SAP Mobile BI WinAD SSO – Kerberos
This blog will solely look at the integration of Mobile BI with a Kerberos SSO setup on a BI 4.2 SP02 environment.
Prerequisites:
– SAP BI 4.2 SP2 landscape
– SSO already setup
– MDM profile management in place
– If you need the Tomcat fix (see 1.4 below), the Tomcat server itself must be stopped and started. The remaining MoBI changes only require the Mobile BI web application to be stopped and started, which can be done without restarting Tomcat.
1 web.xml
You can find the web.xml file via the following path (depending on your deployment of your installation):
<Installation Folder>\SAP BusinessObjects\tomcat\webapps\MobileBIService\WEB-INF\web.xml
Ensure that the following filter definition and filter mapping are present and active (not commented out) in this file. Keep idm.allowNTLM at false so the filter never falls back to NTLM.
<filter>
<filter-name>KerberosFilter</filter-name>
<filter-class>com.businessobjects.mobilebi.server.filters.KerberosFilter</filter-class>
<init-param>
<param-name>sso.enabled</param-name>
<param-value>true</param-value>
</init-param>
<init-param>
<param-name>siteminder.enabled</param-name>
<param-value>false</param-value>
</init-param>
<init-param>
<param-name>vintela.enabled</param-name>
<param-value>true</param-value>
</init-param>
<init-param>
<param-name>idm.realm</param-name>
<param-value><YOUR.FULL.DOMAINNAME></param-value>
</init-param>
<init-param>
<param-name>idm.princ</param-name>
<param-value><BICMS/YOUR_BICMS_SPN_SETUP></param-value>
</init-param>
<init-param>
<param-name>idm.allowUnsecured</param-name>
<param-value>true</param-value>
</init-param>
<init-param>
<param-name>idm.allowNTLM</param-name>
<param-value>false</param-value>
</init-param>
<init-param>
<param-name>idm.logger.name</param-name>
<param-value>simple</param-value>
</init-param>
<init-param>
<param-name>idm.logger.props</param-name>
<param-value>error-log.properties</param-value>
</init-param>
<init-param>
<param-name>idm.keytab</param-name>
<param-value><THE_PATH_PLUS_FILE_NAME_TO_YOUR_KTPASS></param-value>
</init-param>
</filter>
<filter-mapping>
<filter-name>KerberosFilter</filter-name>
<servlet-name>VintelaServlet</servlet-name>
<dispatcher>REQUEST</dispatcher>
<dispatcher>FORWARD</dispatcher>
<dispatcher>INCLUDE</dispatcher>
</filter-mapping>
The items that are environment specific:
<init-param>
<param-name>idm.realm</param-name>
<param-value><YOUR.FULL.DOMAINNAME></param-value>
</init-param>
For idm.realm, replace <YOUR.FULL.DOMAINNAME> with your Kerberos realm. For Active Directory this is the fully qualified domain name in upper case (MYDOMAIN.COM, not mydomain.com), and it must be the same value as idm.realm in your original SSO setup.
<init-param>
<param-name>idm.princ</param-name>
<param-value><BICMS/YOUR_BICMS_SPN_SETUP></param-value>
</init-param>
For idm.princ, replace <BICMS/YOUR_BICMS_SPN_SETUP> with the BICMS service principal name that was registered on your service account during the initial SSO deployment (the same value as idm.princ in global.properties).
Additional parameter to be added to the original file!
<init-param>
<param-name>idm.keytab</param-name>
<param-value><THE_PATH_PLUS_FILE_NAME_TO_YOUR_KTPASS></param-value>
</init-param>
The idm.keytab parameter is currently NOT present in the shipped web.xml and is not mentioned in the documentation, but you need it for a successful deployment.
Make sure to add all 4 lines to your web.xml. Change <THE_PATH_PLUS_FILE_NAME_TO_YOUR_KTPASS> to the full path of the keytab file you generated with ktpass during your original Kerberos configuration.
e.g. C:\Windows\myenvironment.keytab
The keytab contains the service account's long-term key, so anyone who can read the file can authenticate as that account. Restrict its NTFS permissions to the account running Tomcat (plus administrators) and do not leave it in a folder every local user can read.
All these manual settings can be found in your original SSO deployment in the global.properties file:
<Installation Folder>\tomcat\webapps\BOE\WEB-INF\config\custom\global.properties.
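As an added example (my own script, not part of the original post or of SAP's deliverables), the following PowerShell reads the KerberosFilter init-params back out of web.xml and checks the points made above: realm, principal and keytab filled in rather than left as placeholders, realm in upper case, NTLM fallback off, the keytab present and not readable by every local user, and (optionally, via setspn) the SPN actually registered in AD. The default web.xml path and the check against setspn's "No such SPN found" message are assumptions; pass your own path with -WebXml.

```powershell
# Added example, not part of the original post: read the KerberosFilter
# init-params out of MobileBIService\WEB-INF\web.xml and check the points the
# section above calls out (realm, principal and keytab filled in, NTLM fallback
# off, keytab present and not readable by every local user). The default path
# is an assumption; pass your own with -WebXml.
param(
    [string]$WebXml = 'C:\Program Files (x86)\SAP BusinessObjects\tomcat\webapps\MobileBIService\WEB-INF\web.xml'
)

[xml]$doc = Get-Content -Raw -LiteralPath $WebXml

# web.xml declares a default XML namespace; PowerShell's dot navigation ignores
# namespaces, so no XmlNamespaceManager is needed. A commented-out filter block
# is simply absent here, which is exactly the "not active" case to catch.
$filter = @($doc.'web-app'.filter) | Where-Object { $_.'filter-name' -eq 'KerberosFilter' }
if (-not $filter) { throw "No active KerberosFilter definition in $WebXml" }

# Collect <init-param> name/value pairs.
$p = @{}
foreach ($ip in @($filter.'init-param')) { $p[$ip.'param-name'] = $ip.'param-value' }

$findings = New-Object 'System.Collections.Generic.List[string]'

function Expect([string]$Name, [string]$Value) {
    if (-not $p.ContainsKey($Name)) { $findings.Add("MISSING  $Name (expected $Value)") }
    elseif ($p[$Name] -ne $Value)   { $findings.Add("WRONG    $Name=$($p[$Name]) (expected $Value)") }
}

Expect 'sso.enabled'     'true'
Expect 'vintela.enabled' 'true'
Expect 'idm.allowNTLM'   'false'   # no silent NTLM fallback

# Environment-specific values must be filled in, not left as <placeholders>.
foreach ($name in 'idm.realm', 'idm.princ', 'idm.keytab') {
    if (-not $p[$name] -or $p[$name] -like '<*>') { $findings.Add("MISSING  $name not filled in") }
}

# An AD Kerberos realm is the DNS domain name in upper case; case matters.
if ($p['idm.realm'] -and $p['idm.realm'] -cne $p['idm.realm'].ToUpperInvariant()) {
    $findings.Add("WRONG    idm.realm=$($p['idm.realm']) should be upper case")
}

# The keytab holds the service account's long-term key: anyone who can read it
# can authenticate as that account. Flag broad read ACEs and inherited ACLs.
$keytab = $p['idm.keytab']
if ($keytab -and -not ($keytab -like '<*>')) {
    if (Test-Path -LiteralPath $keytab) {
        $broad = 'Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users'
        $acl = Get-Acl -LiteralPath $keytab
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -eq 'Allow' -and $broad -contains $ace.IdentityReference.Value) {
                $findings.Add("RISK     $keytab readable by $($ace.IdentityReference.Value)")
            }
        }
        if (-not $acl.AreAccessRulesProtected) {
            $findings.Add("NOTE     $keytab inherits permissions from its folder; grant access explicitly instead")
        }
    } else {
        $findings.Add("MISSING  keytab file not found: $keytab")
    }
}

# Optional: confirm the SPN is registered in AD (setspn ships with Windows).
if ($p['idm.princ'] -and (Get-Command setspn.exe -ErrorAction SilentlyContinue)) {
    $spn = ($p['idm.princ'] -split '@')[0]            # drop any @REALM suffix
    $out = & setspn.exe -Q $spn 2>&1
    if ($out -match 'No such SPN found') { $findings.Add("MISSING  SPN $spn is not registered in AD") }
}

if ($findings.Count -eq 0) { 'KerberosFilter checks passed' } else { $findings }
```

Run it on the BI server as a user that can read the keytab's ACL. A RISK line against the example path C:\Windows\myenvironment.keytab is expected until you replace the inherited ACL with an explicit grant for the Tomcat service account.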
1.1 authscheme.properties
Copy the authscheme.properties from the default to the custom folder via the following path (depending on your deployment of your installation):
<Installation Folder>\SAP BusinessObjects\tomcat\webapps\MobileBIService\WEB-INF\config\default
TO
<Installation Folder>\SAP BusinessObjects\tomcat\webapps\MobileBIService\WEB-INF\config\custom
# allows kerberos logon
KERBEROS=com.businessobjects.mobilebi.server.logon.impl.KerberosSSO
Activate the KERBEROS line by removing the leading #; no further changes are required.
1.2 sso.properties
Copy the sso.properties from the default to the custom folder via the following path (depending on your deployment of your installation):
<Installation Folder>\SAP BusinessObjects\tomcat\webapps\MobileBIService\WEB-INF\config\default
TO
<Installation Folder>\SAP BusinessObjects\tomcat\webapps\MobileBIService\WEB-INF\config\custom
# You can configure mobile server to connect multiple CMS, specify default CMS id here
default.cms.identifier=1
# You can specify IP Address/Qualified Name/Alias for your CMS here
1.aliases=<CMS_NAME:PORT>
# You can specify the Authentication type here. secLDAP, secWinAD, secEnterprise
1.authentication.type=secWinAD
# Specify the default authentication scheme here. USERPASS, BASIC, BOETOKEN, COOKIE, TRUST
1.authentication.scheme=KERBEROS
Four lines need to be activated in this file; the first one sets the identifier that prefixes the other three:
# You can configure mobile server to connect multiple CMS, specify default CMS id here
default.cms.identifier=1
The first line identifies your default CMS. With a single CMS this is always 1. The same value is used as the prefix of the following lines.
# You can specify IP Address/Qualified Name/Alias for your CMS here
1.aliases=<CMS_NAME:PORT>
Make sure to specify your full CMS name including the port, e.g. MyCMS:6400.
If you use clustering with a supporting cluster file, fill in only the cluster name, e.g. @BI-DEV.
IMPORTANT NOTE
This name needs to be identical to the name specified in server.properties, described below.
# You can specify the Authentication type here. secLDAP, secWinAD, secEnterprise
1.authentication.type=secWinAD
Set the authentication type to secWinAD.
# Specify the default authentication scheme here. USERPASS, BASIC, BOETOKEN, COOKIE, TRUST
1.authentication.scheme=KERBEROS
Set the authentication scheme to KERBEROS (in capital letters!).
1.3 server.properties
Copy the server.properties from the default to the custom folder via the following path (depending on your deployment of your installation):
<Installation Folder>\SAP BusinessObjects\tomcat\webapps\MOBIServer\WEB-INF\config\default
TO
<Installation Folder>\SAP BusinessObjects\tomcat\webapps\MOBIServer\WEB-INF\config\custom
mobi.connections=sso
sso.DisplayName=Nick_is_AWESOME!
sso.BOBJ_MOBILE_SSO_ENABLED:true
sso.BOBJ_MOBILE_SSO_TYPE:kerberos
sso.BOBJ_MOBILE_URL=<HTTP(S)://URL_TO_BI_SERVER:PORT>
sso.BOBJ_MOBILE_CMS=<CMS_NAME:PORT>
mobi.connections=sso
Activate your mobile connection by giving it a unique name, e.g. sso.
That name is then the prefix of every setting for this specific connection.
sso.DisplayName=Nick_is_AWESOME!
This can be any given name that will reflect on the MobileApp as the connection name.
sso.BOBJ_MOBILE_SSO_ENABLED:true
SSO_ENABLED needs to be set to true
sso.BOBJ_MOBILE_SSO_TYPE:kerberos
SSO_TYPE needs to be set to kerberos (in lower case!)
sso.BOBJ_MOBILE_URL=<HTTP(S)://URL_TO_BI_SERVER:PORT>
Fill in the URL of your BI server, e.g. https://MyBIServer:<PORT>. Use https wherever possible: everything the app exchanges with the server after the Kerberos handshake travels over this connection.
sso.BOBJ_MOBILE_CMS=<CMS_NAME:PORT>
Fill in the CMS name exactly as set up in sso.properties, e.g. MyCMS:6400.
If you use clustering with a supporting cluster file, fill in only the cluster name, e.g. @BI-DEV.
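As an added example covering sections 1.1 to 1.3 together (again my own script, not from the original post or from SAP), this PowerShell reads the three properties files and reports the mistakes the text warns about: the KERBEROS line still commented out, the CMS name in server.properties differing from 1.aliases in sso.properties, wrong letter case in KERBEROS/kerberos, and a mobile URL that is not https. The two default paths follow the folders named in the post but are assumptions; adjust them to your installation.

```powershell
# Added example, not part of the original post: cross-check the three
# properties files from sections 1.1 to 1.3 for the mistakes the text warns
# about: KERBEROS line still commented out, CMS name differing between
# sso.properties and server.properties, wrong letter case in the scheme and
# type values, and a plain-http mobile URL. Both default paths are assumptions
# (they follow the folders named in the post); adjust them to your install.
param(
    [string]$ConfigDir   = 'C:\Program Files (x86)\SAP BusinessObjects\tomcat\webapps\MobileBIService\WEB-INF\config\custom',
    [string]$ServerProps = 'C:\Program Files (x86)\SAP BusinessObjects\tomcat\webapps\MOBIServer\WEB-INF\config\custom\server.properties'
)

function Read-Props([string]$Path) {
    # Minimal Java .properties reader: '#' or '!' comment lines are skipped,
    # the first '=' or ':' separates key and value (both forms occur above).
    $h = @{}
    foreach ($raw in Get-Content -LiteralPath $Path) {
        $line = $raw.Trim()
        if (-not $line -or $line.StartsWith('#') -or $line.StartsWith('!')) { continue }
        $m = [regex]::Match($line, '^([^=:\s]+)\s*[=:]\s*(.*)$')
        if ($m.Success) { $h[$m.Groups[1].Value] = $m.Groups[2].Value }
    }
    return $h
}

$auth = Read-Props (Join-Path $ConfigDir 'authscheme.properties')
$sso  = Read-Props (Join-Path $ConfigDir 'sso.properties')
$srv  = Read-Props $ServerProps
$findings = New-Object 'System.Collections.Generic.List[string]'

# 1.1: the KERBEROS line must be uncommented.
if ($auth['KERBEROS'] -ne 'com.businessobjects.mobilebi.server.logon.impl.KerberosSSO') {
    $findings.Add('authscheme.properties: KERBEROS line missing or still commented out')
}

# 1.2: the default CMS identifier prefixes the other three keys.
$id = $sso['default.cms.identifier']
if (-not $id) { $findings.Add('sso.properties: default.cms.identifier not set'); $id = '1' }
$cms    = $sso["$id.aliases"]
$type   = $sso["$id.authentication.type"]
$scheme = $sso["$id.authentication.scheme"]
if (-not $cms -or $cms -like '<*>') { $findings.Add("sso.properties: $id.aliases not filled in") }
if ($type -ne 'secWinAD')           { $findings.Add("sso.properties: $id.authentication.type=$type, expected secWinAD") }
if ($scheme -cne 'KERBEROS')        { $findings.Add("sso.properties: $id.authentication.scheme=$scheme, must be KERBEROS in capitals") }

# 1.3: each connection listed in mobi.connections has its own prefixed keys;
# the Kerberos one must point at the same CMS as sso.properties.
$conns = @([string]$srv['mobi.connections'] -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
if ($conns.Count -eq 0) { $findings.Add('server.properties: mobi.connections is empty') }
foreach ($c in $conns) {
    if ($srv["$c.BOBJ_MOBILE_SSO_ENABLED"] -ne 'true') {
        $findings.Add("server.properties: $c.BOBJ_MOBILE_SSO_ENABLED is not true"); continue
    }
    if ($srv["$c.BOBJ_MOBILE_SSO_TYPE"] -cne 'kerberos') {
        $findings.Add("server.properties: $c.BOBJ_MOBILE_SSO_TYPE must be kerberos in lower case")
    }
    $srvCms = $srv["$c.BOBJ_MOBILE_CMS"]
    if ($srvCms -ne $cms) {
        $findings.Add("server.properties: $c.BOBJ_MOBILE_CMS=$srvCms differs from sso.properties $id.aliases=$cms")
    }
    if ($srv["$c.BOBJ_MOBILE_URL"] -notmatch '^https://') {
        $findings.Add("server.properties: $c.BOBJ_MOBILE_URL is not https")
    }
}

if ($findings.Count -eq 0) { 'properties cross-check passed' } else { $findings }
```

The CMS comparison is deliberately case-insensitive, since host names are; the KERBEROS and kerberos checks are case-sensitive because the post reports that the letter case of those two values matters.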
1.4 Tomcat Configuration
Lastly, you may need to add the following JVM option to your Tomcat configuration.
-Dorg.apache.catalina.core.ApplicationContext.GET_RESOURCE_REQUIRE_SLASH=true
Additional note!
This is only applicable if you run the SAP-supplied version of Tomcat that was shipped with 4.2 (Apache Tomcat/8.0.21).
The issue is resolved in Apache Tomcat 8.0.29 onward.
Check your version; otherwise this setting is NOT needed!
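As an added example (my own script, not part of the original post), the following PowerShell reads the Tomcat version out of catalina.jar, decides whether the workaround above applies, and checks whether the flag is already among the Tomcat service's JVM options in the registry. The Tomcat folder, the service name BOEXI40Tomcat and the Procrun registry locations are assumptions; adjust them to your installation.

```powershell
# Added example, not part of the original post: read the Tomcat version from
# catalina.jar to decide whether the GET_RESOURCE_REQUIRE_SLASH workaround from
# section 1.4 applies, and check whether it is already in the Tomcat service's
# JVM options. The Tomcat folder and the service name BOEXI40Tomcat are
# assumptions; adjust them to your install.
param(
    [string]$TomcatHome  = 'C:\Program Files (x86)\SAP BusinessObjects\tomcat',
    [string]$ServiceName = 'BOEXI40Tomcat'
)
$flag  = '-Dorg.apache.catalina.core.ApplicationContext.GET_RESOURCE_REQUIRE_SLASH=true'
$fixed = [version]'8.0.29'   # version from which the workaround is no longer needed

function Get-TomcatVersion([string]$Root) {
    # The version string is in catalina.jar at
    # org/apache/catalina/util/ServerInfo.properties, key server.info.
    Add-Type -AssemblyName System.IO.Compression.FileSystem
    $zip = [System.IO.Compression.ZipFile]::OpenRead((Join-Path $Root 'lib\catalina.jar'))
    try {
        $entry  = $zip.GetEntry('org/apache/catalina/util/ServerInfo.properties')
        $reader = New-Object System.IO.StreamReader($entry.Open())
        try { $text = $reader.ReadToEnd() } finally { $reader.Dispose() }
    } finally { $zip.Dispose() }
    if ($text -match 'server\.info=Apache Tomcat/(\d+\.\d+\.\d+)') { return [version]$Matches[1] }
    throw 'server.info not found in catalina.jar'
}

function Get-ServiceJvmOptions([string]$Name) {
    # Procrun stores the service JVM options as the REG_MULTI_SZ value
    # "Options"; a 32-bit service on 64-bit Windows lives under Wow6432Node.
    foreach ($base in 'HKLM:\SOFTWARE\Apache Software Foundation\Procrun 2.0',
                      'HKLM:\SOFTWARE\Wow6432Node\Apache Software Foundation\Procrun 2.0') {
        $key = Join-Path $base "$Name\Parameters\Java"
        if (Test-Path -LiteralPath $key) { return @((Get-ItemProperty -LiteralPath $key).Options) }
    }
    return @()
}

$ver     = Get-TomcatVersion $TomcatHome
$present = (Get-ServiceJvmOptions $ServiceName) -contains $flag

if ($ver -lt $fixed) {
    if ($present) { "Tomcat $ver is affected and the workaround flag is set" }
    else          { "Tomcat $ver is affected: add $flag to the $ServiceName JVM options and restart Tomcat" }
} else {
    if ($present) { "Tomcat $ver is not affected; the workaround flag is set but no longer needed" }
    else          { "Tomcat $ver is not affected; nothing to do" }
}
```

Reading the registry key requires the same rights as the Tomcat service configuration tool; run the script from an elevated prompt if the Procrun key is not readable.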
1.5 Setup connection on Mobile BI APP
Set up a new connection via the Import Connection option.
Select Configuration Server.
In the URL box enter your BI server name and port, e.g. https://MyBIServer:<PORT>, then select Import.
The app now fetches the connection details from the server; the list shows all connections defined in the server.properties file set up earlier. Select the desired connection.
You now see the connection settings as defined in server.properties. Select Done.
The app then automatically tries to establish an SSO connection to the server.
1.6 Known Errors
1.6.1 MOB00929
This message comes up when you try to make an AD SSO attempt from MobileBI towards the SAP BI backend.
Full message: class com.businessobjects.mobile.bi.server.logon.impl.KerberosSSO does not declare method ‘getEnterpriseSession’ with expected parameters (MOB00929)
Solution:
Ensure that you have set the idm.keytab entry in web.xml and, where your Tomcat version requires it, added the additional line to the Tomcat configuration as described above.
Hi,
many thanks for your very good summary about Kerberos SSO.
We have the problem that we get a login screen every time, with the correct profile of the user (user@REALM.COM). But after accepting the window, with or without a password, the window still appears.
Do you have an idea how we can solve this problem?
Thanks and
Kind regards,
Tobias
Hi Tobias,
Only see your message now. Hope you have resolved it by now?
Are you able to make an SSO connection to your Launchpad from your mobile device and try it again from there?
Regards,
Nick
Just wondering if there is any solution for BO 4.1 SP6, or must I upgrade to BO 4.2?
Hi Nick,
As mentioned by Tobias, I am getting the password alert every time for each request.
Any idea why?
Regards
Bharath