How to Securely Integrate BI 4.2 + with Active Directory and SSO in Distributed Environments
I’m Tim Ziemba Senior Authentication Engineer for the BI Authentication Team. This blog is to introduce a new KBA with many new options for…
KBA 2629070 How to Securely Integrate BI 4.x with Active Directory and SSO in Distributed Environments
If you are familiar with the Business Objects / Business Intelligence product line, we have always had white papers written to connect BI to AD and provide SSO to Launchpad and other applications. The last version of them was KBA 1631734 written for BI 4.0 in 2011 and updated periodically to keep it accurate.
There have been many updates to BI, changing requirements for browsers, encryption, and security over the last 7 years. That old KBA, while containing most of the updates or links to them, was getting dated. In addition to providing the step by step instructions to setup SSO KBA 1631734 also provided section breakups and troubleshooting to make it easier to get from beginning to end with as few mistakes as possible.
Beginning in April 2018 KBA 2629070 is available, as well as a NEW! video version in KBA 2640238. Both are broken into 5 sections, complete with screen by screen (or video) directions to setup AD mapping, manual java logon, and SSO. These documents were created using BI 4.2 SP5. The vast majority of features will be backward compatible with all versions of 4.2 and even 4.1.
This new KBA will start with delegation to specified services (aka constrained delegation) to provide maximum security with current browsers that may require it (such as Microsoft IE 11, Edge and Google’s Chrome). Additional troubleshooting info was added to make it easier to setup and test this more complex configuration. Also added for security are the settings to enable AES encryption right from the start. The configuration is friendly to both AES (128 or 256) and RC4, so no matter what level of security on your companies Active Directory, this document should get you going from the start.
Also removed is the attached word document. All steps and screenshots have been integrated directly into the KBA, and condensed to provide more actionable data, and less explanation. KBA 1631734 will still remain available if anyone wants to reference it (but it’s highly recommended to use the new one). The most important details have been carried over based on years of experience in BI authentication.
Please let us know what you think of the new KBA, any issues, suggestions, and we’ll provide clarification and updates faster than ever.