I’m Tim Ziemba Senior Authentication Engineer for the BI Authentication Team. This blog is to introduce a new KBA with many new options for…
KBA 2629070 How to Securely Integrate BI 4.x with Active Directory and SSO in Distributed Environments
If you are familiar with the Business Objects / Business Intelligence product line, we have always had white papers written to connect BI to AD and provide SSO to Launchpad and other applications. The latest version of them was KBA 1631734 written for BI 4.0 in 2011 and updated periodically to keep it accurate.
There have been many updates to BI, changing requirements for browsers, encryption, and security over the last 7 years. That old KBA, while containing most of the updates, or links to them, was getting dated. In addition to providing the step by step instructions to setup SSO KBA 1631734 also provided section breakups and troubleshooting to make it easier to get from beginning to end with as few mistakes as possible.
A new KBA 2629070 is now available. It is broken into 5 sections, complete with screen by screen directions to setup AD mapping, manual java logon, and SSO. This document was created using BI 4.2 SP5. The vast majority of features will be backward compatible with all versions of 4.2 and even 4.1.
This new KBA will start with delegation to specified services (aka constrained delegation) to provide maximum security with current browsers that may require it, such as IE 11 and Chrome. Additional troubleshooting info was added to make it easier to setup, and test this more complex configuration. Also added for security are the settings to enable AES encryption right from the start. The configuration is both friendly to AES and RC4, so no matter what level of security on your companies Active Directory, this document should get you going from the start.
This is the 1st version so there are bound to be many updates to come as we gather more feedback. Also removed is the attached word document. All steps and screenshots have been integrated directly into the KBA, and condensed to provide more actionable data, and less explanation. KBA 1631734 will still remain available if anyone wants to reference it. Plus the most important details have been carried over based on years of experience in BI authentication.
Please let us know what you think of the new KBA, any issues and we’ll provide clarification and update it faster than ever.