SSO Configuration with Active Directory SAP Business Objects 4.2 (AES Encryption)
SSO for BI Launchpad
Reference Note:
1631734 – Configuring Active Directory Manual Authentication and SSO for BI4
Create an Active Directory service account.
Note: The account must be set to “User cannot change password” and “Password never expires”. A password change later invalidates the keytab created at the end of this procedure and the SIA logon, so keep this account dedicated to BusinessObjects; it becomes a local administrator on the BI server and, after the delegation step below, can impersonate users.
On the SAP BusinessObjects server, add the DOMAIN\ServiceAccount user to the local Administrators group.
Assign the ServiceAccount user the right “Act as part of operating system” in the Local Security Policy snap-in.
Run the following commands on the Active Directory server (or any machine with the AD tools) to register the Service Principal Names (SPNs).
Note: Replace domain.com with your domain name and BusinessObjectServerHostName with the host name of the BI server as it appears in the browser URL.
setspn -S BOCMS/ServiceAccount.domain.com ServiceAccount
setspn -S HTTP/BusinessObjectServerHostName ServiceAccount
setspn -S HTTP/BusinessObjectServerHostName.domain.com ServiceAccount
Note: -S (available since Windows Server 2008) checks that the SPN is not already registered on another account before adding it. A duplicate SPN breaks Kerberos ticket issuance without any obvious error; the older -a switch adds the SPN without that check.
In Active Directory Users and Computers, open the ServiceAccount user and, under the Delegation tab, select “Trust this user for delegation to any service (Kerberos only)”.
————————–
Note: This is unconstrained delegation. Anyone who obtains this account’s credentials (or the keytab created later) can reuse the forwarded TGT of every user who logged on through it against any service in the domain. Prefer constrained delegation as described in SAP note 2182400 – Setting up constrained delegation in BI 4.x. The same note is needed if your clients run newer Windows versions or browsers (the comments below report that SSO stops working on Windows 10 with Credential Guard until constrained delegation is set up).
Configure the AD account as described in that note.
Constrained delegation also requires idm.allowS4U=true in the global.properties file (created in a later step), followed by a restart of the SAP BusinessObjects system including the OS.
————————
Under the Account tab of the same user, select “This account supports Kerberos AES 128 bit encryption” and “This account supports Kerberos AES 256 bit encryption”.
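The AD-side steps above (account flags, SPNs, AES encryption types, delegation) as one PowerShell script. This is an added example, not code from the original post or from SAP; it assumes the RSAT ActiveDirectory module, a session with rights to create and modify the user, the placeholder names used in the post (ServiceAccount, domain.com, BusinessObjectServerHostName) and a hypothetical OU. It deviates from the post in two security-relevant places: it registers the SPNs only after checking that no other object already carries them, and it configures constrained delegation to the CMS SPN with protocol transition (what idm.allowS4U=true and SAP note 2182400 rely on) instead of “Trust this user for delegation to any service”. Confirm the exact delegation target list against that note for your version.

```powershell
# Added example, not part of the original post: provision the BusinessObjects
# Kerberos service account. Names below are the post's placeholders; the OU is
# an assumption. Requires the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

$domainDns = 'domain.com'
$sam       = 'ServiceAccount'
$boHost    = 'BusinessObjectServerHostName'
$ou        = 'OU=Service Accounts,DC=domain,DC=com'   # hypothetical OU

$cmsSpn = "BOCMS/$sam.$domainDns"
$spns   = @($cmsSpn, "HTTP/$boHost", "HTTP/$boHost.$domainDns")

# 1. Create the account with the flags the post requires. The password is
#    prompted, never placed on the command line.
if (-not (Get-ADUser -Filter "SamAccountName -eq '$sam'")) {
    $pw = Read-Host -AsSecureString -Prompt "Password for $sam"
    New-ADUser -Name $sam -SamAccountName $sam -UserPrincipalName "$sam@$domainDns" `
        -Path $ou -AccountPassword $pw -Enabled $true `
        -PasswordNeverExpires $true -CannotChangePassword $true
}
$user = Get-ADUser -Identity $sam -Properties servicePrincipalName

# 2. Refuse to continue if any SPN is already registered elsewhere: a
#    duplicate SPN makes the KDC issue tickets for the wrong key, and the
#    browser just falls back to a logon prompt with no useful error.
foreach ($spn in $spns) {
    $owners = @(Get-ADObject -LDAPFilter "(servicePrincipalName=$spn)")
    foreach ($owner in $owners) {
        if ($owner.DistinguishedName -ne $user.DistinguishedName) {
            throw "SPN $spn is already registered on $($owner.DistinguishedName)"
        }
    }
}
$missing = @($spns | Where-Object { $user.servicePrincipalName -notcontains $_ })
if ($missing.Count -gt 0) {
    Set-ADUser -Identity $sam -ServicePrincipalNames @{ Add = $missing }
}

# 3. AES only (msDS-SupportedEncryptionTypes = AES128 + AES256): this is the
#    equivalent of the two "supports Kerberos AES" check boxes, without RC4.
Set-ADUser -Identity $sam -KerberosEncryptionType 'AES128,AES256'

# 4. Constrained delegation to the CMS SPN with protocol transition, instead of
#    "Trust this user for delegation to any service". TrustedForDelegation
#    $false clears the unconstrained flag if someone set it earlier.
Set-ADAccountControl -Identity $sam -TrustedForDelegation $false -TrustedToAuthForDelegation $true
Set-ADUser -Identity $sam -Replace @{ 'msDS-AllowedToDelegateTo' = @($cmsSpn) }

# 5. Show the result for the change record.
Get-ADUser -Identity $sam -Properties servicePrincipalName, KerberosEncryptionType,
        TrustedForDelegation, TrustedToAuthForDelegation, 'msDS-AllowedToDelegateTo' |
    Select-Object SamAccountName, KerberosEncryptionType, TrustedForDelegation, TrustedToAuthForDelegation,
        @{ n = 'SPNs';       e = { $_.servicePrincipalName -join ' ' } },
        @{ n = 'DelegateTo'; e = { $_.'msDS-AllowedToDelegateTo' -join ' ' } }
```

Run it once; it is idempotent except for the account creation, so rerunning after an SPN change only adds what is missing. If the script throws on step 2, find out who owns the SPN before touching anything (setspn -Q <spn> lists it).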
Log in to the CMC as Administrator with Enterprise authentication.
Go to Authentication > Windows AD in the Central Management Console and configure the following:
Enable Windows Active Directory (AD)
AD Administration Name = DOMAIN\ServiceAccount
Default AD Domain: DOMAIN.COM
Add AD Group: DOMAIN\UserGroup
Use Kerberos authentication
Service principal name = BOCMS/ServiceAccount.domain.com
Enable Single Sign On for selected authentication mode
Click Update to save your entries. Check under the Groups area that your AD group has been added.
Stop the SIA through the “Central Configuration Manager”.
Modify the Server Intelligence Agent (SIA) on the BusinessObjects server to run as the DOMAIN\ServiceAccount user (on every BI server in a distributed landscape, not only the web tier).
Create a file called “bscLogin.conf”, save it into the “C:\Windows\” directory on the SAP BusinessObjects server, and put the following content into it using Notepad (check in Explorer that the file is not saved as bscLogin.conf.txt; Notepad appends .txt when file extensions are hidden):
com.businessobjects.security.jgss.initiate {
com.sun.security.auth.module.Krb5LoginModule required debug=true;
};
Create a file called “krb5.ini”, save it into the “C:\Windows\” directory, and put the following content into it using Notepad. The AES types are listed first so that AES tickets are requested first; rc4-hmac is kept only as a last-resort fallback and can be removed once every account involved supports AES. kdc can name one domain controller, as here, or the domain name DOMAIN.COM so that any DC found through DNS is used.
[libdefaults]
default_realm = DOMAIN.COM
dns_lookup_kdc = true
dns_lookup_realm = true
default_tgs_enctypes = aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96,rc4-hmac
default_tkt_enctypes = aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96,rc4-hmac
udp_preference_limit = 1
forwardable = true
[realms]
DOMAIN.COM = {
kdc = DOMAINCONTROLLER.DOMAIN.COM
default_domain = DOMAIN.COM
}
Run ‘kinit ServiceAccount’ from the folder “X:\Program Files (x86)\SAP BusinessObjects\SAP BusinessObjects Enterprise XI 4.0\win64_x64\sapjvm\bin”.
If a new ticket is stored, krb5.ini is correct. This only proves that the JVM can reach the KDC and obtain a TGT; SPN, delegation and keytab problems show up later in the Tomcat log.
Stop Tomcat through the “Central Configuration Manager”.
Open the Tomcat options and add the following lines to the Tomcat Java Options. Type the leading hyphen yourself: an en dash “–” copied from a web page makes Tomcat fail to start with “Unrecognized option”.
-Djava.security.auth.login.config=C:\Windows\bscLogin.conf
-Djava.security.krb5.conf=C:\Windows\krb5.ini
Modify X:\Program Files (x86)\SAP BusinessObjects\tomcat\conf\server.xml by adding maxHttpHeaderSize="65536" to the Connector tag for port 8080. The Kerberos token in the Authorization header carries the user’s group SIDs; for users in many groups it exceeds Tomcat’s default header limit and the request is rejected before SSO is attempted.
Create a new file called “global.properties” at “X:\Program Files (x86)\SAP BusinessObjects\tomcat\webapps\BOE\WEB-INF\config\custom”.
Add the following text to it using Notepad:
sso.enabled = true
siteminder.enabled = false
vintela.enabled = true
idm.realm = DOMAIN.COM
idm.princ = ServiceAccount
idm.allowUnsecured = true
idm.allowNTLM = false
idm.logger.name = simple
idm.logger.props = error-log.properties
idm.allowNTLM = false makes the filter reject NTLM tokens, so a client that falls back from Kerberos to NTLM fails visibly instead of hiding the Kerberos problem behind a different error.
Open the Tomcat options and add the following lines to the Tomcat Java Options.
Note: CLEARTEXTPASSWORD is your ServiceAccount password. This is a temporary step to verify the setup; the password is replaced by a keytab below.
-Dcom.wedgetail.idm.sso.password=CLEARTEXTPASSWORD
-Djcsi.kerberos.debug=true
Start Tomcat, go to “X:\Program Files (x86)\SAP BusinessObjects\tomcat\logs\” and check that stderr.log shows ‘credentials obtained’.
Test that silent single sign-on now works in a browser on a client PC. The BI server URL must be in the browser’s Local intranet (or Trusted sites) zone; otherwise the browser never sends a Kerberos token and you get a logon prompt.
Now remove the cleartext password from the Tomcat Java options. To do that, follow the steps below.
Create a keytab on the AD server by running the following command (use -pass * to be prompted for the password instead of placing it on the command line, where it stays in the console history):
ktpass -out bosso.keytab -princ ServiceAccount@DOMAIN.COM -pass CLEARTEXTPASSWORD -kvno 255 -ptype KRB5_NT_PRINCIPAL -crypto AES256-SHA1
The keytab contains the account’s long-term key: whoever can read it has the service account’s credentials, so handle the file like the password itself and regenerate it whenever the password changes.
Copy “bosso.keytab” to “C:\Windows” on the SAP BusinessObjects server, restrict its NTFS permissions to SYSTEM, Administrators and the account Tomcat runs as, and then stop Tomcat.
Add the following line to X:\Program Files (x86)\SAP BusinessObjects\tomcat\webapps\BOE\WEB-INF\config\custom\global.properties:
idm.keytab = C:/Windows/bosso.keytab
Open the Tomcat configuration, remove the “-Dcom.wedgetail.idm.sso.password=CLEARTEXTPASSWORD” line from the Java Options, restart Tomcat and make sure ‘credentials obtained’ still shows up in stderr.log.
Finally, remove debug=true from the C:\Windows\bscLogin.conf file and remove the -Djcsi.kerberos.debug=true line from the Tomcat Java Options. Kerberos debug output is verbose and ends up in stderr.log, where it is not needed once SSO works.
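A post-configuration check for the web tier, as an added example that is not part of the original post. It re-checks the settings from the steps above after the clean-up: an en dash in a Tomcat option (which stops Tomcat from starting), the clear-text password and debug options that should be gone, RC4 listed ahead of AES in krb5.ini, debug=true left in bscLogin.conf, idm.keytab and idm.allowNTLM in global.properties, the NTFS permissions on the keytab, maxHttpHeaderSize in server.xml and the account the SIA runs as. Paths are the ones the post uses; the Tomcat service name (BOEXI40Tomcat) and the SIA display-name pattern are assumptions, check both in the Central Configuration Manager.

```powershell
# Added example, not part of the original post: audit the BusinessObjects web
# tier SSO settings. Run it in an elevated PowerShell on the BI server.
# $TomcatService and the SIA display-name pattern are assumptions.
param(
    [string]$BoRoot         = 'C:\Program Files (x86)\SAP BusinessObjects',
    [string]$TomcatService  = 'BOEXI40Tomcat',
    [string]$ServiceAccount = 'DOMAIN\ServiceAccount'
)
$findings = New-Object 'System.Collections.Generic.List[string]'
function Add-Finding([string]$Message) { $findings.Add($Message) }

# 1. Procrun stores the Tomcat Java options as a REG_MULTI_SZ under the service key.
$opts = @()
foreach ($key in "HKLM:\SOFTWARE\Apache Software Foundation\Procrun 2.0\$TomcatService\Parameters\Java",
                 "HKLM:\SOFTWARE\WOW6432Node\Apache Software Foundation\Procrun 2.0\$TomcatService\Parameters\Java") {
    if (Test-Path $key) { $opts = @((Get-ItemProperty -Path $key).Options); break }
}
if ($opts.Count -eq 0) { Add-Finding "No Java options found for service '$TomcatService' (check the name in CCM)" }
foreach ($opt in $opts) {
    # A dash pasted from a web page is U+2013/U+2014, not '-': Tomcat then reports "Unrecognized option".
    if ($opt -match '^[\u2013\u2014]') { Add-Finding "Java option starts with an en/em dash: $opt" }
    if ($opt -match '^-Dcom\.wedgetail\.idm\.sso\.password=') { Add-Finding 'Clear-text service account password is still in the Java options' }
    if ($opt -match '^-Djcsi\.kerberos\.debug=true') { Add-Finding 'Kerberos debug output is still enabled in the Java options' }
}

# 2. krb5.ini: the first enctype in each list is the one the JVM asks for first.
$krb5 = Join-Path $env:SystemRoot 'krb5.ini'
if (Test-Path $krb5) {
    foreach ($line in Get-Content $krb5) {
        if ($line -match '^\s*default_(tgs|tkt)_enctypes\s*=\s*(.+)$') {
            $first = ($Matches[2].Trim() -split '[,\s]+')[0]
            if ($first -eq 'rc4-hmac') { Add-Finding "RC4 is preferred over AES in krb5.ini: $line" }
        }
    }
} else { Add-Finding "$krb5 not found" }

# 3. bscLogin.conf: debug=true belongs to the test phase only.
$bsc = Join-Path $env:SystemRoot 'bscLogin.conf'
if ((Test-Path $bsc) -and (Select-String -Path $bsc -Pattern 'debug\s*=\s*true' -Quiet)) {
    Add-Finding 'bscLogin.conf still has debug=true'
}

# 4. global.properties: SSO on, keytab in use, NTLM fallback off.
$gpPath = Join-Path $BoRoot 'tomcat\webapps\BOE\WEB-INF\config\custom\global.properties'
$props = @{}
if (Test-Path $gpPath) {
    foreach ($line in Get-Content $gpPath) {
        if ($line -match '^\s*([^#=\s]+)\s*=\s*(.*?)\s*$') { $props[$Matches[1]] = $Matches[2] }
    }
    if ($props['sso.enabled'] -ne 'true' -or $props['vintela.enabled'] -ne 'true') { Add-Finding 'sso.enabled and vintela.enabled are not both true' }
    if ($props['idm.allowNTLM'] -ne 'false') { Add-Finding 'idm.allowNTLM is not false' }
    if (-not $props['idm.keytab']) { Add-Finding 'idm.keytab is not set' }
} else { Add-Finding "$gpPath not found" }

# 5. The keytab is equivalent to the service account password: only SYSTEM,
#    Administrators and the Tomcat account should be able to read it.
if ($props['idm.keytab']) {
    $keytab = $props['idm.keytab'] -replace '/', '\'
    if (-not (Test-Path $keytab)) { Add-Finding "Keytab $keytab not found" }
    else {
        foreach ($ace in (Get-Acl -Path $keytab).Access) {
            if ($ace.IdentityReference.Value -in @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users')) {
                Add-Finding "Keytab $keytab is readable by $($ace.IdentityReference.Value)"
            }
        }
    }
}

# 6. server.xml: large Kerberos tokens (users in many groups) need the bigger header size.
$serverXml = Join-Path $BoRoot 'tomcat\conf\server.xml'
if ((Test-Path $serverXml) -and -not (Select-String -Path $serverXml -Pattern 'maxHttpHeaderSize' -Quiet)) {
    Add-Finding 'server.xml has no maxHttpHeaderSize on the connector'
}

# 7. The SIA must run as the service account, not Local System (display-name pattern is an assumption).
foreach ($svc in (Get-CimInstance Win32_Service | Where-Object { $_.DisplayName -like 'Server Intelligence Agent*' })) {
    if ($svc.StartName -ne $ServiceAccount) { Add-Finding "SIA '$($svc.DisplayName)' runs as '$($svc.StartName)', expected $ServiceAccount" }
}

if ($findings.Count -eq 0) { 'SSO configuration checks passed.' }
else { $findings | ForEach-Object { "FINDING: $_" } }
```

Save it as a .ps1 and run it on every BI server in the landscape, since the files and the SIA logon account must match on all of them. Each line it prints maps to one step above; a clean run does not prove that SSO works end to end (the browser zone and the AD delegation settings are outside its reach), but it catches the local mistakes that produce a logon prompt with nothing useful in stderr.log.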
Note: To log in to the CMC without SSO, use the URL below:
http://HOST:PORT/BOE/CMC/logon.faces?skipSso=true
Otherwise, open the CMC page of your BI server and it will log you in without prompting for credentials.
I have used the reference document: Active Directory SSO for SAP BusinessObjects BI4
created by: Joshua Fletcher
Thank you for reading
Yogesh Patel
Great post, thanks for sharing! Is this on Windows Server 2008 or 2012? I'm currently having issues getting SSO to work for BI 4.2 SP3 on Windows Server 2012 R2. I am trying to gauge any config differences in all the krb5, bscLogin, BILaunchpad and any other config files.
Thanks again
Rene
Hello Rene,
When I created this document I used Windows Server 2012.
Thanks
Yogesh
Thanks Yogesh for the quick reply. The reason I was asking is that you're still using the SETSPN -A command and parameter.
For Windows Server 2012 the -A parameter is no longer available...
Unless of course you're using the command on an older Windows Server (probably a domain controller)?
Thx
R
Oh, I understand what you are trying to explain.
How about using the Windows 'ADSI Edit' tool?
-Yogesh
As an aside, I have noticed you use this in KRB5.ini:
forwardable = true
This is not mentioned normally in SAP documentation. Any reason why you have it? I have checked Kerberos references,
https://web.mit.edu/kerberos/krb5-1.12/doc/admin/conf_files/krb5_conf.html
I have added this, but SSO still doesn't pass through automatically.
Thanks
R
Hello Rene,
Do you see any error message in the Tomcat log file?
Can you please share the logs?
Thank you
Yogesh
Hello Rene!
I'm facing the same problem with BO 4.2 SP3 on Windows Server 2012: the SSO does not pass through automatically.
I have not seen any problems in the Tomcat logs and the AD groups/users were replicated successfully.
How did you fix your problem? Could you share it please?
Regards,
Rodrigo Silveira.
Hello, I'm not seeing "credentials obtained" in stderr.log
Suggestions on what to try for troubleshooting?
I already have AD working (ticket produced), but trying to add SSO.
Can you please give me the logs.
-Yogesh
Hello,
Is this procedure valid if we use concurrent users instead of named users?
Thank you. Angel.
Yes, it's still a valid process.
Hello.
If I want to change the service account password, do I have to regenerate the SPNs?
Regards. Angel
Hello Angel,
You need to run all commands again.
-Yogesh
Hi,
We are on Windows Server 2008 R2 and BI 4.2 SP3 Patch 2. Even though we have configured all the steps above, SSO is not working: it prompts for user ID and password on a Windows 10 client machine, but the same was working fine on a Windows 7 machine.
We understood from our research that Windows 10 has an additional security feature, Credential Guard, which is blocking the SSO. When we turn off Credential Guard, SSO works fine on Windows 10.
Any idea if anyone has faced a similar issue? We are looking for a solution that works with Credential Guard on in Windows 10.
Any help is much Appreciated.
Hello Mohan,
Did you try adding the BI server URL to the trusted sites? I.e. it has to be read as intranet and NOT Internet.
-Yogesh
Thanks Yogesh for the reply. We tried adding the BI server URL to the trusted sites as well, but the issue doesn't seem to be fixed.
Actually we do have Windows 10 but do not see this issue. Some settings may be done by group policy!!!
-Yogesh
Implement KBA 2182400 or 2629070 for the credential guard issue
Hi!
We face same issue under same configuration.
In Windows10 client machine with IE11, SSO is not working, while it is working in Win7 with IE11 for years.
Any ideas how to overcome this.
Many thanks!
Stefan
While debugging we can find this error message:
-timestamp-|LoginContext failed. Failure unspecified at GSS-API level (Mechanism level: com.dstc.security.kerberos.KerberosError: KDC can’t fulfill requested option
KrbError:
Error code: 13
Error message: null
Client name: null
Client realm: null
Client time: null
Server name: BICMS/serviceuser.host.domain
Server realm: DOMAIN
Server time: timestamp)
Dear,
We discovered the same issue. We never had issues on W7 but on W10 it was not working with Credential Guard turned on.
Solution: enable Constrained Delegation on the service account in Windows Active Directory
Note 2182400 - Setting up constrained delegation in BI 4.x
https://blogs.sap.com/2015/12/07/kerberos-single-sign-on-in-mobi-ios/
Note 1184989 - Error: "An error has occurred: java.lang.NullPointerException" logging on to InfoView with Vintela Single Sign-On after setting constrained delegation
For AO (dswsbobje URL), we had to set an additional parameter described in note 1730540 - Error: "An error occurred while logging on. (LO 02040)" while logging in to Live Office using AD SSO in BI 4.0
Hi Yogesh
If we configure SSO for the CMC, is there also a URL that we can use to log on without SSO?
For the BI launchpad it is this URL: http://<FQDN>:<Port>/BOE/BI/logonNoSso.jsp, but for the CMC which URL can we use?
Regards Stefan
It looks to be there on 4.2 SP5, but it wasn't there initially when CMC SSO was added in 4.1. I don't know when they added it.
Great post! Thank you for sharing.
Hi Yogesh
Just trying to follow the steps in the post.
We've installed BIP 4.2 SP3 Patch 6 (with Tomcat 8.0.36).
When adding the Java parameter (e.g. –Djava.security.auth.login.config=xxxx) in Tomcat, it's not possible to start Tomcat.
The stderr.log has the following message: "Unrecognized option: –Djava.security.auth.login.config = c:\windows\bscLogin.conf"
Did we do something wrong?
regards
Tobias
Make sure it's C:\Windows\...... Case sensitive.
still: Unrecognized option: –Djava.security.auth.login.config=C:\Windows\bscLogin.conf
Did you copy-paste the – (dash)?
Thanks
Yogesh
Thanks for the Hint now it worked
Does this guide work the same for BO 4.2 and 4.1?
I'm currently running SAP BusinessObjects BI Platform 4.1 Support Pack 5 Patch 5 and planning to enable SSO
It should work...
I just noticed my landscape is not using Tomcat; we use NetWeaver. For the folder configuration I found a similar path under config/custom that I can use, but for stopping Tomcat and editing the Java options I don't know how to translate that to NetWeaver.
Is there a similar good guide like this for doing it on NetWeaver?
Hi, I follow all this steps.. everything works fine.. but!
I added the AD group, but the group is empty, although in the former system it is fine (basically I have two BO servers: the former with BI 4.1 SP5, where the AD group is imported and works, and the new one with BI 4.2 SP4, where the AD group has no users inside). Everything else works fine.
What can I check?
Thanks
CMC -> Authentication -> Windows AD, select "Create new aliases when the Alias Update occurs".
Hi –
I’m working on configuring Windows AD on a distributed landscape and wanted to know on which server I should create the bscLogin and krb5 files. Is the web tier enough or do I also have to create them on the intelligence or processing tier servers as well? I have configured Windows AD on a standalone system and it is working fine. Thanks in advance!
Create on both
Sorry, what do you mean by both?
You need to setup files on all of your BI servers.
-Yogesh
Hi Yogesh,
we are on "SAP BusinessObjects BI Platform 4.2 SP4 Patch 3 update"
The "CMC -> Authentication -> Windows AD, select “Create new aliases when the Alias Update occurs”" setting is not updating with any new users added to the AD group. I deleted a group and re-added it, and now the existing users also disappeared.
any pointer are much appreciated.
thanks,
Naveen Jain
Hello Naveen,
We faced same issue in our environment.
Our SAP security team was able to get it fixed. Let me ping them to find out what they did. I will get back to you on this.
-Yogesh
Hi Yogesh,
it's been reported for BI 4.2 SP3 "2388068 - Intermittent issues with role and group mapping in BI 4.2 SP3" - https://apps.support.sap.com/sap/support/knowledge/preview/en/2388068
but I could not find any solution or work around, would definitely be helpful if you can find more details.
Thanks,
Naveen Jain
Hello, Yogesh.
I found my way to these forums looking for solutions and advice. I am one of the Enterprise Admins specializing in the care and feeding of Active Directory and all its associated services.
I have recently been introduced to an issue with SSO and Business Objects BI Launch Pad (SAP Business Objects BI Platform 4.2 Support Pack 3 Patch 3 Version 14.2.3.2277) and I'm hoping for some assistance or advice.
Originally we had a single forest, single domain, and the existing SSO with BOP was set up (before my time) and follows pretty much your process above. I spent most of yesterday reviewing and confirming our setup (well written).
Last year we purchased a company with its own forest and domain; the powers that be right now want to keep them separate but authorized a full forest trust between the two forests\domains.
Most systems seem to be fine, and for the most part there are no issues accessing systems on either side of the trust, except when they wanted staff from the new domain to start accessing BI Launch Pad using SSO. It fails miserably; it doesn't work via SSO or using prompted credentials...
My investigation so far has shown that the BOP login has no idea where to authenticate these alternate forest\domain users...
As far as my knowledge goes this seems to work for a single domain or multiple domains in the same forest. Is there any reference material or experience setting something like this up for the situation I have hopefully explained correctly above?
Thanks in advance for all or any feedback or information.
Cheers,
James Chapman
it's all detailed here https://apps.support.sap.com/sap/support/knowledge/preview/en/1323391
to note it's not BI looking for the other forest it's the browser and DNS is missing the required info created by a forest trust.
-Tim
Hi Tim,
Thanks for your reply. Unfortunately I do not have access to the link you included. I see the Symptoms section and then Read more... When I click on the Read more hyperlink I get prompted for a logon to https://apps.support.sap.com/sap/support/knowledge/mimes/call.htm?number=1323391 which doesn't allow me to log in using my existing credentials.
I am AD support; I do not have access to the BI configuration. They showed me a Windows Active Directory screen that had our default primary domain only, with no place to add additional info. As far as I can tell the forest trust and DNS info are correct, but I will review.
Well, more to the point of why Kerberos SSO will not work without a forest trust is this Microsoft article https://blogs.technet.microsoft.com/mir/2011/06/12/accessing-resources-across-forest-and-achieve-single-sign-on-part1/
“One-way forest trust support cross forest Kerberos and NTLM authentication while external trust only support NTLM (Kerberos authentication is the preferred method in SOEasy, NTLM is provided for backward compatibility)
A one-way, forest trust between two forests allows members of the trusted forest to use resources that are located in the trusting forest. However, the trust operates in only one direction.”
Now an additional complication is that the BI CMS must also read users/groups from the other forest, and while this might not require a forest trust, the forest trust is by far the easiest way of accomplishing this. So Kerberos SSO must have a one-way forest trust and BI group mapping should have one in the other direction, or some equivalent that will allow a remote server to query all the domains using Microsoft APIs.
-Tim
Hello Yogesh,
Thanks for your post.
Single sign-on is working but we get Kerberos errors.
Example:
I searched the internet for a solution but haven't found the right one yet.
Can you help me fix this problem?
Solutions from others are welcome as well.
regards
Maarten Kuivenhoven
Hello,
What are you trying to do?
-Yogesh
Looks like there is a problem with your keytab file. Either it's missing, incorrect, is for the wrong ID, or the path to the file is incorrect.
Please look at Chad's reply.
-Yogesh
Did you do the portion where it mentions increasing the HTTP header size in the server.xml file?
I've seen wedgetail errors when a user is in so many AD groups that info gets cut off if that max size isn't increased. Just guessing here. Otherwise, as mentioned in earlier posts above, has the password of the service account been changed? Because if so then you need to regenerate the keytab file with the updated embedded password.
Also, have you confirmed the SIA service is running as the service account (on all the BO servers) and not the default local account?
We have this working in our environment (it has been working for a few years now). We now want to change the KDC value. Is this just a simple change in the krb5 file or is there more to it than that?
Yes, that will do it. What we did was add domain.com and NOT domaincontroller.domain.com.
-Yogesh
Thank you for the great information; I am trying this procedure to implement SSO in my environment.
I have a question:
Can I link the Quality BO server and the Production BO server to one Active Directory?
I guess I change the SPN registration procedure from above to the following:
> setspn -a BOCMS/ServiceAccount.domain.com ServiceAccount
> setspn -a HTTP/QualityBOserverHostName ServiceAccount
> setspn -a HTTP/QualityBOserverHostName.domain.com ServiceAccount
> setspn -a HTTP/ProductionBOserverHostName ServiceAccount
> setspn -a HTTP/ProductionBOserverHostName.domain.com ServiceAccount
https://answers.sap.com/questions/478554/is-it-possible-to-implement-sso-on-sap-bo-42-sp5-q.html?childToView=478707#answer-478707
Thank you for the answer.
Hi Guys,
I have configured Windows AD in a 4.2 environment and when trying to log in with Windows AD authentication I get the following error:
Account information not recognized: An error has occurred propagating the security context between the security server and the client. Please contact your system administrator.
Please let me know what is causing this error. I am configuring SSO for the first time; your help is greatly appreciated.
Server OS: 2012 R12
SAP BO Version: 4.2 SP5
Thanks
Sunder
Hello Sunder,
Did you try to check SAP Note for this error?
-Yogesh
Hi Yogesh,
I did research and did not find any solution for my issue; I am also working with SAP support, still no luck. So I thought of trying the community blog.
Thanks
Sunder
Hi Punniyamurthy Sunderam,
How about asking a question on the community with all the error details and the tag "SAP BusinessObjects - Authentication"?
Hopefully this will expedite resolving the issue you have in the system.
-Yogesh
Thanks Yogesh! I will do the same. Sunder
Hi Yogesh Patel
This blog seems to be really helpful for my scenario!! Currently my BI platform is running on Windows 2012 and I am trying to enable SSO for my application that runs on the same machine.
But I am not sure how to create an AD account, as my domain name is GLOBAL which is managed by accounts.sap.com.
Your suggestion will be really helpful.
Regards,
Chinmayee
Hello Chinmayee Rout,
Is there any way you can request an AD account? There must be a test environment at SAP too!
-Yogesh
Thanks very much for this detailed document; very helpful and all is now working. The only issue I had was when I created the files, because Windows added .txt to the file name and, as extensions were hidden, I couldn't see that! Once the .txt was removed from the files all worked perfectly. Just worth noting: make sure you have hidden file extensions showing!
Thanks again
That is why I tried to give screenshots with it, as below.
Hi
Our SSO was working fine for a couple of years but it suddenly stopped working.
Can you let us know where to look or the debug process?
In the log I am not seeing any error. It also has "Credential Obtained".
Any pointers for debugging this?
I added the following to the Java Options in the Tomcat properties:
–Djcsi.kerberos.debug=true
But then Tomcat will not start; I found this error in the logs.
When I remove the 2 lines Tomcat will start, AD authentication works but not SSO.
The keytab file is working with the WAS servers, so the issue is not with this file.
Any ideas?
I can find "credentials obtained" in the log file but SSO is still not working; however I can log in via AD users.
urgent! urgent!
We are using an application from which we access BI reports. We have users in multiple domains. SSO works when we launch BI launch pad directly; however, it works only for default AD domain users when we are redirecting from our application.
This default AD domain is specified in CMC --> Authentication --> Windows AD.
The default AD domain is ONE, and if we try to redirect to reports from a domain other than this one we get the below error.