Configure CMC with Windows AD Authentication and BI 4.0 SP04 Patch 4

former_member326231

We set up SSO with Windows AD on our BO 4.0 SP4 Patch 4 by following this blog:
http://scn.sap.com/blogs/josh_fletcher/2012/06/11/active-directory-sso-for-sap-businessobjects-bi4?u...
Users can log in to BI Launch Pad without typing a user name and password.
But SSO is not working for the CMC. Users have to input their ID and password to log in to the CMC.
If the users are not in the default domain, they need to log in with ID + "domain name".
My questions are:
1. According to Note 1243521 - Can I configure Single Sign-On (SSO) for the Central Management Console (CMC)?
Does the CMC not support SSO? Do users always need to log in with their Windows AD account manually? Is there no way to configure the CMC to behave like BI Launch Pad,
so that users don't need to enter their ID and password to log in?

2. Is there any way to configure SSO so that users who are not in the default domain can log in with just their user ID, not the ID with the domain name?
For example: my default domain in krb5.ini is A.COM.TW, and userB is in B.A.COM.TW. When he logs in to the CMC with ID = userB, he gets a message
asking him to log in with UserName@DNS_DomainName.
The system also generates a log:
username: userB@A.COM.TW
Acquire TGT using AS Exchange
[Krb5LoginModule] authentication failed
Client not found in Kerberos database (6)

But userB can log in with ID = userB@B.A.COM.TW successfully.
It seems that all the users not in the default domain have to enter their user name + domain name as their login ID. Is this correct?


The following is our krb5.ini
====================================
[libdefaults]
default_realm = A.COM.TW
dns_lookup_kdc = true
dns_lookup_realm = true
default_tgs_enctypes = rc4-hmac
default_tkt_enctypes = rc4-hmac
udp_preference_limit = 1

[realms]
A.COM.TW = {
kdc = DC1.A.COM.TW
kdc = DC1.B.A.COM.TW
default_domain = A.COM.TW
}
B.A.COM.TW = {
kdc = DC1.B.A.COM.TW
default_domain = A.COM.TW
}


[capaths]
B.A.COM.TW = {
     A.COM.TW = .
  }
A.COM.TW = {
     B.A.COM.TW = .
  }
============================

Please advise.
Jeff

Accepted Solutions (0)

Answers (5)

BasicTek

In case anyone else runs across this thread, use KBA 2190831 - How to enable SSO for CMC in BI 4.1 SP6.

Former Member

Thank you, Tim. The KBA you mentioned above works like a charm for BI 4.1 SP7.

BasicTek

Hi Jeff, we have 3 primary ways to authenticate with AD.

#1, the most popular, is SSO. We use a 3rd-party library formerly known as Vintela to allow this. Vintela is integrated with BI Launch Pad, OpenDocument and dswsbobje, but not the CMC, as for the most part our customers do not need or want SSO for the administrator functions. This would be a good issue to raise in Idea Place (if not already), but I wouldn't expect a change.

#2 is manual AD, which uses the Java SDK installed with our product. In this case DNS is not used and AD is maintained manually via the bsclogin and krb5.ini. Due to how the krb5.ini works, each DC (KDC) must be found based on the value placed after the @ when logging in. Due to this limitation, if your users are not in the default domain (which will append the @DOMAIN.COM automatically if nothing is entered), the users from other domains must enter their login name in user@DOMAIN.COM format, or else Java won't know which domain the users are from. Some day I'd hope the Java SDK will support the typical AD format domain\user to make this easier, but last I tested it still does not. You can verify this with a kinit test, which only tests the krb5.ini and Java SDK outside the BI product.

#3, and a possibility to make this easier for you, is to use the LDAP plugin to connect to AD. If all domains are in the same forest/tree, you can map in groups using the global catalog, and as long as no users are duplicated across domains (joe@domain1, joe@domain2) you can log in via username only. You can use the AD plugin for regular users and LDAP for your admins to log in to the CMC (and possibly to perform other functions such as LCM, which also doesn't support Vintela SSO). See KBA 1245218 (logged in to SMP) for details.

Most of this info was posted by the previous respondents, but I wanted everyone to understand the whole picture...

Regards,

Tim

NestleCH

Hi Tim / All,

Do you know if SSO for the CMC was implemented or is intended to be implemented? As passwords get longer and more complex, this is becoming a higher priority for BO administrators.

BasicTek

I heard it was added in BI 4.1 SP6, but I have not set it up yet to confirm. In the past we have heard similar and when tested it did not work. The 4.1 configuration should be the same as BI Launch Pad or OpenDoc, so if you have SP6 it should be easy enough to try.

Regards,

Tim

Pavan_Golesar

Hello Tim,


Thanks for sharing,

Can you help?

https://scn.sap.com/thread/3803643

Regards,

Pavan Golesar

BasicTek

Hi Pavan,

I work with the BI product suite; I do not know what the ECC/NetWeaver options are.

Regards,

Tim

Former Member

Hi Kevin,

The SSO option for the BI CMC was added in 4.1 SP6 and we were able to configure it successfully.

Create a blank CmcApp.properties and place it in the custom folder with your global.properties and BI Launch Pad properties.

Then you need to ensure the following settings are in place:

  • sso.types.and.order = chosen SSO method
  • sso.supported.types = chosen SSO method

Below is a sample file enabling Vintela SSO:

cms.default= CMS_NAME:6400
authentication.visible = true
cms.visible=true
sso.supported.types=vintela, trustedIS, trustedHeader, trustedParameter, trustedCookie,trustedSession,trustedUserPrincipal,trustedVintela,trustedX509,sapSSO,siteminder
authentication.default=secWinAD

Hope it works for you.
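
To see what the two required keys above amount to in practice, here is an added example; it is not code from the original post or from SAP. It reads the CmcApp.properties format and checks the conditions the post lists: both keys present, every type in sso.types.and.order also in sso.supported.types, and (the pairing the sample shows, assumed here to be required for Vintela) authentication.default=secWinAD. The embedded sample is a constructed copy of the one posted; parse_properties, csv and check_cmc_sso are names chosen for this example. Run against the posted sample, the checker reports only that sso.types.and.order is not set, which is the line the post says to add.

```python
# Constructed copy of the CmcApp.properties sample posted above, embedded so
# the checks run offline (the real file lives in the custom folder next to
# global.properties).
SAMPLE_CMCAPP = """
cms.default= CMS_NAME:6400
authentication.visible = true
cms.visible=true
sso.supported.types=vintela, trustedIS, trustedHeader, trustedParameter, trustedCookie,trustedSession,trustedUserPrincipal,trustedVintela,trustedX509,sapSSO,siteminder
authentication.default=secWinAD
"""


def parse_properties(text):
    """Minimal Java .properties reader: '#'/'!' comments, '=' or ':' as the
    key/value separator (whichever comes first), surrounding whitespace
    trimmed. Enough for the SSO keys; backslash escapes are not handled."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        seps = [i for i in (line.find("="), line.find(":")) if i >= 0]
        sep = min(seps) if seps else len(line)
        props[line[:sep].strip()] = line[sep + 1:].strip()
    return props


def csv(value):
    """Split a comma-separated property value, tolerating spaces after commas
    as in the posted sso.supported.types line."""
    return [v.strip() for v in value.split(",") if v.strip()]


def check_cmc_sso(props):
    """Apply the conditions from the post: sso.types.and.order and
    sso.supported.types must both name the chosen method, the ordered list
    may only contain supported types, and vintela is paired with
    authentication.default=secWinAD (assumed from the sample)."""
    findings = []
    supported = csv(props.get("sso.supported.types", ""))
    order = csv(props.get("sso.types.and.order", ""))
    if not supported:
        findings.append("sso.supported.types is missing or empty")
    if not order:
        findings.append("sso.types.and.order is missing or empty (the post lists it as required)")
    for t in order:
        if t not in supported:
            findings.append("sso.types.and.order lists %s, which is not in sso.supported.types" % t)
    if "vintela" in order and props.get("authentication.default") != "secWinAD":
        findings.append("vintela SSO is paired with authentication.default=secWinAD")
    return findings


if __name__ == "__main__":
    for finding in check_cmc_sso(parse_properties(SAMPLE_CMCAPP)):
        print("finding:", finding)
```

Appending `sso.types.and.order=vintela` to the sample clears the single finding; listing a type in sso.types.and.order that sso.supported.types does not carry produces a finding naming that type.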

Former Member

Hi Jeff,

Did you get this resolved? I am also facing similar issues. I have 4 different domains, and SSO is working for all of them, but when it goes to the manual (non-SSO) link, 3 of the domains do not work.

Regards,

Mandar


Hi,

Can you log in using "username@SUBDOMAIN1.DOMAIN.COM"?

Regards

-Seb.

Former Member

Seb

Thank you for response.

In BI Launch Pad, I cannot log in with user@SUBDOMAIN1.DOMAIN.COM.

BUT I can log in to the clients (like Universe Designer / Rich Client) using user@SUBDOMAIN1.DOMAIN.COM.

Does that ring any bells?

Regards,

Mandar

BasicTek

UDT and WRC don't use Java, which shows you where the issue is...

regards,

Tim

Former Member

Do I need to have all domains mentioned in the krb5.ini file?

Regards,

Mandar

BasicTek

Yes, and you also have to provide capaths for more complex environments and/or any parent domains as well; see KBA 1245178 for more details (logged in to SMP). Remember that krb5.ini is not a function of SAP software but rather is required when authenticating via the Java SDK (Oracle), which many web applications and quite a few of our Java applications require (such as IDT).

Regards,

Tim
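
Tim's two points, in the "#2 manual AD" post above and in the reply just above this one, are that the Java SDK appends the default realm when nothing follows the @, and that every domain (plus capaths for parent domains) must be spelled out in krb5.ini. Both can be checked offline before touching the CMC. What follows is an added example, not code from the original thread or from SAP: it parses a krb5.ini (a constructed copy of the file Jeff posted in the question), shows which principal and KDC list a given login resolves to, and lints the file for realms that are referenced but never defined. The RC4-only enctype finding is this editor's addition, not something the thread discusses; parse_krb5, resolve_principal and lint_krb5 are names chosen here, and DNS SRV lookup is deliberately left out of the model.

```python
import re

# Constructed copy of the krb5.ini Jeff posted in the question, embedded so
# the example runs offline.
JEFF_KRB5_INI = """
[libdefaults]
default_realm = A.COM.TW
dns_lookup_kdc = true
dns_lookup_realm = true
default_tgs_enctypes = rc4-hmac
default_tkt_enctypes = rc4-hmac
udp_preference_limit = 1
[realms]
A.COM.TW = {
kdc = DC1.A.COM.TW
kdc = DC1.B.A.COM.TW
default_domain = A.COM.TW
}
B.A.COM.TW = {
kdc = DC1.B.A.COM.TW
default_domain = A.COM.TW
}
[capaths]
B.A.COM.TW = {
     A.COM.TW = .
  }
A.COM.TW = {
     B.A.COM.TW = .
  }
"""
# Constructed variant: a third child domain is named in [capaths] only.
BROKEN_KRB5_INI = JEFF_KRB5_INI + "C.A.COM.TW = {\n     A.COM.TW = .\n  }\n"

_SECTION = re.compile(r"^\[(\w+)\]$")
_OPEN = re.compile(r"^([^=\s]+)\s*=\s*\{$")
_KV = re.compile(r"^([^=\s]+)\s*=\s*(.*)$")


def parse_krb5(text):
    """Parse the krb5.ini dialect above into nested dicts; repeated keys
    (several 'kdc =' lines in one realm) are collected into a list."""
    cfg, stack = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = _SECTION.match(line)
        if m:
            stack = [cfg.setdefault(m.group(1), {})]
            continue
        if not stack:
            continue  # text before the first [section]
        m = _OPEN.match(line)
        if m:  # tested before _KV, which would also match 'X = {'
            stack.append(stack[-1].setdefault(m.group(1), {}))
            continue
        if line == "}":
            if len(stack) > 1:
                stack.pop()
            continue
        m = _KV.match(line)
        if m:
            key, val, cur = m.group(1), m.group(2).strip(), stack[-1]
            if key in cur:
                prev = cur[key]
                cur[key] = (prev if isinstance(prev, list) else [prev]) + [val]
            else:
                cur[key] = val
    return cfg


def resolve_principal(cfg, login):
    """Model how the Java Krb5LoginModule forms the principal: without an '@'
    the default_realm is appended, so 'userB' becomes userB@A.COM.TW and the
    AS exchange goes to A.COM.TW's KDCs, where that account does not exist
    ('Client not found in Kerberos database'). Returns (principal, kdc list),
    or None for the DOMAIN\\user form or a realm with no usable [realms] entry."""
    if "\\" in login:
        return None
    if "@" in login:
        user, realm = login.rsplit("@", 1)
    else:
        user, realm = login, cfg["libdefaults"]["default_realm"]
    realm = realm.upper()  # AD realm names are upper-case by convention
    entry = cfg.get("realms", {}).get(realm)
    if entry is None or not entry.get("kdc"):
        return None
    kdc = entry["kdc"]
    return "%s@%s" % (user, realm), (kdc if isinstance(kdc, list) else [kdc])


RC4_NAMES = {"rc4-hmac", "arcfour-hmac", "arcfour-hmac-md5"}


def lint_krb5(cfg):
    """Checks to run before blaming the CMC: default_realm and every realm
    named in [capaths] need a [realms] entry with a kdc; RC4-only enctypes
    are flagged because RFC 8429 deprecates them (editor's addition)."""
    findings = []
    lib, realms = cfg.get("libdefaults", {}), cfg.get("realms", {})
    default = lib.get("default_realm")
    if default not in realms:
        findings.append("default_realm %s has no [realms] entry" % default)
    for name, body in realms.items():
        if not body.get("kdc"):
            findings.append("realm %s lists no kdc" % name)
    for client, targets in cfg.get("capaths", {}).items():
        names = [client] + (list(targets) if isinstance(targets, dict) else [])
        for r in names:
            if r not in realms:
                findings.append("[capaths] names %s, which is missing from [realms]" % r)
    for key in ("default_tkt_enctypes", "default_tgs_enctypes"):
        val = lib.get(key, "")
        if val and set(val.replace(",", " ").split()) <= RC4_NAMES:
            findings.append("%s allows only RC4 (deprecated by RFC 8429)" % key)
    return findings
```

With Jeff's file, resolve_principal(cfg, "userB") yields userB@A.COM.TW with A.COM.TW's two KDCs, which is the principal in the failing log, while "userB@B.A.COM.TW" resolves to B.A.COM.TW and DC1.B.A.COM.TW. The only lint findings on his file are the two RC4-only enctype lines; on the constructed variant the lint also reports C.A.COM.TW as missing from [realms], and a C.A.COM.TW login cannot be resolved at all. This matches Tim's kinit advice: the same krb5.ini drives both tools, so a kinit failure with the same principal points at the file rather than at the CMC.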

Former Member

Hello Jeff,

- The CMC is an admin application and there is no way to configure SSO. So all users need to log in to the CMC manually by providing their credentials.

- Users from a non-default domain cannot log in without providing the domain name in the user name. This is by design. If you have more users logging in to the CMC from a non-default domain, then you can define that domain as the default domain in the CMC and in the krb5.ini file so that they do not need to provide the domain name while logging in. For example, say you have two domains, A and B. If many more users from domain B log in to the CMC compared to domain A, then you can define domain B as the default in CMC->Authentication->Windows AD and in the krb5.ini file.

Hope this will help you.

Best Regards,

Sastry

Former Member

Hi jeff Hang,

Please verify this link:

http://scn.sap.com/docs/DOC-26314

I hope this will help you.

Regards

Pardhu