
SSO for BI Launchpad

 

Reference Note:

1631734 – Configuring Active Directory Manual Authentication and SSO for BI4

 

Create an Active Directory service account

Note: The user account must be set to “User cannot change password” and “Password never expires”.

 

 

On the SAP BusinessObjects server, add the DOMAIN/ServiceAccount user to the Local Administrators group.

 

Assign the ‘ServiceAccount’ user the right “Act as part of the operating system” in the Local Security Policy snap-in.

 

 

Run the following commands on the Active Directory server to create the appropriate Service Principal Names (SPNs):

 

Note: Make sure domain.com is replaced with your domain name value

 

setspn -a BOCMS/ServiceAccount.domain.com ServiceAccount
setspn -a HTTP/BusinessObjectServerHostName ServiceAccount
setspn -a HTTP/BusinessObjectServerHostName.domain.com ServiceAccount

 

Change the user configuration of ‘ServiceAccount’ in Active Directory configuration, and under the Delegation tab, select “Trust this user for delegation to any service (Kerberos only)”

 

Change the user configuration of ‘ServiceAccount’ in Active Directory configuration, and under the Account tab, select “This account supports Kerberos AES 128 bit encryption” and “This account supports Kerberos AES 256 bit encryption”.

 

Log in to the CMC as the Administrator user using Enterprise authentication.

 

Under the AD Authentication area in the Central Management Console, configure the following:

 

Enable Windows Active Directory (AD)

AD Administration Name = DOMAIN\ServiceAccount

Default AD Domain: DOMAIN.COM

Add AD Group: DOMAIN\UserGroup

Use Kerberos Authentication

Service principal name = BOCMS/ServiceAccount.domain.com

Enable Single Sign On for selected authentication mode

 

Click Update to save all your entries. Check under the Groups area to make sure your AD group has been added.

 

 

Stop SIA through “Central Configuration Manager”

 

Modify the Server Intelligence Agent (SIA) process on the BusinessObjects server to run as the DOMAIN\ServiceAccount user.

 

Create a file called “bscLogin.conf”, save it in the “C:\Windows\” directory on the SAP BusinessObjects server, and put the following content into it using the Notepad editor:

com.businessobjects.security.jgss.initiate {
com.sun.security.auth.module.Krb5LoginModule required debug = true;
};

 

 

 

Create a file called “krb5.ini”, save it in the “C:\Windows\” directory, and put the following content into it using the Notepad editor:

 

[libdefaults]
default_realm = DOMAIN.COM
dns_lookup_kdc = true
dns_lookup_realm = true
default_tgs_enctypes = rc4-hmac,aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96
default_tkt_enctypes = rc4-hmac,aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96
udp_preference_limit = 1
forwardable = true
[realms]
DOMAIN.COM = {
kdc = DOMAINCONTROLLER.DOMAIN.COM
default_domain = DOMAIN.COM
}

 

 

 

 

Run ‘kinit ServiceAccount’ from the folder “X:\Program Files (x86)\SAP BusinessObjects\SAP BusinessObjects Enterprise XI 4.0\win64_x64\sapjvm\bin”.

 

If a new ticket is stored, the file is correct.

 

 

Stop Tomcat through “Central Configuration Manager”

 

 

Create the file “BIlaunchpad.properties” at X:\Program Files (x86)\SAP BusinessObjects\Tomcat6\webapps\BOE\WEB-INF\config\custom and add the following to it using the Notepad editor:

 

authentication.visible = true
authentication.default = secWinAD

 

 

 

Open up the Tomcat Options, and add the following lines to the Tomcat Java Options:

 

-Djava.security.auth.login.config=C:\Windows\bscLogin.conf
-Djava.security.krb5.conf=C:\Windows\krb5.ini

 

 

Modify X:\Program Files (x86)\SAP BusinessObjects\tomcat\conf\server.xml by adding ‘maxHttpHeaderSize="65536"’ to the Connector tag for port 8080 (the Kerberos ticket sent in the Authorization header can exceed Tomcat’s default header size limit).

 

 

 

Create a new file called “global.properties” at “X:\Program Files (x86)\SAP BusinessObjects\tomcat\webapps\BOE\WEB-INF\config\custom” and add the following text to it using the Notepad editor:

 

sso.enabled = true
siteminder.enabled = false
vintela.enabled = true
idm.realm = DOMAIN.COM
idm.princ = ServiceAccount
idm.allowUnsecured = true
idm.allowNTLM = false
idm.logger.name = simple
idm.logger.props = error-log.properties

 

 

 

Open up the Tomcat Options and add the following lines to the Tomcat Java Options:

 

Note: CLEARTEXTPASSWORD is the password of your ServiceAccount.

 

-Dcom.wedgetail.idm.sso.password=CLEARTEXTPASSWORD
-Djcsi.kerberos.debug=true

 

 

 

 

Start Tomcat and check that stderr.log under “X:\Program Files (x86)\SAP BusinessObjects\tomcat\logs\” shows ‘credentials obtained’.

Test that silent single sign-on now works in a browser on a client PC.

 

Now remove the cleartext password from the Tomcat Java Options. To do that, follow the steps below.

 

 

Create a keytab on the AD server by running the following command:

 

ktpass -out bosso.keytab -princ ServiceAccount@DOMAIN.COM -pass CLEARTEXTPASSWORD -kvno 255 -ptype KRB5_NT_PRINCIPAL -crypto AES256-SHA1

 

File created as below

 

 

Copy this file “bosso.keytab” to “C:\Windows” on the SAP BusinessObjects server, then stop Tomcat.

 

 

Add the following line to X:\Program Files (x86)\SAP BusinessObjects\tomcat\webapps\BOE\WEB-INF\config\custom\global.properties

 

idm.keytab = C:/Windows/bosso.keytab

 

Open up the Tomcat Configuration, remove the “-Dcom.wedgetail.idm.sso.password=CLEARTEXTPASSWORD” line from the Java Options, restart Tomcat and make sure ‘credentials obtained’ still shows up in stderr.log.

 

 


 

 

Remove debug=true from the C:\windows\bscLogin.conf file, and also remove the debugging line in Tomcat Configuration, Java Options.

 

Start Tomcat and check SSO for BI Launchpad is working and allowing you to login without entering credentials.
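A check worth running once SSO is proven working, added here as an example (it is not part of the original post or of SAP's tooling): it parses the krb5.ini, bscLogin.conf and global.properties contents plus the Tomcat Java options and flags the settings this guide tells you to remove afterwards, together with the legacy rc4-hmac cipher that the AES-enabled service account and AES256 keytab no longer need. The file contents are constructed inline from the guide's values; `idm.allowUnsecured` is flagged for review because it permits SSO over unencrypted HTTP.

```python
"""Post-setup review of the Kerberos SSO files this guide produces (constructed inputs)."""
import re

# Constructed inputs copied from the guide's values (not read from the real files).
KRB5_INI = """[libdefaults]
default_realm = DOMAIN.COM
default_tgs_enctypes = rc4-hmac,aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96
default_tkt_enctypes = rc4-hmac,aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96
[realms]
DOMAIN.COM = {
kdc = DOMAINCONTROLLER.DOMAIN.COM
}
"""
BSC_LOGIN = ("com.businessobjects.security.jgss.initiate {\n"
             "com.sun.security.auth.module.Krb5LoginModule required debug = true;\n};\n")
GLOBAL_PROPS = "sso.enabled = true\nvintela.enabled = true\nidm.allowUnsecured = true\nidm.allowNTLM = false\n"
JAVA_OPTS = "-Dcom.wedgetail.idm.sso.password=CLEARTEXTPASSWORD -Djcsi.kerberos.debug=true"

def parse_kv(text):
    """Collect 'key = value' lines from krb5.ini or a .properties file; sections and braces are skipped."""
    pairs = {}
    for line in text.splitlines():
        m = re.match(r"\s*([\w.]+)\s*=\s*(.*?)\s*$", line)
        if m:
            pairs[m.group(1)] = m.group(2)
    return pairs

def review(krb5, bsclogin, props, java_opts):
    """Return the list of findings; an empty list means the guide's cleanup steps are done."""
    findings = []
    k = parse_kv(krb5)
    for key in ("default_tgs_enctypes", "default_tkt_enctypes"):
        if "rc4-hmac" in k.get(key, ""):
            findings.append(f"krb5.ini: {key} still offers rc4-hmac (legacy cipher)")
    if re.search(r"debug\s*=\s*true", bsclogin):
        findings.append("bscLogin.conf: debug = true left in place")
    p = parse_kv(props)
    if p.get("idm.allowUnsecured", "").lower() == "true":
        findings.append("global.properties: idm.allowUnsecured = true (SSO accepted over plain HTTP)")
    if "idm.keytab" not in p:
        findings.append("global.properties: no idm.keytab, so the cleartext password is still needed")
    if "-Dcom.wedgetail.idm.sso.password=" in java_opts:
        findings.append("Tomcat Java options: cleartext service-account password present")
    if "-Djcsi.kerberos.debug=true" in java_opts:
        findings.append("Tomcat Java options: Kerberos debug still enabled")
    return findings

if __name__ == "__main__":
    for finding in review(KRB5_INI, BSC_LOGIN, GLOBAL_PROPS, JAVA_OPTS):
        print("WARN:", finding)
```

Run against the real files by reading them into the four variables; every finding it prints corresponds to a cleanup step in this post.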

 

 

SSO for CMC

 

Reference SAP Notes:

2190831 – How to enable SSO for CMC in BI 4.1 SP6

2190487 – Is SSO for CMC supported in BI 4.1 with Vintela (AD SSO)?

 

 

Create “CmcApp.properties” at “X:\Program Files (x86)\SAP BusinessObjects\tomcat\webapps\BOE\WEB-INF\config\custom” and add the following to it with the Notepad editor:

 

cms.default = CMSHOST:PORT
authentication.visible = true
cms.visible = true
sso.supported.types = vintela, trustedIIS, trustedHeader, trustedParameter, trustedCookie, trustedSession, trustedUserPrincipal, trustedVintela, trustedX509, sapSSO, siteminder
sso.types.and.order = vintela
authentication.default = secWinAD

Note: To log on to the CMC without SSO, use the URL shown below:

http://HOST:PORT/BOE/CMC/logon.faces?skipSso=true

Open the CMC page of your BI server; it will let you log in without entering credentials.

 

 

I have used the reference document located at: Active Directory SSO for SAP BusinessObjects BI4, created by Joshua Fletcher.

 

Thank you for reading

Yogesh Patel


27 Comments


  1. Rene Gielen

    Great post, thanks for sharing! Is this on Windows Server 2008 or 2012? I’m currently having issues getting SSO to work for BI4.2SP3 on Win Server 2012 R2. Am trying to gauge any config differences in all the krb5, bscLogin, BILaunchpad and any other config files.

    Thanks again

    Rene

      1. Rene Gielen

        Thanks Yogesh for quick reply. Reason I was asking is that you’re still using SETSPN -A command and parameter.

        For Windows Server 2012 the -A parameter is no longer available…

        Unless of course you’re using the command on an older Windows Server (prob domain controller)?

        Thx

        R

  2. Brian Kudera

    Hello, I’m not seeing “credentials obtained” in stderr.log
    Suggestions on what to try for troubleshooting?
    I already have AD working (ticket produced), but trying to add SSO.

  3. Mohan Kaparthi

    Hi,

    We are on Windows Server 2008 R2 and BI 4.2 SP3 Patch 2. Even though we have configured all the steps above, SSO is not working, meaning it is prompting for user ID and password on a Windows 10 client machine, but the same was working fine on a Windows 7 machine.

    We understood from our research Windows 10 has additional security feature Credential Guard which is blocking the SSO. When we turn off the Credential Guard SSO was working fine in Windows 10.

    Any idea if anyone has faced a similar issue? We are looking for a solution that works with Credential Guard on in Windows 10.

    Any help is much Appreciated.

    1. Stefan Backhaus

      Hi!

      We face same issue under same configuration.

      In Windows10 client machine with IE11, SSO is not working, while it is working in Win7 with IE11 for years.

      Any ideas how to overcome this.

      Many thanks!

      Stefan

       

       

      While debugging we can find this error message:

      -timestamp-|LoginContext failed. Failure unspecified at GSS-API level (Mechanism level: com.dstc.security.kerberos.KerberosError: KDC can’t fulfill requested option
      KrbError:
      Error code: 13
      Error message: null
      Client name: null
      Client realm: null
      Client time: null
      Server name: BICMS/serviceuser.host.domain
      Server realm: DOMAIN
      Server time: timestamp)

    2. Oxya Oxya

      Dear,

      we discovered the same issue. We never had issues on W7 but in W10 it was not working with Credential Guard turned on.

      Solution: enable Constrained Delegation on the Service Account in Windows Active Directory

      Note 2182400 – Setting up constrained delegation in BI 4.x
      https://blogs.sap.com/2015/12/07/kerberos-single-sign-on-in-mobi-ios/
      Note 1184989 – Error: “An error has occurred: java.lang.NullPointerException” logging on to InfoView with Vintela Single Sign-On after setting constrained delegation

      For AO (dswsbobje URL), we had to set an additional parameter described in note 1730540 – Error: “An error occurred while logging on. (LO 02040)” while logging in to Live Office using AD SSO in BI 4.0

  4. Stefan Zumbühl

    Hi Yogesh

    If we configure the sso for the CMC, is there also a URL that we can logon without sso?

    For the BI launchpad this is the URL: http://<FQDN>:<Port>/BOE/BI/logonNoSso.jsp but for the CMC which URL can we use there?

     

    Regards Stefan

  5. Tobias Spägele

    Hi Yogesh

    Just trying to process the steps in the post.
    We’ve installed BIP 4.2. SP 3 Patch 6 (with Tomcat 8.0.36).

    When adding the Java Parameter (p.e.–Djava.security.auth.login.config=xxxx) in Tomcat It’s not possible to start the tomcat.
    The stderr.log has the following message: “Unrecognized option: –Djava.security.auth.login.config = c:\windows\bscLogin.conf”
    Did we do something wrong?

    regards
    Tobias

     

     

  6. Richard Vasquez

    This guide works the same for BO 4.2 and 4.1 ?

    I’m currently running SAP BusinessObjects BI Platform 4.1 Support Pack 5 Patch 5 and planning to enable SSO

