What's this about?
This is an adjunct to Steve Fredell's document in SAP Note 1631734 – Configuring Active Directory Manual Authentication and SSO for BI4, which covers manual AD authentication and SSO for BI4 and is Tomcat-centric.
At a recent client the use case was similar, but BusinessObjects was deployed on NetWeaver 7.31 rather than Tomcat as the web application server.
There is also a worthwhile troubleshooting guide for Tomcat in SAP Note 1476374 – Best Practices including Basic and Advanced AD Troubleshooting Steps for Manual Logon, NTLM, Kerberos and Vintela Single Sign On.
I had been asked to configure AD authentication. Following Steve Fredell's "Configure Active Directory Manual Authentication and SSO for BI4" I got AD authentication working fine with Tomcat 🙂, but got stuck with NetWeaver as the web application server.
After spending close to a day of my customer's time on this without getting it to work, I posted this forum message:
—————– Forum Post —————————-
However, when I use the same BOE/CMC imported earlier into the portal I get the error:
Account Information Not Recognized: Active Directory Authentication failed to log you on. Please contact your system administrator to make sure you are a member of a valid mapped group and try again. If you are not a member of the default domain, enter your user name as UserName@DNS_DomainName, and then try again. (FWM 00006)
So Tomcat obviously understands the Kerberos authentication. I have made sure the same server principal name and AD administrator credentials are in use by Tomcat and the portal; both use SAPService<SID>.
Any tips as to what I need to do to get Windows AD authentication working to BOE/CMC from an NW7.3 portal? Do I need to re-import the BOE deployment?
Unfortunately the available notes say almost nothing about how to get NW7 working as the web application server, so I placed a service call with SAP about the problem. Days later I got the response that an unpublished internal note, 1852377, describes the solution. I had got 95% of the way there but had not performed the sub-node configuration in the NW config tool.
Whilst I cannot republish that note, I will post my solution (sanitized of customer details), which covers much the same ground as 1852377.
Step 0. Ensure service principal names for Kerberos
You may need setspn -A to register your service principal names; a full treatment is beyond the scope of this blog. Two things to check before going further: each SPN must be registered to exactly one account (a duplicate SPN breaks Kerberos for both accounts), and the same SPN must be the one configured in the CMC. Here is a sanitized list of principal names registered to the service owner (which is more than is needed):
Step 1. Create your Kerberos configuration file
You will need a krb5.ini file, built as described in the notes above, in C:\windows. I copied mine from a Tomcat configuration I already had working.
Step 2. Add the Kerberos login module in NetWeaver Administrator
You will need to add the Krb5 login module in NWA at http://theportalserver.com:50200/nwa
Configuration -> Authentication and Single Sign-On -> "Login Modules" tab
Create a module with the display name Krb5LoginModule and the class name com.sun.security.auth.module.Krb5LoginModule
Then on the "Components" tab create a custom configuration called com.businessobjects.security.jgss.initiate (the name must match exactly; it is the JAAS entry the BusinessObjects SDK looks up)
Choose the authentication stack tab in the lower pane and add the login module Krb5LoginModule with the flag REQUIRED
Don't forget to save 🙂
Step 3. Add the Java option using the SAP Java config tool
I found it is best to do this during downtime of the NW portal.
Call configtool.bat from usr\sap\<SID>\J<id>\j2ee\configtool
I normally choose expert mode.
Choose the instance, then the "VM Parameters" tab.
Choose the "System" tab and click New.
Add the name java.security.krb5.conf with the value C:\windows\krb5.ini (this is the standard JVM system property that tells the Krb5 login module where its configuration lives).
Choose File -> Apply changes.
Step 4. Add the sub-node for the com.businessobjects.security.jgss.initiate policy
Continuing in the config tool:
Choose Tools -> Configuration editor
Choose Edit mode.
Under the com.businessobjects.security.jgss.initiate policy configuration node created in Step 2, add a "Value-Entry" named create_security_session with the value false. This was the step missing from my first attempt and the one the internal note supplies.
Step 5. Restart the NW Portal
For me it just worked first time, so I have no troubleshooting validation to offer other than: check your syntax at every step.
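For context, the stack you build in NWA in Step 2 is the NetWeaver equivalent of the bscLogin.conf entry that the Tomcat setup in note 1631734 uses, `com.businessobjects.security.jgss.initiate { com.sun.security.auth.module.Krb5LoginModule required; };`, and the Java option in Step 3 is the standard JVM property that tells that module where the Kerberos configuration is. Most failures I have seen with this kind of setup are in the prerequisites from Steps 0 and 1 rather than in NWA itself, so it is worth checking them before the restart. The PowerShell script below is an added example written for this post; it is not from SAP, note 1852377 or note 1631734. It generates a minimal krb5.ini, verifies the KDC answers on TCP 88, lists the SPNs registered to the service account, and runs setspn -X for duplicates. The realm, KDC, account and SPN values are placeholders, and the BOBJCentralMS SPN format is assumed to match what is configured in the CMC.

```powershell
# Kerberos pre-flight checks for BI4 on NetWeaver (Steps 0, 1 and 3 above).
# Added example for this post; all names below are placeholders.
param(
    [string]$Realm          = 'CORP.EXAMPLE.COM',                     # assumption: AD domain, upper case
    [string]$Kdc            = 'dc01.corp.example.com',                # assumption: a domain controller
    [string]$ServiceAccount = 'svc-bobj',                             # assumption: account owning the SPNs
    [string]$ExpectedSpn    = 'BOBJCentralMS/bobj.corp.example.com',  # assumption: SPN configured in the CMC
    [string]$Krb5Path       = (Join-Path $env:SystemRoot 'krb5.ini'),
    [switch]$WriteKrb5      # only write krb5.ini when asked; never silently clobber a working file
)

function New-Krb5Ini {
    # Minimal krb5.ini for the JVM. The realm is case-sensitive and must be upper case.
    # Encryption types are deliberately left to the JVM defaults: do not pin rc4-hmac (a weak
    # legacy cipher). If the service account and JVM support AES, prefer aes256-cts-hmac-sha1-96
    # (older JVMs also need the unlimited-strength JCE policy files for AES-256).
    # udp_preference_limit = 1 forces TCP, which avoids truncated replies for large AD tickets.
    param([string]$Realm, [string]$Kdc)
    $domain = $Realm.ToLower()
    @"
[libdefaults]
default_realm = $Realm
dns_lookup_kdc = true
dns_lookup_realm = true
udp_preference_limit = 1

[realms]
$Realm = {
  kdc = $Kdc
  default_domain = $domain
}

[domain_realm]
.$domain = $Realm
$domain = $Realm
"@
}

function Test-KdcReachable {
    # Plain TCP connect to the KDC port; a firewall between the portal host and the DC is a common cause.
    param([string]$Kdc, [int]$Port = 88, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($Kdc, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs)) { return $false }
        $client.EndConnect($async)
        return $true
    } catch { return $false }
    finally { $client.Close() }
}

function Get-RegisteredSpns {
    # Parses 'setspn -L <account>': SPN lines are indented, the header line is not.
    param([string]$Account)
    $out = & setspn.exe -L $Account 2>&1
    if ($LASTEXITCODE -ne 0) { throw "setspn -L $Account failed: $out" }
    $out | Where-Object { $_ -match '^\s+\S+/\S+' } | ForEach-Object { $_.Trim() }
}

function Get-DuplicateSpnGroupCount {
    # 'setspn -X' scans the forest for SPNs registered on more than one account. A duplicate breaks
    # Kerberos for both accounts (the KDC may encrypt the ticket with the wrong key) and is a classic
    # cause of an otherwise unexplained logon failure. Returns -1 if the summary line was not found.
    $out = & setspn.exe -X 2>&1
    foreach ($line in $out) {
        if ($line -match 'found (\d+) group') { return [int]$Matches[1] }
    }
    return -1
}

$ok = $true

Write-Host "== krb5.ini ($Krb5Path)"
$ini = New-Krb5Ini -Realm $Realm -Kdc $Kdc
if ($WriteKrb5) {
    Set-Content -Path $Krb5Path -Value $ini -Encoding Ascii   # plain ASCII, no BOM
    Write-Host "wrote $Krb5Path"
} elseif (-not (Test-Path $Krb5Path)) {
    Write-Host "missing; re-run with -WriteKrb5 to create it from:"; Write-Host $ini; $ok = $false
} else {
    $m = Select-String -Path $Krb5Path -Pattern '^\s*default_realm\s*=\s*(\S+)' | Select-Object -First 1
    $found = if ($m) { $m.Matches[0].Groups[1].Value } else { '' }
    if ($found -cne $Realm) { Write-Host "default_realm is '$found', expected '$Realm' (case matters)"; $ok = $false }
}

Write-Host "== KDC ${Kdc}:88"
if (Test-KdcReachable -Kdc $Kdc) { Write-Host "reachable" } else { Write-Host "NOT reachable on TCP 88"; $ok = $false }

Write-Host "== SPNs registered to $ServiceAccount"
$spns = @(Get-RegisteredSpns -Account $ServiceAccount)
$spns | ForEach-Object { Write-Host "  $_" }
if ($spns -notcontains $ExpectedSpn) {
    Write-Host "expected SPN not registered; fix with: setspn -A $ExpectedSpn $ServiceAccount"; $ok = $false
}
$dups = Get-DuplicateSpnGroupCount
if ($dups -ne 0) { Write-Host "setspn -X reported $dups duplicate SPN group(s) (or could not be parsed); resolve first"; $ok = $false }

if ($ok) { Write-Host "pre-flight OK: proceed with Steps 2 to 5"; exit 0 } else { exit 1 }
```

Run it from an elevated prompt on the portal host (writing to C:\windows and querying setspn -X need the rights to do so). The realm check is case-sensitive on purpose: a lower-case default_realm is the single most common reason a copied krb5.ini that "looks right" still yields a logon failure.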
b) Then follow this blog or note 1852377