
SSO for BI Launchpad

 

Reference Note:

1631734 – Configuring Active Directory Manual Authentication and SSO for BI4

 

Create an Active Directory service account

Note: The user account must be set to “User cannot change password” and “Password never expires”.

 

 

On the SAP BusinessObjects server, add the DOMAIN/ServiceAccount user to the Local Administrators group.

 

Assign the ‘ServiceAccount’ user the right “Act as part of the operating system” in the Local Security Policy snap-in.

 

 

Run the following commands on the Active Directory server to create the appropriate Service Principal Names (SPNs).

 

Note: Make sure domain.com is replaced with your own domain name.

 

setspn -a BOCMS/ServiceAccount.domain.com ServiceAccount
setspn -a HTTP/BusinessObjectServerHostName ServiceAccount
setspn -a HTTP/BusinessObjectServerHostName.domain.com ServiceAccount

 

Open the properties of the ‘ServiceAccount’ user in Active Directory and, under the Delegation tab, select “Trust this user for delegation to any service (Kerberos only)”.

 

Open the properties of the ‘ServiceAccount’ user in Active Directory and, under the Account tab, select “This account supports Kerberos AES 128 bit encryption” and “This account supports Kerberos AES 256 bit encryption”.

 

Log in to the CMC as the Administrator user with Enterprise authentication.

 

Go to the AD Authentication area of the Central Management Console and configure the following:

 

Enable Windows Active Directory (AD)

AD Administration Name = DOMAIN\ServiceAccount

Default AD Domain: DOMAIN.COM

Add AD Group: DOMAIN\UserGroup

Use Kerberos Authentication

Service principal name = BOCMS/ServiceAccount.domain.com

Enable Single Sign On for selected authentication mode

 

Click Update to save all your entries. Check under the Groups area to make sure your AD group has been added.

 

 

Stop SIA through “Central Configuration Manager”

 

Modify the Server Intelligence Agent (SIA) process on the BusinessObjects server to run as the DOMAIN\ServiceAccount user.

 

Create a file called “bscLogin.conf” in the “C:\Windows\” directory on the SAP BusinessObjects server and put the following content into it using the Notepad editor:

com.businessobjects.security.jgss.initiate {
com.sun.security.auth.module.Krb5LoginModule required debug = true;
};


 

 

 

Create a file called “krb5.ini” in the “C:\Windows\” directory and put the following content into it using the Notepad editor:

 

[libdefaults]
default_realm = DOMAIN.COM
dns_lookup_kdc = true
dns_lookup_realm = true
default_tgs_enctypes = rc4-hmac,aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96
default_tkt_enctypes = rc4-hmac,aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96
udp_preference_limit = 1
forwardable = true
[realms]
DOMAIN.COM = {
kdc = DOMAINCONTROLLER.DOMAIN.COM
default_domain = DOMAIN.COM
}


 

 

 

 

Execute ‘kinit ServiceAccount’ from the folder “X:\Program Files (x86)\SAP BusinessObjects\SAP BusinessObjects Enterprise XI 4.0\win64_x64\sapjvm\bin”.

 

If a new ticket is stored, the krb5.ini file is correct.

 

 

Stop Tomcat through “Central Configuration Manager”

 

 

Create the file “BIlaunchpad.properties” at X:\Program Files (x86)\SAP BusinessObjects\Tomcat6\webapps\BOE\WEB-INF\config\custom

Add the following to the file using the Notepad editor:

 

authentication.visible = true
authentication.default = secWinAD


 

 

 

Open up the Tomcat Options, and add the following lines to the Tomcat Java Options:

 

-Djava.security.auth.login.config=C:\Windows\bscLogin.conf
-Djava.security.krb5.conf=C:\Windows\krb5.ini


 

 

Modify X:\Program Files (x86)\SAP BusinessObjects\tomcat\conf\server.xml by adding the attribute maxHttpHeaderSize="65536" to the Connector tag for port 8080.

 

 

 

Create a new file called “global.properties” at “X:\Program Files (x86)\SAP BusinessObjects\tomcat\webapps\BOE\WEB-INF\config\custom”

Add the following text to it using the Notepad editor:

 

sso.enabled = true
siteminder.enabled = false
vintela.enabled = true
idm.realm = DOMAIN.COM
idm.princ = ServiceAccount
idm.allowUnsecured = true
idm.allowNTLM = false
idm.logger.name = simple
idm.logger.props = error-log.properties

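The krb5.ini created earlier and the global.properties above have to agree with each other and with the SPN entered in the CMC (realm name, service account, enctypes). The following is an added Python example, not code from the post or from SAP, that parses both files with small hand-written parsers (krb5.ini is not plain INI because of the REALM = { ... } blocks) and reports the mismatches a practitioner would otherwise find only in stderr.log; the sample inputs are reduced copies of the configuration shown above.

```python
def parse_krb5(text):
    """Parse the krb5.ini subset used here: [section], key = value, REALM = { ... }."""
    conf, section, block = {}, {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("["):
            section, block = conf.setdefault(line.strip("[]"), {}), None
        elif line == "}":
            block = None                       # end of a REALM = { ... } block
        else:
            key, _, val = (s.strip() for s in line.partition("="))
            if val == "{":
                block = section.setdefault(key, {})
            else:
                (section if block is None else block)[key] = val
    return conf

def parse_properties(text):
    """Parse a Java .properties file such as global.properties (key = value)."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and line[0] not in "#!":
            key, _, val = line.partition("=")
            props[key.strip()] = val.strip()
    return props

def check_sso_config(krb5_text, global_text, cmc_spn):
    """Cross-check krb5.ini, global.properties and the CMC SPN; return findings."""
    krb5, props = parse_krb5(krb5_text), parse_properties(global_text)
    lib, realms = krb5.get("libdefaults", {}), krb5.get("realms", {})
    realm, findings = lib.get("default_realm", ""), []
    if not realm or realm != realm.upper():
        findings.append("default_realm is missing or not upper case")
    if "kdc" not in realms.get(realm, {}):
        findings.append("no kdc defined for realm " + realm)
    if lib.get("forwardable") != "true":
        findings.append("forwardable must be true for delegation to work")
    for key in ("default_tgs_enctypes", "default_tkt_enctypes"):
        order = [e.strip() for e in lib.get(key, "").split(",")]
        if order[0] == "rc4-hmac":             # first entry is the preferred type
            findings.append(key + ": rc4-hmac is listed first, so RC4 is preferred over AES")
    if props.get("idm.realm") != realm:
        findings.append("idm.realm does not match default_realm " + realm)
    # BOCMS/ServiceAccount.domain.com must be built on the idm.princ account
    host = cmc_spn.partition("/")[2].split(".")[0]
    if host.lower() != props.get("idm.princ", "").lower():
        findings.append("SPN %s is not for idm.princ %s" % (cmc_spn, props.get("idm.princ")))
    return findings

# Constructed inputs: the lines of krb5.ini and global.properties the checks look at.
KRB5_INI = """[libdefaults]
default_realm = DOMAIN.COM
default_tgs_enctypes = rc4-hmac,aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96
forwardable = true
[realms]
DOMAIN.COM = {
kdc = DOMAINCONTROLLER.DOMAIN.COM
}
"""
GLOBAL_PROPERTIES = "sso.enabled = true\nvintela.enabled = true\nidm.realm = DOMAIN.COM\nidm.princ = ServiceAccount\n"
```

Run against the page's own values the only finding is the RC4-first enctype order; AES-only ordering is what the account settings and the AES256 keytab created later actually use.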

 

 

 

Open the Tomcat Options and add the following lines to the Tomcat Java Options:

 

Note: CLEARTEXTPASSWORD is the password of your ServiceAccount user.

 

-Dcom.wedgetail.idm.sso.password=CLEARTEXTPASSWORD
-Djcsi.kerberos.debug=true


 

 

 

 

Start Tomcat, go to “X:\Program Files (x86)\SAP BusinessObjects\tomcat\logs\” and check that stderr.log contains ‘credentials obtained’.

Test in a browser on a client PC that silent single sign-on is now working.

 

Now it is time to remove the cleartext password from the Tomcat Java Options. To do that, follow the steps below.

 

 

Create a keytab on the AD server by running the following command:

 

ktpass -out bosso.keytab -princ ServiceAccount@DOMAIN.COM -pass CLEARTEXTPASSWORD -kvno 255 -ptype KRB5_NT_PRINCIPAL -crypto AES256-SHA1


 

File created as below

 

 

Copy this file “bosso.keytab” to “C:\Windows” on the SAP BusinessObjects server, then stop Tomcat.

 

 

Add the following line to X:\Program Files (x86)\SAP BusinessObjects\tomcat\webapps\BOE\WEB-INF\config\custom\global.properties

 

idm.keytab = C:/Windows/bosso.keytab


 

Open the Tomcat Configuration, remove the “-Dcom.wedgetail.idm.sso.password=CLEARTEXTPASSWORD” line from the Java Options, restart Tomcat and make sure ‘credentials obtained’ still shows up in stderr.log.
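Before the cleartext password is taken out of the Java Options, it is worth confirming that bosso.keytab really holds what ktpass was asked for (the ServiceAccount@DOMAIN.COM principal, kvno 255, an AES256 key) rather than finding out from stderr.log. The following is an added Python example, not code from the post or from SAP, that reads the keytab using the MIT keytab file format (version 0x0502, big-endian, entries of realm, name components, name type, timestamp, 8-bit kvno, enctype and key, optional 32-bit kvno) and reports principal, kvno and enctype without ever returning key bytes; the sample keytab is constructed inline with zeroed key material.

```python
import struct

# Kerberos enctype numbers (RFC 3961, RFC 3962, RFC 4757)
ENCTYPES = {1: "des-cbc-crc", 3: "des-cbc-md5", 16: "des3-cbc-sha1",
            17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96",
            23: "rc4-hmac"}
WEAK = {"des-cbc-crc", "des-cbc-md5", "des3-cbc-sha1", "rc4-hmac"}

def parse_keytab(data):
    """Parse a version 2 (0x0502) keytab; key bytes are not returned, only their length."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 2 keytab")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack(">i", data[pos:pos + 4])
        pos += 4
        if size < 0:                      # negative size marks a deleted slot
            pos -= size
            continue
        e, p = data[pos:pos + size], 0
        def counted_string():
            nonlocal p
            (n,) = struct.unpack(">H", e[p:p + 2])
            s = e[p + 2:p + 2 + n].decode("utf-8")
            p += 2 + n
            return s
        (ncomp,) = struct.unpack(">H", e[p:p + 2]); p += 2
        realm = counted_string()
        comps = [counted_string() for _ in range(ncomp)]
        _name_type, _timestamp, vno8 = struct.unpack(">IIB", e[p:p + 9]); p += 9
        enctype, klen = struct.unpack(">HH", e[p:p + 4]); p += 4 + klen
        kvno = vno8
        if size - p >= 4:                 # optional 32-bit kvno; wins when nonzero
            kvno = struct.unpack(">I", e[p:p + 4])[0] or vno8
        entries.append({"principal": "/".join(comps) + "@" + realm, "kvno": kvno,
                        "enctype": ENCTYPES.get(enctype, str(enctype)), "key_len": klen})
        pos += size
    return entries

def check_keytab(data, principal):
    """Return the problems that would keep SSO from using this keytab for principal."""
    entries = parse_keytab(data)
    problems = []
    if not any(e["principal"] == principal for e in entries):
        problems.append("no entry for " + principal)
    problems += ["%s uses weak enctype %s" % (e["principal"], e["enctype"])
                 for e in entries if e["enctype"] in WEAK]
    return problems

def build_entry(principal, enctype, key, kvno):
    """Serialize one keytab entry; used here only to construct sample input."""
    name, realm = principal.split("@")
    comps = name.split("/")
    body = struct.pack(">H", len(comps))
    for s in [realm] + comps:
        body += struct.pack(">H", len(s)) + s.encode()
    body += struct.pack(">IIB", 1, 0, kvno & 0xFF)        # KRB5_NT_PRINCIPAL, no timestamp
    body += struct.pack(">HH", enctype, len(key)) + key + struct.pack(">I", kvno)
    return struct.pack(">i", len(body)) + body

# Constructed sample keytab: 32 zero bytes stand in for a real AES256 key.
SAMPLE_KEYTAB = b"\x05\x02" + build_entry("ServiceAccount@DOMAIN.COM", 18, bytes(32), 255)
```

To check the real file, call check_keytab(open(r"C:\Windows\bosso.keytab", "rb").read(), "ServiceAccount@DOMAIN.COM") on the server; an empty list means the principal is present and no RC4 or DES key is in the file.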

 

 


 

 

Remove “debug = true” from the C:\Windows\bscLogin.conf file, and also remove the -Djcsi.kerberos.debug=true line from the Java Options in the Tomcat Configuration.

 

Start Tomcat and check that SSO for BI Launchpad is working and logs you in without entering credentials.

 

 

SSO for CMC

 

Reference SAP Notes:

2190831 – How to enable SSO for CMC in BI 4.1 SP6

2190487 – Is SSO for CMC supported in BI 4.1 with Vintela (AD SSO)?

 

 

Create “CmcApp.properties” at “X:\Program Files (x86)\SAP BusinessObjects\tomcat\webapps\BOE\WEB-INF\config\custom”

and add the following to it with the Notepad editor:

 

cms.default = CMSHOST:PORT
authentication.visible = true
cms.visible = true
sso.supported.types = vintela, trustedIIS, trustedHeader, trustedParameter, trustedCookie, trustedSession, trustedUserPrincipal, trustedVintela, trustedX509, sapSSO, siteminder
sso.types.and.order = vintela
authentication.default = secWinAD


Note: To log on to the CMC without SSO, use the URL shown below:

http://HOST:PORT/BOE/CMC/logon.faces?skipSso=true

Open the CMC page of your BI server and it will log you in without prompting for credentials.

 

 

I have used the reference document located at: Active Directory SSO for SAP BusinessObjects BI4, created by Joshua Fletcher.

 

Thank you for reading

Yogesh Patel


62 Comments


  1. Former Member

    Great post, thanks for sharing! Is this on Windows Server 2008 or 2012? I’m currently having issues getting SSO to work for BI4.2SP3 on Win Server 2012 R2. Am trying to gauge any config differences in all the krb5, bscLogin, BILaunchpad and any other config files.

    Thanks again

    Rene

    (0) 
      1. Former Member

        Thanks Yogesh for quick reply. Reason I was asking is that you’re still using SETSPN -A command and parameter.

        For Windows Server 2012 the -A parameter is no longer available…

        Unless of course you’re using the command on an older Windows Server (prob domain controller)?

        Thx

        R

        (0) 
    1. Former Member

      Hello Rene!

      I’m facing the same problem with BO42 SP3 on Windows Server 2012, the SSO does not pass through automatically.

      I have not seen any problems in the Tomcat logs and the AD groups/users were replicated successfully.

      How did you fix your problem? Could you share it please?

       

      Regards,

      Rodrigo Silveira.

      (0) 
  2. Brian Kudera

    Hello, I’m not seeing “credentials obtained” in stderr.log
    Suggestions on what to try for troubleshooting?
    I already have AD working (ticket produced), but trying to add SSO.

    (0) 
  3. Former Member

    Hi,

    We are on Windows Server 2008 R2 and BI 4.2 SP3 Patch 2. Even though we have configured all the steps above, SSO is not working: it is prompting for user ID and password on a Windows 10 client machine, but the same was working fine on a Windows 7 machine.

    We understood from our research that Windows 10 has an additional security feature, Credential Guard, which is blocking the SSO. When we turned off Credential Guard, SSO was working fine in Windows 10.

    Any idea if anyone has faced a similar issue? We are looking for a solution that works with Credential Guard on in Windows 10.

    Any help is much Appreciated.

    (0) 
    1. Stefan Backhaus

      Hi!

      We face same issue under same configuration.

      In Windows10 client machine with IE11, SSO is not working, while it is working in Win7 with IE11 for years.

      Any ideas how to overcome this.

      Many thanks!

      Stefan

       

       

      While debugging we can find this error message:

      -timestamp-|LoginContext failed. Failure unspecified at GSS-API level (Mechanism level: com.dstc.security.kerberos.KerberosError: KDC can’t fulfill requested option
      KrbError:
      Error code: 13
      Error message: null
      Client name: null
      Client realm: null
      Client time: null
      Server name: BICMS/serviceuser.host.domain
      Server realm: DOMAIN
      Server time: timestamp)

      (0) 
    2. Former Member

      Dear,

      we discovered the same issue. We never had issues on W7 but in W10 it was not working with Credential Guard turned on.

      Solution: enable Constrained Delegation on the Service Account in Windows Active Directory

      Note 2182400 – Setting up constrained delegation in BI 4.x
      https://blogs.sap.com/2015/12/07/kerberos-single-sign-on-in-mobi-ios/
      Note 1184989 – Error: “An error has occurred: java.lang.NullPointerException” logging on to InfoView with Vintela Single Sign-On after setting constrained delegation

      For AO (dswsbobje URL), we had to set an additional parameter described in note 1730540 – Error: “An error occurred while logging on. (LO 02040)” while logging in to Live Office using AD SSO in BI 4.0

      (0) 
  4. Stefan Zumbühl

    Hi Yogesh

    If we configure the sso for the CMC, is there also a URL that we can logon without sso?

    For the BI launchpad this is the URL: http://<FQDN>:<Port>/BOE/BI/logonNoSso.jsp but for the CMC which URL can we use there?

     

    Regards Stefan

    (0) 
    1. Tim Ziemba

      It looks to be there on 4.2 SP5 but it wasn’t there initially when CMC SSO was added on 4.1 I don’t know when they added it.

      (0) 
  5. Tobias Spägele

    Hi Yogesh

    Just trying to process the steps in the post.
    We’ve installed BIP 4.2. SP 3 Patch 6 (with Tomcat 8.0.36).

    When adding the Java Parameter (p.e.–Djava.security.auth.login.config=xxxx) in Tomcat It’s not possible to start the tomcat.
    The stderr.log has the following message: “Unrecognized option: –Djava.security.auth.login.config = c:\windows\bscLogin.conf”
    Did we do something wrong?

    regards
    Tobias

     

     

    (0) 
  6. Former Member

    This guide works the same for BO 4.2 and 4.1 ?

    I’m currently running SAP BusinessObjects BI Platform 4.1 Support Pack 5 Patch 5 and planning to enable SSO

    (0) 
  7. Former Member

    I just noticed my landscape is not using Tomcat, we use NetWeaver. So for the folder configuration I found a similar path under config/custom that I can use, but when it comes to stopping Tomcat and editing the Java options I don’t know how to translate that into my NetWeaver.

    Is there a similar good guide like this to do it on NetWeaver?

    (0) 
  8. Former Member

    Hi, I follow all this steps.. everything works fine.. but!

    I add the AD Group, but the group is empty although in the former system (basically I have two BO servers: the former with BI 4.1 SP5 where the AD Group is imported and works, and the new one with BI 4.2 SP4 where the AD Group hasn’t any user inside) everything works fine.

    What can I check?

    Thanks

     

    (0) 
  9. Former Member

    Hi –

    I’m working on configuring Windows AD on a distributed landscape and wanted to know on which server should I create the BscLogin and Krb5 files? Is just the web tier enough or do I also have to create them on the intelligence or processing tier servers as well? I have configured Windows AD on a standalone system and it is working fine. Thanks in advance!

     

    (0) 
  10. Former Member

     

    Hi Yogesh,

    we are on “SAP BusinessObjects BI Platform 4.2 SP4 Patch 3 update”

    the “CMC -> Authentication -> Windows AD, select “Create new aliases when the Alias Update occurs”.” are not updating with any new users added to the AD Group. I have deleted a group and re-added now the existing users also disappeared.

    any pointer are much appreciated.

    thanks,

    Naveen Jain

    (0) 
    1. Yogesh Patel Post author

      Hello Naveen,

      We faced same issue in our environment.

      Our SAP security team was able to get it fixed. Let me ping them to find out what they did. I will get back to you on this.

      -Yogesh

      (0) 
  11. James Chapman

     

    Hello, Yogesh.

    I found my way to these forums looking for solutions and advice. I am one of the Enterprise Admins specializing in the care and feeding of Active Directory and all its associated services.

    I have been recently introduced to an issue with SSO and Business Objects BI Launch Pad (SAP Business Objects BI Platform 4.2 Support Pack 3 Patch 3 Version 14.2.3.2277) and I’m hoping for some assistance or advice.

    Originally we had a single forest single domain, and the existing SSO with BOP was set up (before my time) and follows pretty much your process above. I spent most of yesterday reviewing and confirming our setup (well written).

    Last year we purchased a company with its own forest and domain; the powers that be right now want to keep them separate but authorized a full forest trust between the two forests\domains.

    Most systems seem to be fine, and for the most part no issues accessing systems on either side of the trust. Except when they wanted staff from the new domain to start accessing BI Launch Pad using SSO. It fails miserably, it doesn’t work via SSO or using prompted credentials…

    My investigation so far has shown that BOP login has no idea where to authenticate these alternate forest\domain users…

    As far as my knowledge goes this seems to work for a single domain or multiple domains in the same forest. Is there any reference material or experience setting something like this up for the situation I hopefully explained correctly above?

    Thanks in advance for all or any feedback or information.

    Cheers,

    James Chapman

     

    (0) 
    1. Tim Ziemba

      it’s all detailed here https://apps.support.sap.com/sap/support/knowledge/preview/en/1323391

      to note it’s not BI looking for the other forest it’s the browser and DNS is missing the required info created by a forest trust.

       

       

      -Tim

      (1) 
      1. James Chapman

         

        Hi Tim,

        Thanks for your reply, unfortunately I do not have access to the link you included. I see the Symptoms section and then Read more… When I click on the Read more hyperlink I get prompted for a logon to https://apps.support.sap.com/sap/support/knowledge/mimes/call.htm?number=1323391 which doesn’t allow me to login using my existing credentials.

        I am AD Support, I do not have access to the BI configuration; they showed me a Windows Active Directory screen that had our Default Primary Domain only, no place to add additional info. As far as I can tell the Forest Trust and DNS info are correct, but I will review.

         

         

         

        (0) 
        1. Tim Ziemba

          well more to the point of why kerberos SSO will not work without a forest trust is this Microsoft article https://blogs.technet.microsoft.com/mir/2011/06/12/accessing-resources-across-forest-and-achieve-single-sign-on-part1/

          One-way forest trust support cross forest Kerberos and NTLM authentication while external trust only support NTLM (Kerberos authentication is the preferred method in SOEasy, NTLM is provided for backward compatibility)

          A one-way, forest trust between two forests allows members of the trusted forest to use resources that are located in the trusting forest. However, the trust operates in only one direction.

          Now an additional complication is that BI CMS must also read users/groups from the other forest, and while this might not require a forest trust, the forest trust is by far the easiest way of accomplishing this. So SSO kerberos must have 1 way forest trust and BI group mapping should have one in the other direction, or some equivalent that will allow a remote server to query all the domains using Microsoft API’s .

           

          -Tim

          (0) 
  12. Maarten Kuivenhoven

    Hello Yogesh,

     

    Thanks for your post.

    Single signon is working but we get kerberos errors

    example:

    I searched the internet for a solution but haven’t found the right one yet.

    Can you help me fixing this problem ?

    solutions from others are welcome as well.

     

    regards

    Maarten Kuivenhoven

    (0) 
    1. Joe Peters

      Looks like there is a problem with your keytab file.  Either it’s missing, incorrect, is for the wrong ID, or the path to the file is incorrect.

      (0) 
  13. Former Member

    Did you do the portion where it mentions increasing the HTTP header size in the server.xml file?

    I’ve seen wedgetail errors when a user is in so many AD groups that info gets cut off if that max size isn’t increased. Just guessing here. Otherwise as mentioned in earlier posts above, has the password of the service acct been changed? Because if so then you need to regenerate the keytab file with updated embedded pwd.

    (0) 
  14. Former Member

    We have this working in our environment (has been working for a few years now). We now want to change the KDC value. Is this just a simple change in the KRB5 file or is there more to it than that?

    (0) 
  15. Shota Nakai

    Thank you for the great information, I am trying this procedure to implement SSO in my environment.

    I have a question:

    Can I link the Quality BO server and the Production BO server to one Active Directory?

    I guess I change this registering SPNs procedure from above to following:

        > setspn -a BOCMS/ServiceAccount.domain.com ServiceAccount

        > setspn -a HTTP/QualityBOserverHostName ServiceAccount

        > setspn -a HTTP/QualityBOserverHostName.domain.com ServiceAccount

        > setspn -a HTTP/ProductionBOserverHostName ServiceAccount

        > setspn -a HTTP/ProductionBOserverHostName.domain.com ServiceAccount

     

    (0) 
  16. Punniyamurthy Sunderam

     

    Hi Guys,

    I have configured Windows AD in 4.2 Environment and trying to log into the Windows AD Authentication getting the following error.

     

    Account information not recognized: An error has occurred propagating the security context between the security server and the client. Please contact your system administrator.

     

    Please let me know what is causing this error?. Configuring SSO first time, your help is greatly appreciated.

     

    Server OS: 2012 R12

    SAP BO Version: 4.2 SP5

     

    Thanks

    Sunder

     

    (0) 
  17. Punniyamurthy Sunderam

     

    Hi Yogesh,

    I did research and have not found any solution for my issue, also working with SAP support, still no luck. So I thought of trying it out in the community blog.

     

    Thanks

    Sunder

     

    (0) 
  18. Chinmayee Rout

    Hi Yogesh Patel

     

    This blog seems to be really helpful for my scenario!! Currently my BI platform is running on Windows 12 and I am trying to enable SSO for my application that runs on the same machine.

    But I am not sure how to create an AD account as my DOMAIN name is GLOBAL which is managed by accounts.sap.com.

     

    Your suggestion will be really helpful.

     

    Regards,

    Chinmayee

     

     

    (0) 
