SSO for BI Launchpad

Reference Note:

1631734 – Configuring Active Directory Manual Authentication and SSO for BI4

Create an Active Directory service account

Note: The user account must be set to “User cannot change password” and “Password never expires”.

On the SAP BusinessObjects server, add the DOMAIN/ServiceAccount user to the Local Administrators group.

Assign the ‘ServiceAccount’ user the right “Act as part of the operating system” in the Local Security Policy snap-in.

Run the following commands on the Active Directory server to create the required Service Principal Names (SPNs).

Note: Replace domain.com with your own domain name.

    setspn -a BOCMS/ServiceAccount.domain.com ServiceAccount

    setspn -a HTTP/BusinessObjectServerHostName ServiceAccount

    setspn -a HTTP/BusinessObjectServerHostName.domain.com ServiceAccount

Change the user configuration of ‘ServiceAccount’ in Active Directory configuration, and under the Delegation tab, select “Trust this user for delegation to any service (Kerberos only)”

Change the user configuration of ‘ServiceAccount’ in Active Directory, and under the Account tab, select “This account supports Kerberos AES 128 bit encryption” and “This account supports Kerberos AES 256 bit encryption”.

Log in to the CMC as the Administrator user with Enterprise authentication.

Go to the AD Authentication area in the Central Management Console and configure the following:

    Enable Windows Active Directory (AD)

    AD Administration Name = DOMAIN\ServiceAccount

    Default AD Domain: DOMAIN.COM

    Add AD Group: DOMAIN\UserGroup

    Use Kerberos Authentication

    Service principal name = BOCMS/ServiceAccount.domain.com

    Enable Single Sign On for selected authentication mode

Click Update to save all your entries. Check under the Groups area to make sure your AD group has been added.

Stop SIA through “Central Configuration Manager”

Modify the Server Intelligence Agent (SIA) process on the BusinessObjects server to run as the DOMAIN\ServiceAccount user.

Create a file called “bscLogin.conf”, save it in the “C:\Windows\” directory on the SAP BusinessObjects server, and put the following content into it using Notepad:

    com.businessobjects.security.jgss.initiate {
        com.sun.security.auth.module.Krb5LoginModule required debug = true;
    };

Create a file called “krb5.ini”, save it in the “C:\Windows\” directory, and put the following content into it using Notepad:

    [libdefaults]
    default_realm = DOMAIN.COM
    dns_lookup_kdc = true
    dns_lookup_realm = true
    default_tgs_enctypes = rc4-hmac,aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96
    default_tkt_enctypes = rc4-hmac,aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96
    udp_preference_limit = 1
    forwardable = true

    [realms]
    DOMAIN.COM = {
        kdc = DOMAINCONTROLLER.DOMAIN.COM
        default_domain = DOMAIN.COM
    }

Run ‘kinit ServiceAccount’ from the folder “X:\Program Files (x86)\SAP BusinessObjects\SAP BusinessObjects Enterprise XI 4.0\win64_x64\sapjvm\bin”.

If a new ticket is stored, the krb5.ini file is correct.

Stop Tomcat through “Central Configuration Manager”

Create the file “BIlaunchpad.properties” at X:\Program Files (x86)\SAP BusinessObjects\Tomcat6\webapps\BOE\WEB-INF\config\custom

Add the following to the file using Notepad:

    authentication.visible = true
    authentication.default = secWinAD

Open the Tomcat Options and add the following lines to the Tomcat Java Options:

    -Djava.security.auth.login.config=c:\windows\bscLogin.conf
    -Djava.security.krb5.conf=c:\windows\krb5.ini

Modify X:\Program Files (x86)\SAP BusinessObjects\tomcat\conf\server.xml by adding maxHttpHeaderSize="65536" to the Connector tag for port 8080.

Create a new file called “global.properties” at “X:\Program Files (x86)\SAP BusinessObjects\tomcat\webapps\BOE\WEB-INF\config\custom”

Add the following text to it using Notepad:

    sso.enabled = true
    siteminder.enabled = false
    vintela.enabled = true
    idm.realm = DOMAIN.COM
    idm.princ = ServiceAccount
    idm.allowUnsecured = true
    idm.allowNTLM = false
    idm.logger.name = simple
    idm.logger.props = error-log.properties

Open the Tomcat Options and add the following lines to the Tomcat Java Options:

Note: CLEARTEXTPASSWORD is your ServiceAccount password.

    -Dcom.wedgetail.idm.sso.password=CLEARTEXTPASSWORD
    -Djcsi.kerberos.debug=true


Start Tomcat, go to “X:\Program Files (x86)\SAP BusinessObjects\tomcat\logs\” and check that stderr.log contains ‘credentials obtained’.

Test that silent single sign-on now works in a browser on a client PC.

Now it is time to remove the cleartext password from the Tomcat Java Options. To do that, follow the steps below.

Create a keytab on the AD server by running the following command:

    ktpass -out bosso.keytab -princ ServiceAccount@DOMAIN.COM -pass CLEARTEXTPASSWORD -kvno 255 -ptype KRB5_NT_PRINCIPAL -crypto AES256-SHA1

The command writes bosso.keytab to the current directory.

Copy this file “bosso.keytab” to “C:\Windows” on the SAP BusinessObjects server, then stop Tomcat.

Add the following line to X:\Program Files (x86)\SAP BusinessObjects\tomcat\webapps\BOE\WEB-INF\config\custom\global.properties

idm.keytab = C:/Windows/bosso.keytab

Open the Tomcat Configuration, remove the “-Dcom.wedgetail.idm.sso.password=CLEARTEXTPASSWORD” line from the Java Options, restart Tomcat and make sure ‘credentials obtained’ still appears in stderr.log.

Remove debug = true from the C:\windows\bscLogin.conf file, and also remove the -Djcsi.kerberos.debug=true line from the Java Options in the Tomcat Configuration.

Start Tomcat and check SSO for BI Launchpad is working and allowing you to login without entering credentials.
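As an added example (not part of the original post or of SAP's software), the following Python script audits the files produced by the steps above before the server is handed over: it flags rc4-hmac left in the krb5.ini encryption types even though the account was set to AES, a missing idm.keytab in global.properties, and a cleartext password or Kerberos debug flag still present in the Tomcat Java Options. The file contents embedded in it are constructed samples based on this page.

```python
# Added audit script (not from the original post or SAP). Checks the files built
# above against the cleanup steps the post ends with. Samples are constructed.
KRB5_INI = """[libdefaults]
default_realm = DOMAIN.COM
default_tgs_enctypes = rc4-hmac,aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96
default_tkt_enctypes = rc4-hmac,aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96
[realms]
DOMAIN.COM = {
kdc = DOMAINCONTROLLER.DOMAIN.COM
}"""
GLOBAL_PROPS = ("sso.enabled = true\nvintela.enabled = true\nidm.realm = DOMAIN.COM\n"
                "idm.princ = ServiceAccount\nidm.keytab = C:/Windows/bosso.keytab\n")
JAVA_OPTS = ("-Djava.security.auth.login.config=c:\\windows\\bscLogin.conf "
             "-Djava.security.krb5.conf=c:\\windows\\krb5.ini "
             "-Dcom.wedgetail.idm.sso.password=CLEARTEXTPASSWORD -Djcsi.kerberos.debug=true")

def parse_krb5(text):
    """Minimal krb5.ini reader -> {section: {key: value}}; brace lines are skipped."""
    sections, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            sections[current] = {}
        elif "=" in line and current and not line.endswith("{"):
            key, value = line.split("=", 1)
            sections[current][key.strip().lower()] = value.strip()
    return sections

def parse_properties(text):
    """Java .properties subset: 'key = value' lines; blanks and # comments ignored."""
    pairs = (l.split("=", 1) for l in text.splitlines()
             if "=" in l and not l.lstrip().startswith("#"))
    return {k.strip(): v.strip() for k, v in pairs}

def audit(krb5_text, props_text, java_opts):
    """Return the findings a reviewer would raise before declaring the setup done."""
    findings = []
    lib = parse_krb5(krb5_text).get("libdefaults", {})
    for key in ("default_tgs_enctypes", "default_tkt_enctypes"):
        if "rc4-hmac" in [e.strip() for e in lib.get(key, "").split(",")]:
            findings.append(f"krb5.ini: {key} still lists rc4-hmac; the account is AES-enabled")
    if "idm.keytab" not in parse_properties(props_text):
        findings.append("global.properties: idm.keytab missing, SSO still relies on a password")
    opts = java_opts.split()
    if any(o.startswith("-Dcom.wedgetail.idm.sso.password=") for o in opts):
        findings.append("Java Options: cleartext service account password still present")
    if "-Djcsi.kerberos.debug=true" in opts:
        findings.append("Java Options: Kerberos debug output still enabled")
    return findings
```

Calling audit(KRB5_INI, GLOBAL_PROPS, JAVA_OPTS) on the samples returns four findings; once the cleanup steps above have been applied and rc4-hmac is dropped from the enctype lists, it returns an empty list.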

SSO for CMC

Reference SAP Notes:

2190831 – How to enable SSO for CMC in BI 4.1 SP6

2190487 – Is SSO for CMC supported in BI 4.1 with Vintela (AD SSO)?

Create “CmcApp.properties” at “X:\Program Files (x86)\SAP BusinessObjects\tomcat\webapps\BOE\WEB-INF\config\custom” and add the following to it using Notepad:

    cms.default = CMSHOST:PORT
    authentication.visible = true
    cms.visible = true
    sso.supported.types = vintela, trustedIIS, trustedHeader, trustedParameter, trustedCookie, trustedSession, trustedUserPrincipal, trustedVintela, trustedX509, sapSSO, siteminder
    sso.types.and.order = vintela
    authentication.default = secWinAD

Open the CMC page of your BI server; it should log you in without prompting for credentials.

I have used the reference document “Active Directory SSO for SAP BusinessObjects BI4”, created by Joshua Fletcher.


Thank you for reading

Yogesh Patel


19 Comments


  1. Rene Gielen

    Great post, thanks for sharing! Is this on Windows Server 2008 or 2012? I’m currently having issues getting SSO to work for BI4.2SP3 on Win Server 2012 R2. Am trying to gauge any config differences in all the krb5, bscLogin, BILaunchpad and any other config files.

    Thanks again

    Rene

      1. Rene Gielen

        Thanks Yogesh for quick reply. Reason I was asking is that you’re still using SETSPN -A command and parameter.

        For Windows Server 2012 the -A parameter is no longer available…

        Unless of course you’re using the command on an older Windows Server (prob domain controller)?

        Thx

        R

  2. Brian Kudera

    Hello, I’m not seeing “credentials obtained” in stderr.log
    Suggestions on what to try for troubleshooting?
    I already have AD working (ticket produced), but trying to add SSO.

  3. Mohan Kaparthi

    Hi,

    We are on Windows Server 2008 R2 and BI 4.2 SP3 Patch 2. Even though we have configured all the steps above, SSO is not working, meaning it prompts for user ID and password on a Windows 10 client machine, but the same was working fine on a Windows 7 machine.

    We understood from our research that Windows 10 has an additional security feature, Credential Guard, which is blocking the SSO. When we turned off Credential Guard, SSO worked fine in Windows 10.

    Any idea if anyone has faced a similar issue? We are looking for a solution that works with Credential Guard on in Windows 10.

    Any help is much Appreciated.

    1. Stefan Backhaus

      Hi!

      We face the same issue under the same configuration.

      On a Windows 10 client machine with IE11, SSO is not working, while it has been working in Win7 with IE11 for years.

      Any ideas how to overcome this?

      Many thanks!

      Stefan

      While debugging we can find this error message:

      -timestamp-|LoginContext failed. Failure unspecified at GSS-API level (Mechanism level: com.dstc.security.kerberos.KerberosError: KDC can’t fulfill requested option
      KrbError:
      Error code: 13
      Error message: null
      Client name: null
      Client realm: null
      Client time: null
      Server name: BICMS/serviceuser.host.domain
      Server realm: DOMAIN
      Server time: timestamp)

  4. Stefan Zumbühl

    Hi Yogesh

    If we configure SSO for the CMC, is there also a URL that we can log on to without SSO?

    For the BI launchpad this URL is: http://<FQDN>:<Port>/BOE/BI/logonNoSso.jsp but for the CMC which URL can we use there?

    Regards Stefan
