service account the local policy "Act as part of the operating system" (SeTcbPrivilege):
Open Local Security Policy > Local Policies > User Rights Assignments > Act as part of the operating system > Properties > Add User or Group
3. After the above changes the service account can run the Server Intelligence Agent (SIA). Open the Central Configuration Manager (CCM), stop the SIA, and on the Properties tab enter the account in domain\username format together with its password. Then restart the SIA.
4. Verify the service account and AD logins are working
You should be able to log in via DataServices Designer at this point; the steps below test an AD login with it (the Central Configuration Manager's Manage Servers tool can be used the same way).
Temporarily add your own AD user to the Administrators group in the CMC, log in to the server with your ID and test:
Open DataServices Designer
System – host[:port]: host:6400
User name: blank
Password: blank
Authentication: Windows AD
Log on
It should then show the DS repositories.
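As an added example that is not part of the original article, the following PowerShell script (run in an elevated prompt on the IS/DS server) checks the Section 4 settings: membership of the local Administrators group, the "Act as part of the operating system" right (SeTcbPrivilege, read from a secedit export), and the account the SIA service actually logs on as. DOMAIN\sidadm is a placeholder for your <sid>adm account, and the service display-name pattern "Server Intelligence Agent" is the BI 4.x/IPS default, an assumption about your installation.

```powershell
# Added example (not from the original article): check the Section 4 OS
# settings on the IS/DS server. Run in an elevated PowerShell.
# 'DOMAIN\sidadm' is a placeholder for your <sid>adm service account.
param(
    [string]$ServiceAccount = 'DOMAIN\sidadm'
)

$problems = New-Object System.Collections.Generic.List[string]

# 1. Local Administrators membership. "net localgroup" is used because
#    Get-LocalGroupMember does not exist on Windows Server 2012.
$raw = net localgroup Administrators
$members = $raw |
    Where-Object { $_ -and $_ -notmatch '^(Alias name|Comment|Members|-{5,}|The command completed)' } |
    ForEach-Object { $_.Trim() }
if ($members -notcontains $ServiceAccount) {
    $problems.Add("$ServiceAccount is not in the local Administrators group (current: $($members -join ', '))")
}

# 2. "Act as part of the operating system" is SeTcbPrivilege. Export the local
#    policy and look for the account's SID in the [Privilege Rights] section
#    (secedit writes SIDs prefixed with '*').
$ntAccount = New-Object System.Security.Principal.NTAccount($ServiceAccount)
$sid = $ntAccount.Translate([System.Security.Principal.SecurityIdentifier]).Value
$inf = Join-Path $env:TEMP 'user-rights.inf'
secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
$tcbLine = Get-Content $inf | Where-Object { $_ -match '^SeTcbPrivilege\s*=' } | Select-Object -First 1
Remove-Item $inf -ErrorAction SilentlyContinue
if (-not $tcbLine -or $tcbLine -notmatch [regex]::Escape("*$sid")) {
    $problems.Add("$ServiceAccount lacks 'Act as part of the operating system' (SeTcbPrivilege); policy line: '$tcbLine'")
}

# 3. The account the SIA service logs on as (display name "Server Intelligence
#    Agent (<node>)" in BI 4.x / IPS; an assumption about your install).
$sias = @(Get-WmiObject Win32_Service -Filter "DisplayName LIKE 'Server Intelligence Agent%'")
if ($sias.Count -eq 0) { $problems.Add('no Server Intelligence Agent service found on this host') }
foreach ($svc in $sias) {
    if ($svc.StartName -ne $ServiceAccount) {
        $problems.Add("'$($svc.DisplayName)' runs as '$($svc.StartName)', not $ServiceAccount (change it in the CCM)")
    }
}

if ($problems.Count -eq 0) {
    "OK: $ServiceAccount is a local admin, holds SeTcbPrivilege and runs the SIA."
} else {
    'Problems found:'
    $problems | ForEach-Object { " - $_" }
}
```

If step 3 reports the SIA running as LocalSystem, the CCM change in step 3 of Section 4 was not saved; without the service account the CMS cannot accept Windows AD logons even though the plugin in the CMC is enabled.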
Section 5 – Configuring Manual AD authentication for the Java Application Server
Two files need to be created when using Java. They are created from scratch and placed in the C:\Windows\ directory of every Windows application server.
Create the bscLogin.conf file
Note: make sure the file is saved under exactly this name and not as bscLogin.conf.txt (Windows Explorer hides known extensions by default), and save it as plain ASCII without a byte-order mark.
com.businessobjects.security.jgss.initiate {
com.sun.security.auth.module.Krb5LoginModule required debug=true;
};
Create the krb5.ini file
[libdefaults]
default_realm = DOMAIN.COM
dns_lookup_kdc = true
dns_lookup_realm = true
default_tgs_enctypes = rc4-hmac
default_tkt_enctypes = rc4-hmac
udp_preference_limit = 1
[realms]
DOMAIN.COM = {
kdc = DCHOSTNAME.DOMAIN.COM
default_domain = DOMAIN.COM
}
Refer to OSS Note 1690665 – Unable to logon to BI Launchpad or CMC using Manual AD Authentication in BI 4.0 when creating the krb5.ini file.
The rc4-hmac enctypes match the ktpass -crypto RC4-HMAC-NT keytab in Section 8 and the KDC default for an account without msDS-SupportedEncryptionTypes set. RC4 is a weak, deprecated cipher; if the AD team enables AES on the service account, change default_tgs_enctypes and default_tkt_enctypes to aes256-cts-hmac-sha1-96 and create the keytab with -crypto AES256-SHA1 at the same time.
Verify Java can successfully receive a Kerberos ticket
1. From a command prompt navigate to the sapjvm\bin directory. By default this is:
E:\Program Files (x86)\SAP BusinessObjects\SAP BusinessObjects Enterprise XI 4.0\win64_x64\sapjvm\bin
2. Run kinit with the service account and type its password when prompted:
kinit <sid>adm
If the KDC and the other settings in krb5.ini are correct, kinit reports that a new ticket has been stored in the cache file (%USERPROFILE%\krb5cc_<user>).
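As an added example (not part of the original article), the following PowerShell script performs the Section 5 verification end to end on the application server: it checks that both files exist under their exact names and carry no byte-order mark, probes every kdc entry from krb5.ini on TCP/88, then runs kinit and klist from the SAP JVM and prints the ticket's encryption type. The account sidadm, realm DOMAIN.COM and the sapjvm\bin path are placeholders; klist.exe shipping alongside kinit.exe in sapjvm\bin is an assumption about the JVM build.

```powershell
# Added example (not from the original article): sanity-check the Section 5
# Kerberos client setup before attempting a CMC logon. Placeholders:
# 'sidadm' (<sid>adm), 'DOMAIN.COM' (realm) and the sapjvm\bin path.
param(
    [string]$ServiceAccount = 'sidadm',
    [string]$Realm          = 'DOMAIN.COM',
    [string]$SapJvmBin      = 'E:\Program Files (x86)\SAP BusinessObjects\SAP BusinessObjects Enterprise XI 4.0\win64_x64\sapjvm\bin'
)

$problems = New-Object System.Collections.Generic.List[string]

# 1. Both files exist under their exact names and are plain ASCII. Java's JAAS
#    and krb5 parsers reject a byte-order mark, and Notepad likes to add one
#    (or a .txt suffix).
foreach ($name in 'bscLogin.conf', 'krb5.ini') {
    $path = Join-Path $env:windir $name
    if (-not (Test-Path -LiteralPath $path)) {
        if (Test-Path -LiteralPath "$path.txt") { $problems.Add("$path was saved as $name.txt; rename it") }
        else                                    { $problems.Add("$path is missing") }
        continue
    }
    $bytes = [System.IO.File]::ReadAllBytes($path)
    if ($bytes.Length -ge 3 -and $bytes[0] -eq 0xEF -and $bytes[1] -eq 0xBB -and $bytes[2] -eq 0xBF) {
        $problems.Add("$path starts with a UTF-8 BOM; re-save as ASCII")
    } elseif ($bytes.Length -ge 2 -and $bytes[0] -eq 0xFF -and $bytes[1] -eq 0xFE) {
        $problems.Add("$path is UTF-16; re-save as ASCII")
    }
}

# 2. Every kdc = entry in krb5.ini must answer on TCP/88 (udp_preference_limit = 1
#    forces TCP, so a UDP-only firewall rule is not enough).
$krb5 = Join-Path $env:windir 'krb5.ini'
if (Test-Path -LiteralPath $krb5) {
    $kdcs = Select-String -LiteralPath $krb5 -Pattern '^\s*kdc\s*=\s*(\S+)' |
            ForEach-Object { $_.Matches[0].Groups[1].Value }
    if (-not $kdcs) { $problems.Add('krb5.ini has no kdc = line under [realms]') }
    foreach ($kdc in @($kdcs | Where-Object { $_ })) {
        $kdcHost, $kdcPort = $kdc -split ':'
        if (-not $kdcPort) { $kdcPort = 88 }
        try {
            $tcp = New-Object System.Net.Sockets.TcpClient
            $tcp.Connect($kdcHost, [int]$kdcPort)   # also proves DNS resolves the KDC name
            $tcp.Close()
        } catch {
            $problems.Add("cannot reach KDC $kdcHost on TCP/$kdcPort`: $($_.Exception.Message)")
        }
    }
}

$kinit = Join-Path $SapJvmBin 'kinit.exe'
$klist = Join-Path $SapJvmBin 'klist.exe'
if (-not (Test-Path -LiteralPath $kinit)) { $problems.Add("$kinit not found; check the sapjvm path") }

if ($problems.Count -gt 0) {
    'Problems found:'
    $problems | ForEach-Object { " - $_" }
    return
}

# 3. Get a TGT with the JVM's own kinit (it prompts for the password and writes
#    %USERPROFILE%\krb5cc_<user>). Always call it by full path: Windows ships
#    its own klist.exe, which shows the LSA ticket cache, not the Java one.
& $kinit "$ServiceAccount@$Realm"
if ($LASTEXITCODE -ne 0) {
    "kinit failed (exit $LASTEXITCODE): check default_realm, the kdc entry and the enctypes in krb5.ini"
    return
}
# -e prints the ticket's encryption type; with this krb5.ini expect rc4-hmac.
& $klist -c -e
```

A successful run that still ends in a CMC logon failure points at Tomcat (the Java options of Section 6 not applied) rather than at Kerberos itself, which narrows the search considerably.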
Section 6 – Configuring the CMC for manual AD login
Create a CmcApp.properties file in ..\tomcat\webapps\BOE\WEB-INF\config\custom with the lines below:
authentication.visible=true
authentication.default=secWinAD
Point your application server to the bscLogin.conf and krb5.ini files by adding the following lines to the Tomcat Java options. Tomcat must be restarted to test.
-Djava.security.auth.login.config=c:\windows\bscLogin.conf
-Djava.security.krb5.conf=c:\windows\krb5.ini
Restart Tomcat.
Verify that bscLogin.conf has been loaded by your application server
Attempt to log on to the CMC with Windows AD selected in the drop-down, then check stdout.log in the ..\tomcat\logs folder: with debug=true in bscLogin.conf you should see "Commit Succeeded" from the Krb5LoginModule.
At this point you will be able to log in to InfoSteward, the DataServices Management Console and the CMC with Windows AD logins.
Section 7 – Configuring Active Directory Single Sign On
Increase Tomcat's maxHttpHeaderSize
In ..\tomcat\conf, back up the existing server.xml and add maxHttpHeaderSize="65536" to the Connector element for port 8080. The Kerberos ticket sent in the Authorization header carries the user's group memberships, so users in many AD groups exceed Tomcat's default header limit and get an HTTP 400 error instead of a logon.
Create and configure a global.properties file
..\tomcat\webapps\BOE\WEB-INF\config\custom
Create a file named global.properties with the following text inside:
sso.enabled=true
siteminder.enabled=false
vintela.enabled=true
idm.realm=DOMAIN.COM
idm.princ=<sid>adm
idm.allowUnsecured=true
idm.allowNTLM=false
idm.logger.name=simple
idm.logger.props=error-log.properties
Replace DOMAIN.COM and <sid>adm above with the realm (your AD domain in upper case) and the service account from Section 2.
Create and configure an ICCExplorer.properties file
Copy ICCExplorer.properties from ..\tomcat\webapps\BOE\WEB-INF\config\default to the ..\tomcat\webapps\BOE\WEB-INF\config\custom folder and set:
authentication.default=secWinAD
cms.default=host:6400
Add additional parameters to CmcApp.properties – Optional
If you want SSO for the CMC as well, create CmcApp.properties with the text below. This is not a good idea, though: if SSO stops working you need to log in to the CMC to troubleshoot it, and anyone who compromises a domain account in a mapped group would reach the CMC without any further prompt. We kept manual AD logon for the CMC.
cms.default=host:6400
authentication.visible=true
cms.visible=true
sso.supported.types=vintela, trustedIIS, trustedHeader, trustedParameter, trustedCookie, trustedSession, trustedUserPrincipal, trustedVintela, trustedX509, sapSSO, siteminder
sso.types.and.order=vintela
authentication.default=secWinAD
Refer to OSS Note 2190831 – How to enable CMC SSO in BI 4.1 SP6
Configuring the application server's Java Options for AD Single Sign On
1. Add the following lines to the Tomcat Java options. Tomcat must be restarted to test.
-Dcom.wedgetail.idm.sso.password=password
-Djcsi.kerberos.debug=true
com.wedgetail.idm.sso.password is the password of your service account from Section 2, in clear text. Anyone who can read the Tomcat service configuration or the process command line can read it, which is why Section 8 replaces it with a keytab.
-Djcsi.kerberos.debug=true enables a start-up trace of the Vintela filter; switch it off again once SSO works (Section 8).
Configuring Data Services for SSO
Back up the existing web.xml in ..\tomcat\webapps\DataServices\WEB-INF and set in it the same parameters you put in global.properties:
authentication.default=secWinAD
siteminder.enabled=false
vintela.enabled=true
sso.enabled=true
Uncomment the auth filter block and update the domain and service account details. Leave the keytab init-param commented out for now; it is enabled in Section 8.
<!-- start filter setting -->
<filter>
    <filter-name>authFilter</filter-name>
    <filter-class>com.businessobjects.sdk.credential.WrappedResponseAuthFilter</filter-class>
    <init-param>
        <param-name>idm.realm</param-name>
        <param-value>DOMAIN.COM</param-value>
    </init-param>
    <init-param>
        <param-name>idm.princ</param-name>
        <param-value>sidadm</param-value>
    </init-param>
    <!-- keytab: leave commented out until Section 8
    <init-param>
        <param-name>idm.keytab</param-name>
        <param-value>/path/to/keytab</param-value>
    </init-param>
    -->
    <init-param>
        <param-name>idm.allowUnsecured</param-name>
        <param-value>true</param-value>
    </init-param>
    <init-param>
        <param-name>idm.allowNTLM</param-name>
        <param-value>false</param-value>
    </init-param>
    <init-param>
        <param-name>idm.logger.name</param-name>
        <param-value>simple</param-value>
    </init-param>
    <init-param>
        <param-name>idm.logger.props</param-name>
        <param-value>error-log.properties</param-value>
    </init-param>
</filter>
<filter-mapping>
    <filter-name>authFilter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>
<!-- End filter setting -->
Verify the Vintela filter has loaded successfully
Stop Tomcat
Delete or back up the logs in the folders below:
..\tomcat\logs
C:\SBOPWebapp_CMC_10.66.94.147_8080
Remove the folder ..\tomcat\work\Catalina\localhost\DataServices
Restart Tomcat
Open stderr.log in tomcat\logs and look for the lines
INFO: Server startup in ###### ms
jcsi.kerberos: ** credentials obtained .. **
Testing AD Single Sign On
Note: do not test SSO from a browser on the Tomcat server itself; use a different, domain-joined machine where you are logged on with your domain user. When you open the URL it should log you in automatically, without asking for user/password.
Testing AD Single Sign On for InfoSteward
http://host:8080/BOE/InfoSteward
Testing AD Single Sign On for DS Designer
Log in to the IS/DS server with your ID and start DS Designer:
System – host[:port]: host:6400
User name: blank
Password: blank
Authentication: Windows AD
Log on
Select the repository and click OK.
You should be logged in to that repository.
Note: you also need access to that repository at the database level.
Testing AD Single Sign On for DS Management Console
You should be able to log in to the DS Management Console with your domain account without being prompted for user/password.
Section 8 – Encrypting your service account password with a keytab
Instead of hard-coding the service account's password in the Java options, we can put the account's Kerberos key in a keytab file. The keytab is as sensitive as the password itself (whoever can read it can impersonate the service account and decrypt every SSO ticket), so restrict its NTFS permissions to SYSTEM, Administrators and the account Tomcat runs as.
Run the following command on the AD server (one line):
ktpass -out bosso.keytab -princ <BI Service Account> -pass <password> -kvno 255 -ptype KRB5_NT_PRINCIPAL -crypto RC4-HMAC-NT
Use the account's current password: ktpass can reset the account password to the value supplied. -crypto RC4-HMAC-NT matches the rc4-hmac enctypes in krb5.ini; if you move to AES, change both together.
Once you receive the file, perform the following steps:
Copy bosso.keytab to the C:\Windows\ directory of the IS/DS application server
Add the following line to ..\tomcat\webapps\BOE\WEB-INF\config\custom\global.properties
idm.keytab=C:/WINDOWS/bosso.keytab (note the FORWARD slashes)
Remove the -Dcom.wedgetail.idm.sso.password option from Tomcat's Java options.
In ..\tomcat\webapps\DataServices\WEB-INF\web.xml, uncomment the idm.keytab init-param of the authFilter (Section 7) and set its value:
<init-param>
<param-name>idm.keytab</param-name>
<param-value>C:/WINDOWS/bosso.keytab</param-value>
</init-param>
Restart Tomcat and ensure you still see jcsi.kerberos: ** credentials obtained .. ** in the application server logs, as described in "Verify the Vintela filter has loaded successfully" above.
Test SSO again for IS and DS.
See KBA 1359035 to test the keytab separately if SSO stops working after these changes.
Finally, disable debug mode in the Tomcat Java options (-Djcsi.kerberos.debug=true) and in bscLogin.conf (debug=true) once everything works.
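As an added example (not part of the original article), the following PowerShell script finishes Section 8 on the application server: it restricts the keytab's ACL to SYSTEM, Administrators and the account the Tomcat service runs as, checks that the clear-text -Dcom.wedgetail.idm.sso.password option and the debug flag are gone from Tomcat's Java options, and proves the keytab works by obtaining a ticket with kinit -k -t and no password. The keytab path, the Tomcat service name BOEXI40Tomcat (the BI 4.x/IPS default), the principal sidadm@DOMAIN.COM and the sapjvm\bin path are assumptions to adjust; the procrun registry location for the Java options is the standard one for a Tomcat installed as a Windows service.

```powershell
# Added example (not from the original article): after Section 8, lock down the
# keytab and confirm the clear-text password from Section 7 is gone.
# Assumptions to adjust: keytab path, Tomcat service name BOEXI40Tomcat
# (the BI 4.x/IPS default), principal 'sidadm@DOMAIN.COM', sapjvm\bin path.
param(
    [string]$Keytab        = 'C:\Windows\bosso.keytab',
    [string]$TomcatService = 'BOEXI40Tomcat',
    [string]$Principal     = 'sidadm@DOMAIN.COM',
    [string]$SapJvmBin     = 'E:\Program Files (x86)\SAP BusinessObjects\SAP BusinessObjects Enterprise XI 4.0\win64_x64\sapjvm\bin'
)

if (-not (Test-Path -LiteralPath $Keytab)) { throw "$Keytab not found" }
$svc = Get-WmiObject Win32_Service -Filter "Name='$TomcatService'"
if (-not $svc) { throw "service $TomcatService not found" }

# 1. The keytab holds the service account's long-term key: anyone who can read
#    it can impersonate the account and decrypt every SSO ticket. C:\Windows
#    inherits Read for BUILTIN\Users, so drop inheritance and grant read only
#    to SYSTEM, Administrators and the account the Tomcat service runs as.
$tomcatUser = $svc.StartName                       # 'LocalSystem' or 'DOMAIN\user'
if ($tomcatUser -eq 'LocalSystem') { $tomcatUser = 'NT AUTHORITY\SYSTEM' }
$tomcatUser = $tomcatUser -replace '^\.\\', "$env:COMPUTERNAME\"

icacls $Keytab /inheritance:r | Out-Null
icacls $Keytab /grant:r 'NT AUTHORITY\SYSTEM:(R)' 'BUILTIN\Administrators:(F)' "${tomcatUser}:(R)" | Out-Null
"ACL now on $Keytab`:"
icacls $Keytab

# 2. The Java options live in the procrun registry key (32-bit Tomcat under
#    Wow6432Node). The password flag must be gone and debug switched off.
$javaKeys = @(
    "HKLM:\SOFTWARE\Apache Software Foundation\Procrun 2.0\$TomcatService\Parameters\Java",
    "HKLM:\SOFTWARE\Wow6432Node\Apache Software Foundation\Procrun 2.0\$TomcatService\Parameters\Java"
) | Where-Object { Test-Path $_ }
foreach ($key in $javaKeys) {
    $opts = @((Get-ItemProperty -Path $key -Name Options).Options)
    if ($opts | Where-Object { $_ -like '-Dcom.wedgetail.idm.sso.password=*' }) {
        Write-Warning "$key still contains -Dcom.wedgetail.idm.sso.password; remove it and restart Tomcat"
    }
    if ($opts -contains '-Djcsi.kerberos.debug=true') {
        Write-Warning "$key still has -Djcsi.kerberos.debug=true; disable it for production"
    }
}

# 3. Prove the keytab works without any password, independently of Tomcat
#    (what KBA 1359035 walks through): -k -t makes Java's kinit use the keytab.
$kinit = Join-Path $SapJvmBin 'kinit.exe'
& $kinit -k -t $Keytab $Principal
if ($LASTEXITCODE -eq 0) {
    "keytab OK: TGT obtained for $Principal without a password"
} else {
    "kinit -k -t failed (exit $LASTEXITCODE): check that -crypto matches the krb5.ini enctypes, the kvno, and that the account password was not changed after ktpass"
}
```

Run it as an administrator after the Tomcat restart. If step 3 fails while the Section 5 kinit with a typed password still works, the keytab itself is wrong (enctype, kvno or a password change after ktpass), not the Kerberos client configuration.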
Section 9 – Additional information and settings
Ensure your .properties files are not overwritten after a patch or redeploy
1. Copy the global.properties, ICCExplorer.properties and CmcApp.properties files (and BIlaunchpad.properties, if present) from:
SAPBusinessObjects\tomcat\webapps\BOE\WEB-INF\config\custom
2. Paste the .properties files in the folder below:
SAPBusinessObjects\SAP BusinessObjects Enterprise XI 4.0\warfiles\webapps\BOE\WEB-INF\config\custom
3. Copy the web.xml file from
SAPBusinessObjects\tomcat\webapps\DataServices\WEB-INF
To
SAPBusinessObjects\SAP BusinessObjects Enterprise XI 4.0\warfiles\webapps\DataServices\WEB-INF
Take the backup of existing file before copying it.
End of the Article
You can post your questions or comments here, so that I can clarify.
Thanks for this!
Thx for this useful article.
Please tell me which ports (out & in) are used for manual AD auth. (without SSO) between SAP Information Steward and MS AD?
Hi Aleksandr,
As far as I know there is no specific port for manual AD; the AD server and the BO/IS server just need to be reachable from one to the other, then having the corresponding configuration done (as mentioned in this article) will make it work. The communication will go through the Tomcat WAS on the configured Tomcat port.
Regards!
Roy
Hello guys,
I configured the SSO for IS successfully. Now, is there a "No SSO" link as for the BI Launch Pad, like "http://<host>:<port>/BOE/BI/logonNoSso.jsp"? I have tried "http://<host>:<port>/BOE/InfoStewardApp/1801161954/ICCExplorer/logonNoSso.jsp" without luck. Do you know what link I should use to bypass the SSO functionality and get to the login page?
Any feedback is appreciated.
Thanks!
Roy