
Hi all,

I’m Tim Ziemba, Senior Authentication Engineer for the BI Authentication Team. This blog is to introduce a new KBA with many new options for…

KBA 2629070 How to Securely Integrate BI 4.x with Active Directory and SSO in Distributed Environments

If you are familiar with the Business Objects / Business Intelligence product line, we have always had white papers written to connect BI to AD and provide SSO to Launchpad and other applications. The latest version of them was KBA 1631734, written for BI 4.0 in 2011 and updated periodically to keep it accurate.

There have been many updates to BI, and changing requirements for browsers, encryption, and security, over the last 7 years. That old KBA, while containing most of the updates or links to them, was getting dated. In addition to providing the step-by-step instructions to set up SSO, KBA 1631734 also provided section breakups and troubleshooting to make it easier to get from beginning to end with as few mistakes as possible.

A new KBA, 2629070, is now available. It is broken into 5 sections, complete with screen-by-screen directions to set up AD mapping, manual Java logon, and SSO. This document was created using BI 4.2 SP5. The vast majority of features will be backward compatible with all versions of 4.2 and even 4.1.

This new KBA will start with delegation to specified services (aka constrained delegation) to provide maximum security with current browsers that may require it, such as IE 11 and Chrome. Additional troubleshooting info was added to make it easier to set up and test this more complex configuration. Also added for security are the settings to enable AES encryption right from the start. The configuration is friendly to both AES and RC4, so no matter the level of security on your company’s Active Directory, this document should get you going from the start.

This is the 1st version, so there are bound to be many updates to come as we gather more feedback. Also removed is the attached Word document. All steps and screenshots have been integrated directly into the KBA and condensed to provide more actionable data and less explanation. KBA 1631734 will still remain available if anyone wants to reference it, and the most important details have been carried over based on years of experience in BI authentication.

Please let us know what you think of the new KBA and any issues you find, and we’ll provide clarification and update it faster than ever.

Regards

 

-Tim


3 Comments


    1. Tim Ziemba Post author

      Thanks Cristina!

      What would you like about Unix/Linux? The AD plugin is not available, so this KBA won’t apply if the CMS is installed on Unix/Linux. Currently you would have to use this one: https://apps.support.sap.com/sap/support/knowledge/preview/en/1965433 I just added this to the new one in the See Also section.

       

      -Tim
