Technology Blogs by SAP
Learn how to extend and personalize SAP applications. Follow the SAP technology blog for insights into SAP BTP, ABAP, SAP Analytics Cloud, SAP HANA, and more.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Lessons learned setting up End-2-End SSO with Kerberos between BI and HANA

frank_bannert
Active Participant
‎07-15-2013 2:37 PM

Just coming back from an onsite visit where we had to find and resolve some tricky parts in the whole SSO configuration. I thought some of you might want to configure Kerberos Single-Sign-On between SAP BusinessObjects BI 4.0 and SAP HANA.

What you absolutely need to read and follow:

->General knowledge

Business Intelligence Platform Administrator Guide - http://help.sap.com/bobip40

SAP HANA Administration Guides - http://help.sap.com/hana_platform

->Specific guides

Setting up Single Sign-On (SSO) with SAP HANA and SAP BusinessObjects XI 4.0 - http://scn.sap.com/docs/DOC-36305

1837331 - HOWTO HANA DB SSO Kerberos/ Active Directory

1631734 - Configuring Active Directory Manual Authentication and SSO for BI4  (PDF ATTACHED)

Additional information when you get stuck:

1813724 - HANA SSO/Kerberos: create keytab and validate conf (PYTHON SCRIPT AND GSSCHECKER TOOL)

1767687 - HANA issues with Kerberos SSO, error while parsing protocol

1727859 - How to trace the HANA jdbc driver on a client?

1869952 - Requirements and troubleshooting steps when setting up kerberos SSO to the database

1853668 - How to find the KVNO version of your keytab file

1811398 - How to setup BI components to login to hana via AD kerberos SSO (HANASSO.PDF)

1586166 - How to enable tracing for BI4.0 client applications

1734523 - AD Authenticaion working in IDT only on one Machine

1621106 - How to configure Information Design Tool (IDT) for manual AD Login to BI 4.0

1476374 - ***Best Practices*** including Basic and Advanced AD Troubleshooting Steps for Manual Logon, NTLM, Kerberos and Vintela Single Sign On

1871302 - No TGS requests were sent from any server attempting to perform SSO to hana via kerberos

The tricky parts or better what helped us:

- Use the latest HANA JDBC driver (comes with HANA Client 1.0 from Service Marketplace) locally and on BI landscape

- Check that the Keytab on all involved machines is NOT generated with KVNO 255 but without and has the same KVNO everywhere

- Enable attribute "Trust this user for delegation to any service (Kerberos only)" on AD for the service users (-> not a requirement from HANA but from BI)

- Make sure you have the correct REALM everywhere, this can be very tricky in a multidomain environment

- Check if you defined the SPN value you get back from the command "setspn -l <AD ACCOUNT>@DOMAIN" in bscLogin.conf and CMC (case sensitive!)

- Test your HANA SSO configuration with hdbsql and GSSChecker.jar (attached to SP note 1813724) from a client machine

- SAP note 1813724 has a Python script attached which verifies your HANA configuration

- SAP note 1476374 provides troubleshooting for BI SSO

Hope this will help you!

Best,

Frank

SAP AG

Customer Solution Adoption (CSA)

1 Comment
Labels in this area
Popular Blog Posts