Hi All,
this is my environment:
- BOXI 3.1 SP2 on Win 2003 Server
- Web application deployed on Tomcat 5.5.20
- SAP Integration Kit SP2
- SAP GUI 7.10 patch 13
- SAP Java Connector 2.1.8
Due to customer restrictions, to obtain Web SSO, Infoview is configured for trusted authentication.
So Vintela is NOT configured and BO Enterprise aliases are pre-loaded with random passwords.
I have also configured the WinAD plug-in to permit WinAD authentication for the client tools (Designer, DeskI).
At the end I have installed and configured the SAP KIT.
At this point, each BO user has 3 aliases: Enterprise, WinAD and SAP.
The question is: in this scenario (with Web SSO obtained by trusted authentication instead of Vintela/WinAD authentication) can I configure SNC client authentication in order to obtain end-to-end SSO?
Thanks in advance,
Enrico
Hi Enrico,
from your SAP landscape - what will be the initial user authentication for the reporting aspect?
ingo
Initial auth should be WinAD, but since Infoview is configured for trusted authentication we don't inherit the Kerberos token from the browser.
but then you are using Windows AD as the leading authentication - correct?
and you want to use Windows AD on the client side and still achieve SSO? If so we are talking about SNC here.
ingo
but then you are using Windows AD as the leading authentication - correct?
Not exactly. From the web point of view the leading authentication is Trusted Authentication.
A customer layer puts into the HTTP header a variable agreed with me. This variable contains the AccountName.
An offline process creates Enterprise aliases with a RANDOM password, so nobody knows how to log in with Enterprise credentials.
The Web SSO is then obtained simply by configuring trusted authentication, without any Kerberos tickets or Vintela configuration.
The WinAD and SAP plug-ins are also configured: the first one for client tool logon (Designer) and the second one to go to BW.
So, each BO user has 3 aliases:
- 1 Enterprise (used by Web SSO / Trusted Authentication)
- 1 WinAD (used by client tool login / WinAD authentication)
- 1 SAP
and you want to use Windows AD on the client side and still achieve SSO? If so we are talking about SNC here.
Yes. From the client perspective (Designer) users log in with WinAD authentication. So I still need SSO.
I hope I have been clearer.
Hi,
so which authentication are you using then to authenticate the user towards your BOE system? Enterprise?
that wouldn't give you SSO to your SAP system.
ingo
I feared this answer.
... but the problem is that I can use Vintela because it is not recognized by the customer's security policy.
So... if I use WinAD authentication with SiteMinder (p. 551 of the BOE Administrator's Guide) and I configure WinAD to use Kerberos, can I achieve Web SSO from Infoview to SAP BW?
Edited by: Enrico Acchioni on Oct 7, 2009 11:15 PM
Hi,
well....... Windows AD doesn't necessarily give you access to the SAP systems. That is why there is something called SNC, where you can combine, for example, Windows AD with SAP authentication.
How is this done today in the SAP landscape?
Ingo
Hi,
in the previous post there is a mistake... of course I meant to say:
- the problem is that I can NOT use Vintela because it is not recognized by customer's security policy!
Anyway... this is the SAP landscape:
OS: IBM AIX
BW: Release 701 (7.0 EHP1) SPS4 (Support Package Stack 4)
SNC: active and configured with kerberos (GSSAPI library provided by IBM)
SAP GUI SSO: active
WSSO SAP (Java): active (with SPNego)
Now, since I cannot use Vintela, I must find a solution to get SSO.
Considering the current SAP landscape, if (in XI 3.1) I use WinAD authentication with SiteMinder (p. 551 of the BOE Administrator's Guide) and I configure WinAD to use Kerberos, can I achieve Web SSO from Infoview to SAP BW?
Thanks,
Enrico
Hi,
yes - by configuring the BusinessObjects system also for SNC using the existing implementation.
take a look here:
SNC Part 1
/people/ingo.hilgefort/blog/2009/07/03/businessobjects-enterprise-and-client-side-snc-part-1-of-2
SNC Part 2
/people/ingo.hilgefort/blog/2009/07/03/businessobjects-enterprise-and-client-side-snc-part-2-of-2
ingo
I got a temporary exemption for the use of Vintela.
So I have successfully configured the Web SSO with Vintela / WinAD with Kerberos.
Then I applied the step-by-step instructions in the posts you specified, with the only difference that the SAP landscape was already properly configured (SNC active and configured with Kerberos - GSSAPI library provided by IBM).
Now, I am stalled at step 9 (Enter the SNC account name in the field SNC NAME without any password. All other values should already be filled with the values you entered during the initial configuration) of BusinessObjects Enterprise and client side SNC Part 2 of 2.
In fact, after specifying the SNC Name and selecting the tab Role Import, the system returns the error Incomplete logon data, and if I try to log in to Infoview the procedure hangs. This happens even though the user is correctly configured in the SAP system with a Kerberos SNC name in SU01, and SNC SSO with SAPGUI with the same user from the BOXI server works fine.
The strange thing is that, removing the SNC Name and re-entering the user password (but leaving the SNC0 part for the user with which the SIA server is starting, of course), end-to-end SSO works properly for reports refreshed on demand, and the tab Role Import (CMC) works properly too.
What's the matter? Where am I wrong?
Enrico
From an enterprise perspective Vintela is Kerberos (SiteMinder trusted auth is not), and saying you have to use trusted auth because Vintela does not pass a security policy is like saying I cannot keep my valuables in a safe (Vintela) because someone might figure out the combination, so I'm going to just leave them out in the open and pass out maps & directions (trusted authentication).
Trusted auth was created for compatibility, not security. If you are interested in security you must SSL the communications and force IP restrictions for your trusted source (SiteMinder). Both require 3rd party (non-BO) solutions to accomplish.
Regards,
Tim
and saying you have to use trusted auth because Vintela does not pass a security policy is like saying I cannot keep my valuables in a safe (Vintela) because someone might figure out the combination, so I'm going to just leave them out in the open and pass out maps & directions (trusted authentication)
Trusted auth was created for compatibility, not security. If you are interested in security you must SSL the communications and force IP restrictions for your trusted source (SiteMinder). Both require 3rd party (non-BO) solutions to accomplish.
I agree with you, but the current architecture is more complicated than I have described and also includes a 3rd party component (customer-specific security URL protector), IP restrictions and SSL.
I have not described these things because from the BOXI perspective the entry point is trusted authentication, and I wanted to know whether in this way I could get SSO to SAP BW.
Now it is clear that I can't (in this way).
From an enterprise perspective Vintela is Kerberos (SiteMinder trusted auth is not)
What does this mean? It means that if I configure SiteMinder I cannot use Kerberos?
In the BusinessObjects Enterprise Administrator's Guide, Chapter 12 Configuring Third-Party Authentication - Authentication Using AD - Using AD with SiteMinder (p. 551), it is written: You can use SiteMinder with NTLM or Kerberos.
Enrico
> Enrico Acchioni wrote: What does this mean? It means that if I configure SiteMinder I cannot use Kerberos?
> In the BusinessObjects Enterprise Administrator's Guide, Chapter 12 Configuring Third-Party Authentication - Authentication Using AD - Using AD with SiteMinder (p. 551), it is written: You can use SiteMinder with NTLM or Kerberos.
> Enrico
Correct, you can have SiteMinder use Kerberos, but if using trusted authentication (with BO) this logs users on via username and shared secret (in your case it matches the username via AD); there is no negotiation, and thus no Kerberos (SPNEGO) on your access to BO.
In regards to your SNC post I'll let Ingo address that as I'm still new to setting this up. I've seen several customers report that they cannot use Kerberos for security reasons and use TA instead. I just wanted to comment on this, as TA was designed for customers that don't have the technical ability to use Kerberos (CMS on Unix/Linux or no AD) and is far less secure by default. From an SNC perspective I don't think it matters if you use Kerberos or TA on the front end if in both cases you use AD.
Regards,
Tim
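Tim's point about trusted authentication is easier to see in code. The following is an added example written for this page; it is not code from the thread, from BusinessObjects, SiteMinder or any SAP product. It contrasts a hypothetical web tier that logs a user on from the AccountName header as-is with one that additionally requires TLS, an allow-listed source address and a shared secret, which is what "SSL the communications and force IP restrictions for your trusted source" amounts to. The header names, network, secret and user names are constructed for the example.

```python
import hmac
import ipaddress
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed settings (assumptions for this example, not product defaults).
USER_HEADER = "X-Trusted-User"      # where the front-end layer puts the AccountName
SECRET_HEADER = "X-Trusted-Secret"  # carries the shared secret on every request
SHARED_SECRET = b"example-shared-secret-not-a-real-value"
TRUSTED_SOURCES = [ipaddress.ip_network("10.0.5.0/24")]  # the SiteMinder/proxy hosts only
ACCOUNT_RE = re.compile(r"^[A-Za-z0-9._-]{1,64}$")       # sane AccountName shape


@dataclass
class Request:
    """Minimal stand-in for an inbound HTTP request (constructed for the example)."""
    remote_addr: str
    is_tls: bool
    headers: dict = field(default_factory=dict)


def naive_trusted_logon(req: Request) -> Optional[str]:
    """Weak configuration: the asserted AccountName is accepted from any caller.
    Anyone who can reach the web tier and set the header becomes that account."""
    user = req.headers.get(USER_HEADER, "").strip()
    return user or None


def hardened_trusted_logon(req: Request) -> Optional[str]:
    """Accept the asserted AccountName only when the request arrived over TLS,
    from an allow-listed trusted source, and carries the correct shared secret."""
    if not req.is_tls:
        return None                                   # identity must not travel in clear
    addr = ipaddress.ip_address(req.remote_addr)
    if not any(addr in net for net in TRUSTED_SOURCES):
        return None                                   # not the trusted front-end tier
    presented = req.headers.get(SECRET_HEADER, "").encode()
    if not hmac.compare_digest(presented, SHARED_SECRET):
        return None                                   # constant-time secret check
    user = req.headers.get(USER_HEADER, "").strip()
    if not ACCOUNT_RE.match(user):
        return None                                   # reject empty or malformed names
    return user


# Constructed sample requests: one from the trusted tier, one from an
# unrelated address, one from the trusted tier but over plain HTTP,
# and one from the trusted tier with a wrong secret.
LEGIT = Request("10.0.5.10", True,
                {USER_HEADER: "jdoe", SECRET_HEADER: SHARED_SECRET.decode()})
OUTSIDER = Request("192.0.2.44", True, {USER_HEADER: "boadmin"})
PLAINTEXT = Request("10.0.5.10", False,
                    {USER_HEADER: "jdoe", SECRET_HEADER: SHARED_SECRET.decode()})
WRONG_SECRET = Request("10.0.5.10", True,
                       {USER_HEADER: "jdoe", SECRET_HEADER: "guess"})


def demo() -> dict:
    """Run both checks over the sample requests; returns the logon decisions."""
    return {
        "naive_legit": naive_trusted_logon(LEGIT),
        "naive_outsider": naive_trusted_logon(OUTSIDER),
        "hardened_legit": hardened_trusted_logon(LEGIT),
        "hardened_outsider": hardened_trusted_logon(OUTSIDER),
        "hardened_plaintext": hardened_trusted_logon(PLAINTEXT),
        "hardened_wrong_secret": hardened_trusted_logon(WRONG_SECRET),
    }


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name}: {decision}")
```

The naive check logs the outsider on as whatever name it wrote into the header, which is the "maps & directions" situation in Tim's analogy; the hardened check still has no Kerberos in it, so it does not change the SNC question, but it confines the header-based identity assertion to the trusted source over an encrypted channel.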
Hi,
which steps of the SNC configuration did you do already?
ingo
Hi Ingo,
we performed all steps of blog #1 and up to step 9 of blog #2.
Since step 9 does not work, we temporarily left username/password in the Entitlement Server section of the CMC console and we mapped AD users to SAP users, so we could get "on demand refresh" for reports working correctly with client SSO.
Now we want to complete step 9 too, using SNC and not a username/password combination, since we are afraid scheduled reports won't work correctly without this part configured with SNC as well.
Enrico
Hi,
so SSO for on-demand viewing works?
Did you configure the BusinessObjects services to run under the domain account?
ingo
so SSO for on-demand viewing works?
Yes, but it works only if I set username/password explicitly, while in your blog you show that the connection in the "Entitlement System" section should also work via SNC.
Did you configure the BusinessObjects services to run under the domain account?
Yes, and this is the user we have both configured in SNC0 and are trying to use in the "Entitlement Systems" section (any other user we try gives us a GSSAPI error instead of simply the "Incorrect logon data" error).
To be sure, we have also configured this user in SU01; the proof is that we can log in with SNC SSO in SAPGUI (on the BOE server) with it.
- so you did configure SU01 and SNC0?
- did you configure the SNC options in the CMC?
- are you able to import roles with the SNC items configured in the SAP Authentication in the CMC?
Ingo
so you did configure SU01 and SNC0?
Yes.
did you configure the SNC options in the CMC?
Yes. The only field not specified (blank) is the SNC name of the Enterprise system.
are you able to import roles with the SNC items configured in the SAP Authentication in the CMC?
Yes, but only if I set username and password instead of the SNC name. If I use the SNC name (as you suggest in point 9 of blog #2) I get the Incomplete logon data error, and if I try to log in to Infoview (configured for SSO with Vintela and WinAD), the login procedure hangs.
Any idea?
Hi,
you need to enter the SNC name as well. You cannot leave the SNC name empty.
ingo
Hi Ingo,
I'll try as soon as possible. At this moment I'm not at customer site.
Enrico
Hello Ingo,
I am working with Enrico on the same problem (Enrico works on the BOXI side and I work on the BW side - I am the one who has set up SNC on the BW machine).
I'll try to clarify further: if we insert the SNC name as you suggest, we hit the Incomplete Logon Data error. This is why we have left user and password: this temporary configuration enables at least on-demand SSO to work until our next test.
So our concern now is: we have already tested your last suggestion, and we get this nonsense "Incomplete Logon Data" error. Is there anything we are missing, in your opinion?
Kind regards,
Sandro
Hi,
SNC is tricky, in that the easiest way is to go through every single step again and ensure you always use the same values - which are case sensitive!
Go through all the steps involved and make sure all the items are done correctly.
ingo
Hello Ingo,
done it. Again, we are stuck on the same step (9 of part 2 of your blog) as before.
It seems that, despite the configuration, the Kerberos ticket is not passed to the SAP BW system... and we do not have a case problem, since if the case is wrong the SNC error is far worse than simply "Incomplete logon data".
Any further suggestion?
Best regards,
Sandro
Hi Sandro,
so when you are at step 9, did you configure the user in SU01 with the SNC account?
can you log on via SNC using SAP GUI?
Ingo
Hi Ingo, Yes to both questions.
Sandro
Hi,
which BusinessObjects services have been started using these credentials?
Ingo
Hi Ingo,
to be sure, we configured all BOXI services to be started with these credentials.
The SNC logon test with SAPGUI was performed while logged on interactively to the BOXI server with the same credentials - to be certain that the thing works on that server.
Sandro
Hi,
so which services in the Central Configuration Manager did you configure to be started under this account?
Ingo
Hi,
all BOXI services start under the service account. Tomcat also starts under the same service account.
Enrico
hi,
so you want to configure client and server side SNC at the same time?
which SNC library are you using?
I assume the following steps have been done:
- SAP system is configured for SNC
- BOE system has SNC Libs and path settings
- BOE runs under a domain account
- domain account has been configured in SU01 with SNC items
- SNC0 has been used to add the SNC item
Ingo
Hi Ingo,
of course yes, we need both server and client SNC, as per your blog.
On the BOXI server we are using the SAP standard Kerberos GSS-API V2 library, i.e. gsskrb5.dll.
Things are a bit more complicated on the AIX server; the GSSAPI call from the AIX 64-bit kernel is not just pointing to the file.
To be short, on the AIX BW instance we have:
snc/gssapi_lib = /usr/lib/libgssapi_krb5.a(libgssapi_krb5.a.so)
Anyway, SAPGUI and Excel BEx SNC work fine, so being on AIX is not a problem for us.
All steps you mention:
- SAP system is configured for SNC
- BOE system has SNC Libs and path settings
- BOE runs under a domain account
- domain account has been configured in SU01 with SNC items
- SNC0 has been used to add the SNC item
have been done.
Any suggestion? Are you sure that the NTLM configuration and the Kerberos configuration work in the same way?
Kind regards,
Sandro
Hi,
ok - could you send some screenshots from the CMC / SNC configuration?
in SNC0, which items did you configure? RFC and Ext ID?
the "conceptual" items in terms of configuration are the same on the NTLM / Kerberos part.
ingo
Hi Ingo,
the matter goes far deeper than we were thinking while working in a heterogeneous landscape; we have solved nearly all problems by ourselves and we'll let you know as soon as we have a truly stable situation.
But the message is: it works.
Hi,
sure it works. The main question is always what the main entry point for the authentication will be, and then you can work from there.
ingo
Hi Sandro,
could you post the steps that you did?
thanks
Ingo
Hello Ingo,
sorry for replying so late. We are working on detailed documentation to complement the current one, in order to enable people to manage pre-existing SNC scenarios in complex heterogeneous environments, such as the one we have dealt with, but we are still at the draft stage with the Italian version...
The trick is basically to treat every end user as a "trusted system" in the BW server, that is, to insert it in SNC0.
This still leaves the CMS SNC configuration unsolved (we are using username and password for the CMS), but this is acceptable in our scenario.
Sandro
Hi,
which SNC library are you using?
and treating each user as "trusted" sounds a little bit strange.
Ingo
Hello Ingo,
as you can check in previous posts, on AIX we are using the GSSAPI V2 library from IBM NAS for AIX 5.3, and on the win32 platform we are of course using the standard SAP-delivered GSSAPI V2 DLL for Kerberos.
Sure, you're right, treating users as trusted systems sounds quite strange, but this awkward solution nevertheless has a good point... it works fine.
And since, as far as we know, there is no valid documentation to deal with this...
Kind regards,
Sandro
Hi,
SNC is there to - as one option - consolidate the user accounts with Windows AD and SAP, which then involves the user mapping. Treating every single user as a "trusted" user in SNC0 is not required when using Kerberos. The configuration is much easier.
Ingo