Author: Tim Ziemba

How to Securely Integrate BI 4.2 + with Active Directory and SSO in Distributed Environments

Hi all,

I’m Tim Ziemba, Senior Authentication Engineer for the BI Authentication Team. This blog is to introduce a new KBA with many new options for…

KBA 2629070 How to Securely Integrate BI 4.x with Active Directory and SSO in Distributed Environments

If you are familiar with the Business Objects / Business Intelligence product line, we have always had white papers written to connect BI to AD and provide SSO to Launchpad and other applications. The last version of them was KBA 1631734 written for BI 4.0 in 2011 and updated periodically to keep it accurate.

There have been many updates to BI and changing requirements for browsers, encryption, and security over the last 7 years. That old KBA, while containing most of the updates or links to them, was getting dated. In addition to providing the step-by-step instructions to set up SSO, KBA 1631734 also provided section breakups and troubleshooting to make it easier to get from beginning to end with as few mistakes as possible.

Beginning in April 2018, KBA 2629070 is available, as well as a new video version in KBA 2640238. Both are broken into 5 sections, complete with screen-by-screen (or video) directions to set up AD mapping, manual Java logon, and SSO. These documents were created using BI 4.2 SP5. The vast majority of features will be backward compatible with all versions of 4.2 and even 4.1.

This new KBA starts with delegation to specified services (aka constrained delegation) to provide maximum security with current browsers that may require it (such as Microsoft IE 11, Edge and Google’s Chrome). Additional troubleshooting info was added to make it easier to set up and test this more complex configuration. Also added for security are the settings to enable AES encryption right from the start. The configuration is friendly to both AES (128 or 256) and RC4, so no matter what level of security is enforced in your company’s Active Directory, this document should get you going from the start.
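As an added example (not taken from KBA 2629070 or written by the author), the following PowerShell reads the two settings this paragraph is about from the BI service account: whether delegation is limited to specified services and whether AES is enabled. It assumes the ActiveDirectory (RSAT) module is installed; `svc-bi-sso` is a hypothetical account name.

```powershell
# Added example, not from the KBA. Requires the ActiveDirectory (RSAT) module.
Import-Module ActiveDirectory

function Get-EncTypeName {
    param([int]$Mask)
    # Bit flags of the msDS-SupportedEncryptionTypes attribute
    $flags = [ordered]@{
        'DES-CBC-CRC' = 0x1; 'DES-CBC-MD5' = 0x2; 'RC4-HMAC' = 0x4
        'AES128-CTS-HMAC-SHA1-96' = 0x8; 'AES256-CTS-HMAC-SHA1-96' = 0x10
    }
    $flags.GetEnumerator() | Where-Object { $Mask -band $_.Value } |
        ForEach-Object { $_.Key }
}

function Test-BiServiceAccount {
    param([Parameter(Mandatory)][string]$Identity)
    $props = 'servicePrincipalName', 'msDS-SupportedEncryptionTypes',
             'msDS-AllowedToDelegateTo', 'TrustedForDelegation'
    $u = Get-ADUser -Identity $Identity -Properties $props

    $mask    = [int]$u.'msDS-SupportedEncryptionTypes'   # unset attribute becomes 0
    $targets = @($u.'msDS-AllowedToDelegateTo' | Where-Object { $_ })

    $findings = @()
    if ($u.TrustedForDelegation) {
        $findings += 'Unconstrained delegation is enabled; restrict it to specified services.'
    }
    if ($targets.Count -eq 0) {
        $findings += 'No constrained delegation targets (msDS-AllowedToDelegateTo is empty).'
    }
    if (-not ($mask -band 0x18)) {
        $findings += 'AES128/AES256 is not explicitly enabled on the account.'
    }

    [pscustomobject]@{
        Account         = $u.SamAccountName
        SPNs            = @($u.servicePrincipalName)
        EncryptionTypes = @(Get-EncTypeName -Mask $mask)
        DelegateTo      = $targets
        Findings        = $findings
    }
}

# 'svc-bi-sso' is a hypothetical account name; substitute your BI service account.
Test-BiServiceAccount -Identity 'svc-bi-sso' | Format-List
```

An empty `Findings` list means the account is restricted to specified services and has AES enabled; the SPN list is shown so it can be compared against what the KBA asks you to register.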

Also removed is the attached Word document. All steps and screenshots have been integrated directly into the KBA and condensed to provide more actionable data and less explanation. KBA 1631734 will remain available if anyone wants to reference it (but it’s highly recommended to use the new one). The most important details have been carried over based on years of experience in BI authentication.

Please let us know what you think of the new KBA, any issues, suggestions, and we’ll provide clarification and updates faster than ever.

Regards

 

-Tim


      8 Comments
      Cristina Cappellini

      Good one. More info or a specific OSS note for Unix/Linux environments would be nice.

      Tim Ziemba
      Blog Post Author

      Thanks Cristina!

      What would you like about Unix/Linux? The AD plugin is not available, so this KBA won’t apply if the CMS is installed on Unix/Linux. Currently you would have to use this one: https://apps.support.sap.com/sap/support/knowledge/preview/en/1965433. I just added this to the new one in the See Also section.

       

      -Tim

      Manikandan Elumalai

      Good one Tim. Thanks for the update!

       

      Tom Nather

      I am dealing with the additional security for our windows server team turning on the AES security setting in the Local Policy settings on the server.

      We run our webservers in Linux, and I am having trouble getting this to work with the additional security settings.  The KB articles are written to a Windows webserver deployment.

      And apparently SAP support doesn't know how to support this type of deployment (2 weeks of logging a ticket and NOTHING).  Ticket: 1845890/2021 (P3)

       

       

       

      Tim Ziemba
      Blog Post Author

      I updated your ticket. For SSO problems, a comprehensive troubleshooting KBA based on BI web/app tracing has been written. You can use this KBA, and I attached it to your ticket: https://apps.support.sap.com/sap/support/knowledge/en/2820819

       

      -Tim

      Tom Nather

      Going back to the roots and following the KB article listed here, we got the secure hardened servers working with a manual AD login.

      What should I check for to get the "silent login" working? That is, no login box, it just goes right in. We have the URL we are using delegated to the new service account.

       

      Tim Ziemba
      Blog Post Author

      SSO and manual logon have very little in common. The manual logon is entirely dependent on the krb5 and bsclogin, while the SSO doesn't use them at all, and the settings are controlled by the global.properties, bilaunchpad.properties and SPNs/delegation/encryption on the service account.

      If you have followed KBA 2629070 it should just work. If not, then I have written an extensive troubleshooting KBA 2820819.

      Tom Nather

      Setup vintela log and it matches your KB for debugging.

      555920 / 2021 Vintela/Kerberos - Manual AD login works Silent login does not work.

      I uploaded all logs and configurations.  See what your seen and respond to the ticket.

      Thanks for all the help!!!!