
SAP BI 4.0 Analysis OLAP and Managing authentication and security

Former Member
0 Kudos

Hi all,

I defined an OLAP connection for accessing an MS SQL 2008 cube. I'd also like to manage security issues, like the correct visibility of data for specific users.

For example, I have a sales data cube containing information on different countries. I define an OLAP connection for that cube and I create an Analysis view of that data.

I want to manage data segregation (some users can only see data from Italy, other users can only see data from England, etc). I'm also reading some manuals and it seems I can't decide this kind of data segregation via SAP BO. Is that so? Do I have to manage these issues using MS SQL Server authentication and security, or is there a way to manage them with BO security as well?

Thanks all for the support!

Accepted Solutions (1)


I_MCA
Employee
0 Kudos

Hi G.Mare

Analysis OLAP honours the security rights defined in the SSAS cube and you must make use of this to control the data that is made available to individual users.

Analysis OLAP connects directly to the SSAS cube so the BO security ultimately only applies at the document/report level.

Tools that make use of the universe (e.g. Web Intelligence) can alternatively use the security profiles that Henry mentioned.

Regards

Ian

Former Member
0 Kudos

Hi Ian,

It was exactly my doubt. But if it is so, does it mean that all the security profiles I define using Security Profiles on IDT are not applied if a user defines an OLAP Analysis connecting with OLAP SSAS?

This consideration can open the following scenario:

- For using OLAP Analysis on SSAS cubes I have to define authorizations on the MS SQL Server platform

- For creating new reports on universes based on other sources I have to define authorization on IDT

And this can generate a double and potentially redundant security management. Is this all true?

Thanks a lot.

I_MCA
Employee
0 Kudos

Hi G. Mare

Yes, what you have said is true. But there is another option. You can define the security on the database sources and not the universe... then use SSO from the universe to connect to the sources. That way all tools could support the security model regardless if they use the universe or not. Of course this may also mean multiple security models if the datasources are all from different vendors.

Regards

Former Member
0 Kudos

Thanks a lot Ian. I think we will follow the last option you wrote.

Regards

Former Member
0 Kudos

What do we need to make SSO from SAP BI 4.0 Analysis Edition for OLAP work all the way to SQL Server 2008? I have selected SSO option from OLAP connections and my AD account is added on the Analysis Services cube but still I am getting "Login failed. Invalid user name or password."

The connection to the same server worked fine with BO 3.1 where we additionally needed to specify a SPN. Isn't this required anymore now that the connection is done with HTTP and Windows Authentication? Basic Authentication and typing in user name and password works fine. Should I investigate the problem on the IIS or BO server?

Henry_Banks
Product and Topic Expert
0 Kudos

Hi,

You should ideally create a new thread, as this one is solved already.

Your question is timely, there have been bugs around this. Here is a collection of notes I refer to:

  • 1688079 - Configuring Analysis Edition for OLAP for End-to-End SSO to MS SQL Server Analysis Services in BI4
  • 1743020 - Configuring Crystal Reports for Enterprise for SSO to MS Analysis Services
  • 1743085 - Unable to create an Analysis workspace with an SSO connection to MSAS, when IIS is on different server from MSAS
  • 1689702 - Failed to refresh a Web Intelligence report based on MSAS SSO Universe (UNX) in BI Launch Pad
  • 1689731 - Error "java.lang.SecurityException: Unable to locate a login configuration" when creating an Analysis workspace from a MSAS SSO connection
  • 1689744 - Error "Login failed. Invalid user or password." when creating an Analysis workspace from a MSAS SSO connection
  • 1743633 - Error: "Class not registered" when creating a Web Intelligence report based on MSAS SSO universe
  • 1687799 - Adaptive Processing Server command line arguments not accepted
  • 1689237 - Unable to connect to MS Analysis Services (MSAS) server from MS Excel via XMLA

However, there still is 1 further issue, where you can't create an SSO connection to MSAS in IDT, when IIS is on different server from MSAS.

Let me know.
Regards.

Henry

Former Member
0 Kudos

Hi Henry,

I tried to check some of the notes you mentioned, but from sap support portal it seems it's not possible. I go to notes and I see the message "Document is not released". Could you please tell me if you have the same problem and, in negative case, send me 1689744 note?

Thanks a lot for your support.

Henry_Banks
Product and Topic Expert
0 Kudos

Hi,

It is still being reviewed by the publisher.

Here is a copy paste:

Symptom

  • Error "Login failed. Invalid user or password."
  • Creating Analysis workspace using MSAS SSO connection fails

Environment

  • SAP Business Intelligence platform 4.0
  • Analysis Edition for OLAP Web 4.0

Reproducing the Issue

  1. Create a connection to MSAS using AD SSO authentication
  2. Log on to BI Launch Pad
  3. Create a new Analysis workspace using Analysis edition for OLAP
  4. Select the SSO connection
  5. Error "Login failed. Invalid user or password." pops up

Cause

There are several root causes for the error. Trace of the APS (Adaptive Processing Server) running the MDAS service narrows down the issue:

  • Trace: "com.crystaldecisions.sdk.plugin.authentication.secwinad.internal.SecWinADServerAction||SecWinADServerAction.run(): Failure unspecified at GSS-API level (Mechanism level: Specified version of key is not available (44))"
    • KVNO version mismatch between the keytab and the AD object
  • Trace: "com.crystaldecisions.sdk.plugin.authentication.ldap.internal.SecWinADAuthentication||Server logon failed. Could not load configuration file C:\!test\krb5.ini (The system cannot find the file specified)"
    • The APS failed to load the krb5.ini
  • Trace: "com.crystaldecisions.sdk.plugin.authentication.ldap.internal.SecWinADAuthentication||Server logon failed. Client not found in Kerberos database (6)"
    • No key found in the keytab for the principal set in parameter principal="" in the bscLogin.conf file under "com.businessobjects.security.jgss.accept {..."

Resolution

  • Configure Adaptive Processing Server for AD authentication according to KB 1688079

Regards, H
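
An added example, not part of the note or of any SAP tooling: a small triage script that maps the APS trace messages listed under Cause to the root causes the note gives. It assumes each trace line has the `class||message` shape quoted in this thread; the function names and sample lines are constructed here, and a code the note does not list (such as the 24 reported later in the thread) is flagged as not covered rather than guessed.

```python
import re
from collections import Counter

# Causes as the note states them, keyed by the Kerberos code that ends the trace line.
NOTE_CAUSES = {
    44: "KVNO mismatch between the keytab and the AD object",
    6: "no key in the keytab for the configured principal",
}
CODE_RE = re.compile(r"\((\d+)\)+\s*$")   # trailing "(44))" or "(6)"
INI_RE = re.compile(r"Could not load configuration file (\S+)")

def classify(line):
    """Return (cause, detail) for a SecWinAD trace line, or None for any other line."""
    source, sep, message = line.strip().partition("||")
    if not sep or "SecWinAD" not in source:
        return None
    ini = INI_RE.search(message)
    if ini:
        return ("APS failed to load krb5.ini", ini.group(1))
    code = CODE_RE.search(message)
    if code:
        number = int(code.group(1))
        return (NOTE_CAUSES.get(number, "Kerberos code not covered by the note"), number)
    return ("unclassified SecWinAD failure", None)

def triage(lines):
    """Count causes over a whole trace so the dominant failure stands out."""
    return Counter(hit[0] for hit in map(classify, lines) if hit)

PKG = "com.crystaldecisions.sdk.plugin.authentication."
# Constructed sample built from the messages quoted in this thread (assumed layout).
SAMPLE = [
    PKG + "secwinad.internal.SecWinADServerAction||SecWinADServerAction.run(): "
    "Failure unspecified at GSS-API level (Mechanism level: "
    "Specified version of key is not available (44))",
    PKG + "ldap.internal.SecWinADAuthentication||Server logon failed. Could not load "
    r"configuration file C:\!test\krb5.ini (The system cannot find the file specified)",
    PKG + "ldap.internal.SecWinADAuthentication||Server logon failed. "
    "Client not found in Kerberos database (6)",
    PKG + "ldap.internal.SecWinADAuthentication||Server logon failed. "
    "Pre-authentication information was invalid (24)",
    "com.businessobjects.multidimensional.services.server.transport.corba."
    "SessionServant||calling [Session] method [openCube] message [Unsupported SSO scenario.]",
]

if __name__ == "__main__":
    for cause, count in triage(SAMPLE).most_common():
        print(count, cause)
```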

Former Member
0 Kudos

Hi Henry,

I tried what is written in that note, but still my matter persists:

- When I try to manage connections through CMC (OLAP CONNECTIONS --> Edit Connection) and I try to connect to SSAS server, message is "Failed to get connections for connection.."

- When I try to create/use a connection via Information Design Tool and I click on "Test Connection", error "password must not be null or empty" arises

Any idea of that issue?

Thanks in advance

Former Member
0 Kudos

I followed the instructions in KB 1688079 and I have the new keytab and settings in place but still getting "Login failed. Invalid user name or password." in Analysis edition for OLAP. I changed MDAS server logging to High and it says "Unsupported SSO scenario" here:

com.businessobjects.multidimensional.services.server.transport.corba.SessionServant||calling [Session] method [openCube(ConnectionDescriptor connectionDescriptor, AuthenticationType authenticationType)] message [Unsupported SSO scenario.]
-- Context Info :
{
   "processid" : "10292@FIOLVAPP424",
   "threadid" : "Transport:Shared-3/10",
   "requestid" : "3",
   "object" : "Session",
   "method" : "openCube(ConnectionDescriptor connectionDescriptor, AuthenticationType authenticationType)"
}
-- type [GenericDescriptor] value [{
   "classType": "GenericDescriptor",
   "connectionName": "FIDO Production",
   "connectionDescription": "",
   "connectionType": "CUBE",
   "isDataSource": "true",
   "credentials":
   {
      "classType": "ConnectionCredentials",
      "username": "",
      "password": "[********]"
   },
   "super":
   {
      "classType": "ConnectionDescriptorBase",
      "providerName": "SSAS2008",
      "providerDescription": "",
      "serverName": "http://fiolsql274/olap/msmdpump.dll",
      "properties": [
         {"CONNECTION_ID": "CONNECTION_ID=Ab2l6F6vuHlHkG7aD51f8VI",
         {"CATALOG": "CATALOG=FidoASProduction",
         {"SERVERTYPE": "SERVERTYPE=SERVER",
         {"CUBE": "CUBE=FIDO",
         {"PROVIDER": "PROVIDER=SSAS2008",
         {"PROTOCOL": "PROTOCOL=XMLA",
         {"CATALOGPROPERTYNAME": "CATALOGPROPERTYNAME=CATALOG"]
   }
}]
-- type [AuthenticationType] value [SSO]

Also BI launch pad SSO works, but manual login with username and password with Windows AD authentication does not (neither to CMC anymore).

Any advice?

Former Member
0 Kudos

I checked the log and there is the following line:

com.crystaldecisions.sdk.plugin.authentication.ldap.internal.SecWinADAuthentication||Server logon failed. Pre-authentication information was invalid (24)

Former Member
0 Kudos

I checked the Tomcat log and every time a user logs in to BI Launch pad, the following message arises:

GRAVE: Servlet.service() for servlet equinoxbridgeservlet threw exception
java.lang.RuntimeException: java.lang.IllegalStateException
    at com.businessobjects.http.servlet.internal.BundlePathAwareServiceHandler.serviceHelper(BundlePathAwareServiceHandler.java:254)
    at com.businessobjects.http.servlet.internal.BundlePathAwareServiceHandler.service(BundlePathAwareServiceHandler.java:197)
    at com.businessobjects.http.servlet.internal.ProxyServlet.service(ProxyServlet.java:248)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:717)
    at org.eclipse.equinox.servletbridge.BridgeServlet.service(BridgeServlet.java:220)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:717)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
    at com.businessobjects.pinger.TimeoutManagerFilter.doFilter(TimeoutManagerFilter.java:159)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:298)
    at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:852)
    at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:588)
    at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:489)
    at java.lang.Thread.run(Thread.java:619)
Caused by: java.lang.IllegalStateException
    at org.apache.catalina.connector.ResponseFacade.sendError(ResponseFacade.java:421)
    at javax.servlet.http.HttpServletResponseWrapper.sendError(HttpServletResponseWrapper.java:118)
    at javax.servlet.http.HttpServletResponseWrapper.sendError(HttpServletResponseWrapper.java:118)
    at com.businessobjects.sdk.credential.WrappedServletResponse.sendError(WrappedServletResponse.java:30)
    at com.wedgetail.idm.sso.AbstractAuthenticator.writeAuthenticationChallenge(AbstractAuthenticator.java:1936)
    at com.wedgetail.idm.sso.MechChecker.authenticate(MechChecker.java:147)
    at com.wedgetail.idm.sso.AbstractAuthenticator.authenticate(AbstractAuthenticator.java:1444)
    at com.wedgetail.idm.sso.AbstractAuthenticator.checkAuthenticationOnly(AbstractAuthenticator.java:1330)
    at com.wedgetail.idm.sso.AbstractAuthenticator.checkAuthentication(AbstractAuthenticator.java:1139)
    at com.wedgetail.idm.sso.AuthFilter.doFilter(AuthFilter.java:148)
    at com.businessobjects.sdk.credential.WrappedResponseAuthFilter.doFilter(WrappedResponseAuthFilter.java:66)
    at com.businessobjects.http.servlet.internal.FilterRegistration.doFilter(FilterRegistration.java:72)
    at com.businessobjects.http.servlet.internal.filter.FilterChainImpl.doFilter(FilterChainImpl.java:43)
    at com.crystaldecisions.webapp.util.filter.ResponseEncodingFilter.doFilter(ResponseEncodingFilter.java:24)
    at com.businessobjects.http.servlet.internal.FilterRegistration.doFilter(FilterRegistration.java:72)
    at com.businessobjects.http.servlet.internal.filter.FilterChainImpl.doFilter(FilterChainImpl.java:43)
    at com.businessobjects.webutil.boetrustguard.BOETrustValidateFilter.doFilter(BOETrustValidateFilter.java:45)
    at com.businessobjects.http.servlet.internal.FilterRegistration.doFilter(FilterRegistration.java:72)
    at com.businessobjects.http.servlet.internal.filter.FilterChainImpl.doFilter(FilterChainImpl.java:43)
    at com.businessobjects.webutil.internal.filters.BrowserRenderingModeFilter.doFilter(BrowserRenderingModeFilter.java:20)
    at com.businessobjects.http.servlet.internal.FilterRegistration.doFilter(FilterRegistration.java:72)
    at com.businessobjects.http.servlet.internal.filter.FilterChainImpl.doFilter(FilterChainImpl.java:43)
    at com.businessobjects.webutil.boetrustguard.BOETrustPrepareFilter.doFilter(BOETrustPrepareFilter.java:32)
    at com.businessobjects.http.servlet.internal.FilterRegistration.doFilter(FilterRegistration.java:72)
    at com.businessobjects.http.servlet.internal.filter.FilterChainImpl.doFilter(FilterChainImpl.java:43)
    at com.businessobjects.swd.shared.tracelog.TraceLogScopeFilter.doFilter(TraceLogScopeFilter.java:38)
    at com.businessobjects.http.servlet.internal.FilterRegistration.doFilter(FilterRegistration.java:72)
    at com.businessobjects.http.servlet.internal.filter.FilterChainImpl.doFilter(FilterChainImpl.java:43)
    at com.businessobjects.sdk.actionfilter.WorkflowFilter.doFilter(WorkflowFilter.java:45)
    at com.businessobjects.http.servlet.internal.FilterRegistration.doFilter(FilterRegistration.java:72)
    at com.businessobjects.http.servlet.internal.filter.FilterChainImpl.doFilter(FilterChainImpl.java:43)
    at com.businessobjects.swd.appcontext.RequestInitFilter.doFilter(RequestInitFilter.java:26)
    at com.businessobjects.http.servlet.internal.FilterRegistration.doFilter(FilterRegistration.java:72)
    at com.businessobjects.http.servlet.internal.filter.FilterChainImpl.doFilter(FilterChainImpl.java:43)
    at com.businessobjects.http.servlet.internal.BundlePathAwareServiceHandler.serviceHelper(BundlePathAwareServiceHandler.java:235)
    ... 20 more

Answers (1)


Henry_Banks
Product and Topic Expert
0 Kudos

Hi,

Sure there is:

Business Security Profiles (what objects can be used in the query panel)

and Data Security Profiles (what result rows can be seen in a table).

Both of these are configurable from IDT, via the Security Editor.

Please consult the application's Help files and our Online documentation.

Regards,

Henry