
What's this about?

This is an adjunct to Steve Fredell's document in SAP Note 1631734 – Configuring Active Directory Manual Authentication and SSO for BI4, which covers manual authentication and SSO for BI4 and is Tomcat-centric.

However, a recent client had a similar requirement, except that BO was deployed on NW7.31 rather than Tomcat as the web application server.

There is also a worthwhile troubleshooting guide for Tomcat in SAP Note 1476374 – Best Practices including Basic and Advanced AD Troubleshooting Steps for Manual Logon, NTLM, Kerberos and Vintela Single Sign On.

Background


I was asked to configure AD authentication. Following Steve Fredell's “Configure Active Directory Manual Authentication and SSO for BI4” I could successfully get AD authentication working fine with Tomcat 🙂, but got stuck with NW as the web application server.

After spending close to a day of my customer's time attempting this, I failed to get it to work and posted this forum message: AD authentication for BI4.0 on NW7.3x portal.

—————–  Forum Post —————————-

[Screenshot: /wp-content/uploads/2015/11/tom_824117.png]

However, when I use the same BOE/CMC imported earlier into the portal I get the error:

Account Information Not Recognized: Active Directory Authentication failed to log you on. Please contact your system administrator to make sure you are a member of a valid mapped group and try again. If you are not a member of the default domain, enter your user name as UserName@DNS_DomainName, and then try again. (FWM 00006)

[Screenshot: /wp-content/uploads/2015/11/cmcprotal_824118.png]

So Tomcat obviously understands the Kerberos authentication. I have made sure the same server principal name and AD administrator credentials are in use by Tomcat and the portal; both use SAPService<SID>.

Any tips as to what I need to do to get Windows AD authentication working to BOE/CMC from a NW7.3 portal? Do I need to re-import the BOE deployment?

——————

Swapnil Yavalkar responded saying he had been successful, but without giving any details. That was still good news, as at least it proved it was possible.

Unfortunately the available notes say almost nothing about how to get NW7 working as the web application server, so I placed a service call with SAP about the problem. Days later I got the response that there is an unpublished internal note, 1852377, that describes the solution to my problem. I had got 95% of the way there but had not performed the sub-node configuration in the NW Config Tool.

Whilst I cannot republish that note, I will post my solution (albeit sanitised of customer details), which pretty much follows the same trajectory as note 1852377.

Step 0. Ensure service principal names for Kerberos

Find and ensure you have set service principal names (SPNs) for the service account running your NW (portal) web application server.
[Screenshot: /wp-content/uploads/2015/11/portaluser_824123.png]

You may need to use setspn -A to register your principal names; that is beyond the scope of this blog, but for a start try here. For reference, here is a sanitised list of principal names for the service account (which is more than needed):

[Screenshot: /wp-content/uploads/2015/11/setspn_824124.png]

Step 1. Create your Kerberos configuration file

You will need a krb5.ini file, as per the notes above, in C:\windows; I copied mine from an existing Tomcat configuration I had working.

[Screenshot: /wp-content/uploads/2015/11/krb5_824125.png]

Step 2. Add the Kerberos login module in NetWeaver Administrator

You will need to add the Krb5 login module in NWA: http://theportalserver.com:50200/nwa

[Screenshot: /wp-content/uploads/2015/11/portal1_824128.png]

Go to Configuration -> Authentication and Single Sign-On -> “Login Modules” tab.

Create a module with the display name Krb5LoginModule and the class name com.sun.security.auth.module.Krb5LoginModule.

[Screenshot: /wp-content/uploads/2015/11/portal2_824131.png]

Then, on the “Components” tab, create a custom configuration called com.businessobjects.security.jgss.initiate.

[Screenshot: /wp-content/uploads/2015/11/portal3_824132.png]

Choose the lower authentication stack tab and then add the login module “Krb5LoginModule” with the flag “REQUIRED”.

Don't forget to save 🙂

Step 3. Add Java options using the SAP Java Config Tool

I found it is best to do this during downtime of the NW portal.

Run configtool.bat from usr\sap\<SID>\J<id>\j2ee\configtool.

[Screenshot: /wp-content/uploads/2015/11/conft1_824133.png]

I normally choose expert mode.

[Screenshot: /wp-content/uploads/2015/11/conft2_824142.png]

Choose the instance, then choose the “VM Parameters” tab.

[Screenshot: /wp-content/uploads/2015/11/conft3_824141.png]

Select “sap” from the vendor list and “global” from the platform list.

Choose the “System” tab and click New.
Add a parameter with the name java.security.krb5.conf and the value C:\windows\krb5.ini.

Create another parameter called javax.security.auth.useSubjectCredsOnly with the value “false”.
[Screenshot: /wp-content/uploads/2015/11/conft4_824143.png]

Choose File -> Apply changes.

[Screenshot: /wp-content/uploads/2015/11/conft5_824147.png]

Step 4. Add a sub-node to the com.businessobjects.security.jgss.initiate policy

Continuing in the Config Tool:

Choose Tools -> Configuration Editor.

[Screenshot: /wp-content/uploads/2015/11/conft6_824148.png]

Choose Edit mode.

[Screenshot: /wp-content/uploads/2015/11/conft7_824149.png]

Navigate to Configurations -> Security -> Configurations -> com.businessobjects.security.jgss.initiate -> security -> authentication.
[Screenshot: /wp-content/uploads/2015/11/conft9_824157.png]

Right-click and choose “Create sub-node”.
[Screenshot: /wp-content/uploads/2015/11/conft8_824156.png]

Choose “Value-Entry”, with the name create_security_session and the value “false”.

Then apply the changes again.
[Screenshot: /wp-content/uploads/2015/11/conft10_824158.png]

Step 5. Restart NW Portal

[Screenshot: /wp-content/uploads/2015/11/restartnw_824162.png]

Testing: after about 10 minutes the system will have restarted and you should be able to authenticate through the NW7.3 web application server.

[Screenshot: /wp-content/uploads/2015/11/loginok_824163.png]

For me it just worked first time, so I don't have any troubleshooting validation to offer except: check your syntax each time.
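The blog shows the SPN list (Step 0) and krb5.ini (Step 1) only as screenshots, and the one troubleshooting advice it gives is to check your syntax. The following PowerShell script is an added example written for this page; it is not from the blog, from the SAP notes cited, or from SAP. It creates a minimal MIT-format krb5.ini from a template if none exists, then checks the things that most often break Kerberos logon before you touch NWA or the Config Tool: that krb5.ini defines a default_realm and a kdc, that the KDC answers on TCP 88, that an HTTP/<portal host> SPN is registered to the service account, and that no other account holds a duplicate of it. EXAMPLE.COM, dc1.example.com and EXAMPLE\SAPServiceSID are placeholders to replace with your own realm, domain controller and SAPService<SID> account; theportalserver.com is the host name used in Step 2; C:\windows\krb5.ini is the path used in Steps 1 and 3.

```powershell
<#
  Kerberos preflight for BI4 on a NetWeaver Java web application server.
  Added example (not from the blog or from SAP). All values in param() are
  placeholders except theportalserver.com, which is the host name used in Step 2.
#>
param(
    [string]$Realm          = 'EXAMPLE.COM',            # placeholder: your AD realm, upper case
    [string]$Kdc            = 'dc1.example.com',        # placeholder: a domain controller
    [string]$ServiceAccount = 'EXAMPLE\SAPServiceSID',  # placeholder: account running the NW instance
    [string]$PortalHost     = 'theportalserver.com',    # host name users browse to
    [string]$KrbIni         = 'C:\windows\krb5.ini',    # path used in Step 1 and Step 3
    [switch]$WriteIfMissing                             # create krb5.ini from the template below
)

$lowerRealm = $Realm.ToLower()

# Minimal MIT-format krb5.ini. AES enctypes are listed first; rc4-hmac stays
# only as a fallback for service accounts that have no AES keys.
$krb5Template = @"
[libdefaults]
default_realm = $Realm
dns_lookup_kdc = true
dns_lookup_realm = true
default_tkt_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 rc4-hmac
default_tgs_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 rc4-hmac
udp_preference_limit = 1

[realms]
$Realm = {
    kdc = $Kdc
    default_domain = $lowerRealm
}

[domain_realm]
.$lowerRealm = $Realm
$lowerRealm = $Realm
"@

$problems = @()

# 1. krb5.ini present at the path the JVM option java.security.krb5.conf will point to
if (-not (Test-Path $KrbIni)) {
    if ($WriteIfMissing) {
        Set-Content -Path $KrbIni -Value $krb5Template -Encoding ASCII
        Write-Host "Wrote $KrbIni from template"
    } else {
        $problems += "$KrbIni is missing (rerun with -WriteIfMissing to create it)"
    }
}

# 2. Syntax sanity: a default_realm and at least one kdc must be defined
if (Test-Path $KrbIni) {
    $ini = Get-Content -Path $KrbIni -Raw
    if ($ini -notmatch '(?m)^\s*default_realm\s*=\s*\S+') { $problems += "no default_realm in $KrbIni" }
    if ($ini -notmatch '(?m)^\s*kdc\s*=\s*\S+')           { $problems += "no kdc entry in $KrbIni" }
    if ($ini -match 'rc4-hmac' -and $ini -notmatch 'aes256-cts') {
        $problems += "$KrbIni allows only rc4-hmac; add AES enctypes if the service account supports them"
    }
}

# 3. KDC reachable on TCP 88 (udp_preference_limit = 1 above makes the JVM use TCP)
try {
    $tcp = New-Object System.Net.Sockets.TcpClient
    $tcp.Connect($Kdc, 88)
    $tcp.Close()
} catch {
    $problems += "cannot reach KDC $Kdc on TCP 88: $($_.Exception.Message)"
}

# 4. HTTP/<portal host> SPN is registered to the service account (Step 0) ...
$spnText = (& setspn -L $ServiceAccount 2>&1) | Out-String
if ($spnText -notmatch "(?im)^\s*HTTP/$([regex]::Escape($PortalHost))") {
    $problems += "HTTP/$PortalHost is not registered to $ServiceAccount (setspn -A HTTP/$PortalHost $ServiceAccount)"
}

# ... and is not also registered to another account, which makes Kerberos fail silently
$dupes = (& setspn -X 2>&1) | Select-String -SimpleMatch 'HTTP/'
if ($dupes) {
    $problems += "setspn -X reports duplicate HTTP SPNs: $(($dupes | ForEach-Object { $_.Line.Trim() }) -join '; ')"
}

if ($problems.Count -eq 0) {
    Write-Host 'Preflight OK: krb5.ini, KDC reachability and SPN registration look consistent.'
    exit 0
}
$problems | ForEach-Object { Write-Warning $_ }
exit 1
```

Run it in an elevated PowerShell on the domain-joined NW host, where setspn.exe is available; setspn -X scans the whole forest and can take a while in a large directory. The template lists AES enctypes ahead of rc4-hmac on purpose: notes from this era often specify rc4-hmac alone, but AES is the stronger choice and only needs the service account to have AES keys (the “supports Kerberos AES” account options, with the password set after enabling them); the rc4-hmac fallback keeps the file working until that is done.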

Tips:

a) Get it working with your Tomcat server first, as per the guide attached to note 1631734, using the troubleshooting guide in note 1476374.

b) Then follow this blog or note 1852377.
