Skip to Content
Technical Articles

How to Securely Integrate BI 4.2 + with Active Directory and SSO in Distributed Environments

Hi all,

I’m Tim Ziemba Senior Authentication Engineer for the BI Authentication Team. This blog is to introduce a new KBA with many new options for…

KBA 2629070 How to Securely Integrate BI 4.x with Active Directory and SSO in Distributed Environments

If you are familiar with the Business Objects / Business Intelligence product line, we have always had white papers written to connect BI to AD and provide SSO to Launchpad and other applications. The last version of them was KBA 1631734 written for BI 4.0 in 2011 and updated periodically to keep it accurate.

There have been many updates to BI, changing requirements for browsers, encryption, and security over the last 7 years. That old KBA, while containing most of the updates or links to them, was getting dated. In addition to providing the step by step instructions to setup SSO KBA 1631734 also provided section breakups and troubleshooting to make it easier to get from beginning to end with as few mistakes as possible.

Beginning in April 2018 KBA 2629070 is available, as well as a NEW! video version in KBA 2640238. Both are broken into 5 sections, complete with screen by screen (or video) directions to setup AD mapping, manual java logon, and SSO. These documents were created using BI 4.2 SP5. The vast majority of features will be backward compatible with all versions of 4.2 and even 4.1.

This new KBA will start with delegation to specified services (aka constrained delegation) to provide maximum security with current browsers that may require it (such as Microsoft IE 11, Edge and Google’s Chrome). Additional troubleshooting info was added to make it easier to setup and test this more complex configuration. Also added for security are the settings to enable AES encryption right from the start. The configuration is friendly to both AES (128 or 256) and RC4, so no matter what level of security on your companies Active Directory, this document should get you going from the start.

Also removed is the attached word document. All steps and screenshots have been integrated directly into the KBA, and condensed to provide more actionable data, and less explanation. KBA 1631734 will still remain available if anyone wants to reference it (but it’s highly recommended to use the new one). The most important details have been carried over based on years of experience in BI authentication.

Please let us know what you think of the new KBA, any issues, suggestions, and we’ll provide clarification and updates faster than ever.

Regards

 

-Tim

5 Comments
You must be Logged on to comment or reply to a post.
    • Thanks Cristina!

      What would you like about unix/linux? The AD plugin is not available so this KBA won’t apply if the CMS is installed on unix/linux, currently you would have to use this one https://apps.support.sap.com/sap/support/knowledge/preview/en/1965433 I just added this to the new one in the see also section

       

      -Tim

  • I am dealing with the additional security for our windows server team turning on the AES security setting in the Local Policy settings on the server.

    We run our webservers in Linux, and I am having trouble getting this to work with the additional security settings.  The KB articles are written to a Windows webserver deployment.

    And apparently SAP support doesn't know how to support this type of deployment (2 weeks of logging a ticket and NOTHING).  Ticket: 1845890/2021 (P3)

     

     

     

  • I updated your ticket, for SSO problems a comprehensive troubleshooting KBA based on BI web/app tracing has been written, you can use this KBA, and I attached it to your ticket https://apps.support.sap.com/sap/support/knowledge/en/2820819

     

    -Tim