Just coming back from an onsite visit where we had to find and resolve some tricky parts in the whole SSO configuration. I thought some of you might want to configure Kerberos Single-Sign-On between SAP BusinessObjects BI 4.0 and SAP HANA.
What you absolutely need to read and follow:
->General knowledge
Business Intelligence Platform Administrator Guide - http://help.sap.com/bobip40
SAP HANA Administration Guides - http://help.sap.com/hana_platform
->Specific guides
Setting up Single Sign-On (SSO) with SAP HANA and SAP BusinessObjects XI 4.0 - http://scn.sap.com/docs/DOC-36305
1837331 - HOWTO HANA DB SSO Kerberos/ Active Directory
1631734 - Configuring Active Directory Manual Authentication and SSO for BI4 (PDF ATTACHED)
Additional information when you get stuck:
1813724 - HANA SSO/Kerberos: create keytab and validate conf (PYTHON SCRIPT AND GSSCHECKER TOOL)
1767687 - HANA issues with Kerberos SSO, error while parsing protocol
1727859 - How to trace the HANA jdbc driver on a client?
1869952 - Requirements and troubleshooting steps when setting up kerberos SSO to the database
1853668 - How to find the KVNO version of your keytab file
1811398 - How to setup BI components to login to hana via AD kerberos SSO (HANASSO.PDF)
1586166 - How to enable tracing for BI4.0 client applications
1734523 - AD Authenticaion working in IDT only on one Machine
1621106 - How to configure Information Design Tool (IDT) for manual AD Login to BI 4.0
1476374 - ***Best Practices*** including Basic and Advanced AD Troubleshooting Steps for Manual Logon, NTLM, Kerberos and Vintela Single Sign On
1871302 - No TGS requests were sent from any server attempting to perform SSO to hana via kerberos
The tricky parts, or rather what helped us:
- Use the latest HANA JDBC driver (comes with HANA Client 1.0 from Service Marketplace) locally and on BI landscape
- Check that the keytab on all involved machines is NOT generated with KVNO 255 but without it, and that it has the same KVNO everywhere
- Enable attribute "Trust this user for delegation to any service (Kerberos only)" on AD for the service users (-> not a requirement from HANA but from BI)
- Make sure you have the correct REALM everywhere; this can be very tricky in a multidomain environment
- Check that the SPN value you get back from the command "setspn -l <AD ACCOUNT>@DOMAIN" is the one you defined in bscLogin.conf and CMC (case sensitive!)
- Test your HANA SSO configuration with hdbsql and GSSChecker.jar (attached to SAP note 1813724) from a client machine
- SAP note 1813724 has a Python script attached which verifies your HANA configuration
- SAP note 1476374 provides troubleshooting for BI SSO
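The KVNO check from the list above can be scripted once the keytabs from all machines are collected in one place. This is an added example, not code from the SAP notes or their attachments; it assumes keytabs in the MIT file format version 0x0502, and the host names, principal and `make_entry` helper are constructed for illustration.

```python
import struct

def _counted(data, p):  # 16-bit length-prefixed field -> (bytes, next offset)
    (n,) = struct.unpack_from(">H", data, p)
    return data[p + 2:p + 2 + n], p + 2 + n

def parse_keytab(data):
    """Yield (principal, kvno, enctype) for each entry of a 0x0502 keytab."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    pos = 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size <= 0:                      # negative size marks a deleted slot
            pos -= size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        parts, p = [], pos + 2
        for _ in range(ncomp + 1):         # realm first, then name components
            c, p = _counted(data, p)
            parts.append(c.decode())
        p += 8                             # skip name type and timestamp
        kvno, (etype,) = data[p], struct.unpack_from(">H", data, p + 1)
        _, p = _counted(data, p + 3)       # skip the key bytes
        if end - p >= 4:                   # optional 32-bit KVNO wins if non-zero
            kvno = struct.unpack_from(">I", data, p)[0] or kvno
        yield "/".join(parts[1:]) + "@" + parts[0], kvno, etype
        pos = end

def kvno_findings(keytabs):
    """keytabs maps host name -> keytab bytes; returns a list of problems."""
    findings, seen = [], {}
    for host, blob in keytabs.items():
        for princ, kvno, etype in parse_keytab(blob):
            if kvno == 255:
                findings.append(f"{host}: {princ} has KVNO 255")
            seen.setdefault((princ, etype), {})[host] = kvno
    for (princ, etype), hosts in seen.items():
        if len(set(hosts.values())) > 1:
            findings.append(f"{princ} (enctype {etype}): KVNO differs {hosts}")
    return findings

def make_entry(realm, comps, kvno, etype=18):
    """Constructed sample entry with an all-zero key (not a real keytab)."""
    cs = lambda b: struct.pack(">H", len(b)) + b
    body = struct.pack(">H", len(comps)) + b"".join(map(cs, [realm] + comps))
    body += struct.pack(">IIBH", 1, 0, kvno & 255, etype) + cs(bytes(32))
    body += struct.pack(">I", kvno)
    return struct.pack(">i", len(body)) + body
```

Principals are compared as exact strings, so a realm or SPN that differs only in case between two machines shows up as two separate principals instead of a KVNO mismatch.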
Hope this will help you!
Best,
Frank
SAP AG
Customer Solution Adoption (CSA)