Configuration of Active Directory Manual Authentication BI4 for Netweaver NW

Whats this about?

This is an adjunct to Steve Fredell document in 1631734 – Configuring Active Directory Manual Authentication and SSO for BI4 in regard to manual authentication of SSO for BI4 which is tomcat centric.

However at a recent client there a similar use case required however was for deployment of the BO on NW7.31 >rather< than tomcat as the web application server.

There is also a worthwhile troubleshooting guide for tomcat here 1476374 – ***Best Practices*** including Basic and Advanced AD Troubleshooting Steps for Manual Logon, NTLM, Kerberos and Vintela Single Sign On

Background

I have been asked to configure AD authentication, following Steve Fredell’s “Configure Active Directory Manual Authentication and SSO for BI4” I could successfully get AD authentication working  fine with tomcat 🙂 , but got stuck with NW as the web application server.

After spending close to 1 day of my customers time attempting this I failed to get it to work and posted this forum message AD authentication for BI4.0 on NW7.3x portal

—————–  Forum Post —————————-

However when I use the same BOE/CMC with imported early into portal I get the error:

Account Information Not Recognized: Active Directory Authentication failed to log you on. Please contact your system administrator to make sure you are a member of a valid mapped group and try again. If you are not a member of the default domain, enter your user name as UserName@DNS_DomainName, and then try again. (FWM 00006)

So tomcat obviously understands the kerberos authentication, I have made sure the same server principle name and AD administrator credentials are the same, is in use by tomcat and portal both use SAPService<SID>

Any tips as to what I need to do to get Windows AD authentication working to BOE/CMC from a NW7.3 portal? Do I need to re-import the BOE deployment?

——————

Swapnil Yavalkar  responded saying he had been successful but without capturing any details, which was good news as at least it proved it was possible.

Unfortunately in the available notes there is almost zero about how to get NW7 working as the web application server, I placed a service call to SAP in regard to the problem. Days later I got the response that there is a unpublished internal note 1852377 that describes the solution to my problem, I had got 95% of the way there but had not performed the subnode configuration in NW config tool.

Whilst I cannot republish this note I will post my solution ( albeit sanitized of customer details) which fairly much covers the same trajectory as 1852377

Step 0. Ensure principle names for Kerberos

Find and ensure you have set principle names for the service running your NW (portal) web application server.

You may need to setspn -A  to configure your principle names, however scope is beyond this blog for a start try here . However here is a sanitized list of principle names for the service owner ( which is more than needed)

Step 1. Create your kerberos configuration file

You will need a krb5.ini file as per notes above  into C:\windows, I copied mine from an existing tomcat configuration I had working.

Step 2. Add kerberos module to Netweaver Administrator

You will need to enable krb5 module to  NWA  http://theportalserver.com:50200/nwa

Configuration -> Authentication and Single Sign-On -> “Login Modules” tab

Create a module with the display name Krb5LoginModule with the class name of com.sun.security.auth.module.Krb5LoginModule

Then in tab “Components” tab create  a custom configuration called  com.businessobjects.security.jgss.initiate

Choose the lower authentication stack tab and then add the login module “krb5LoginModule” with the flag “REQUIRED“

Dont forget to save 🙂

Step 3 Using SAP Java configuration tool we add Java options.

I found it is best to do this during downtime of the NW portal.

Call configtool.bat from usr\sap\<SID>\J<id>\j2ee\configtool

I normally choose expert mode.

Choose the instance then choose “VM Parameters” tab

Select sap from the vendor list and global from the platform list.

Choose the “system” tab and new.
Add Name java.security.krb5.conf and the value of C:\windows\krb5.ini

Create another parameter called javax.security.auth.useSubjectCredsOnly with the value “false“

Choose File -> Apply changes.

Step 4. Adding sub-nodes for com.businessobjects.security.jgss.initiate policy.

Continuing with config tool

Choose Tools -> Configuration editor

Choose Edit mode.

Navigate to Configurations -> Security -> Configurations -> com.businessobjects.security.jgss.initiate -> security -> authentication.

Right click and choose “Create sub-node”

Choose “Value-Entry” name create_security_session with the value “false“

Then apply changes again.

Step 5. Restart NW Portal

Testing after 10 minutes system will restart and you should be able to authenticate with NW7.3 Web.

For me it just worked first time , so I don’t have any troubleshooting validation except check your syntax each time.

Tips:

a) Get it working with your tomcat server first as per the guide attached to note 1631734 use the troubleshooting guide 1476374

b) Then follow this blog or note 1852377