Author: Yogesh Patel

SSO Configuration with Active Directory SAP Business Objects 4.2 (AES Encryption)

SSO for BI Launchpad

 

Reference Note:

1631734 – Configuring Active Directory Manual Authentication and SSO for BI4

 

Create an Active Directory service account

Note: The user account must be set to “User cannot change password” and “Password never expires”.

 

 

On the SAP BusinessObjects server, add the DOMAIN/ServiceAccount user to the Local Administrators group.

 

Assign the ‘ServiceAccount’ user the right “Act as part of the operating system” in the Local Security Policy snap-in.

 

 

Run the following commands on the Active Directory server to create the appropriate Service Principal Names (SPNs):

 

Note: Make sure domain.com is replaced with your domain name value

 

setspn -a BOCMS/ServiceAccount.domain.com ServiceAccount
setspn -a HTTP/BusinessObjectServerHostName ServiceAccount
setspn -a HTTP/BusinessObjectServerHostName.domain.com ServiceAccount


 

Change the user configuration of ‘ServiceAccount’ in Active Directory configuration, and under the Delegation tab, select “Trust this user for delegation to any service (Kerberos only)”

————————–

Note: If you are using Microsoft’s new version of the browser, please look at SAP Note 2182400 – Setting up constrained delegation in BI 4.x

You need to set up the AD account as below

 

You also need to add idm.allowS4U=true to the global.properties file and restart your SAP BusinessObjects system, including the OS.

 

————————

Change the user configuration of ‘ServiceAccount’ in Active Directory configuration, and under the Account tab, select “This account supports Kerberos AES 128 bit encryption” and “This account supports Kerberos AES 256 bit encryption”.

 

Log in to the CMC as the Administrator user with Enterprise authentication.

 

Go to the AD Authentication area in the Central Management Console and configure the following:

 

Enable Windows Active Directory (AD)

AD Administration Name = DOMAIN\ServiceAccount

Default AD Domain: DOMAIN.COM

Add AD Group: DOMAIN\UserGroup

Use Kerberos Authentication

Service principal name = BOCMS/ServiceAccount.domain.com

Enable Single Sign On for selected authentication mode

 

Click Update to save all your entries. Check under the Groups area to make sure your AD group has been added.

 

 

Stop SIA through “Central Configuration Manager”

 

Modify the Server Intelligence Agent (SIA) process on the BusinessObjects server to run as the DOMAIN\ServiceAccount user.

 

Create a file called “bscLogin.conf”, save it in the “C:\Windows\” directory on the SAP BusinessObjects server, and put the following content into it using the Notepad editor:

com.businessobjects.security.jgss.initiate {
com.sun.security.auth.module.Krb5LoginModule required debug = true;
};


 

 

 

Create a file called “krb5.ini”, save it in the “C:\Windows\” directory, and put the following content into it using the Notepad editor:

 

[libdefaults]
default_realm = DOMAIN.COM
dns_lookup_kdc = true
dns_lookup_realm = true
default_tgs_enctypes = rc4-hmac,aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96
default_tkt_enctypes = rc4-hmac,aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96
udp_preference_limit = 1
forwardable = true
[realms]
DOMAIN.COM = {
kdc = DOMAINCONTROLLER.DOMAIN.COM
default_domain = DOMAIN.COM
}


 

 

 

 

Execute ‘kinit ServiceAccount’ from the folder “X:\Program Files (x86)\SAP BusinessObjects\SAP BusinessObjects Enterprise XI 4.0\win64_x64\sapjvm\bin”.

 

If a new ticket is stored, the file is correct.

 

 

Stop Tomcat through “Central Configuration Manager”

 

 

Open up the Tomcat Options, and add the following lines to the Tomcat Java Options:

 

-Djava.security.auth.login.config=C:\Windows\bscLogin.conf
-Djava.security.krb5.conf=C:\Windows\krb5.ini


 

 

Modify X:\Program Files (x86)\SAP BusinessObjects\tomcat\conf\server.xml by adding ‘maxHttpHeaderSize="65536"’ to the Connector tag for port 8080.

 

 

 

Create a new file called “global.properties” at “X:\Program Files (x86)\SAP BusinessObjects\tomcat\webapps\BOE\WEB-INF\config\custom”.

Add the following text to it using the Notepad editor:

 

sso.enabled = true
siteminder.enabled = false
vintela.enabled = true
idm.realm = DOMAIN.COM
idm.princ = ServiceAccount
idm.allowUnsecured = true
idm.allowNTLM = false
idm.logger.name = simple
idm.logger.props = error-log.properties


 

 

 

Open up the Tomcat Options and add the following lines to the Tomcat Java Options:

 

Note: CLEARTEXTPASSWORD is your ServiceAccount password

 

-Dcom.wedgetail.idm.sso.password=CLEARTEXTPASSWORD
-Djcsi.kerberos.debug=true


 

 

 

Start Tomcat, go to “X:\Program Files (x86)\SAP BusinessObjects\tomcat\logs\” and check that stderr.log shows ‘credentials obtained’.

Test that silent single sign-on is now working in a browser on a client PC.

 

Now it is time to remove the cleartext password from the Tomcat Java Options. In order to do that, please follow the steps below.

 

 

Create a keytab on the AD server by running the following command:

 

ktpass -out bosso.keytab -princ ServiceAccount@DOMAIN.COM -pass CLEARTEXTPASSWORD -kvno 255 -ptype KRB5_NT_PRINCIPAL -crypto AES256-SHA1


 

File created as below

 

 

Copy this file “bosso.keytab” to “C:\Windows” on the SAP BusinessObjects server, then stop Tomcat.

 

 

Add the following line to X:\Program Files (x86)\SAP BusinessObjects\tomcat\webapps\BOE\WEB-INF\config\custom\global.properties:

 

idm.keytab = C:/Windows/bosso.keytab


 

Open up the Tomcat Configuration, remove the “-Dcom.wedgetail.idm.sso.password=CLEARTEXTPASSWORD” line in Java Options, restart Tomcat and make sure ‘credentials obtained’ is still showing up in stderr.log.

 

 

debug=true

 

 

Remove debug=true from the C:\windows\bscLogin.conf file, and also remove the debugging line in Tomcat Configuration, Java Options.
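A check for the cleanup steps above, as an added example (not part of the original post or of SAP's tooling): it scans the Tomcat Java Options, bscLogin.conf, krb5.ini and global.properties for the leftover cleartext password, the debug flags, a missing keytab, and options pasted with a non-ASCII dash. It goes beyond the post in one respect, flagging rc4-hmac in the krb5.ini enctype lists, since the account and keytab here are set up for AES. The function names, finding codes and sample inputs are constructed for illustration.

```python
import re

# Dash look-alikes that browsers and word processors substitute for "-".
# The JVM rejects such a line with "Unrecognized option" (reported in the comments).
BAD_DASHES = "\u2013\u2014\u2212"

# Constructed sample input: the page's files as they stand BEFORE the cleanup,
# with one option pasted with an en dash instead of a hyphen.
SAMPLE_JAVA_OPTIONS = (
    "-Djava.security.auth.login.config=C:\\Windows\\bscLogin.conf\n"
    "-Djava.security.krb5.conf=C:\\Windows\\krb5.ini\n"
    "-Dcom.wedgetail.idm.sso.password=CLEARTEXTPASSWORD\n"
    "\u2013Djcsi.kerberos.debug=true\n"
)
SAMPLE_BSCLOGIN = """com.businessobjects.security.jgss.initiate {
com.sun.security.auth.module.Krb5LoginModule required debug = true;
};
"""
SAMPLE_KRB5 = """[libdefaults]
default_realm = DOMAIN.COM
default_tgs_enctypes = rc4-hmac,aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96
default_tkt_enctypes = rc4-hmac,aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96
[realms]
DOMAIN.COM = {
kdc = DOMAINCONTROLLER.DOMAIN.COM
}
"""
SAMPLE_GLOBAL_PROPS = """sso.enabled = true
vintela.enabled = true
idm.realm = DOMAIN.COM
idm.princ = ServiceAccount
"""


def parse_key_values(text, section=None):
    """Parse 'key = value' lines; if section is given, only inside [section]."""
    current, out = None, {}
    for line in text.splitlines():
        line = line.strip()
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            current = header.group(1)
        elif "=" in line and not line.startswith("#") and current == section:
            key, value = line.split("=", 1)
            out[key.strip()] = value.strip()
    return out


def audit(java_options, bsc_login, krb5_ini, global_props):
    """Return (code, message) findings; messages never echo option values."""
    findings = []
    options = [o.strip() for o in java_options.splitlines() if o.strip()]
    normalised = []
    for opt in options:
        if opt[0] in BAD_DASHES:
            name = opt[1:].split("=", 1)[0]
            findings.append(("BAD_DASH", f"option {name!r} starts with a non-ASCII dash"))
            opt = "-" + opt[1:]  # keep checking the option the admin meant
        normalised.append(opt.replace(" ", ""))
    keytab = parse_key_values(global_props).get("idm.keytab")
    if any(o.startswith("-Dcom.wedgetail.idm.sso.password=") for o in normalised):
        findings.append(("CLEARTEXT_PASSWORD",
                         "service account password is still in the Tomcat Java Options"))
    elif not keytab:
        findings.append(("NO_CREDENTIAL",
                         "neither idm.keytab nor the password option is configured"))
    if "-Djcsi.kerberos.debug=true" in normalised:
        findings.append(("JCSI_DEBUG", "-Djcsi.kerberos.debug=true is still set"))
    if re.search(r"\bdebug\s*=\s*true\b", bsc_login, re.IGNORECASE):
        findings.append(("JAAS_DEBUG", "bscLogin.conf still has debug=true"))
    libdefaults = parse_key_values(krb5_ini, section="libdefaults")
    for key in ("default_tgs_enctypes", "default_tkt_enctypes"):
        enctypes = re.split(r"[,\s]+", libdefaults.get(key, ""))
        if "rc4-hmac" in enctypes:
            findings.append(("RC4_ENCTYPE", f"{key} lists rc4-hmac next to the AES types"))
    return findings


if __name__ == "__main__":
    for code, message in audit(SAMPLE_JAVA_OPTIONS, SAMPLE_BSCLOGIN,
                               SAMPLE_KRB5, SAMPLE_GLOBAL_PROPS):
        print(f"{code}: {message}")
```

Feed it the text copied from the Tomcat Java Options box and the contents of the three files; an empty result means the cleanup steps were all applied.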

Note: For non-SSO logon to the CMC you can use the URL shown below:

http://HOST:PORT/BOE/CMC/logon.faces?skipSso=true

Open the CMC page of your BI server and it will allow you to log in without entering credentials.

 

 

I have used the reference document “Active Directory SSO for SAP BusinessObjects BI4”, created by Joshua Fletcher.

Thank you for reading

Yogesh Patel

      68 Comments
      Former Member

      Great post, thanks for sharing! Is this on Windows Server 2008 or 2012? I'm currently having issues getting SSO to work for BI4.2SP3 on Win Server 2012 R2. Am trying to gauge any config differences in all the krb5, bscLogin, BILaunchpad and any other config files.

      Thanks again

      Rene

      Yogesh Patel
      Blog Post Author

      Hello Rene,

      When I created this document I used Windows Server 2012.

      Thanks

      Yogesh

      Former Member

      Thanks Yogesh for quick reply. Reason I was asking is that you're still using SETSPN -A command and parameter.

      For Windows Server 2012 the -A parameter is no longer available...

      Unless of course you're using the command on an older Windows Server (prob domain controller)?

      Thx

      R

      Yogesh Patel
      Blog Post Author

      Oh, I understand what you are trying to explain.

      How about using windows 'ADSI Edit' tool

      -Yogesh

      Former Member

      As an aside, have noticed you use this in KRB5.ini:

      forwardable = true

      This is not mentioned normally in SAP documentation. Any reason why you have it? Have checked Kerberos references,

      https://web.mit.edu/kerberos/krb5-1.12/doc/admin/conf_files/krb5_conf.html

      Have added this, but SSO still doesn't pass through automatically.

      Thanks

      R

      Yogesh Patel
      Blog Post Author

      Hello Rene,

      Do you see any error message in the Tomcat log file?

      Can you please share logs?

      Thank you

      Yogesh

      Rodrigo Silveira

      Hello Rene!

      I'm facing the same problem with BO42 SP3 on Windows Server 2012, the SSO does not pass through automatically.

      I have not seen any problems in the Tomcat logs and the AD groups/users were replicated successfully.

      How did you fix your problem? Could you share it, please?

       

      Regards,

      Rodrigo Silveira.

      Brian Kudera

      Hello, I'm not seeing "credentials obtained" in stderr.log
      Suggestions on what to try for troubleshooting?
      I already have AD working (ticket produced), but trying to add SSO.

      Yogesh Patel
      Blog Post Author

      Can you please give me logs.
      -Yogesh
       

      Angel Perales Iecisa

      Hello,

      Is this procedure valid if we use concurrent users instead of named users?

      Thank you. Angel.

      Yogesh Patel
      Blog Post Author

      Yes, it's still a valid process.

      Angel Perales Iecisa

      Hello.

       

      If I want to change the service account password, do I have to regenerate the SPNs?

       

       

      Regards. Angel

       

      Yogesh Patel
      Blog Post Author

      Hello Angel,

      You need to run all commands again.

      -Yogesh

      Mohan Kaparthi

      Hi,

      We are on Windows Server 2008 R2 and BI 4.2 SP3 Patch2. Even though we have configured all the steps above, SSO is not working, meaning it is prompting for user ID and password on a Windows 10 client machine, but the same was working well on a Windows 7 machine.

      We understood from our research Windows 10 has additional security feature Credential Guard which is blocking the SSO. When we turn off the Credential Guard SSO was working fine in Windows 10.

      Any idea if anyone has faced a similar issue? We are looking for a solution to work with Credential Guard on in Windows 10.

      Any help is much Appreciated.

      Yogesh Patel
      Blog Post Author

       

      Hello Mohan,

      Did you try adding BI server URL in to trusted site? i.e. it has to be read as intranet and NOT Internet.

      -Yogesh

      Mohan Kaparthi

      Thanks Yogesh for the reply. We tried adding the BI Server URL into the trusted site also. But the issue doesn't seem to be fixed.

      Yogesh Patel
      Blog Post Author

      Actually we do have Windows 10 but have not seen this issue. Some settings may be done by group policy!

      -Yogesh

      Tim Ziemba

      Implement KBA 2182400 or 2629070 for the credential guard issue

      Stefan Backhaus

      Hi!

      We face same issue under same configuration.

      In Windows10 client machine with IE11, SSO is not working, while it is working in Win7 with IE11 for years.

      Any ideas how to overcome this.

      Many thanks!

      Stefan

       

       

      While debugging we can find this error message:

      -timestamp-|LoginContext failed. Failure unspecified at GSS-API level (Mechanism level: com.dstc.security.kerberos.KerberosError: KDC can’t fulfill requested option
      KrbError:
      Error code: 13
      Error message: null
      Client name: null
      Client realm: null
      Client time: null
      Server name: BICMS/serviceuser.host.domain
      Server realm: DOMAIN
      Server time: timestamp)

      Former Member

      Dear,

      we discovered the same issue. We never had issues on W7 but in W10 it was not working with Credential Guard turned on.

      Solution: enable Constrained Delegation on the Service Account in Windows Active Directory

      Note 2182400 - Setting up constrained delegation in BI 4.x
      https://blogs.sap.com/2015/12/07/kerberos-single-sign-on-in-mobi-ios/
      Note 1184989 - Error: "An error has occurred: java.lang.NullPointerException" logging on to InfoView with Vintela Single Sign-On after setting constrained delegation

      For AO (dswsbobje URL), we had to set an additional parameter described in note 1730540 - Error: "An error occurred while logging on. (LO 02040)" while logging in to Live Office using AD SSO in BI 4.0

      Stefan Zumbühl

      Hi Yogesh

      If we configure the sso for the CMC, is there also a URL that we can logon without sso?

      For the BI launchpad is this URL: http://<FQDN>:<Port>/BOE/BI/logonNoSso.jsp but for the CMC which URL we can use there?

       

      Regards Stefan

      Tim Ziemba

      It looks to be there on 4.2 SP5 but it wasn't there initially when CMC SSO was added on 4.1 I don't know when they added it.

      Former Member

      Great post! Thank you for sharing.

       

      Tobias Spägele

      Hi Yogesh

      Just trying to process the steps in the post.
      We've installed BIP 4.2. SP 3 Patch 6 (with Tomcat 8.0.36).

      When adding the Java Parameter (p.e.–Djava.security.auth.login.config=xxxx) in Tomcat It's not possible to start the tomcat.
      The stderr.log has the following message: "Unrecognized option: –Djava.security.auth.login.config = c:\windows\bscLogin.conf"
      Did we do something wrong?

      regards
      Tobias

       

       

      Yogesh Patel
      Blog Post Author

      Make sure it's C:\Windows\...... Case sensitive

       

      Tobias Spägele

      still: Unrecognized option: –Djava.security.auth.login.config=C:\Windows\bscLogin.conf

      Yogesh Patel
      Blog Post Author

      Did you copy paste – (Dash)?

      Thanks

      Yogesh

      Tobias Spägele

       

      Thanks for the Hint now it worked

      Former Member

      This guide works the same for BO 4.2 and 4.1 ?

      I'm currently running SAP BusinessObjects BI Platform 4.1 Support Pack 5 Patch 5 and planning to enable SSO

      Yogesh Patel
      Blog Post Author

      It should work...

      Former Member

      I just noticed my landscape is not using Tomcat, we use NetWeaver. So for the folder configuration I found a similar path under config/custom that I can use, but when stopping Tomcat and editing the Java options I don't know how to translate that into my NetWeaver.

      Is there a similar good guide like this to do it on NetWeaver?

      MARCO GIOIA

      Hi, I followed all these steps.. everything works fine.. but!

      I added the AD Group, but the group is empty, although in the former system (in short, I have two BO servers: the former with BI 4.1 SP5 where the AD Group is imported and works, and the new one with BI 4.2 SP4 where the AD Group hasn't any user inside) everything works fine.

      What can I check?

      Thanks

       

      Joe Peters

      CMC -> Authentication -> Windows AD, select "Create new aliases when the Alias Update occurs".

      Former Member

      Hi –

      I’m working on configuring Windows AD on a distributed landscape and wanted to know on which server should i create the BscLogin and Krb5 files? Is just the web tier enough or do i also have to create on intelligence or processing tier servers as well? I have configured Windows AD on a standalone system and is working fine. Thanks in advance!

       

      Yogesh Patel
      Blog Post Author

      Create on both

      Former Member

      Sorry, what do you mean by both?

      Yogesh Patel
      Blog Post Author

      You need to setup files on all of your BI servers.

      -Yogesh

      Former Member

       

      Hi Yogesh,

      we are on "SAP BusinessObjects BI Platform 4.2 SP4 Patch 3 update"

      The "CMC -> Authentication -> Windows AD, select “Create new aliases when the Alias Update occurs”." setting is not updating with any new users added to the AD Group. I deleted a group and re-added it, and now the existing users have also disappeared.

      Any pointers are much appreciated.

      thanks,

      Naveen Jain

      Yogesh Patel
      Blog Post Author

      Hello Naveen,

      We faced same issue in our environment.

      Our SAP security team was able to get it fixed. Let me ping them to find out what they did. I will get back to you on this.

      -Yogesh

      Former Member

      Hi Yogesh,

      it's been reported for BI 4.2 SP3 "2388068 - Intermittent issues with role and group mapping in BI 4.2 SP3" - https://apps.support.sap.com/sap/support/knowledge/preview/en/2388068

      but I could not find any solution or work around, would definitely be helpful if you can find more details.

      Thanks,

      Naveen Jain

       

      James Chapman

       

      Hello, Yogesh.

      I find my way to these forums looking for solutions and advice. I am one of the Enterprise Admins specializing in the care and feeding of Active Directory and all it associated services.

      I have been recently introduced to an issue with SSO and Business Objects BI Launch Pad (SAP Business Objects BI Platform 4.2 Support Pack 3 Patch 3 Version 14.2.3.2277) and I'm hoping for some assistance or advice.

      Originally we had a single forest single domain, and the existing SSO with BOP was setup (before my time) and follows pretty much your process above. I spent most of yesterday reviewing and confirming our setup, (well written).

      Last year we purchased a company with its own forest and domain, the powers that be right now want to keep them separate but authorized a full forest trust between the two forest\domains.

      Most systems seem to be fine, and for the most part no issues accessing systems on either side of the trust. Except when they wanted staff from the new domain to start accessing BI Launch Pad using SSO. It fails miserably, it doesn't work via SSO or using prompted credentials...

      My investigation so far has shown that BOP login has no idea where to authenticate these alternate forest\domain users...

      As far as my knowledge goes this seems to work for a single domain or multiple domains in the same forest. Is there any reference material or experience setting something like this up for the situation I hopefully explained correctly above?

      Thanks in advance for all or any feedback or information.

      Cheers,

      James Chapman

       

      Tim Ziemba

      it's all detailed here https://apps.support.sap.com/sap/support/knowledge/preview/en/1323391

      to note it's not BI looking for the other forest it's the browser and DNS is missing the required info created by a forest trust.

       

       

      -Tim

      James Chapman

       

      Hi Tim,

      Thanks for your reply, unfortunately I do not have access to the link you included. I see the Symptoms section and then Read more... When I click on the Read more hyperlink I get prompted for a logon to https://apps.support.sap.com/sap/support/knowledge/mimes/call.htm?number=1323391 which doesn't allow me to log in using my existing credentials.

      I am AD Support, I do not have access to the BI configuration, they showed me a Windows Active Directory screen that had our Default Primary Domain only, no place to add additional info. As far as I can tell the Forest Trust and DNS info are correct, but I will review.

       

       

       

      Tim Ziemba

      well more to the point of why kerberos SSO will not work without a forest trust is this Microsoft article https://blogs.technet.microsoft.com/mir/2011/06/12/accessing-resources-across-forest-and-achieve-single-sign-on-part1/

      One-way forest trust support cross forest Kerberos and NTLM authentication while external trust only support NTLM (Kerberos authentication is the preferred method in SOEasy, NTLM is provided for backward compatibility)

      A one-way, forest trust between two forests allows members of the trusted forest to use resources that are located in the trusting forest. However, the trust operates in only one direction.

      Now an additional complication is that BI CMS must also read users/groups from the other forest, and while this might not require a forest trust, the forest trust is by far the easiest way of accomplishing this. So SSO kerberos must have 1 way forest trust and BI group mapping should have one in the other direction, or some equivalent that will allow a remote server to query all the domains using Microsoft API's .

       

      -Tim

      Maarten Kuivenhoven

      Hello Yogesh,

       

      Thanks for your post.

      Single signon is working but we get kerberos errors

      example:

      I searched the internet for a solution but haven't found the right one yet.

      Can you help me fixing this problem ?

      Solutions from others are welcome as well.

       

      regards

      Maarten Kuivenhoven

      Yogesh Patel
      Blog Post Author

      Hello,

      What are you trying to do?

      -Yogesh

      Joe Peters

      Looks like there is a problem with your keytab file.  Either it's missing, incorrect, is for the wrong ID, or the path to the file is incorrect.

      Yogesh Patel
      Blog Post Author

      Please look at Chad's reply

      -Yogesh

      Former Member

      Did you do the portion where it mentions increasing the HTTP header size in the server.xml file?

      I've seen wedgetail errors when a user is in so many AD groups that info gets cut off if that max size isn't increased. Just guessing here. Otherwise as mentioned in earlier posts above, has the password of the service acct been changed? Because if so then you need to regenerate the keytab file with updated embedded pwd.

      Former Member

      Also, have you confirmed the SIA service is running as the service account (on all the BO servers) and not the default local acct?

      Former Member

      We have this working in our environment (has been working for a few years now). We now want to change the KDC value. Is this just a simple change in the KRB5 file or is there more to it than that?

      Yogesh Patel
      Blog Post Author

      Yes that will do it. What we did was added domain.com and NOT domaincontroller.domain.com

      -Yogesh

       

      Shota Nakai

      Thank you for the great information, I am trying this procedure to implement SSO on my environment.

      I have a question:

      Can i link Quality BO server and Production BO server to one Active Directory??

      I guess I change this registering SPNs procedure from above to following:

          > setspn -a BOCMS/ServiceAccount.domain.com ServiceAccount

          > setspn -a HTTP/QualityBOserverHostName ServiceAccount

          > setspn -a HTTP/QualityBOserverHostName.domain.com ServiceAccount

          > setspn -a HTTP/ProductionBOserverHostName ServiceAccount

          > setspn -a HTTP/ProductionBOserverHostName.domain.com ServiceAccount

       

      Mohammed Ashraf

      https://answers.sap.com/questions/478554/is-it-possible-to-implement-sso-on-sap-bo-42-sp5-q.html?childToView=478707#answer-478707

      Shota Nakai

      Thank you for the answer.

       

      Punniyamurthy Sunderam

       

      Hi Guys,

      I have configured Windows AD in 4.2 Environment and trying to log into the Windows AD Authentication getting the following error.

       

      Account information not recognized: An error has occurred propagating the security context between the security server and the client. Please contact your system administrator.

       

      Please let me know what is causing this error?. Configuring SSO first time, your help is greatly appreciated.

       

      Server OS: 2012 R12

      SAP BO Version: 4.2 SP5

       

      Thanks

      Sunder

       

      Yogesh Patel
      Blog Post Author

      Hello Sunder,

      Did you try to check SAP Note for this error?

      -Yogesh

       

      Punniyamurthy Sunderam

       

      Hi Yogesh,

      I did research but have not found any solution for my issue; I am also working with SAP support, still no luck. So I thought of trying the community blog.

       

      Thanks

      Sunder

       

      Yogesh Patel
      Blog Post Author

      Hi Punniyamurthy Sunderam,

      How about asking a question on the community with all error details with TAG "SAP BusinessObjects - Authentication"?

      Hope this will expedite to resolve the issue you have in the system.

      -Yogesh

      Punniyamurthy Sunderam

       

      Thanks Yogesh! I will do the same. Sunder

       

      Chinmayee Rout

      Hi Yogesh Patel

       

      This blog seems to be really helpful on my scenario!! Currently my BI platform is running on windows 12 and i am trying to enable SSO for my application that runs on the same machine.

      But I am not sure how to create an AD account, as my DOMAIN name is GLOBAL, which is managed by accounts.sap.com.

       

      Your suggestion will be really helpful.

       

      Regards,

      Chinmayee

       

       

      Yogesh Patel
      Blog Post Author

      Hello Chinmayee Rout,

      Is there any way you can request an AD account? There must be a test environment for SAP too!

      -Yogesh

      Jackie Jones

      Thanks very much for this detailed document - very helpful and all is now working. The only issue I had was when I created the files, because it added .txt onto the file name and as these were hidden, I couldn't see that! Once the files had the .txt removed all worked perfectly. Just worth noting, make sure you have hidden file extensions showing!

      Thanks again

      Yogesh Patel
      Blog Post Author

      That is why I tried to give screenshots with it as below

      Jamie Roser

      Hi

       

      Our SSO was working fine for a couple of years but it suddenly stopped working.

       

      Can you let us know where to look or the debug process?

       

      In log I am not seeing any error. It also has "Credential Obtained"

       

      Any pointers to debug this.

      Joe O'Callaghan

      Add to  Java Options in Tomcat properties

      • –Dcom.wedgetail.idm.sso.password=Business0bjectsBISBX
        –Djcsi.kerberos.debug=true

      But then Tomcat will not start, found error in logs

      • Unrecognized option: –Djcsi.kerberos.debug=true

      When I remove the 2 lines Tomcat will start, AD authentication works but not SSO.

      Keytab file is working with WAS servers, so issue not with this file.

      Any Ideas?

      Karim Ibrahim

      I can find "credential obtained" in the log file but SSO is still not working; however, I can log in via AD users.

      Anusha MNV

      urgent! urgent!

       

      We are using an application from which we access BI reports. We have users in multiple domains. SSO works when we launch BI launch pad directly; however, it works only for default AD domain users when we are redirecting from our application.

       

      This default AD domain is specified in CMC --> Authentication--> Windows AD

      default AD domain is ONE and if we try to direct to reports other than this domain we get the below error