
Kerberos is an authentication mechanism in which no passwords are transmitted over the network. Instead, the server relies on a trusted ticket issued by a ticket-granting server, which the client sends along with its request to the server.

To enable Kerberos-based authentication for the Mobi iOS application, a few simple steps must be carried out on both the iOS device and the Mobile server. Below we outline what these steps are and how to perform them.

 

Supported on SAP BusinessObjects Mobile 6.3 onwards (iOS only)

Supported on SAP BI Platform 4.1 (SP07 onwards) and 4.2 (SP02 onwards)

 

(Note: This entire document assumes that the BI Platform is configured for Kerberos-based authentication. Kerberos SSO is supported only for normal BOE connections from mobile. Connections involving SUP and SMP are not supported.)

 

Configuring the WinAD Machine

Starting with iOS 10, only Constrained Credential Delegation is supported, so the WinAD machine must be configured to support it. If your organization has users on iOS 10 devices, this step is mandatory.

Note that Constrained Credential Delegation works with iOS 9 as well, so it is best to set it up even if there are no iOS 10 users.

* Open Active Directory Users and Computers.
* Choose the SAP BusinessObjects service account. Right-click it and open “Properties”.
* Open the “Delegation” tab from properties.
* By default, the option selected would be “Trust this user for delegation to any service (Kerberos only)”. Change it to the 3rd option: “Trust this user for delegation to specified services only”. Choose the option “Use Kerberos only” under it. Now click the “Add” button to add the specified service types.
* In the “Add Services” window, click the “Users or Computers” button.
* Enter the service account name in the text area “Enter object names to select” and click the “Check Names” button. This will add the service account name in the format below. Finish by clicking “OK”. Format: service_account_name (logon name for service account)
* Click “Select All” and “OK”. This will choose all service types for the specified “Users or Computers”.
* Finally, click “Apply” and “OK” to apply the changes to the service account.

(The above steps change the delegation to constrained delegation for the service account.)

Configuring the iOS Device

 

On iOS, Kerberos is controlled by a configuration profile that tells the iOS framework how Kerberos tickets should be handled. This profile can be installed from any MDM tool. If you do not have an MDM tool, you can host the file on any application server and open the link in the Safari browser. iOS will automatically detect it as a Kerberos SSO profile and show the installation screen. The configuration profile should have a .mobileconfig extension. Let us look at a sample configuration profile and check which values need to be updated.

 

    <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
    <plist version="1.0">
    <dict>
      <key>PayloadContent</key>
      <array>
        <dict>
          <key>PayloadDisplayName</key>
          <string>SSO Settings</string>
          <key>PayloadType</key>
          <string>com.apple.sso</string>
          <key>PayloadVersion</key>
          <integer>1</integer>
          <key>PayloadUUID</key>
          <string>d3fe4709-0cc6-4f51-afed-839c6ab1451c</string>
          <key>PayloadIdentifier</key>
          <string>com.sap.example.sso</string>
          <key>Name</key>
          <string>username@EXAMPLE.COM</string>
          <key>Kerberos</key>
          <dict>
            <key>PrincipalName</key>
            <string>username</string>
            <key>Realm</key>
            <string>EXAMPLE.COM</string>
            <key>URLPrefixMatches</key>
            <array>
              <string>https://example.com/</string>
              <string>https://example.com:443/</string>
            </array>
            <key>AppIdentifierMatches</key>
            <array>
              <string>com.apple.mobilesafari</string>
              <string>com.sap.*</string>
            </array>
          </dict>
        </dict>
      </array>
      <key>PayloadOrganization</key>
      <string>SAP</string>
      <key>PayloadDisplayName</key>
      <string>SSO for SAP</string>
      <key>PayloadVersion</key>
      <integer>1</integer>
      <key>PayloadUUID</key>
      <string>f4544183-fc96-495f-a384-435cdb66e5b9</string>
      <key>PayloadIdentifier</key>
      <string>com.sap.example.sso.profile</string>
      <key>PayloadDescription</key>
      <string>SSO Configuration profile</string>
      <key>PayloadType</key>
      <string>Configuration</string>
    </dict>
    </plist>

 

 

Attribute – Value

PayloadDisplayName – Do not modify this string. Leave it as it is.

PayloadType – Do not modify this string. Leave it as it is.

PayloadVersion – Do not modify this string. Leave it as it is.

PayloadUUID – This should be a unique ID, which can be generated from the following website: https://guidgenerator.com/

PayloadIdentifier – This should be modified so that it reflects your company domain. Example: com.<your company name>.mobi.sso

Name – Any name for the profile which you are creating.

PrincipalName – The WinAD user name with which the Kerberos login happens.

Realm – This should be the Kerberos realm. In the case of Active Directory, that’s usually going to be an AD domain.

URLPrefixMatches – This is the URL to which iOS will append the service ticket. It can have multiple entries. At least one of these entries should be of the following format: http://<Host Name FQDN>:<Port> of the Mobile Server. FQDN is the fully qualified domain name.

AppIdentifierMatches – This is the list of applications which are eligible to use Kerberos-based authentication. No changes are to be made here, since we already have com.sap.*, which includes the Mobi iOS application, for which the app ID is com.sap.mobi.

PayloadOrganization – Your organization name.

PayloadDisplayName – Name for this SSO payload. Any string can be given here.

PayloadVersion – Do not modify this string. Leave it as it is.

PayloadUUID – This should be a unique ID, which can be generated from the following website: https://guidgenerator.com/

PayloadIdentifier – This should be modified so that it reflects your company domain. Example: com.<your company name>.mobi.sso.profile

PayloadDescription – Any description of the payload profile.

PayloadType – Do not modify this string. Leave it as it is.

 

 

This configuration profile must be modified carefully before deploying, since it is the single source that tells iOS how and when to append the Kerberos service ticket. Utmost care should be taken while providing values for Name, PrincipalName, Realm and URLPrefixMatches.

 

 

Configuring the Import Connection Server

SSO connections in SAP BusinessObjects Mobile can be set up only using the Import server URL. The following connection configuration needs to be done on the MOBI configuration server (MOBIServer) in the server.properties file.


SSO_Kerberos.DisplayName – This can be any string; it will be your connection name.

SSO_Kerberos.BOBJ_MOBILE_URL – This is the mobile server URL. The URL given here and the URL given in the URLPrefixMatches of the iOS configuration profile described in the previous section must be the same. (URLs should be FQDN*)

SSO_Kerberos.BOBJ_MOBILE_CMS – This should be the CMS cluster name or the FQDN hostname running the BI Platform CMS.

SSO_Kerberos.BOBJ_MOBILE_SSO_ENABLED – Do not change the value. Let it be true.

SSO_Kerberos.BOBJ_MOBILE_SSO_TYPE – Do not change the value. Let it be kerberos.
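
The rules above (the Mobile server URL must be covered by URLPrefixMatches, hosts must be FQDNs, and the payload types and SSO flags keep their fixed values) can be checked before the profile is deployed. The following Python check is an added example, not part of the original post or of SAP's tooling; the function names, the host mobi.example.com, the URL path and the UUIDs are assumptions constructed for illustration.

```python
import plistlib
import uuid
from fnmatch import fnmatchcase
from urllib.parse import urlsplit

# Constructed sample profile: host, realm and UUIDs are placeholders.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0"><dict>
  <key>PayloadContent</key>
  <array><dict>
    <key>PayloadType</key><string>com.apple.sso</string>
    <key>PayloadUUID</key><string>11111111-2222-4333-8444-555555555555</string>
    <key>Kerberos</key>
    <dict>
      <key>PrincipalName</key><string>username</string>
      <key>Realm</key><string>EXAMPLE.COM</string>
      <key>URLPrefixMatches</key>
      <array><string>http://mobi.example.com:8080/</string></array>
      <key>AppIdentifierMatches</key>
      <array><string>com.sap.*</string></array>
    </dict>
  </dict></array>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadUUID</key><string>66666666-7777-4888-8999-aaaaaaaaaaaa</string>
</dict></plist>"""

# Constructed server.properties fragment using the key names from this page.
SAMPLE_SERVER_PROPERTIES = """\
SSO_Kerberos.DisplayName=Kerberos SSO
SSO_Kerberos.BOBJ_MOBILE_URL=http://mobi.example.com:8080/MobileBIService/MessageHandlerServlet
SSO_Kerberos.BOBJ_MOBILE_CMS=cms.example.com
SSO_Kerberos.BOBJ_MOBILE_SSO_ENABLED=true
SSO_Kerberos.BOBJ_MOBILE_SSO_TYPE=kerberos
"""


def parse_properties(text):
    """Parse key=value lines, skipping blanks and # comments."""
    pairs = (l.split("=", 1) for l in text.splitlines()
             if "=" in l and not l.lstrip().startswith("#"))
    return {k.strip(): v.strip() for k, v in pairs}


def url_parts(url):
    """Return (scheme, host, port, path) with default ports filled in."""
    u = urlsplit(url)
    port = u.port or {"http": 80, "https": 443}.get(u.scheme)
    return u.scheme.lower(), (u.hostname or "").lower(), port, u.path or "/"


def is_uuid(value):
    try:
        uuid.UUID(str(value))
        return True
    except ValueError:
        return False


def check_sso_config(profile_bytes, properties_text, prefix="SSO_Kerberos", app_id="com.sap.mobi"):
    """Return a list of findings; an empty list means the two files agree."""
    findings = []
    profile = plistlib.loads(profile_bytes)
    props = parse_properties(properties_text)
    if profile.get("PayloadType") != "Configuration":
        findings.append("outer PayloadType must stay 'Configuration'")
    sso = [p for p in profile.get("PayloadContent", []) if p.get("PayloadType") == "com.apple.sso"]
    if not sso:
        return findings + ["no com.apple.sso payload in profile"]
    payload, kerberos = sso[0], sso[0].get("Kerberos", {})
    ids = [profile.get("PayloadUUID"), payload.get("PayloadUUID")]
    if not all(is_uuid(i) for i in ids) or ids[0] == ids[1]:
        findings.append("PayloadUUID values must be valid and distinct")
    if not kerberos.get("Realm"):
        findings.append("Kerberos Realm is empty")
    prefixes = kerberos.get("URLPrefixMatches", [])
    for p in prefixes:
        if "." not in url_parts(p)[1]:
            findings.append(f"URLPrefixMatches entry is not an FQDN: {p}")
    server_url = props.get(f"{prefix}.BOBJ_MOBILE_URL", "")
    server = url_parts(server_url)
    if "." not in server[1]:
        findings.append(f"BOBJ_MOBILE_URL host is not an FQDN: {server_url}")
    # The ticket is only attached to URLs that start with a listed prefix:
    # scheme, host and port must be equal and the path must extend the prefix path.
    covered = any(url_parts(p)[:3] == server[:3] and server[3].startswith(url_parts(p)[3])
                  for p in prefixes)
    if not covered:
        findings.append("BOBJ_MOBILE_URL is not covered by any URLPrefixMatches entry")
    for key, want in (("BOBJ_MOBILE_SSO_ENABLED", "true"), ("BOBJ_MOBILE_SSO_TYPE", "kerberos")):
        if props.get(f"{prefix}.{key}") != want:
            findings.append(f"{key} must be {want}")
    apps = kerberos.get("AppIdentifierMatches", [])
    if apps and not any(fnmatchcase(app_id, pattern) for pattern in apps):
        findings.append(f"AppIdentifierMatches does not cover {app_id}")
    return findings
```

Call check_sso_config with the bytes of the .mobileconfig file and the text of server.properties; each returned string names one mismatch to fix before the profile is pushed to devices.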

 

Configuring the Mobile Server

Last but not least, the mobile server must be enabled for Kerberos-based authentication. You will need to carry out the following three steps in order:

* Stop the Tomcat server.

* Modify sso.properties, authscheme.properties and web.xml.

* Clean start the Tomcat server.

Let us see the changes to be made for the three files mentioned above.

 

Changes for sso.properties

 


  1. Uncomment default.cms.identifier and assign it the value 1
  2. Uncomment aliases and give it the value which you gave for SSO_Kerberos.BOBJ_MOBILE_CMS described in the previous section.
  3. Uncomment authentication.scheme and assign it the value KERBEROS.

 

Changes for authscheme.properties

/wp-content/uploads/2015/12/authescheme_802836.png

Uncomment the KERBEROS property as highlighted in the above image. 

Configuring web.xml

Replace the web.xml which exists in MobileBIService with the attached web.xml file. (Make sure you pick the XML that is suitable for you; we have one for 4.1 and one for 4.2.) A few of the parameters, shown below, should be given values which are specific to your environment.

    <init-param>
        <param-name>sso.enabled</param-name>
        <param-value>true</param-value>
    </init-param>

    <init-param>
        <param-name>siteminder.enabled</param-name>
        <param-value>false</param-value>
    </init-param>

    <init-param>
        <param-name>vintela.enabled</param-name>
        <param-value>true</param-value>
    </init-param>

    <init-param>
        <param-name>idm.realm</param-name>
        <param-value>{your-realm-name-here}</param-value>
    </init-param>

    <init-param>
        <param-name>idm.princ</param-name>
        <param-value>{your-principal-name-here}</param-value>
    </init-param>

    <init-param>
        <param-name>idm.allowUnsecured</param-name>
        <param-value>true</param-value>
    </init-param>

    <init-param>
        <param-name>idm.allowNTLM</param-name>
        <param-value>false</param-value>
    </init-param>

    <init-param>
        <param-name>idm.logger.name</param-name>
        <param-value>simple</param-value>
    </init-param>

    <init-param>
        <param-name>idm.logger.props</param-name>
        <param-value>error-log.properties</param-value>
    </init-param>

The values for each of these keys can be found in global.properties, which is created when setting up the BI Platform with Kerberos. global.properties can be found under installation folder\tomcat\webapps\BOE\WEB-INF\config\custom\global.properties.

Note: If you have made the changes described in the first section of the blog to enable Constrained Credential Delegation, then you must also add the following configuration to the web.xml to make sure the mobile server can work with your WinAD machine.

<init-param>
      <param-name>idm.allowS4U</param-name>
      <param-value>true</param-value>
</init-param>
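
After editing web.xml, the KerberosFilter parameters can be verified against global.properties before Tomcat is restarted. The following Python check is an added example, not part of the original post or of SAP's tooling; the function names, the constrained_delegation switch and the sample realm and principal are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Values this page gives for the KerberosFilter init-params that are not site-specific.
FIXED = {"sso.enabled": "true", "siteminder.enabled": "false",
         "vintela.enabled": "true", "idm.allowNTLM": "false"}

# Constructed web.xml fragment: idm.realm is still the template placeholder
# and idm.allowS4U has not been added.
SAMPLE_WEB_XML = """<web-app id="MobileBIService" version="2.4" xmlns="http://java.sun.com/xml/ns/j2ee">
  <filter>
    <filter-name>KerberosFilter</filter-name>
    <filter-class>com.businessobjects.mobilebi.server.filters.KerberosFilter</filter-class>
    <init-param><param-name>sso.enabled</param-name><param-value>true</param-value></init-param>
    <init-param><param-name>siteminder.enabled</param-name><param-value>false</param-value></init-param>
    <init-param><param-name>vintela.enabled</param-name><param-value>true</param-value></init-param>
    <init-param><param-name>idm.realm</param-name><param-value>{your-realm-name-here}</param-value></init-param>
    <init-param><param-name>idm.princ</param-name><param-value>bo.service</param-value></init-param>
    <init-param><param-name>idm.allowNTLM</param-name><param-value>false</param-value></init-param>
  </filter>
</web-app>"""

# Constructed global.properties fragment (placeholder realm and principal).
SAMPLE_GLOBAL_PROPERTIES = """\
idm.realm=EXAMPLE.COM
idm.princ=bo.service
"""


def kerberos_filter_params(web_xml):
    """Return {param-name: param-value} for the filter named KerberosFilter, or None."""
    root = ET.fromstring(web_xml)
    # "{*}" matches the element in any namespace (web.xml uses the j2ee namespace).
    for flt in root.iterfind(".//{*}filter"):
        if (flt.findtext("{*}filter-name") or "").strip() != "KerberosFilter":
            continue
        return {(p.findtext("{*}param-name") or "").strip():
                (p.findtext("{*}param-value") or "").strip()
                for p in flt.iterfind("{*}init-param")}
    return None


def check_web_xml(web_xml, global_properties, constrained_delegation=False):
    """Return a list of findings for the KerberosFilter section of web.xml."""
    params = kerberos_filter_params(web_xml)
    if params is None:
        return ["no KerberosFilter defined in web.xml"]
    findings = []
    for name, want in FIXED.items():
        if params.get(name) != want:
            findings.append(f"{name} should be {want}, found {params.get(name)!r}")
    # The attached template ships with {your-...-here} placeholders for these two.
    for name in ("idm.realm", "idm.princ"):
        value = params.get(name, "")
        if not value or (value.startswith("{") and value.endswith("}")):
            findings.append(f"{name} is unset or still the template placeholder")
    # The page says the values come from global.properties, so they should agree.
    reference = dict(line.split("=", 1) for line in global_properties.splitlines()
                     if "=" in line and not line.lstrip().startswith("#"))
    for name, want in reference.items():
        name, want = name.strip(), want.strip()
        if name in params and params[name] != want:
            findings.append(f"{name} differs from global.properties ({want})")
    # Needed only when the service account was switched to constrained delegation.
    if constrained_delegation and params.get("idm.allowS4U") != "true":
        findings.append("idm.allowS4U must be true when constrained delegation is configured")
    return findings


if __name__ == "__main__":
    for finding in check_web_xml(SAMPLE_WEB_XML, SAMPLE_GLOBAL_PROPERTIES, True) or ["OK"]:
        print(finding)
```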

 

Changes to Web.xml for Lumira 2.0 add on

If you have installed the Lumira 2.0 add-on, then a few more modifications are needed to the attached web.xml (irrespective of whether the XML is for 4.1 or 4.2).

  1. Find the line “<servlet-class>com.businessobjects.mobilebi.server.addon.ProxyZenServlet</servlet-class>” and replace it with “<servlet-class>com.businessobjects.lumirastudio.mobi.ZenMobiServlet</servlet-class>”
  2. Find the line “<servlet-class>com.businessobjects.mobilebi.server.addon.ProxyUI5ResourceServlet</servlet-class>” and replace it with “<servlet-class>com.businessobjects.lumirastudio.mobi.ZenUI5ResourceProxyServlet</servlet-class>”
  3. Add the following at the end of the XML file, just before the </web-app> tag:

    <servlet-mapping>
        <servlet-name>LumxNativeServlet</servlet-name>
        <url-pattern>/lumx</url-pattern>
    </servlet-mapping>
    <servlet>
        <servlet-name>LumxNativeServlet</servlet-name>
        <servlet-class>com.sap.teamserver.mobile.addon.LimoRequestHandler</servlet-class>
    </servlet>
    <servlet-mapping>
        <servlet-name>LumiraHTMLServlet</servlet-name>
        <url-pattern>/zen/view.do</url-pattern>
    </servlet-mapping>
    <servlet>
        <servlet-name>LumiraHTMLServlet</servlet-name>
        <servlet-class>com.businessobjects.lumirastudio.mobi.LumiraHTMLMobiServlet</servlet-class>
    </servlet>
    <servlet-mapping>
        <servlet-name>PJSServlet</servlet-name>
        <url-pattern>/sap/lumira/prompt</url-pattern>
    </servlet-mapping>
    <servlet-mapping>
        <servlet-name>PJSServlet</servlet-name>
        <url-pattern>/sap/service/*</url-pattern>
    </servlet-mapping>
    <servlet>
        <servlet-name>PJSServlet</servlet-name>
        <servlet-class>com.businessobjects.teamserver.servlet.DispatcherServlet</servlet-class>
    </servlet>
    <servlet-mapping>
        <servlet-name>VizExtBundleServlet</servlet-name>
        <url-pattern>/sap/vizext/*</url-pattern>
    </servlet-mapping>
    <servlet>
        <servlet-name>VizExtBundleServlet</servlet-name>
        <servlet-class>com.businessobjects.teamserver.servlet.VizExtBundleServlet</servlet-class>
    </servlet>

Troubleshooting and Help

https://developer.apple.com/library/ios/featuredarticles/iPhoneConfigurationProfileRef/Introduction/Introduction.html

  • Kerberos SSO does not seem to work on iPad – This might be due to a variety of reasons, but it would be good to check the following few things on the device before investigating further.

The user’s DNS server settings must include the details of the DNS server from which the ticket-granting server needs to provide the ticket to the iPad. This includes adding the entries in DNS and Search Domains under the IP address settings of the connected Wi-Fi network.

If you get a Username/Password Authentication popup while trying to connect to a Kerberos connection, try restarting the iPad, since the profile installed on the iPad requires a restart at times.

 

 

Attachments

4.1 Web.xml

<?xml version="1.0" encoding="utf-8"?>
<web-app  id="MobileBIService" version="2.4" xmlns="http://java.sun.com/xml/ns/j2ee"
	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
	xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd">

    <display-name>MobileBIService</display-name>
    <context-param>
        <description>This is The Version of Mobile Server</description>
        <param-name>internal.version</param-name>
        <param-value>4.0</param-value>
    </context-param>
     <context-param>
        <param-name>enable.pnr</param-name>
        <param-value>true</param-value>
    </context-param>
    <context-param>
        <param-name>mobile.server.configuration.location</param-name>
        <param-value>boe</param-value>
    </context-param>
    
    <filter>
        <filter-name>RequestResponseFilter</filter-name>
        <filter-class>com.businessobjects.mobilebi.server.filters.RequestResponseFilter</filter-class>
    </filter>
    <!-- 
    <filter>
        <filter-name>CustomFilter</filter-name>
        <filter-class>com.businessobjects.mobilebi.server.filters.CustomFilter</filter-class>
    </filter> 
    -->
    <filter>
        <filter-name>AuthFilter</filter-name>
        <filter-class>com.businessobjects.mobilebi.server.filters.AuthFilter</filter-class>
    </filter>
	<filter>
		<filter-name>CompressionFilter</filter-name>
		<filter-class>com.businessobjects.datadiscovery.web.servletfilters.CompressionFilter</filter-class>
		<init-param>
			<param-name>ignoredContentType</param-name>
			<param-value>flash</param-value>
		</init-param>
	</filter>
	<filter>
    <filter-name>KerberosFilter</filter-name>
    <filter-class>com.businessobjects.mobilebi.server.filters.KerberosFilter</filter-class>
    <init-param>
    	<param-name>sso.enabled</param-name>
    	<param-value>true</param-value>
    </init-param>
      <init-param>
    	<param-name>siteminder.enabled</param-name>
    	<param-value>false</param-value>
    </init-param>
      <init-param>
    	<param-name>vintela.enabled</param-name>
    	<param-value>true</param-value>
    </init-param>
      <init-param>
    	<param-name>idm.realm</param-name>
    	<param-value>CIETEAM.COM</param-value>
    </init-param>
      <init-param>
    	<param-name>idm.princ</param-name>
    	<param-value>biservice02224</param-value>
    </init-param>
      <init-param>
    	<param-name>idm.allowUnsecured</param-name>
    	<param-value>true</param-value>
    </init-param>
      <init-param>
    	<param-name>idm.allowNTLM</param-name>
    	<param-value>false</param-value>
    </init-param>
     <init-param>
    	<param-name>idm.logger.name</param-name>
    	<param-value>simple</param-value>
    </init-param>
     <init-param>
    	<param-name>idm.logger.props</param-name>
    	<param-value>error-log.properties</param-value>
    </init-param>
  </filter>
    <filter-mapping>
   <filter-name>KerberosFilter</filter-name>
    <servlet-name>VintelaServlet</servlet-name>
    <dispatcher>REQUEST</dispatcher>
    <dispatcher>FORWARD</dispatcher>
    <dispatcher>INCLUDE</dispatcher>
   </filter-mapping>
    <filter-mapping>
        <filter-name>RequestResponseFilter</filter-name>
        <servlet-name>MobiServlet</servlet-name>
        <dispatcher>REQUEST</dispatcher>
        <dispatcher>FORWARD</dispatcher>
    </filter-mapping>
    <!-- 
    <filter-mapping>
        <filter-name>CustomFilter</filter-name>
        <servlet-name>MobiServlet</servlet-name>
        <dispatcher>REQUEST</dispatcher>
        <dispatcher>FORWARD</dispatcher>
    </filter-mapping>
    -->
    <filter-mapping>
        <filter-name>AuthFilter</filter-name>
        <servlet-name>MobiServlet</servlet-name>
        <dispatcher>REQUEST</dispatcher>
        <dispatcher>FORWARD</dispatcher>
    </filter-mapping>
	<filter-mapping>
		<filter-name>CompressionFilter</filter-name>
		<servlet-name>ExplorerServlet</servlet-name>
		<dispatcher>REQUEST</dispatcher>
		<dispatcher>FORWARD</dispatcher>
	</filter-mapping>

    <listener>
        <listener-class>com.businessobjects.mobilebi.server.listeners.MobiListener</listener-class>
	</listener>
	<listener>
		<listener-class>com.businessobjects.datadiscovery.web.listeners.LoggingConfigurationListener</listener-class>
	</listener>
	<listener>
		<listener-class>com.businessobjects.datadiscovery.web.listeners.DataDiscoveryHttpSessionListener</listener-class>
    </listener>
   	<listener>
        <listener-class>com.sap.xcelsius.mobi.server.listener.XcelsiusListener</listener-class>
    </listener>

    <servlet>
        <servlet-name>MessageServlet</servlet-name>
        <servlet-class>com.businessobjects.mobilebi.server.controller.MessageServlet</servlet-class>
        <load-on-startup>1</load-on-startup>
    </servlet>
    <servlet>
        <servlet-name>MobiServlet</servlet-name>
        <servlet-class>com.businessobjects.mobilebi.server.http.MobiServlet</servlet-class>
        <load-on-startup>1</load-on-startup>
    </servlet>
    <servlet>
        <servlet-name>SupServlet</servlet-name>
        <servlet-class>com.businessobjects.mobilebi.server.http.SUPHandlerServlet</servlet-class>
        <load-on-startup>1</load-on-startup>
    </servlet>
    <servlet>
        <servlet-name>AgnosticServlet</servlet-name>
        <servlet-class>com.businessobjects.mobilebi.server.addon.AgnosticServlet</servlet-class>
        <load-on-startup>1</load-on-startup>
    </servlet>
	<servlet>
        <servlet-name>ZenServlet</servlet-name>
        <servlet-class>com.businessobjects.mobilebi.server.addon.ProxyZenServlet</servlet-class>
        <load-on-startup>1</load-on-startup>
    </servlet>
    <servlet>
        <servlet-name>LIMAServlet</servlet-name>
        <servlet-class>com.businessobjects.mobilebi.server.addon.ProxyLimaServlet</servlet-class>
        <load-on-startup>1</load-on-startup>
    </servlet>
    <servlet>
        <servlet-name>ResourceServlet</servlet-name>
        <servlet-class>com.businessobjects.mobilebi.server.addon.ProxyUI5ResourceServlet</servlet-class>
    </servlet>
    <servlet>
        <servlet-name>XcelsiusServlet</servlet-name>
        <servlet-class>com.sap.xcelsius.mobi.server.http.XcelsiusServlet</servlet-class>
        <load-on-startup>1</load-on-startup>
    </servlet>
    <servlet>
        <servlet-name>XcelsiusFileServlet</servlet-name>
        <servlet-class>com.sap.xcelsius.mobi.server.http.XcelsiusFileServlet</servlet-class>
        <load-on-startup>1</load-on-startup>
    </servlet>
    <servlet>
        <servlet-name>ExplorerServlet</servlet-name>
		<servlet-class>com.businessobjects.datadiscovery.web.servlets.CommandDispatcherServlet</servlet-class>
        <load-on-startup>1</load-on-startup>
    </servlet>
    <servlet>
        <servlet-name>ICrystalServlet</servlet-name>
        <servlet-class>com.sap.crystalreports.web.CrystalReportWebServlet</servlet-class>
        <load-on-startup>1</load-on-startup>
    </servlet>
 	<servlet>
    <servlet-name>LumiraServlet</servlet-name>
    <servlet-class>com.businessobjects.mobilebi.server.addon.LumiraProxyServlet</servlet-class>
  	</servlet>
  	 <servlet>
    <description>HandleKerberosLogon</description>
    <servlet-name>VintelaServlet</servlet-name>
    <servlet-class>com.businessobjects.mobilebi.server.http.VintelaServlet</servlet-class>
    </servlet>
    <servlet-mapping>
        <servlet-name>MessageServlet</servlet-name>
        <url-pattern>/MessageHandlerServlet</url-pattern>
    </servlet-mapping>
    <servlet-mapping>
        <servlet-name>SupServlet</servlet-name>
        <url-pattern>/SUP/*</url-pattern>
    </servlet-mapping>
    <servlet-mapping>
        <servlet-name>MobiServlet</servlet-name>
        <url-pattern>/mobi</url-pattern>
	</servlet-mapping>
	<servlet-mapping>
        <servlet-name>AgnosticServlet</servlet-name>
        <url-pattern>/agnostic</url-pattern>
    </servlet-mapping>
    <servlet-mapping>
        <servlet-name>ZenServlet</servlet-name>
        <url-pattern>/zen</url-pattern>
    </servlet-mapping>
    <servlet-mapping>
	    <servlet-name>ZenServlet</servlet-name>
        <url-pattern>/zen/*</url-pattern>
	</servlet-mapping>    
    <servlet-mapping>
        <servlet-name>ZenServlet</servlet-name>
        <url-pattern>/int.do</url-pattern>
    </servlet-mapping>
    <servlet-mapping>
        <servlet-name>ZenServlet</servlet-name>
        <url-pattern>/ZenServlet</url-pattern>
    </servlet-mapping>
    <servlet-mapping>
        <servlet-name>ZenServlet</servlet-name>
        <url-pattern>/ZenMobiServlet</url-pattern>
    </servlet-mapping>
    <servlet-mapping>
        <servlet-name>LIMAServlet</servlet-name>
        <url-pattern>/lima</url-pattern>
    </servlet-mapping>
    <servlet-mapping>
	    <servlet-name>LIMAServlet</servlet-name>
        <url-pattern>/lima/*</url-pattern>
	</servlet-mapping>    
	 <servlet-mapping>
        <servlet-name>ResourceServlet</servlet-name>
        <url-pattern>/resources/*</url-pattern>
    </servlet-mapping>
	<servlet-mapping>
        <servlet-name>XcelsiusServlet</servlet-name>
        <url-pattern>/xcelsius</url-pattern>
    </servlet-mapping>
    <servlet-mapping>
        <servlet-name>XcelsiusFileServlet</servlet-name>
        <url-pattern>/xcelsius/mxp/*</url-pattern>
    </servlet-mapping>
    <servlet-mapping>
        <servlet-name>ExplorerServlet</servlet-name>
        <url-pattern>/explorer</url-pattern>
    </servlet-mapping>
    <servlet-mapping>
        <servlet-name>ICrystalServlet</servlet-name>
        <url-pattern>/icrystal</url-pattern>
    </servlet-mapping>
	<servlet-mapping>
    <servlet-name>LumiraServlet</servlet-name>
    <url-pattern>/lumira</url-pattern>
  	</servlet-mapping>
  	  <servlet-mapping>
    <servlet-name>VintelaServlet</servlet-name>
    <url-pattern>/VintelaServlet</url-pattern>
  </servlet-mapping>
    <session-config>
        <session-timeout>60</session-timeout>
    </session-config>
</web-app>


4.2 Web.xml

<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://java.sun.com/xml/ns/j2ee" xmlns:javaee="http://java.sun.com/xml/ns/javaee" xmlns:web="http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd" xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd" id="MobileBIService" version="2.4">
  <display-name>MobileBIService</display-name>
  <context-param>
    <description>This is The Version of Mobile Server</description>
    <param-name>internal.version</param-name>
    <param-value>4.0</param-value>
  </context-param>
  <context-param>
    <param-name>mobile.server.configuration.location</param-name>
    <param-value>boe</param-value>
  </context-param>
  <context-param>
    <param-name>enable.pnr</param-name>
    <param-value>false</param-value>
  </context-param>
  <filter>
    <filter-name>RequestResponseFilter</filter-name>
    <filter-class>com.businessobjects.mobilebi.server.filters.RequestResponseFilter</filter-class>
  </filter>
  <filter>
    <filter-name>AuthFilter</filter-name>
    <filter-class>com.businessobjects.mobilebi.server.filters.AuthFilter</filter-class>
  </filter>
  <filter>
    <filter-name>CompressionFilter</filter-name>
    <filter-class>com.businessobjects.datadiscovery.web.servletfilters.CompressionFilter</filter-class>
    <init-param>
      <param-name>ignoredContentType</param-name>
      <param-value>flash</param-value>
    </init-param>
  </filter>
  <filter>
    <filter-name>KerberosFilter</filter-name>
    <filter-class>com.businessobjects.mobilebi.server.filters.KerberosFilter</filter-class>
    
      
    <init-param>
    	<param-name>sso.enabled</param-name>
    	<param-value>true</param-value>
    </init-param>
    <init-param>
    	<param-name>siteminder.enabled</param-name>
    	<param-value>false</param-value>
    </init-param>
      <init-param>
    	<param-name>vintela.enabled</param-name>
    	<param-value>true</param-value>
    </init-param>
      <init-param>
    	<param-name>idm.realm</param-name>
    	<param-value>CIETEAM.COM</param-value>
    </init-param>
      <init-param>
    	<param-name>idm.princ</param-name>
    	<param-value>BOEXI40SIADEWDFWADEPT1514/bo.service.CIETEAM.COM</param-value>
    </init-param>
      <init-param>
    	<param-name>idm.allowUnsecured</param-name>
    	<param-value>true</param-value>
    </init-param>
      <init-param>
    	<param-name>idm.allowNTLM</param-name>
    	<param-value>false</param-value>
    </init-param>
     <init-param>
    	<param-name>idm.logger.name</param-name>
    	<param-value>simple</param-value>
    </init-param>
	<init-param>
    	<param-name>idm.logger.props</param-name>
    	<param-value>error-log.properties</param-value>
    </init-param> 
    
  </filter>
  <filter-mapping>
   <filter-name>KerberosFilter</filter-name>
    <servlet-name>VintelaServlet</servlet-name>
    <dispatcher>REQUEST</dispatcher>
    <dispatcher>FORWARD</dispatcher>
	<dispatcher>INCLUDE</dispatcher>
   </filter-mapping>
   <filter-mapping>
    <filter-name>RequestResponseFilter</filter-name>
    <servlet-name>MobiServlet</servlet-name>
    <dispatcher>REQUEST</dispatcher>
    <dispatcher>FORWARD</dispatcher>
  </filter-mapping>
  <filter-mapping>
    <filter-name>AuthFilter</filter-name>
    <servlet-name>MobiServlet</servlet-name>
    <dispatcher>REQUEST</dispatcher>
    <dispatcher>FORWARD</dispatcher>
  </filter-mapping>
  <filter-mapping>
    <filter-name>CompressionFilter</filter-name>
    <servlet-name>ExplorerServlet</servlet-name>
    <dispatcher>REQUEST</dispatcher>
    <dispatcher>FORWARD</dispatcher>
  </filter-mapping>
  <listener>
    <listener-class>com.businessobjects.mobilebi.server.listeners.MobiListener</listener-class>
  </listener>
  <listener>
    <listener-class>com.businessobjects.datadiscovery.web.listeners.LoggingConfigurationListener</listener-class>
  </listener>
  <listener>
    <listener-class>com.businessobjects.datadiscovery.web.listeners.DataDiscoveryHttpSessionListener</listener-class>
  </listener>
  <listener>
    <listener-class>com.sap.xcelsius.mobi.server.listener.XcelsiusListener</listener-class>
  </listener>
  <servlet>
    <servlet-name>MessageServlet</servlet-name>
    <servlet-class>com.businessobjects.mobilebi.server.controller.MessageServlet</servlet-class>
    <load-on-startup>1</load-on-startup>
  </servlet>
  <servlet>
    <servlet-name>MobiServlet</servlet-name>
    <servlet-class>com.businessobjects.mobilebi.server.http.MobiServlet</servlet-class>
    <load-on-startup>1</load-on-startup>
  </servlet>
  <servlet>
    <servlet-name>SupServlet</servlet-name>
    <servlet-class>com.businessobjects.mobilebi.server.http.SUPHandlerServlet</servlet-class>
    <load-on-startup>1</load-on-startup>
  </servlet>
  <servlet>
    <servlet-name>AgnosticServlet</servlet-name>
    <servlet-class>com.businessobjects.mobilebi.server.addon.AgnosticServlet</servlet-class>
    <load-on-startup>1</load-on-startup>
  </servlet>
  <servlet>
    <servlet-name>ZenServlet</servlet-name>
    <servlet-class>com.businessobjects.mobilebi.server.addon.ProxyZenServlet</servlet-class>
    <load-on-startup>1</load-on-startup>
  </servlet>
  <servlet>
    <servlet-name>LIMAServlet</servlet-name>
    <servlet-class>com.businessobjects.mobilebi.server.addon.ProxyLimaServlet</servlet-class>
    <load-on-startup>1</load-on-startup>
  </servlet>
  <servlet>
    <servlet-name>ResourceServlet</servlet-name>
    <servlet-class>com.businessobjects.mobilebi.server.addon.ProxyUI5ResourceServlet</servlet-class>
  </servlet>
  <servlet>
    <servlet-name>XcelsiusServlet</servlet-name>
    <servlet-class>com.sap.xcelsius.mobi.server.http.XcelsiusServlet</servlet-class>
    <load-on-startup>1</load-on-startup>
  </servlet>
  <servlet>
    <servlet-name>XcelsiusFileServlet</servlet-name>
    <servlet-class>com.sap.xcelsius.mobi.server.http.XcelsiusFileServlet</servlet-class>
    <load-on-startup>1</load-on-startup>
  </servlet>
  <servlet>
    <servlet-name>ExplorerServlet</servlet-name>
    <servlet-class>com.businessobjects.datadiscovery.web.servlets.CommandDispatcherServlet</servlet-class>
    <load-on-startup>1</load-on-startup>
  </servlet>
  <servlet>
    <servlet-name>ICrystalServlet</servlet-name>
    <servlet-class>com.sap.crystalreports.web.CrystalReportWebServlet</servlet-class>
    <load-on-startup>1</load-on-startup>
  </servlet>
  <servlet>
    <servlet-name>LumiraServlet</servlet-name>
    <servlet-class>com.businessobjects.mobilebi.server.addon.LumiraProxyServlet</servlet-class>
  </servlet>
  <servlet>
    <servlet-name>PushNotificationServlet</servlet-name>
    <servlet-class>com.businessobjects.mobilebi.server.pushnotification.controller.PushNotificationServlet</servlet-class>
  </servlet>
   <servlet>
    <servlet-name>VintelaServlet</servlet-name>
    <servlet-class>com.businessobjects.mobilebi.server.http.VintelaServlet</servlet-class>
   </servlet>
  <servlet-mapping>
    <servlet-name>PushNotificationServlet</servlet-name>
    <url-pattern>/push</url-pattern>
  </servlet-mapping>
  <servlet-mapping>
    <servlet-name>MessageServlet</servlet-name>
    <url-pattern>/MessageHandlerServlet</url-pattern>
  </servlet-mapping>
  <servlet-mapping>
    <servlet-name>SupServlet</servlet-name>
    <url-pattern>/SUP/*</url-pattern>
  </servlet-mapping>
  <servlet-mapping>
    <servlet-name>MobiServlet</servlet-name>
    <url-pattern>/mobi</url-pattern>
  </servlet-mapping>
  <servlet-mapping>
    <servlet-name>AgnosticServlet</servlet-name>
    <url-pattern>/agnostic</url-pattern>
  </servlet-mapping>
  <servlet-mapping>
    <servlet-name>ZenServlet</servlet-name>
    <url-pattern>/zen</url-pattern>
  </servlet-mapping>
  <servlet-mapping>
    <servlet-name>ZenServlet</servlet-name>
    <url-pattern>/zen/*</url-pattern>
  </servlet-mapping>
  <servlet-mapping>
    <servlet-name>ZenServlet</servlet-name>
    <url-pattern>/int.do</url-pattern>
  </servlet-mapping>
  <servlet-mapping>
    <servlet-name>ZenServlet</servlet-name>
    <url-pattern>/ZenServlet</url-pattern>
  </servlet-mapping>
  <servlet-mapping>
    <servlet-name>ZenServlet</servlet-name>
    <url-pattern>/ZenMobiServlet</url-pattern>
  </servlet-mapping>
  <servlet-mapping>
    <servlet-name>LIMAServlet</servlet-name>
    <url-pattern>/lima</url-pattern>
  </servlet-mapping>
  <servlet-mapping>
    <servlet-name>LIMAServlet</servlet-name>
    <url-pattern>/lima/*</url-pattern>
  </servlet-mapping>
  <servlet-mapping>
    <servlet-name>ResourceServlet</servlet-name>
    <url-pattern>/resources/*</url-pattern>
  </servlet-mapping>
  <servlet-mapping>
    <servlet-name>XcelsiusServlet</servlet-name>
    <url-pattern>/xcelsius</url-pattern>
  </servlet-mapping>
  <servlet-mapping>
    <servlet-name>XcelsiusFileServlet</servlet-name>
    <url-pattern>/xcelsius/mxp/*</url-pattern>
  </servlet-mapping>
  <servlet-mapping>
    <servlet-name>ExplorerServlet</servlet-name>
    <url-pattern>/explorer</url-pattern>
  </servlet-mapping>
  <servlet-mapping>
    <servlet-name>ICrystalServlet</servlet-name>
    <url-pattern>/icrystal</url-pattern>
  </servlet-mapping>
  <servlet-mapping>
    <servlet-name>LumiraServlet</servlet-name>
    <url-pattern>/lumira</url-pattern>
  </servlet-mapping>
 <servlet-mapping>
    <servlet-name>VintelaServlet</servlet-name>
    <url-pattern>/VintelaServlet</url-pattern>
  </servlet-mapping>
  <session-config>
    <session-timeout>60</session-timeout>
  </session-config> 
</web-app>

12 Comments


        1. Karthik Kanniyappan

          Adding to Pavan’s reply, Kerberos tokens in iOS devices are interoperable between apps, which means, say, for App-1 having Kerberos auth enabled, you have already signed in, and if the Kerberos token is still valid (whatever has been set by the admin on WinAD), the same token can be used in App-2, but this time it’s a direct SSO without an auth challenge. That’s the beauty of Kerberos, and well implemented in iOS and apps consumption.

      1. tatab355 tatab

        Hi,

        I am trying to set up this feature but I have a question (the guide document is not clear).

        In the mobileconfig file I put the Windows AD username for the user, so should I create a mobileconfig for each user? Or do I put the princ mentioned in global.properties?

        Regards

        1. Karthik Kanniyappan

          If you leave the username empty in the mobile.config file, then on your iOS device it will prompt for the username as well, along with the password, the first time Kerberos expects username/password.
