
SSO Configuration with Active Directory SAP Business Objects 4.2 (AES Encryption)

SSO for BI Launchpad


Reference Note:

1631734 – Configuring Active Directory Manual Authentication and SSO for BI4


Create an Active Directory service account

Note: The user account must be set to "User cannot change password" and "Password never expires". The keytab created later is derived from this password, so an expiring or rotated password silently breaks SSO until the keytab is regenerated.



On the SAP BusinessObjects server, add the DOMAIN\ServiceAccount user to the local Administrators group. The service account is then a local administrator of the BI server, so keep it dedicated to BusinessObjects, give it no domain-wide privileges, and do not reuse it for other services.


Assign the 'ServiceAccount' user the right "Act as part of the operating system" in the Local Security Policy snap-in.



Run the following commands on the Active Directory server to create the appropriate Service Principal Names (SPNs).

Note: Make sure the placeholder is replaced with your domain name value.

setspn -a BOCMS/ ServiceAccount
setspn -a HTTP/BusinessObjectServerHostName ServiceAccount
setspn -a HTTP/ ServiceAccount

Note: setspn -a adds the SPN without checking whether another account already holds it, and a duplicate SPN breaks Kerberos for both services. On Windows Server 2008 and later, setspn -S performs the duplicate check before adding, and setspn -X lists existing duplicates in the forest.

Change the user configuration of 'ServiceAccount' in Active Directory and, under the Delegation tab, select "Trust this user for delegation to any service (Kerberos only)". This is unconstrained delegation: any user who authenticates to the BI server hands it a forwardable TGT that the server can use against any service in the domain. Windows 10 clients with Credential Guard enabled do not forward TGTs, so this mode fails for them; constrained delegation (SAP note 2182400, next note) limits the account to the listed services and works with Credential Guard, as several comments below confirm. Prefer it where your SAP release supports it.


Note: If you are using Microsoft's new browser, please see SAP note 2182400 – Setting up constrained delegation in BI 4.x.

Set up the AD account as described in that note.

You also need to add idm.allowS4U=true to the properties file under WEB-INF\config\custom (created later in this guide) and restart your SAP BusinessObjects system, including the operating system.



Change the user configuration of 'ServiceAccount' in Active Directory and, under the Account tab, select "This account supports Kerberos AES 128 bit encryption" and "This account supports Kerberos AES 256 bit encryption". Without these flags the KDC issues RC4 tickets for the service, and the AES256 keytab created later cannot decrypt them.
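The account, SPN, encryption-type and delegation steps above, collected into one PowerShell script as an added example (this is not from the original post or from SAP). It assumes the ActiveDirectory module is installed, the domain DOMAIN.COM, the account name ServiceAccount and a web-tier host name bobjweb01, all of which are placeholders. It also configures constrained delegation with protocol transition (SAP note 2182400) instead of the unconstrained "any service" option, using the account's own BOCMS SPN as the only delegation target; that target list is an assumption for a single-server installation.

```powershell
# Added example (not from the original post): provision and verify the
# BusinessObjects SSO service account. Assumptions (not in the original):
# domain DOMAIN.COM, account "ServiceAccount", web-tier host "bobjweb01",
# RSAT / ActiveDirectory module available, run as a user who may create
# the account, edit its attributes and register SPNs.
Import-Module ActiveDirectory

$Domain  = 'DOMAIN.COM'
$Account = 'ServiceAccount'
$WebHost = 'bobjweb01'                              # assumed short host name
$WebFqdn = "$WebHost.$($Domain.ToLower())"

# SPNs from the guide: one for the CMS, one for each name clients use for the web tier.
$Spns = @("BOCMS/$WebFqdn", "HTTP/$WebHost", "HTTP/$WebFqdn")

# 1. A plain user account with the two flags the guide requires. Not a domain admin.
$pw = Read-Host -Prompt "Password for $Account" -AsSecureString
if (-not (Get-ADUser -Filter "SamAccountName -eq '$Account'")) {
    New-ADUser -Name $Account -SamAccountName $Account -UserPrincipalName "$Account@$Domain" `
        -AccountPassword $pw -Enabled $true -PasswordNeverExpires $true -CannotChangePassword $true
}

# 2. Register SPNs. setspn -S refuses to add an SPN another account already holds;
#    a duplicate SPN silently breaks Kerberos for both services.
foreach ($spn in $Spns) {
    & setspn -S $spn $Account
    if ($LASTEXITCODE -ne 0) { throw "setspn failed for $spn (duplicate SPN?)" }
}

# 3. Restrict the account to AES. msDS-SupportedEncryptionTypes bits: RC4 = 4,
#    AES128 = 8, AES256 = 16. 24 = AES only; use 28 only while legacy clients need RC4.
Set-ADUser -Identity $Account -Replace @{ 'msDS-SupportedEncryptionTypes' = 24 }

# 4. Constrained delegation with protocol transition instead of "any service".
#    msDS-AllowedToDelegateTo lists the only services the account may delegate to
#    (its own BOCMS SPN here, an assumption for a single-server install; follow
#    SAP note 2182400 for the exact list). TrustedToAuthForDelegation is the
#    "Use any authentication protocol" option (S4U2Self), which idm.allowS4U=true relies on.
Set-ADUser -Identity $Account -Replace @{ 'msDS-AllowedToDelegateTo' = @("BOCMS/$WebFqdn") }
Set-ADAccountControl -Identity $Account -TrustedForDelegation $false -TrustedToAuthForDelegation $true

# 5. Verify, and fail loudly on anything that breaks SSO in practice.
$u = Get-ADUser -Identity $Account -Properties ServicePrincipalNames, msDS-SupportedEncryptionTypes, `
        TrustedForDelegation, TrustedToAuthForDelegation, PasswordNeverExpires, CannotChangePassword
$missing = $Spns | Where-Object { $u.ServicePrincipalNames -notcontains $_ }
if ($missing) { throw "SPNs not registered: $($missing -join ', ')" }
if (($u.'msDS-SupportedEncryptionTypes' -band 24) -ne 24) { throw 'AES not enabled on the account' }
if ($u.TrustedForDelegation) { Write-Warning 'Account still uses unconstrained delegation' }
if (-not $u.PasswordNeverExpires) { Write-Warning 'Password expiry will break the keytab later' }

# Forest-wide scan for duplicate SPNs; any hit must be resolved before testing SSO.
& setspn -X
```

The final checks throw or warn on missing SPNs, a missing AES flag or a lingering unconstrained-delegation flag, so the script also serves as a verification step after a manual configuration through the AD Users and Computers console.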


Log in to the CMC as the Administrator user with Enterprise authentication.


Under the Windows AD authentication area in the Central Management Console, configure the following:


Enable Windows Active Directory (AD)

AD Administration Name = DOMAIN\ServiceAccount

Default AD Domain: DOMAIN.COM

Add AD Group: DOMAIN\UserGroup

Use Kerberos Authentication

Service principal name = BOCMS/

Enable Single Sign On for selected authentication mode


Click Update to save all your entries. Check under the Groups area to make sure your AD group has been added.



Stop the SIA through the "Central Configuration Manager".


Modify the Server Intelligence Agent (SIA) process on the BusinessObjects server to run as the DOMAIN\ServiceAccount user.


Create a file called "bscLogin.conf", save it into the "C:\Windows\" directory on the SAP BusinessObjects server, and put the following content into it with Notepad. The JAAS login entry name (before the opening brace) and the Kerberos login module class (before "required") are listed in SAP note 1631734:

{
  required debug=true;
};

The debug=true flag makes the login module log every step of the Kerberos exchange to stderr.log; it is removed again at the end of this guide.
Create a file called "krb5.ini", save it into the "C:\Windows\" directory, and put the following content into it with Notepad. These settings belong in the [libdefaults] section of krb5.ini:

default_realm = DOMAIN.COM
dns_lookup_kdc = true
dns_lookup_realm = true
default_tgs_enctypes = rc4-hmac,aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96
default_tkt_enctypes = rc4-hmac,aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96
udp_preference_limit = 1
forwardable = true
default_domain = DOMAIN.COM

Note: rc4-hmac is listed first in both enctype lists. Because the service account has AES enabled and the keytab created later holds only an AES256 key, rc4-hmac is needed only while older domain controllers or clients cannot negotiate AES. Once AES works end to end, remove it from both lists so the JVM neither requests nor accepts RC4 tickets. udp_preference_limit = 1 forces Kerberos over TCP, which avoids truncated replies for users with large group memberships.

From the folder "X:\Program Files (x86)\SAP BusinessObjects\SAP BusinessObjects Enterprise XI 4.0\win64_x64\sapjvm\bin", run 'kinit ServiceAccount' and enter the account password when prompted.


If kinit reports that a new ticket has been stored in the cache, krb5.ini is correct and the KDC is reachable with the enctypes listed there.



Stop Tomcat through “Central Configuration Manager”



Open the Tomcat Options and add the following lines to the Tomcat Java Options, so that the JVM finds the two files created above:

-Djava.security.auth.login.config=C:\Windows\bscLogin.conf
-Djava.security.krb5.conf=C:\Windows\krb5.ini

Note: Type the leading hyphen of each option yourself. Copying it from a web page often turns "-D" into an en dash ("–D"), and Tomcat then refuses to start with "Unrecognized option" in stderr.log, as several comments below report.



Modify X:\Program Files (x86)\SAP BusinessObjects\tomcat\conf\server.xml by adding maxHttpHeaderSize="65536" to the Connector element for port 8080. The Kerberos token sent in the Authorization header grows with the number of AD groups the user belongs to, and a token larger than Tomcat's default header limit is rejected before the SSO filter ever sees it.




Create a new properties file under "X:\Program Files (x86)\SAP BusinessObjects\tomcat\webapps\BOE\WEB-INF\config\custom" (SAP note 1631734 gives the file name).

Add the following text to it with Notepad:


sso.enabled = true
siteminder.enabled = false
vintela.enabled = true
idm.realm = DOMAIN.COM
idm.princ = ServiceAccount
idm.allowUnsecured = true
idm.allowNTLM = false
= simple
idm.logger.props =

idm.allowNTLM = false makes the Vintela filter accept only Kerberos tokens and reject NTLM ones; keep it that way, since an NTLM fallback would defeat the point of the AES Kerberos setup. The two logger entries are listed in full in the note.




Open the Tomcat Options and add the following lines to the Tomcat Java Options, where CLEARTEXTPASSWORD is the password of ServiceAccount:

-Dcom.wedgetail.idm.sso.password=CLEARTEXTPASSWORD
-Djcsi.kerberos.debug=true

Note: The password is now stored in clear text in the Tomcat service configuration, readable by anyone who can open the Tomcat configuration on this server. It is only there to prove the rest of the setup works; it is replaced by the keytab a few steps further down, and the debug option is removed at the end.

Start Tomcat, go to "X:\Program Files (x86)\SAP BusinessObjects\tomcat\logs\" and check that stderr.log contains 'credentials obtained'.

Test that silent single sign-on now works in a browser on a client PC.
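A check for the Tomcat Java options that catches the start-up failure several comments below report ("Unrecognized option: –D..."), added here as an example; it is not part of the original post. It assumes the Tomcat procrun service is named BOEXI40Tomcat and stores its options in the registry key shown, both of which are assumptions, and the sample option list it runs first is constructed.

```powershell
# Added example (not from the original post): lint the Tomcat Java Options before
# restarting. A hyphen copy-pasted from a web page can arrive as an en dash (U+2013),
# and Tomcat then fails with "Unrecognized option: –D...". Assumptions (not in the
# original): the procrun service "BOEXI40Tomcat" and the registry key below.

function Test-JavaOptions {
    param([string[]] $Options)
    $problems = @()
    foreach ($opt in $Options) {
        # Anything outside printable ASCII is suspect; en dashes and smart quotes are typical.
        if ($opt -match '[^\x20-\x7E]') {
            $problems += "non-ASCII character in option: $opt"
        }
        # -Dname=<drive>:\path options must point at a file that exists on this server.
        if ($opt -match '^-D[^=]+=([A-Za-z]:\\.+)$' -and -not (Test-Path -LiteralPath $Matches[1])) {
            $problems += "file not found for option: $opt"
        }
        # Temporary settings from the guide that must not survive into production.
        if ($opt -like '-Dcom.wedgetail.idm.sso.password=*') {
            $problems += 'clear-text SSO password is still set; switch to the keytab'
        }
        if ($opt -eq '-Djcsi.kerberos.debug=true') {
            $problems += 'Kerberos debug logging is still enabled'
        }
    }
    return $problems
}

# Constructed sample (not from any real system) mirroring the failure in the comments:
# the second entry uses an en dash, the third carries the temporary password option.
$sample = @(
    '-Djava.security.krb5.conf=C:\Windows\krb5.ini',
    "$([char]0x2013)Djcsi.kerberos.debug=true",
    '-Dcom.wedgetail.idm.sso.password=Secret123'
)
Test-JavaOptions -Options $sample   # flags the en dash and the password (and krb5.ini if absent)

# Live check against the service's stored options (REG_MULTI_SZ -> string[]).
$Service = 'BOEXI40Tomcat'                                   # assumed service name
$Key = "HKLM:\SOFTWARE\Apache Software Foundation\Procrun 2.0\$Service\Parameters\Java"
if (Test-Path -LiteralPath $Key) {
    $found = @(Test-JavaOptions -Options (Get-ItemProperty -LiteralPath $Key -Name Options).Options)
    if ($found.Count -eq 0) {
        'Java options look sane'
    } else {
        $found | ForEach-Object { Write-Warning $_ }
        exit 1
    }
}
```

Run it after every change to the Java Options; the two "still set" warnings are what you want to see disappear after the keytab and cleanup steps further down.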


Now it is time to remove the clear-text password from the Tomcat Java Options. To do that, follow the steps below.



Create a keytab on the AD server by running the following command:


ktpass -out bosso.keytab -princ ServiceAccount@DOMAIN.COM -pass CLEARTEXTPASSWORD -kvno 255 -ptype KRB5_NT_PRINCIPAL -crypto AES256-SHA1


Note: -pass * makes ktpass prompt for the password instead, so it does not end up in the command history. The -crypto AES256-SHA1 value matches the AES 256 option enabled on the account earlier. Because the keytab is derived from the account password, the file must be regenerated and replaced on the server whenever that password changes.

ktpass reports the keytab file it has written.



Copy the file "bosso.keytab" to "C:\Windows" on the SAP BusinessObjects server, restrict its NTFS permissions so that only administrators and the account Tomcat runs as can read it (the keytab is equivalent to the service account's password), then stop Tomcat.



Add the following line to the properties file created earlier under X:\Program Files (x86)\SAP BusinessObjects\tomcat\webapps\BOE\WEB-INF\config\custom\:


idm.keytab = C:/Windows/bosso.keytab


Open the Tomcat Configuration, remove the "-Dcom.wedgetail.idm.sso.password=CLEARTEXTPASSWORD" line from the Java Options, restart Tomcat and make sure 'credentials obtained' still shows up in stderr.log.
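The keytab steps above as PowerShell functions, added here as an example that is not from the original post. The principal ServiceAccount@DOMAIN.COM, the Tomcat service name BOEXI40Tomcat, the assumption that Tomcat runs as DOMAIN\ServiceAccount and the install path are placeholders; New-BobjKeytab runs on the AD server, the other two functions on the BI server.

```powershell
# Added example (not from the original post): create the keytab, install it with a
# restrictive ACL and confirm Tomcat still reports its credentials. Assumptions (not
# in the original): principal, service name, Tomcat's run-as account and install path.

# Run on the AD server. "-pass *" makes ktpass prompt, so the password is neither
# echoed nor stored in the command history. Same -kvno, -ptype and -crypto as the
# guide; AES256-SHA1 yields a keytab containing only an AES256 key.
function New-BobjKeytab {
    param(
        [string] $Principal = 'ServiceAccount@DOMAIN.COM',
        [string] $OutFile   = "$env:TEMP\bosso.keytab"
    )
    & ktpass -out $OutFile -princ $Principal -pass '*' -kvno 255 -ptype KRB5_NT_PRINCIPAL -crypto AES256-SHA1
    if ($LASTEXITCODE -ne 0) { throw "ktpass failed with exit code $LASTEXITCODE" }
    Get-Item -LiteralPath $OutFile
}

# Run on the BI server after copying the file over. The keytab is equivalent to the
# service account password: stop it inheriting the broad C:\Windows ACL and grant
# read access only to SYSTEM, Administrators and the account Tomcat runs as.
function Install-BobjKeytab {
    param(
        [string] $Source,
        [string] $Target  = 'C:\Windows\bosso.keytab',
        [string] $SvcUser = 'DOMAIN\ServiceAccount'    # assumed Tomcat run-as account
    )
    Copy-Item -LiteralPath $Source -Destination $Target -Force
    $acl = Get-Acl -LiteralPath $Target
    $acl.SetAccessRuleProtection($true, $false)       # drop inherited rules
    foreach ($id in 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators') {
        $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule($id, 'FullControl', 'Allow')))
    }
    $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule($SvcUser, 'Read', 'Allow')))
    Set-Acl -LiteralPath $Target -AclObject $acl
    (Get-Acl -LiteralPath $Target).Access | Select-Object IdentityReference, FileSystemRights
}

# Run on the BI server once idm.keytab is set and the clear-text password option is
# gone: restart Tomcat and look for the Vintela filter's success message.
function Test-BobjSsoCredentials {
    param(
        [string] $Service     = 'BOEXI40Tomcat',        # assumed service name
        [string] $LogDir      = 'C:\Program Files (x86)\SAP BusinessObjects\tomcat\logs',
        [int]    $WaitSeconds = 90
    )
    Restart-Service -Name $Service -ErrorAction Stop
    Start-Sleep -Seconds $WaitSeconds
    $tail = Get-Content -LiteralPath (Join-Path $LogDir 'stderr.log') -Tail 500
    if ($tail -match 'credentials obtained') { return $true }
    Write-Warning 'No "credentials obtained" in stderr.log: check idm.keytab, the account password and the keytab kvno'
    return $false
}

# Usage on the BI server, after copying the keytab produced by New-BobjKeytab:
# Install-BobjKeytab -Source 'D:\transfer\bosso.keytab'
# Test-BobjSsoCredentials
```

Keep the keytab out of backups and file shares that are readable more widely than the ACL above; anyone holding it can impersonate the service account to the KDC for as long as the password stays the same.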






Remove debug=true from the C:\Windows\bscLogin.conf file, and also remove the debugging line from the Java Options in the Tomcat Configuration. Kerberos debug output includes principal names and ticket details for every logon and belongs only in a troubleshooting session.

Note: For a non-SSO logon to the CMC you can use the URL shown below.


Open the CMC page of your BI server and it will let you log in without entering credentials.



Reference document used: Active Directory SSO for SAP BusinessObjects BI4, created by Joshua Fletcher.

Thank you for reading

Yogesh Patel

  • Great post, thanks for sharing! Is this on Windows Server 2008 or 2012? I'm currently having issues getting SSO to work for BI4.2SP3 on Win Server 2012 R2. Am trying to gauge any config differences in all the krb5, bscLogin, BILaunchpad and any other config files.

    Thanks again


      • Thanks Yogesh for quick reply. Reason I was asking is that you're still using SETSPN -A command and parameter.

        For Windows Server 2012 the -A parameter is no longer available...

        Unless of course you're using the command on an older Windows Server (prob domain controller)?



    • Hello Rene!

      I'm facing the same problem with BO42 SP3 on Windows Server 2012: the SSO does not pass through automatically.

      I have not seen any problems in the Tomcat logs, and the AD groups/users were replicated successfully.

      How did you fix your problem? Could you share it, please?



      Rodrigo Silveira.

  • Hello, I'm not seeing "credentials obtained" in stderr.log
    Suggestions on what to try for troubleshooting?
    I already have AD working (ticket produced), but trying to add SSO.

  • Hi,

    We are on Windows Server 2008 R2 and BI 4.2 SP3 Patch 2. Even though we have configured all the steps above, SSO is not working, meaning it prompts for user ID and password on a Windows 10 client machine, but the same was working fine on a Windows 7 machine.

    We understood from our research that Windows 10 has an additional security feature, Credential Guard, which is blocking the SSO. When we turn off Credential Guard, SSO works fine in Windows 10.

    Any idea if anyone has faced a similar issue? We are looking for a solution that works with Credential Guard on in Windows 10.

    Any help is much Appreciated.

    • Hi!

      We face same issue under same configuration.

      In Windows10 client machine with IE11, SSO is not working, while it is working in Win7 with IE11 for years.

      Any ideas how to overcome this.

      Many thanks!




      While debugging we can find this error message:

      -timestamp-|LoginContext failed. Failure unspecified at GSS-API level (Mechanism level: KDC can’t fulfill requested option
      Error code: 13
      Error message: null
      Client name: null
      Client realm: null
      Client time: null
      Server name: BICMS/
      Server realm: DOMAIN
      Server time: timestamp)

    • Dear,

      we discovered the same issue. We never had issues on W7 but in W10 it was not working with Credential Guard turned on.

      Solution: enable Constrained Delegation on the Service Account in Windows Active Directory

      Note 2182400 - Setting up constrained delegation in BI 4.x
      Note 1184989 - Error: "An error has occurred: java.lang.NullPointerException" logging on to InfoView with Vintela Single Sign-On after setting constrained delegation

      For AO (dswsbobje URL), we had to set an additional parameter described in note 1730540 - Error: "An error occurred while logging on. (LO 02040)" while logging in to Live Office using AD SSO in BI 4.0

  • Hi Yogesh

    If we configure the sso for the CMC, is there also a URL that we can logon without sso?

    For the BI launchpad is this URL: http://<FQDN>:<Port>/BOE/BI/logonNoSso.jsp but for the CMC which URL we can use there?


    Regards Stefan

  • Hi Yogesh

    Just trying to follow the steps in the post.
    We've installed BIP 4.2 SP3 Patch 6 (with Tomcat 8.0.36).

    When adding the Java parameter (p.e. – in Tomcat, it's not possible to start Tomcat.
    The stderr.log has the following message: "Unrecognized option: – = c:\windows\bscLogin.conf"
    Did we do something wrong?




  • This guide works the same for BO 4.2 and 4.1 ?

    I'm currently running SAP BusinessObjects BI Platform 4.1 Support Pack 5 Patch 5 and planning to enable SSO

  • I just notice my landscape is not using TomCat, we use netweaver. So for the folder configuration I found a similar path under config/custom that I can use, but when stopping the tomcat and edit the java options I don't know how to translate that into my netweaver.

    Is there a similar good guide like this to do it on NetWeaver?

  • Hi, I follow all this steps.. everything works fine.. but!

    I add the AD Group, but the group is empty, although in the former system (synthetically I have two BO servers: the former with BI 4.1 SP5, where the AD Group is imported and works, and the new one with BI 4.2 SP4, where the AD Group hasn't any user inside) everything works fine.

    What can I check?



  • Hi –

    I'm working on configuring Windows AD on a distributed landscape and wanted to know on which server I should create the bscLogin and krb5 files. Is just the web tier enough, or do I also have to create them on the intelligence or processing tier servers as well? I have configured Windows AD on a standalone system and it is working fine. Thanks in advance!



    Hi Yogesh,

    we are on "SAP BusinessObjects BI Platform 4.2 SP4 Patch 3 update"

    the "CMC -> Authentication -> Windows AD, select “Create new aliases when the Alias Update occurs”." are not updating with any new users added to the AD Group. I have deleted a group and re-added now the existing users also disappeared.

    any pointer are much appreciated.


    Naveen Jain

    • Hello Naveen,

      We faced same issue in our environment.

      Our SAP security team was able to get it fixed. Let me ping them to find out what they did. I will get back to you on this.


      • Hi Yogesh,

        it's been reported for BI 4.2 SP3 "2388068 - Intermittent issues with role and group mapping in BI 4.2 SP3" -

        but I could not find any solution or work around, would definitely be helpful if you can find more details.


        Naveen Jain



    Hello, Yogesh.

    I found my way to these forums looking for solutions and advice. I am one of the Enterprise Admins specializing in the care and feeding of Active Directory and all its associated services.

    I have recently been introduced to an issue with SSO and Business Objects BI Launch Pad (SAP Business Objects BI Platform 4.2 Support Pack 3 Patch 3 Version) and I'm hoping for some assistance or advice.

    Originally we had a single forest, single domain, and the existing SSO with BOP was set up (before my time) and follows pretty much your process above. I spent most of yesterday reviewing and confirming our setup (well written).

    Last year we purchased a company with its own forest and domain; the powers that be right now want to keep them separate but authorized a full forest trust between the two forests\domains.

    Most systems seem to be fine, and for the most part there are no issues accessing systems on either side of the trust. Except when they wanted staff from the new domain to start accessing BI Launch Pad using SSO. It fails miserably; it doesn't work via SSO or using prompted credentials...

    My investigation so far has shown that BOP login has no idea where to authenticate these alternate forest\domain users...

    As far as my knowledge goes this seems to work for a single domain or multiple domains in the same forest. Is there any reference material or experience setting something like this up for the situation I hopefully explained correctly above?

    Thanks in advance for all or any feedback or information.


    James Chapman


    • it's all detailed here

      to note it's not BI looking for the other forest it's the browser and DNS is missing the required info created by a forest trust.





        Hi Tim,

        Thanks for your reply. Unfortunately I do not have access to the link you included. I see the Symptoms section and then Read more... When I click on the Read more hyperlink I get prompted for a logon, which doesn't allow me to log in using my existing credentials.

        I am AD Support; I do not have access to the BI configuration. They showed me a Windows Active Directory screen that had our Default Primary Domain only, with no place to add additional info. As far as I can tell the Forest Trust and DNS info are correct, but I will review.




        • well more to the point of why kerberos SSO will not work without a forest trust is this Microsoft article

          One-way forest trust support cross forest Kerberos and NTLM authentication while external trust only support NTLM (Kerberos authentication is the preferred method in SOEasy, NTLM is provided for backward compatibility)

          A one-way, forest trust between two forests allows members of the trusted forest to use resources that are located in the trusting forest. However, the trust operates in only one direction.

          Now an additional complication is that BI CMS must also read users/groups from the other forest, and while this might not require a forest trust, the forest trust is by far the easiest way of accomplishing this. So SSO kerberos must have 1 way forest trust and BI group mapping should have one in the other direction, or some equivalent that will allow a remote server to query all the domains using Microsoft API's .



  • Hello Yogesh,


    Thanks for your post.

    Single signon is working but we get kerberos errors


    I searched the internet for a solution but haven't found the right one yet.

    Can you help me fixing this problem ?

    Solutions from others are welcome as well.



    Maarten Kuivenhoven

  • Did you do the portion where it mentions increasing the HTTP header size in the server.xml file?

    I've seen wedgetail errors when a user is in so many AD groups that info gets cut off if that max size isn't increased. Just guessing here. Otherwise as mentioned in earlier posts above, has the password of the service acct been changed? Because if so then you need to regenerate the keytab file with updated embedded pwd.

  • We have this working in our environment (has been working for a few years now). We now want to change the KDC value. Is this just a simple change in the KRB5 file or is there more to it than that?

  • Thank you for the great information. I am trying this procedure to implement SSO on my environment.

    I have a question:

    Can I link a Quality BO server and a Production BO server to one Active Directory?

    I guess I change the SPN registration procedure from above to the following:

        > setspn -a BOCMS/ ServiceAccount

        > setspn -a HTTP/QualityBOserverHostName ServiceAccount

        > setspn -a HTTP/QualityBOserver ServiceAccount

        > setspn -a HTTP/ProductionBOserverHostName ServiceAccount

        > setspn -a HTTP/ ServiceAccount



    Hi Guys,

    I have configured Windows AD in 4.2 Environment and trying to log into the Windows AD Authentication getting the following error.


    Account information not recognized: An error has occurred propagating the security context between the security server and the client. Please contact your system administrator.


    Please let me know what is causing this error?. Configuring SSO first time, your help is greatly appreciated.


    Server OS: 2012 R12

    SAP BO Version: 4.2 SP5






    Hi Yogesh,

    I did research and found no solution for my issue; I am also working with SAP support, still with no luck. So I thought of trying the community blog.





  • Hi Yogesh Patel


    This blog seems to be really helpful on my scenario!! Currently my BI platform is running on windows 12 and i am trying to enable SSO for my application that runs on the same machine.

    But i am not sure how to create a AD account as my DOMAIN name is GLOBAL which is managed by accounts


    Your suggestion will be really helpful.






  • Thanks very much for this detailed document, very helpful, and all is now working. The only issue I had was when I created the files, because Notepad added .txt onto the file name and, as extensions were hidden, I couldn't see that! Once the .txt was removed from the files, all worked perfectly. Just worth noting: make sure you have hidden file extensions showing!

    Thanks again

  • Hi


    Our SSO was working fine for a couple of years, but it suddenly stopped working.


    Can you let us know where to look, or how to debug?


    In log I am not seeing any error. It also has "Credential Obtained"


    Any pointers to debug this.

  • Add to  Java Options in Tomcat properties

    • –Dcom.wedgetail.idm.sso.password=Business0bjectsBISBX

    But then Tomcat will not start, found error in logs

    • Unrecognized option: –Djcsi.kerberos.debug=true

    When I remove the 2 lines Tomcat will start, AD authentication works but not SSO.

    Keytab file is working with WAS servers, so issue not with this file.

    Any Ideas?