Technology Blogs by Members
patelyogesh
Active Contributor

SSO for BI Launchpad

Reference Note:

1631734 - Configuring Active Directory Manual Authentication and SSO for BI4

Create an Active Directory service account.

Note: The user account must be set to “User cannot change password” and “Password never expires”.

On the SAP BusinessObjects server, add the DOMAIN\ServiceAccount user to the local Administrators group.

Assign the ‘ServiceAccount’ user the right “Act as part of the operating system” in the Local Security Policy snap-in.

Run the following commands on the Active Directory server to create the appropriate Service Principal Names (SPNs).

Note: Make sure domain.com is replaced with your own domain name.

setspn -a BOCMS/ServiceAccount.domain.com ServiceAccount
setspn -a HTTP/BusinessObjectServerHostName ServiceAccount
setspn -a HTTP/BusinessObjectServerHostName.domain.com ServiceAccount


Change the user configuration of ‘ServiceAccount’ in Active Directory, and under the Delegation tab select “Trust this user for delegation to any service (Kerberos only)”.

--------------------------

Note: If you are using Microsoft's newer browser, please look at SAP note 2182400 - Setting up constrained delegation in BI 4.x

You need to set up the AD account as below.

You also need to add idm.allowS4U=true in the global.properties file and restart your SAP BusinessObjects system, including the OS.


------------------------


Change the user configuration of ‘ServiceAccount’ in Active Directory, and under the Account tab select “This account supports Kerberos AES 128 bit encryption” and “This account supports Kerberos AES 256 bit encryption”.

Log in to the CMC as the Administrator user with Enterprise authentication.

Under the AD Authentication area in the Central Management Console, configure the following:

Enable Windows Active Directory (AD)
AD Administration Name = DOMAIN\ServiceAccount
Default AD Domain: DOMAIN.COM
Add AD Group: DOMAIN\UserGroup

Use Kerberos Authentication
Service principal name = BOCMS/ServiceAccount.domain.com
Enable Single Sign On for selected authentication mode


Click Update to save all your entries. Check under the Groups area to make sure your AD group has been added.

Stop the SIA through the “Central Configuration Manager”.

Modify the Server Intelligence Agent (SIA) process on the BusinessObjects server to run as the DOMAIN\ServiceAccount user.

Create a file called "bscLogin.conf", save it into the "C:\Windows\" directory on the SAP BusinessObjects server, and put the following content into it using the Notepad editor:

com.businessobjects.security.jgss.initiate {
com.sun.security.auth.module.Krb5LoginModule required debug = true;
};

Create a file called "krb5.ini", save it into the "C:\Windows\" directory, and put the following content into it using the Notepad editor:

[libdefaults]
default_realm = DOMAIN.COM
dns_lookup_kdc = true
dns_lookup_realm = true
default_tgs_enctypes = rc4-hmac,aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96
default_tkt_enctypes = rc4-hmac,aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96
udp_preference_limit = 1
forwardable = true
[realms]
DOMAIN.COM = {
kdc = DOMAINCONTROLLER.DOMAIN.COM
default_domain = DOMAIN.COM
}

Execute ‘kinit ServiceAccount’ from the folder “X:\Program Files (x86)\SAP BusinessObjects\SAP BusinessObjects Enterprise XI 4.0\win64_x64\sapjvm\bin”.

If a new ticket is stored, the file is correct.

Stop Tomcat through the “Central Configuration Manager”.

Create the file “BIlaunchpad.properties” at X:\Program Files (x86)\SAP BusinessObjects\Tomcat6\webapps\BOE\WEB-INF\config\custom and add the following to it using the Notepad editor:

authentication.visible = true
authentication.default = secWinAD

Open up the Tomcat Options, and add the following lines to the Tomcat Java Options:

-Djava.security.auth.login.config=C:\Windows\bscLogin.conf
-Djava.security.krb5.conf=C:\Windows\krb5.ini

Modify X:\Program Files (x86)\SAP BusinessObjects\tomcat\conf\server.xml by adding maxHttpHeaderSize="65536" to the Connector tag for port 8080.

Create a new file called “global.properties” at “X:\Program Files (x86)\SAP BusinessObjects\tomcat\webapps\BOE\WEB-INF\config\custom” and add the following text to it using the Notepad editor:

sso.enabled = true
siteminder.enabled = false
vintela.enabled = true
idm.realm = DOMAIN.COM
idm.princ = ServiceAccount
idm.allowUnsecured = true
idm.allowNTLM = false
idm.logger.name = simple
idm.logger.props = error-log.properties

Open up the Tomcat Options and add the following lines to the Tomcat Java Options:

Note: CLEARTEXTPASSWORD is your ServiceAccount password.

-Dcom.wedgetail.idm.sso.password=CLEARTEXTPASSWORD
-Djcsi.kerberos.debug=true

Start Tomcat, go to "X:\Program Files (x86)\SAP BusinessObjects\tomcat\logs\" and check that stderr.log shows ‘credentials obtained’.

Test that silent single sign-on is now working in a browser on a client PC.

Now it is time to remove the cleartext password from the Tomcat Java Options. To do that, follow the steps below.

Create a keytab on the AD server by running the following command:

ktpass -out bosso.keytab -princ ServiceAccount@DOMAIN.COM -pass CLEARTEXTPASSWORD -kvno 255 -ptype KRB5_NT_PRINCIPAL -crypto AES256-SHA1

The file is created as below.

Copy the file "bosso.keytab" to "C:\Windows" on the SAP BusinessObjects server, then stop Tomcat.

Add the following line to X:\Program Files (x86)\SAP BusinessObjects\tomcat\webapps\BOE\WEB-INF\config\custom\global.properties:

idm.keytab = C:/Windows/bosso.keytab

Open up the Tomcat Configuration, remove the “-Dcom.wedgetail.idm.sso.password=CLEARTEXTPASSWORD” line from the Java Options, restart Tomcat and make sure ‘credentials obtained’ still shows up in stderr.log.

Remove debug=true from the C:\Windows\bscLogin.conf file, and also remove the debugging line from the Java Options in the Tomcat Configuration.

Start Tomcat and check that SSO for BI Launchpad is working and lets you log in without entering credentials.
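
An added check, not part of this blog or of SAP's tooling: a Python script that parses the krb5.ini and global.properties files from the steps above (key names as the guide uses them; the sample inputs are constructed) and reports what a reviewer would still want fixed before and after the keytab switch: the clear-text password option, a missing idm.keytab, debug logging left on, and rc4-hmac still listed among the allowed encryption types.

```python
import re

WEAK_ENCTYPES = {"rc4-hmac", "des-cbc-crc", "des-cbc-md5"}  # not wanted in default_*_enctypes

def parse_properties(text):
    """Read 'key = value' lines from global.properties or krb5.ini; sections, braces and comments are skipped."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#[}" or line.endswith("{"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props

def audit_sso(krb5_ini, global_props, java_opts, bsclogin_conf):
    """Return hardening findings for the four artifacts the guide edits."""
    findings = []
    krb = parse_properties(krb5_ini)
    for key in ("default_tgs_enctypes", "default_tkt_enctypes"):
        listed = {e.strip() for e in krb.get(key, "").split(",") if e.strip()}
        weak = sorted(listed & WEAK_ENCTYPES)
        if weak:
            findings.append(f"{key} allows weak enctypes: {', '.join(weak)}")
    gp = parse_properties(global_props)
    if "-Dcom.wedgetail.idm.sso.password=" in java_opts:
        findings.append("service account password is in clear text in the Tomcat Java options")
    if not gp.get("idm.keytab"):
        findings.append("idm.keytab is not set in global.properties")
    if gp.get("idm.allowNTLM", "false").lower() != "false":
        findings.append("idm.allowNTLM is enabled")
    if "-Djcsi.kerberos.debug=true" in java_opts or re.search(r"debug\s*=\s*true", bsclogin_conf):
        findings.append("Kerberos debug logging is still enabled")
    return findings

# Constructed samples: the guide's intermediate state (password in Java options, debug on)
# and its end state (keytab configured, password and debug removed). The krb5.ini is unchanged.
KRB5_INI = """[libdefaults]
default_tgs_enctypes = rc4-hmac,aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96
default_tkt_enctypes = rc4-hmac,aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96
[realms]
DOMAIN.COM = {
kdc = DOMAINCONTROLLER.DOMAIN.COM
}
"""
GLOBAL_BEFORE = "sso.enabled = true\nvintela.enabled = true\nidm.princ = ServiceAccount\nidm.allowNTLM = false\n"
GLOBAL_AFTER = GLOBAL_BEFORE + "idm.keytab = C:/Windows/bosso.keytab\n"
OPTS_BEFORE = "-Dcom.wedgetail.idm.sso.password=CLEARTEXTPASSWORD -Djcsi.kerberos.debug=true"
BSC_BEFORE = "com.businessobjects.security.jgss.initiate {\ncom.sun.security.auth.module.Krb5LoginModule required debug = true;\n};"
BSC_AFTER = BSC_BEFORE.replace(" debug = true", "")
```

Run `audit_sso(KRB5_INI, GLOBAL_AFTER, "", BSC_AFTER)` against the finished configuration: the only findings left are the two rc4-hmac entries, which the guide's krb5.ini keeps even though the account is set to AES only.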

 

 

SSO for CMC

Reference SAP Notes:

2190831 - How to enable SSO for CMC in BI 4.1 SP6

2190487 - Is SSO for CMC supported in BI 4.1 with Vintela (AD SSO)?

Create “CmcApp.properties” at “X:\Program Files (x86)\SAP BusinessObjects\tomcat\webapps\BOE\WEB-INF\config\custom” and add the following to it using the Notepad editor:

cms.default = CMSHOST:PORT
authentication.visible = true
cms.visible = true
sso.supported.types = vintela, trustedIIS, trustedHeader, trustedParameter, trustedCookie, trustedSession, trustedUserPrincipal, trustedVintela, trustedX509, sapSSO, siteminder
sso.types.and.order = vintela
authentication.default = secWinAD

Note: For a non-SSO login to the CMC you can use the URL shown below:
http://HOST:PORT/BOE/CMC/logon.faces?skipSso=true

Open the CMC page of your BI server and it will allow you to log in without entering credentials.

I have used the reference document located at: Active Directory SSO for SAP BusinessObjects BI4

created by: joshua.fletcher2

Thank you for reading

Yogesh Patel

