BusinessObjects Single Sign On issues( Windows AD)

mohammed fasiur rahman May 17, 2012 12:40 PM

Currently Being Moderated

Hi friends,

As we have BOXI3.1 SP2 integrated with Windows Active directory for single sign on.

As our client changed password at Windows AD level but it is not updated in BusinessObjects.When they are trying to login not happening .

Could you please share your experience in solving this issue.

Activities done

1) I refered the admin document it shows only initial configuration details but not the process related to password change .....like if there is any change in password at windows AD side. what the action has to be taken at BO side

2) I refer the configuration details in CMC level 'Athentication' option I found '' SYNCRONYZATION OF CREDENTIALS'' it was enabled it shows it will update the users datsource credentials & synchronise the current credentials at logon time .

Hence my doubt is do we have to make any work around at BO side or do i suggest the client its a problem of Windows AD side

Please suggest

Thanks & Regards

Re: BusinessObjects Single Sign On issues( Windows AD)

Vikram Veeranagari May 17, 2012 3:18 PM (in response to mohammed fasiur rahman)

Currently Being Moderated

Hello Mohammed,

Are you using SSO to the Database as well?
Synchronization of credentials is not used for SSO to Infoview.

Was the service account's (i.e., the account running BO services) password changed?
If that is the case then there are two places where this should be updated:

1.)Stop SIA>Right click and go to properties and update the password for the account.

Note: At this point AD logins to thick clients and CMC should start working.

2.)For SSO to work you will either need a keytab or the following switch in the Web application server JVM options: -Dcom.wedgetail.idm.sso.password= <your service account password>

If you are using the former you will have to create keytab again and for the latter, modify it to contain the new password.

Also what happens when you hit update in the windows AD page: CMC>Authentication>Windows AD
Does that update fine or throw an error. If it throws an error stating administrator's credentials couldn't be verified you will have to make sure the AD administrator's credentials are corrected as well.

Cheers,
Vikram.V
Report Abuse

Like (0)
- Re: BusinessObjects Single Sign On issues( Windows AD)
  
  mohammed fasiur rahman May 18, 2012 6:20 AM (in response to Vikram Veeranagari)
  
  Currently Being Moderated
  
  Thanks vikram
  
  Thanks for your valuable input,
  one thing I couldn't understand is
  
  For SSO to work you will either need a keytab ?
  
  what this Keytab allabout ?and regarding web app server we are using TOMCAT.
  
  Thanks in advance
  Regards
  Fasi
  
  Report Abuse
  
  Like (0)
  - Re: BusinessObjects Single Sign On issues( Windows AD)
    
    Deepak Mishra May 18, 2012 4:05 PM (in response to mohammed fasiur rahman)
    
    Currently Being Moderated
    
    Hi Mohammed,
    
    We use keytab to Encrypt service account password. If you using keytab than you can see below lines in your web.xml file for InfoViewApp:
    
    <init-param>
    <param-name>idm.keytab</param-name>
    <param-value>c:\winnt\vinsso.keytab</param-value>
    </init-param>
    
    You need to re-generate the the keytab file and place in the appropriate location as mentioned in your web.xml file with the new password.
    
    And if you not using the keytab file than as said by Vikram, you have to update your password under Java option for your Tomcat.
    -Dcom.wedgetail.idm.sso.password= <your service account password>
    
    Hope it will help you.
    
    Regards,
    Deepak
    
    Report Abuse
    
    Like (0)
    - Re: BusinessObjects Single Sign On issues( Windows AD)
      
      Carlos Alberto May 21, 2012 3:20 PM (in response to Deepak Mishra)
      
      Currently Being Moderated
      
      Hi Deepak,
      
      Do I get it right that in the string
      
      -Dcom.wedgetail.idm.sso.password= <your service account password>
      
      in the Tomcat java options the password is typed after the = sign? a lot of documentation doesn't say that you should replace the word password with your own password although it might seem obvious:
      
      -Dcom.wedgetail.idm.sso.password=password
      
      Regards,
      Carlos
      
      Report Abuse
      
      Like (0)
      - Re: BusinessObjects Single Sign On issues( Windows AD)
        
        Vikram Veeranagari May 21, 2012 3:30 PM (in response to Carlos Alberto)
        
        Currently Being Moderated
        
        Yes Carlos, that is correct.
        
        let's assume the password for the account being used for SSO is XYZ, then this is how the switch should look:
        
        -Dcom.wedgetail.idm.sso.password=XYZ
        
        Cheers,
        Vikram.V
        
        Report Abuse
        
        Like (0)

Go to original post