SSO for BI Launchpad
Reference Note:
1631734 - Configuring Active Directory Manual Authentication and SSO for BI4
Create an Active Directory service account.
Note: the user account must be set to “User cannot change password” and “Password never expires”. The keytab created later is derived from this password, so any password change breaks SSO until a new keytab is generated.
On the SAP BusinessObjects server, add the DOMAIN\ServiceAccount user to the Local Administrators group.
Assign the ‘ServiceAccount’ user the right “Act as part of operating system” in the Local Security Policy snap-in.
Run the following commands on the Active Directory server to create the required Service Principal Names (SPNs).
Note: make sure domain.com is replaced with your domain name.
setspn -a BOCMS/ServiceAccount.domain.com ServiceAccount
setspn -a HTTP/BusinessObjectServerHostName ServiceAccount
setspn -a HTTP/BusinessObjectServerHostName.domain.com ServiceAccount
Check: run setspn -L ServiceAccount to confirm the three SPNs are registered, and setspn -X to make sure none of them is also registered on another account; a duplicate SPN breaks Kerberos silently for both accounts.
Open the user configuration of ‘ServiceAccount’ in Active Directory and, under the Delegation tab, select “Trust this user for delegation to any service (Kerberos only)”.
Note: this is unconstrained delegation. Whoever controls this account (or the server it runs on) can impersonate every user that authenticates to it, so keep its group memberships and logon rights to the minimum the steps above require.
Note: If you are using Microsoft's newer browser, see SAP note : for the setting to add in the global.properties file, then restart your SAP BusinessObjects system including the OS.
Open the user configuration of ‘ServiceAccount’ in Active Directory again and, under the Account tab, select “This account supports Kerberos AES 128 bit encryption” and “This account supports Kerberos AES 256 bit encryption”.
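The Active Directory preparation above (account flags, SPNs, delegation, AES support) as one script, added here as an example and not part of the original post. It runs on a domain controller or any host with the ActiveDirectory RSAT module, uses the post's placeholders DOMAIN.COM, ServiceAccount and BusinessObjectServerHostName, and assumes an OU path for the new account. It refuses to register an SPN that already belongs to another object and verifies the result at the end.

```powershell
#Requires -Modules ActiveDirectory
# Added example, not from the original post. Provisions the BusinessObjects
# Kerberos service account as the steps above describe and verifies it.
# The OU path is an assumption; adjust it for your directory.
param(
    [string]$Realm  = 'DOMAIN.COM',
    [string]$Sam    = 'ServiceAccount',
    [string]$BoHost = 'BusinessObjectServerHostName',
    [string]$Ou     = 'OU=Service Accounts,DC=DOMAIN,DC=COM'   # assumption
)
$ErrorActionPreference = 'Stop'
$dns  = $Realm.ToLower()
$spns = @("BOCMS/$Sam.$dns", "HTTP/$BoHost", "HTTP/$BoHost.$dns")

# 1. Account. The password is typed at a prompt, never placed on the command line.
if (-not (Get-ADUser -Filter "SamAccountName -eq '$Sam'")) {
    $secret = Read-Host -Prompt "Password for $Sam" -AsSecureString
    New-ADUser -Name $Sam -SamAccountName $Sam -UserPrincipalName "$Sam@$Realm" `
        -Path $Ou -AccountPassword $secret -Enabled $true
}
# "User cannot change password" and "Password never expires": the keytab that
# is generated later is derived from this password; a change would break SSO.
Set-ADAccountControl -Identity $Sam -CannotChangePassword $true -PasswordNeverExpires $true

# 2. SPNs. A duplicate SPN on another object makes the KDC issue tickets for
#    the wrong key, so stop instead of adding a second copy.
$u = Get-ADUser -Identity $Sam -Properties ServicePrincipalName
foreach ($spn in $spns) {
    $others = @(Get-ADObject -LDAPFilter "(servicePrincipalName=$spn)" |
                Where-Object { $_.DistinguishedName -ne $u.DistinguishedName })
    if ($others) { throw "$spn is already registered on $($others[0].DistinguishedName)" }
    if ($u.ServicePrincipalName -notcontains $spn) {
        Set-ADUser -Identity $Sam -ServicePrincipalNames @{ Add = $spn }
    }
}

# 3. Delegation tab: "Trust this user for delegation to any service (Kerberos
#    only)". This is unconstrained delegation; the account becomes a high-value
#    target because it can impersonate every user that authenticates to it.
Set-ADAccountControl -Identity $Sam -TrustedForDelegation $true

# 4. Account tab: AES 128/256 support (msDS-SupportedEncryptionTypes).
Set-ADUser -Identity $Sam -KerberosEncryptionType 'AES128,AES256'

# 5. Verify what was actually written to the directory.
$u = Get-ADUser -Identity $Sam -Properties ServicePrincipalName, TrustedForDelegation,
        KerberosEncryptionType, PasswordNeverExpires, CannotChangePassword
[pscustomobject]@{
    Account              = $u.UserPrincipalName
    SPNs                 = ($u.ServicePrincipalName -join '; ')
    UnconstrainedDeleg   = $u.TrustedForDelegation
    EncTypes             = "$($u.KerberosEncryptionType)"
    PasswordNeverExpires = $u.PasswordNeverExpires
    CannotChangePassword = $u.CannotChangePassword
} | Format-List
foreach ($spn in $spns) { if ($u.ServicePrincipalName -notcontains $spn) { throw "missing SPN $spn" } }
if (-not $u.TrustedForDelegation)                     { throw 'delegation is not enabled' }
if ("$($u.KerberosEncryptionType)" -notmatch 'AES256') { throw 'AES is not enabled on the account' }
# The local Administrators membership and "Act as part of operating system"
# right are granted on the BusinessObjects server itself, not here.
```

Run it once before the CMC configuration; the SPN check is the part most worth keeping, since setspn -a (unlike setspn -s) never warns about duplicates.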
Log in to the CMC as the Administrator user with Enterprise authentication.
Go to the AD Authentication area of the Central Management Console and configure the following:
Enable Windows Active Directory (AD)
AD Administration Name = DOMAIN\ServiceAccount
Default AD Domain: DOMAIN.COM
Add AD Group: DOMAIN\UserGroup
Use Kerberos Authentication
Service principal name = BOCMS/ServiceAccount.domain.com
Enable Single Sign On for selected authentication mode
Click Update to save all your entries, then check under the Groups area that your AD group has been added.
Stop the SIA through the “Central Configuration Manager”.
Modify the Server Intelligence Agent (SIA) process on the BusinessObjects server to run as the DOMAIN\ServiceAccount user.
Create a file called "bscLogin.conf", save it into the "C:\Windows\" directory on the SAP BusinessObjects server, and put the following content into it using Notepad:
com.businessobjects.security.jgss.initiate {
com.sun.security.auth.module.Krb5LoginModule required debug = true;
};
Create a file called "krb5.ini", save it into the "C:\Windows\" directory, and put the following content into it using Notepad:
[libdefaults]
default_realm = DOMAIN.COM
dns_lookup_kdc = true
dns_lookup_realm = true
default_tgs_enctypes = rc4-hmac,aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96
default_tkt_enctypes = rc4-hmac,aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96
udp_preference_limit = 1
forwardable = true
[realms]
DOMAIN.COM = {
kdc = DOMAINCONTROLLER.DOMAIN.COM
default_domain = DOMAIN.COM
}
Note: rc4-hmac is listed only for compatibility with older domain controllers. Once the service account has AES enabled (previous step) and your domain controllers support it, remove rc4-hmac from both enctype lines so that RC4 tickets cannot be negotiated.
Execute ‘kinit ServiceAccount’ from the folder “X:\Program Files (x86)\SAP BusinessObjects\SAP BusinessObjects Enterprise XI 4.0\win64_x64\sapjvm\bin”.
If kinit reports that a new ticket is stored, the two files are correct.
Stop Tomcat through the “Central Configuration Manager”.
Create the file “BIlaunchpad.properties” at X:\Program Files (x86)\SAP BusinessObjects\Tomcat6\webapps\BOE\WEB-INF\config\custom
Add the following to the file using Notepad:
authentication.visible = true
authentication.default = secWinAD
Open the Tomcat Options and add the following lines to the Tomcat Java Options:
-Djava.security.auth.login.config=C:\Windows\bscLogin.conf
-Djava.security.krb5.conf=C:\Windows\krb5.ini
Modify X:\Program Files (x86)\SAP BusinessObjects\tomcat\conf\server.xml by adding maxHttpHeaderSize="65536" to the Connector tag for port 8080. Kerberos tickets of users with many group memberships make the Authorization header larger than Tomcat's default limit, and such users would otherwise fall back to the logon page.
Create a new file called “global.properties” at “X:\Program Files (x86)\SAP BusinessObjects\tomcat\webapps\BOE\WEB-INF\config\custom”
Add the following text to it using Notepad:
sso.enabled = true
siteminder.enabled = false
vintela.enabled = true
idm.realm = DOMAIN.COM
idm.princ = ServiceAccount
idm.allowUnsecured = true
idm.allowNTLM = false
idm.logger.name = simple
idm.logger.props = error-log.properties
Open the Tomcat Options and add the following lines to the Tomcat Java Options:
Note: CLEARTEXTPASSWORD is your ServiceAccount password. It is stored in clear text in the Tomcat service configuration and is readable by anyone who can read that configuration, so this is a temporary step that is undone once the keytab is in place.
-Dcom.wedgetail.idm.sso.password=CLEARTEXTPASSWORD
-Djcsi.kerberos.debug=true
Start Tomcat, go to "X:\Program Files (x86)\SAP BusinessObjects\tomcat\logs\" and check that stderr.log shows ‘credentials obtained’.
Test that silent single sign-on is now working in a browser on a client PC.
Now it is time to remove the cleartext password from the Tomcat Java Options. To do that, follow the steps below.
Create a keytab on the AD server by running the following command:
ktpass -out bosso.keytab -princ ServiceAccount@DOMAIN.COM -pass CLEARTEXTPASSWORD -kvno 255 -ptype KRB5_NT_PRINCIPAL -crypto AES256-SHA1
Note: you can use -pass * to be prompted for the password instead of typing it on the command line. The keytab holds a key derived from the account password and is equivalent to the password itself, so treat the file as a credential.
Copy "bosso.keytab" to "C:\Windows" on the SAP BusinessObjects server, restrict its NTFS permissions to SYSTEM, Administrators and the account Tomcat runs as, then stop Tomcat.
Add the following line to X:\Program Files (x86)\SAP BusinessObjects\tomcat\webapps\BOE\WEB-INF\config\custom\global.properties
idm.keytab = C:/Windows/bosso.keytab
Open the Tomcat Configuration, remove the “-Dcom.wedgetail.idm.sso.password=CLEARTEXTPASSWORD” line from the Java Options, restart Tomcat and make sure ‘credentials obtained’ still shows up in stderr.log.
Remove debug = true from the C:\Windows\bscLogin.conf file, and also remove the -Djcsi.kerberos.debug=true line from the Tomcat Java Options.
Start Tomcat and check that SSO for BI Launchpad works and logs you in without entering credentials.
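The checks a practitioner wants after the keytab switch, as an added example that is not part of the original post: it parses bosso.keytab to show which principal, key version and encryption type ktpass actually wrote, locks the file's ACL down, confirms the cleartext password and debug flags are gone from the Tomcat Java Options, and looks for ‘credentials obtained’ in stderr.log. It runs on the SAP BusinessObjects server. The Tomcat service name BOEXI40Tomcat, the Procrun registry path derived from it and the Tomcat logon account are assumptions, not facts from the post.

```powershell
# Added example, not from the original post. Run on the BusinessObjects server
# after global.properties points at the keytab and the password line is gone.
param(
    [string]$Realm         = 'DOMAIN.COM',
    [string]$Sam           = 'ServiceAccount',
    [string]$KeytabPath    = 'C:\Windows\bosso.keytab',
    [string]$TomcatAccount = 'NT AUTHORITY\SYSTEM',   # assumption: account Tomcat runs as
    [string]$TomcatService = 'BOEXI40Tomcat',         # assumption: Procrun service name
    [string]$TomcatLogs    = 'X:\Program Files (x86)\SAP BusinessObjects\tomcat\logs'
)
$ErrorActionPreference = 'Stop'
$encNames = @{ 17 = 'aes128-cts-hmac-sha1-96'; 18 = 'aes256-cts-hmac-sha1-96'; 23 = 'rc4-hmac' }

# 1. Parse the keytab (format version 0x0502, all integers big-endian) and
#    list every key it contains. Position is kept in a hashtable so the small
#    reader script blocks can advance it.
function Read-Keytab([string]$Path) {
    $b = [System.IO.File]::ReadAllBytes($Path)
    if ($b[0] -ne 5 -or $b[1] -ne 2) { throw "$Path is not a version 0x0502 keytab" }
    $st   = @{ p = 2 }
    $u16  = { $v = ([int]$b[$st.p] -shl 8) -bor $b[$st.p + 1]; $st.p += 2; $v }
    $u32  = { $v = [long]0; for ($k = 0; $k -lt 4; $k++) { $v = ($v -shl 8) -bor $b[$st.p + $k] }; $st.p += 4; $v }
    $cstr = { $n = & $u16; $s = [Text.Encoding]::ASCII.GetString($b, $st.p, $n); $st.p += $n; $s }
    while ($st.p -lt $b.Length) {
        $size = & $u32
        if ($size -ge 0x80000000) { $st.p += (0x100000000 - $size); continue }   # negative size: deleted slot
        $start = $st.p
        $n     = & $u16                                  # number of name components
        $realm = & $cstr
        $parts = for ($c = 0; $c -lt $n; $c++) { & $cstr }
        $null  = & $u32                                  # name type
        $null  = & $u32                                  # timestamp
        $kvno  = [int]$b[$st.p]; $st.p += 1               # 8-bit key version
        $etype = & $u16
        $klen  = & $u16
        $st.p += $klen                                   # the key itself: not printed
        if ($st.p - $start + 4 -le $size) {              # optional 32-bit key version
            $v32 = & $u32; if ($v32 -ne 0) { $kvno = $v32 }
        }
        $st.p = $start + $size
        [pscustomobject]@{
            Principal = (@($parts) -join '/') + "@$realm"
            Kvno      = $kvno
            EncType   = if ($encNames.ContainsKey($etype)) { $encNames[$etype] } else { "etype $etype" }
            KeyBytes  = $klen
        }
    }
}

$entries = @(Read-Keytab $KeytabPath)
$entries | Format-Table Principal, Kvno, EncType, KeyBytes -AutoSize | Out-String | Write-Host
$want = "$Sam@$Realm"
if (-not ($entries | Where-Object { $_.Principal -eq $want -and $_.EncType -eq 'aes256-cts-hmac-sha1-96' })) {
    throw "keytab has no AES256 key for $want (check -princ and -crypto on the ktpass command)"
}

# 2. The keytab is a reusable credential: drop inherited ACEs and grant only
#    SYSTEM, local Administrators and the Tomcat logon account.
$acl = Get-Acl -Path $KeytabPath
$acl.SetAccessRuleProtection($true, $false)
foreach ($id in 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators') {
    $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule($id, 'FullControl', 'Allow')))
}
$acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule($TomcatAccount, 'Read', 'Allow')))
Set-Acl -Path $KeytabPath -AclObject $acl

# 3. The cleartext password and the Kerberos debug flag must be gone from the
#    Tomcat Java Options (Procrun keeps them as a REG_MULTI_SZ) and from bscLogin.conf.
$key  = "HKLM:\SOFTWARE\Wow6432Node\Apache Software Foundation\Procrun 2.0\$TomcatService\Parameters\Java"
$opts = @((Get-ItemProperty -Path $key -Name Options).Options)
foreach ($bad in '-Dcom.wedgetail.idm.sso.password=', '-Djcsi.kerberos.debug=true') {
    if ($opts | Where-Object { $_.StartsWith($bad) }) { Write-Warning "still present in Tomcat Java Options: $bad" }
}
if (Select-String -Path 'C:\Windows\bscLogin.conf' -Pattern 'debug\s*=\s*true') {
    Write-Warning 'bscLogin.conf still has debug = true'
}

# 4. Did the Vintela filter accept the keytab on the last start?
$hit = Select-String -Path (Join-Path $TomcatLogs 'stderr.log') -Pattern 'credentials obtained' -SimpleMatch |
       Select-Object -Last 1
if ($hit) { Write-Host "OK: $($hit.Line)" } else { Write-Warning 'no "credentials obtained" in stderr.log; the keytab was not accepted' }
```

If the printed key version does not match the one Active Directory holds for the account, the ticket the filter receives was encrypted with a key the keytab cannot decrypt; re-run ktpass after the account's password is final.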
SSO for CMC
Reference SAP Notes:
2190831 - How to enable SSO for CMC in BI 4.1 SP6
2190487 - Is SSO for CMC supported in BI 4.1 with Vintela (AD SSO)?
Create “CmcApp.properties” at “X:\Program Files (x86)\SAP BusinessObjects\tomcat\webapps\BOE\WEB-INF\config\custom” and add the following to it with Notepad:
cms.default = CMSHOST:PORT
authentication.visible = true
cms.visible = true
sso.supported.types = vintela, trustedIIS, trustedHeader, trustedParameter, trustedCookie, trustedSession, trustedUserPrincipal, trustedVintela, trustedX509, sapSSO, siteminder
sso.types.and.order = vintela
authentication.default = secWinAD
Note: to log in to the CMC without SSO you can use the URL shown below
http://HOST:PORT/BOE/CMC/logon.faces?skipSso=true
Open the CMC page of your BI server and it will let you log in without entering credentials.
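An end-to-end check of the finished setup from a client, added here as an example that is not part of the original post. Run from a domain-joined PC logged on as a domain user: it asks the Windows Kerberos client for a ticket to the launchpad SPN and reports its encryption type, confirms that the server challenges with Negotiate, and then fetches BI Launchpad, the CMC and the skipSso URL with the logged-on user's ticket. It assumes Windows PowerShell 5.1, the post's placeholder host and port, and that a logon page can be recognised by a password input field (an assumption about the page markup, not something the post states).

```powershell
# Added example, not from the original post. Client-side SSO check.
param(
    [string]$BoHost = 'BusinessObjectServerHostName.domain.com',
    [int]$Port      = 8080
)
$base = "http://$($BoHost):$Port/BOE"

# 1. Service ticket for the launchpad SPN. No ticket here means the HTTP/ SPN
#    is missing or registered on the wrong account; the enctype line shows
#    whether AES or RC4 was negotiated.
$out = (klist get "HTTP/$BoHost") -join "`n"
if ($out -notmatch '(?m)^\s*Server:\s*HTTP/') { throw "no Kerberos ticket for HTTP/$BoHost`n$out" }
if ($out -match 'KerbTicket Encryption Type:\s*(\S+)') { Write-Host "ticket enctype: $($Matches[1])" }

# 2. Without credentials the Vintela filter should answer 401 with a
#    WWW-Authenticate: Negotiate challenge.
try {
    Invoke-WebRequest -Uri "$base/BI" -UseBasicParsing | Out-Null
    Write-Warning 'no 401 challenge: the SSO filter may not be active'
} catch [System.Net.WebException] {
    $resp = $_.Exception.Response
    if (-not $resp) { throw $_ }
    $h = $resp.Headers['WWW-Authenticate']
    Write-Host "challenge: $h"
    if ($h -notmatch 'Negotiate') { throw 'server did not offer Negotiate' }
}

# 3. With the logged-on user's ticket, BI Launchpad and the CMC must come back
#    without a password field; the skipSso URL must still show the logon form.
function Test-SsoPage([string]$Url, [switch]$ExpectLogonForm) {
    $r  = Invoke-WebRequest -Uri $Url -UseDefaultCredentials -UseBasicParsing
    $hasPassword = [bool]($r.Content -match 'type\s*=\s*["'']?password')   # assumption: logon form marker
    $ok = ($r.StatusCode -eq 200) -and ($hasPassword -eq [bool]$ExpectLogonForm)
    Write-Host ('{0,-4} {1}' -f $(if ($ok) { 'OK' } else { 'FAIL' }), $Url)
    return $ok
}
$results = @(
    Test-SsoPage "$base/BI"
    Test-SsoPage "$base/CMC"
    Test-SsoPage "$base/CMC/logon.faces?skipSso=true" -ExpectLogonForm
)
if ($results -contains $false) { exit 1 }
```

Run klist purge first if you want step 1 to prove that a fresh ticket can be obtained rather than reusing a cached one.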
I have used the reference document located at:
Active Directory SSO for SAP BusinessObjects BI4
created by:
joshua.fletcher2
Thank you for reading
Yogesh Patel