Author: Former Member

Windows AD Authentication and SSO for only IS/DS and CMC no BI

I did not find any specific documentation for configuring Windows AD authentication and SSO for only the IS/DS components, so I thought I would put all those steps together. I followed the SAP Note below.

 

1631734 – Configuring Active Directory Manual Authentication and SSO for BI4

 

OS: Windows Server 2012

DB: MS SQL Server

Apps: IS/DS (Installed with IPS – Information Platform Service, no additional license required)

 

In our case we enabled SSO for Information Steward and the DS Designer. For the DS Management Console and the CMC we use Windows AD authentication only, but this article gives you the steps to enable SSO for all components.

_____________________________________________________________________________________________________________________________________

 

Section 1 – Planning your Service Account Configuration

Before configuring IS/DS for AD logins we must request an AD service account. This service account needs to fill three roles:

1. Query AD

2. Run the SIA/CMS and allow manual AD logins

3. Allow SSO

 

Section 2 – Creating and preparing the service account

Instead of creating a new AD account on the Domain Controller, we decided to use the already existing <sid>adm user as the BI service account.

 

Have these steps done with the help of the AD team:

The account has been set up with “Password never expires” and has been unlocked.

 

 

Delegation for the Service Account

 

Navigate to the properties of the service account and, under the Delegation tab, choose “Trust this user for delegation to any service (Kerberos only)”.

 

 

setspn commands – to be run on the Domain Controller by the AD team

 

setspn -a BICMS/<sid>adm.domain.com <sid>adm

setspn -a HTTP/host.domain.com <sid>adm

setspn -a HTTP/host <sid>adm

 

Once the AD team has run these commands, you can view the registered SPNs from your IS/DS server by running the command below:

 

setspn -l <sid>adm

 

Section 3 – Configure the AD Plugin Page in the CMC and map in AD groups

Login to CMC => Authentication => Windows AD

 

Check “Enable Windows Active Directory (AD)”

 

AD Administrator Name: Domain\<sid>adm

Default AD Domain: Domain.com

 

Mapped AD Member Groups: add here the AD groups whose members need access.

 

Authentication Options:

Use Kerberos authentication

Service principal name: BICMS/<sid>adm.domain.com

 

Check “Enable Single Sign On for selected authentication mode”.

 

New Alias options: Assign each new AD alias to an existing user account with the same name

Alias update options: Create new alias when alias update occurs

New User options: New users are created as concurrent users

 

On-demand AD update:

Update AD Groups and Alias now

 

Update

 

Verifying users

Go to CMC > Users and Groups > Group Hierarchy and select the AD group you mapped to view the users for that group. This generates a live query to AD (using the CMC query account) and displays the current users in that group. It also displays any nested users in that group (users that belong to nested AD groups).

 

Do not proceed if users and/or groups are not mapping in properly!

 

 

Section 4 – Steps to start the SIA/CMS under the service account

In order for the service account to run the SIA, specific operating system settings need to be set.

1. Add the service account to the local Administrators group on any server where the service account will run a SIA/CMS.

   Open Computer Management > Local Users and Groups > Groups > Administrators > Properties > Add

2. Also grant the service account the local policy “Act as part of the operating system”, as seen in the screenshot below.

   Open Local Security Policy > Local Policies > User Rights Assignment > Act as part of the operating system > Properties > Add User or Group

3. After the above changes have been made, the service account can run the Server Intelligence Agent (SIA). Open the Central Configuration Manager (CCM), stop the SIA, enter the account in domain\username format on the Properties tab, and restart the SIA.

4. Verify the service account and AD logins are working

 

You should be able to log in via the Data Services Designer at this point. The next steps test an AD login with the Central Configuration Manager’s Manage Servers tool.

Temporarily add your user to the Administrators group, log in to the server with your ID and test. Also temporarily add your user to the Administrators group in the CMC.

    

Open the Data Services Designer:

System – host[:port]: host:6400
User name: (blank)
Password: (blank)
Authentication: Windows AD
Log on

It should then show the DS repositories.

 

    

Section 5 – Configuring Manual AD authentication to Java Application Servers

 

Two files need to be created when using Java. Create them from scratch and place them in the C:\windows\ directory of every Windows application server.

Create the bscLogin.conf file

Note: make sure the file is saved as bscLogin.conf and not as a .txt text file.

com.businessobjects.security.jgss.initiate {
com.sun.security.auth.module.Krb5LoginModule required debug=true;
};

 

Create the krb5.ini file

[libdefaults]
default_realm = DOMAIN.COM
dns_lookup_kdc = true
dns_lookup_realm = true
default_tgs_enctypes = rc4-hmac
default_tkt_enctypes = rc4-hmac
udp_preference_limit = 1
[realms]
DOMAIN.COM = {
kdc = DCHOSTNAME.DOMAIN.COM
default_domain = DOMAIN.COM
}

Refer to OSS Note 1690665 – Unable to logon to BI Launchpad or CMC using Manual AD Authentication in BI 4.0 when creating the krb5.ini file.

 

Verify Java can successfully receive a Kerberos ticket

1. From a command prompt navigate to the sapjvm\bin directory. By default this is:

E:\Program Files (x86)\SAP BusinessObjects\SAP BusinessObjects Enterprise XI 4.0\win64_x64\sapjvm\bin

2. Run kinit <username>, hit enter and type your password:

kinit <sid>adm

If the KDC and the other settings in krb5.ini are correct you should receive a ticket.

 

Section 6 – Configuring CMC for manual AD login

 

Create the CmcApp.properties file with the lines below:

 

authentication.visible=true

authentication.default=secWinAD

 

Point your application server to the bscLogin.conf and krb5.ini files by adding the following lines to the Tomcat Java options. Tomcat must be restarted to test.

-Djava.security.auth.login.config=c:\windows\bscLogin.conf
-Djava.security.krb5.conf=c:\windows\krb5.ini

Restart Tomcat.

 

Verify the bscLogin.conf has been loaded by your application server

To verify that bscLogin.conf has been loaded by your application server, attempt to log on to the CMC (with Windows AD selected in the drop-down), then check stdout.log in the ..\tomcat\logs folder; you should see “Commit succeed”.

At this point you will be able to log in to Information Steward, the Data Services Management Console and the CMC with Windows AD logins.

 

Section 7 – Configuring Active Directory Single Sign On

 

 

Increase Tomcat’s maxHttpHeaderSize

In ..\tomcat\conf, take a backup of the existing server.xml and add maxHttpHeaderSize="65536" to the Connector tag for port 8080.

 

Create and configure a global.properties file

In ..\tomcat\webapps\BOE\WEB-INF\config\custom create a file named global.properties with the following text inside:

sso.enabled=true
siteminder.enabled=false
vintela.enabled=true
idm.realm=DOMAIN.COM
idm.princ=<sid>adm
idm.allowUnsecured=true
idm.allowNTLM=false
idm.logger.name=simple
idm.logger.props=error-log.properties

Replace the idm.realm and idm.princ values (DOMAIN.COM and <sid>adm above) with the values for your service account from Section 2.

Create and configure an ICCExplorer.properties file

Copy the ICCExplorer.properties file from ..\tomcat\webapps\BOE\WEB-INF\config\default to the ..\tomcat\webapps\BOE\WEB-INF\config\custom folder and modify it:

authentication.default=secWinAD
cms.default=host:6400

 

Add additional parameters to the CmcApp.properties file – Optional

If you want to configure SSO for the CMC as well, create the CmcApp.properties file with the text below. It is not a good idea to enable SSO for the CMC, however: if SSO stops working you need to log in to the CMC first in order to troubleshoot it, and you may also see security issues if an attacker gets access to your domain.

cms.default=host:6400
authentication.visible=true
cms.visible=true
sso.supported.types=vintela, trustedIIS, trustedHeader, trustedParameter, trustedCookie, trustedSession, trustedUserPrincipal, trustedVintela, trustedX509, sapSSO, siteminder
sso.types.and.order=vintela
authentication.default=secWinAD

Refer to OSS Note 2190831 – How to enable CMC SSO in BI 4.1 SP6

Configuring the application server’s Java Options for AD Single Sign On

1. Add the following lines to the Tomcat Java options. Tomcat must be restarted to test.

-Dcom.wedgetail.idm.sso.password=password
-Djcsi.kerberos.debug=true

The -Dcom.wedgetail.idm.sso.password value is the password of your service account from Section 2 above.

The -Djcsi.kerberos.debug option enables a startup trace of the Vintela filter.

 

Configuring Data Services for SSO

Take a backup of the existing web.xml in ..\tomcat\webapps\DataServices\WEB-INF and set the same parameters you put in the global.properties file:

authentication.default=secWinAD
siteminder.enabled=false
vintela.enabled=true
sso.enabled=true

Uncomment the auth filter and update the domain and service account details. Leave the keytab section commented out; it is enabled later (Section 8).

 

<!-- start filter setting -->
<filter>
  <filter-name>authFilter</filter-name>
  <filter-class>com.businessobjects.sdk.credential.WrappedResponseAuthFilter</filter-class>
  <init-param>
    <param-name>idm.realm</param-name>
    <param-value>DOMAIN.COM</param-value>
  </init-param>
  <init-param>
    <param-name>idm.princ</param-name>
    <param-value>sidadm</param-value>
  </init-param>
  <!--
  <init-param>
    <param-name>idm.keytab</param-name>
    <param-value>/path/to/keytab</param-value>
  </init-param>
  -->
  <init-param>
    <param-name>idm.allowUnsecured</param-name>
    <param-value>true</param-value>
  </init-param>
  <init-param>
    <param-name>idm.allowNTLM</param-name>
    <param-value>false</param-value>
  </init-param>
  <init-param>
    <param-name>idm.logger.name</param-name>
    <param-value>simple</param-value>
  </init-param>
  <init-param>
    <param-name>idm.logger.props</param-name>
    <param-value>error-log.properties</param-value>
  </init-param>
</filter>

<filter-mapping>
  <filter-name>authFilter</filter-name>
  <url-pattern>/*</url-pattern>
</filter-mapping>
<!-- End filter setting -->

 

 

Verify the Vintela filter has loaded successfully

Stop Tomcat.
Delete or back up the logs in the folders below:
..\tomcat\logs
C:\SBOPWebapp_CMC_10.66.94.147_8080
Remove the folder ..\tomcat\work\Catalina\localhost\DataServices
Restart Tomcat.

Open the stderr.log file in tomcat\logs and look for the lines

INFO: Server startup in ###### ms
jcsi.kerberos: ** credentials obtained .. **.

Testing AD Single Sign On

Note: do not test SSO on the Tomcat server itself; test from a different machine. When you open the URL in the browser it should log you in automatically without prompting for user/password, because you are logged on to the machine you are testing from with a domain user.

 

Testing AD Single Sign On for InfoSteward

http://host:8080/BOE/InfoSteward

 

Testing AD Single Sign On for DS Designer

 

Log in to the IS/DS server with your ID and start the DS Designer:

System – host[:port]: host:6400
User name: (blank)
Password: (blank)
Authentication: Windows AD
Log on

Select the repository and click OK. You should be logged in to that repository.

Note: you must have access to that repository at the DB level.

Testing AD Single Sign On for DS Management Console

 

http://host:8080/DataServices

 

You should be able to log in to the DS console with your domain account without being prompted for user/password.

 

Section 8 – Encrypting your service account password with a keytab

As an alternative to hard-coding the service account’s password in the Java options, we can encrypt the password in a keytab file.

Run the command below on the AD server:

ktpass -out bosso.keytab -princ <BI Service Account> -pass <password> -kvno 255 -ptype KRB5_NT_PRINCIPAL -crypto RC4-HMAC-NT

 

Once you receive the file, perform the steps below.

 

Copy the bosso.keytab to the C:\Windows\ directory of the IS/DS application server

 

Add the following line to ..\tomcat\webapps\BOE\WEB-INF\config\custom\global.properties

 

idm.keytab=C:/WINDOWS/bosso.keytab

(Note the forward slashes.)

 

Remove the -Dcom.wedgetail.idm.sso.password option from the application server’s Tomcat Java options.

 

Add the following init-param (the one left commented out in Section 7) to the authFilter in ..\tomcat\webapps\DataServices\WEB-INF\web.xml:

  <init-param>
    <param-name>idm.keytab</param-name>
    <param-value>C:/WINDOWS/bosso.keytab</param-value>
  </init-param>

 

Restart Tomcat and ensure you still see jcsi.kerberos: ** credentials obtained.. **. in the application server logs, per the directions in the section above titled “Verify the Vintela filter has loaded successfully”.

 

Test SSO for IS and DS again.

 

See KBA 1359035 to test the keytab separately if SSO stops working after these changes.

 

Disable debug mode (-Djcsi.kerberos.debug) in the Tomcat Java options.
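As an added check on Sections 7 and 8 (example code written for this walkthrough, not part of the original post or of SAP's tooling), the Python script below cross-checks the settings that end up in three places: global.properties of the BOE web app, the authFilter init-params in the DataServices web.xml, and the Tomcat Java options. It flags a realm, principal or keytab that differs between the two web apps, idm.allowNTLM set to anything but false, the password option and the keytab being both present or both absent, and a jcsi.kerberos.debug flag left on; the sample inputs are constructed placeholders mirroring the values used above.

```python
import xml.etree.ElementTree as ET

def parse_properties(text):
    """Parse Java .properties text (key=value, '#'/'!' comments) into a dict."""
    pairs = (line.strip().partition("=") for line in text.splitlines())
    return {k.strip(): v.strip() for k, _, v in pairs if k and not k.startswith(("#", "!"))}

def _name(el):
    return el.tag.rsplit("}", 1)[-1]  # drop the xmlns prefix a real web.xml carries

def parse_auth_filter(web_xml):
    """Return the init-params of the <filter> named authFilter as a dict."""
    for flt in ET.fromstring(web_xml).iter():
        kids = {_name(c): (c.text or "").strip() for c in flt}
        if _name(flt) == "filter" and kids.get("filter-name") == "authFilter":
            params = [{_name(c): (c.text or "").strip() for c in p} for p in flt if _name(p) == "init-param"]
            return {kv["param-name"]: kv["param-value"] for kv in params}
    return {}

def parse_java_options(opts):
    """Turn the '-Dkey=value' tokens of the Tomcat Java options into a dict."""
    return {k: v for k, _, v in (t[2:].partition("=") for t in opts.split() if t.startswith("-D"))}

def audit(global_props, web_xml, java_opts):
    """Return findings (empty list = BOE, DataServices and Java options agree and are hardened)."""
    g, w, j = parse_properties(global_props), parse_auth_filter(web_xml), parse_java_options(java_opts)
    findings = []
    for key in ("idm.realm", "idm.princ", "idm.keytab"):  # must match between the two web apps
        if g.get(key) != w.get(key):
            findings.append(f"{key} differs: global.properties={g.get(key)!r} web.xml={w.get(key)!r}")
    for name, cfg in (("global.properties", g), ("web.xml", w)):
        if cfg.get("idm.allowNTLM", "false").lower() != "false":
            findings.append(f"{name}: idm.allowNTLM must stay false")
    if ("com.wedgetail.idm.sso.password" in j) == ("idm.keytab" in g):  # Section 8: exactly one
        findings.append("configure either the keytab or the password option, not both or neither")
    if j.get("jcsi.kerberos.debug") == "true":
        findings.append("jcsi.kerberos.debug=true still set: disable it once SSO works")
    return findings

# Constructed sample inputs mirroring the article's Section 7 values (placeholders, not a live system).
GLOBAL_PROPERTIES = "sso.enabled=true\nvintela.enabled=true\nidm.realm=DOMAIN.COM\nidm.princ=sidadm\nidm.allowNTLM=false\n"
WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee"><filter><filter-name>authFilter</filter-name>
<init-param><param-name>idm.realm</param-name><param-value>DOMAIN.COM</param-value></init-param>
<init-param><param-name>idm.princ</param-name><param-value>sidadm</param-value></init-param>
<init-param><param-name>idm.allowNTLM</param-name><param-value>false</param-value></init-param>
</filter></web-app>"""
JAVA_OPTS = "-Dcom.wedgetail.idm.sso.password=password -Djcsi.kerberos.debug=true"

if __name__ == "__main__":
    print("\n".join(audit(GLOBAL_PROPERTIES, WEB_XML, JAVA_OPTS)) or "no findings")
```

Run it again after each Section 8 step; the half-finished state (keytab in global.properties but not yet in web.xml, password still in the Java options) is exactly what it is meant to catch.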

 

Section 9 – Additional information and settings

 

Ensure your .properties files are not overwritten after a patch or redeploy

1. Copy the BIlaunchpad.properties, global.properties and ICCExplorer.properties files from:

SAPBusinessObjects\tomcat\webapps\BOE\WEB-INF\config\custom

 

2. Paste the .properties files in the folder below:

SAPBusinessObjects\SAP BusinessObjects Enterprise XI 4.0\warfiles\webapps\BOE\WEB-INF\config\custom

 

3. Copy the web.xml file from

SAPBusinessObjects\tomcat\webapps\DataServices\WEB-INF

to

SAPBusinessObjects\SAP BusinessObjects Enterprise XI 4.0\warfiles\webapps\DataServices\WEB-INF

Take a backup of the existing file before copying over it.

End of the Article

 

You can post your questions or comments here, so that I can clarify.

Former Member

      Thanks for this!

Former Member

      Thx for this useful article.

Please tell me which ports (out & in) are used for manual AD auth. (without SSO) SAP Information Steward - MS AD?

Rodrigo Garcia Naranjo

      Hi Aleksandr,

As far as I know there are no specific ports for manual AD; the AD server and the BO/IS server just need to be reachable from one another. Having the corresponding configuration done (mentioned in this article) will make it work. The communication will go through the Tomcat WAS on the configured Tomcat port.

      Regards!

      Roy

Rodrigo Garcia Naranjo

      Hello guys,

I configured the SSO for IS successfully. Now, is there a "No SSO" link as for BI Launch Pad, like "http://<host>:<port>/BOE/BI/logonNoSso.jsp"? I have tried using "http://<host>:<port>/BOE/InfoStewardApp/1801161954/ICCExplorer/logonNoSso.jsp" without luck. Do you know what link I should use to bypass the SSO functionality and get to the login page?

Any feedback is appreciated.

      Thanks!

      Roy