More documents in BusinessObjects BI for SAPWhere is place located?
    Currently Being Moderated

    BusinessObjects 4.0 Single Sign On (SSO) with WIN AD

    created by Bashir Awan on Apr 3, 2012 2:49 PM, last modified by Bashir Awan on Apr 3, 2012 2:57 PM
    Version 1

    BusinessObjects 4.0 Single Sign On

    First thing first.

    Define server name and IP address.

    Run following commands to return server names and IPs.


    • Domain Name: DOMAIN (FQDN: DOMAIN.INTERNAL)
    • Service Account: biservice (password: Password1)
    • Domain Controller: adserver.DOMAIN.INTERNAL
    • BusinessObjects Server: <Your Server>.DOMAIN.INTERNAL
    • BusinessObjects AD Group: DOMAIN\UserGroup

     

    Step 1 

    Create an Active Directory service account, biservice (password: Password1). Make to set this user password never expire

    Add Domain/biservice user to local Administrators group and assign biservice user the right 'Act as part of Operating System' in the Local Security Policy snap-in


    Step 2

    In order to create appropriate Service Principal Names (SPNs), execute the following commands on Active Directory server:


    • setspn -a BICMS/biservice.domain.internal biservice
    • setspn -a HTTP/bi4server biservice
    • setspn -a HTTP/bi4server.domain.internal biservice


      Run ‘setspn -l biservice’to confirm SPNs have been created by running 

     

    Step 3

    Make sure to change the user config of ‘biservice’ user in Active Directory configuration, and under the Delegation tab, turn on ‘Trust this user for delegation to any service (Kerberos only)’.

     

    Step 4

    In Central Management Console CMC under AD Authentication area perform the following tasks.

    • AD Administration Name = DOMAIN\biservice
    • Default AD Domain: DOMAIN.INTERNAL
    • Add AD Group: DOMAIN\UserGroup
    • Use Kerberos Authentication
    • Service principal name = BICMS/biservice.domain.internal
    • Enable Single Sign On for selected authentication mode

      Hit Save to save all your entries. Also make sure to check under the Groups area to make sure your AD group has been added. 

     

    Step 5

    Modify the Server Intelligence Agent (SIA) process on the BusinessObjects server to run as the DOMAIN\biservice user.

    1. Stop SIA
    2. RMC on SIA and Properties
    3. Go to configuration
    4. Under Log on as enter your credential
    5. User: DOMAIN\biservice and password
    6. Click OK and start the service

     

    Step 6

    Here we can test this by logging into Web Intelligence Rich Client using an AD user who is part of the group. Single Sign On (SSO) should take place once you select ‘Windows AD’ authentication and click OK (There is no need to input your username or password).

     

    Step 7

    Now it is turn to create a file called ‘bscLogin.conf’. Save this file to C:\Windows\ directory on the BusinessObjects server, and put the following content into it using Notepad:


    com.businessobjects.security.jgss.initiate {

    com.sun.security.auth.module.Krb5LoginModule required debug=true;

    };


    We are not done yet. Create another file called ‘krb5.ini’. Save this file to C:\Windows\ directory, and put the following content into it using Notepad:

     

    [libdefaults]

    default_realm = DOMAIN.INTERNAL

    dns_lookup_kdc = true

    dns_lookup_realm = true

    default_tgs_enctypes = rc4-hmac

    default_tkt_enctypes = rc4-hmac

    udp_preference_limit = 1

    [realms]

    1. DOMAIN.INTERNAL ={

    kdc = ADSERVER.DOMAIN.INTERNAL

    default_domain = DOMAIN.INTERNAL

    }


    Make sure this file is save correctly by navigating to E:\Program Files (x86)\SAP BusinessObjects\SAP BusinessObjects Enterprise XI 4.0\win64_x64\jdk\bin\ folder on the BusinessObjects server, and execute ‘kinit biservice’ in a command prompt. If a new ticket is stored, the file is correct.

     

    Step 8

    Here are we now on BOBJ Server.

    Stop Tomcat. Modify the BI Launch Pad’s .properties file to reveal the authentication dropdown. Navigate to E:\Program Files (x86)\SAP BusinessObjects\Tomcat6\webapps\BOE\WEB-INF\custom and create a file called ‘BIlaunchpad.properties’ with the following text:


    authentication.visible=true

    authentication.default=secWinAD


    Open up the Tomcat Options, and add the following lines to the Tomcat Java Options:

    1. Start > Tomcat > Tomcat Configuration
    2. Go to Java Tab
    3. Enter the following code under Java Option at the end or previously entered commands (Don’t delete previous commands
    4. Click Apply

    -Djava.security.auth.login.config=c:\windows\bscLogin.conf

    -Djava.security.krb5.conf=c:\windows\krb5.ini

    Once you are done there, Start Tomcat and do a manual logon to BusinessObjects, and check Tomcat trace logs for a ‘commit succeeded’.

     

    Step 9

    Stop Tomcat. Modify E:\Program Files (x86)\SAP BusinessObjects\Tomcat6\conf\server.xml, by adding ‘maxHttpHeaderSize=”65536″‘ in Connector Port 8080 tag.

    Navigate to E:\Program Files (x86)\SAP BusinessObjects\Tomcat6\webapps\BOE\WEB-INF\config\custom and create a file called ‘global.properties’ with the following text:


    sso.enabled=true

    siteminder.enabled=false

    vintela.enabled=true

    idm.realm=DOMAIN.INTERNAL

    idm.princ=biservice

    idm.allowUnsecured=true

    idm.allowNTLM=false

    idm.logger.name=simple

    idm.logger.props=error-log.properties


    Open Tomcat Options Add the following lines to Tomcat Java Options:

    -Dcom.wedgetail.idm.sso.password=Password1

    -Djcsi.kerberos.debug=true

    Delete logs in E:\Program Files (x86)\SAP BusinessObjects\Tomcat6\logs\ and C:\SBOPWebapp_BIlaunchpad_IP_PORT\.

    Start Tomcat, go to E:\Program Files (x86)\SAP BusinessObjects\Tomcat6\logs\, check stdout.log has ‘credentials obtained’ shown.

    Test silent single sign on is now working in a browser (not on the BusinessObjects server).

     

    Step 10

    Copy BIlaunchpad.properties and global.properties from E:\Program Files (x86)\SAP BusinessObjects\Tomcat6\webapps\BOE\WEB-INF\config\custom to E:\Program Files (x86)\SAP BusinessObjects\SAP BusinessObjects Enterprise XI 4.0\warfiles\webapps\BOE\WEB-INF\config\custom so that patches don’t overwrite them and SSO stops working.

     

    Step 11

    Create a keytab on the AD server by running the following command:

    ktpass -out bosso.keytab -princ biservice@DOMAIN.INTERNAL -pass Password1 -kvno 255 -ptype KRB5_NT_PRINCIPAL -crypto RC4-HMAC-NT

    Copy this file to c:\windows of BOBJ server.

    Stop Tomcat.

    Add the following line to E:\Program Files (x86)\SAP BusinessObjects\Tomcat6\webapps\BOE\WEB-INF\config\custom\global.properties

    1. idm.keytab=C:/WINDOWS/bosso.keytab

    Open Tomcat Configuration, remove the Wedgetail line in Java Options, restart tomcat and make sure ‘credentials obtained’ still showing up in stdout.log.

    Now check silent single sign on.

     

    Step 12

    Remove debug=true from the C:\windows\bscLogin.conf file, and also remove the debugging line in Tomcat Configuration, Java Options.

    1. Stop Tomcat
    2. RMC on Tomcat and click Properties
    3. Go to Java tab
    4. Remove debug = true from there

    Conclusion

    I hope these steps will give a bird's eye view to know how to setup SSO in WIN AD environment with BusinessObjects 4.0

    Don’t forget to look at SAP note 1631734. SAP notes contain troubleshooting help for each given step.


     

    Bashir Awan

    Comments

    Delete Document

    Are you sure you want to delete this document?

    Actions

    Incoming Links