Windows AD Credential Mapping for BusinessObjects?

former_member191664
Active Contributor
0 Kudos

Hi,

Per SAP KB 1364761 - XIR3.1 Universe Designer Connection to Windows AD Credential Mapping and the BOXI3.1 Universe Designer Guide, when a user logs into INFOVIEW and BOE id/password are populated, those credentials are then used for the connection.

My question is: what if a BO user has not logged in for, for example, over 3 months (AD password expired), and there are scheduled jobs with reports and universes using "User BusinessObjects credential mapping" owned by this user? How can we ensure that those scheduled jobs will continue to run with a new AD password?

Thank you in advance for your input on this! I have posted the same question to BI Platform, but I realize this space may be more appropriate for this question.

Regards,

Jin-Chong

Accepted Solutions (1)

rama_shankar3
Active Contributor
0 Kudos

JinChong,

You will not experience these kinds of password expiry issues if you have your network / admin team create a service account with no password expiration. This is the permanent solution.

However, to fix your issue right now, have your network admin create a server script to automatically renew user activity and run it on the server as a maintenance script. This will fix your issue. I have had one of my clients do this.

Hope this helps.

Rama

Answers (1)

former_member184468
Active Participant
0 Kudos

Unfortunately there's no automated way to get those updated. When a password is expired, it needs to be updated.

Now if your users are logging on manually using AD, you can enable the checkbox in your AD authentication configuration in the CMC, checking the "Enable and update the user's data source credentials at logon time. This will synchronize the data source with the user's current logon credentials" checkbox. That way you will always have the latest credentials.

If this is a shared connection where all users are connecting with the same AD account to the database, then unfortunately you have to update it manually (or via the SDK). Even for the SDK update you still have to have the actual new password to pass to BO somehow.

former_member191664
Active Contributor
0 Kudos

Thank you for your input, Greg.

Yes, I am thinking about using the BOXI3.1 Java SDK with Windows AD to reset the password in a loop when detecting that an AD account's password is expired.

However, with this approach, we'd no longer be able to track the user's last login activity to BOXI3.1 for BO license cleanup.

Regarding Rama's approach of using a generic account with no expiration, it will not meet the company's internal audit and security guidelines, as each user's backend database is granted differently to allow seeing the needed data only. 🙂  Thank you for your input, Rama.

I am hoping there will be similar audit and security requirements from other companies and there may be an approach to address these requirements.

Regards,

Jin-Chong
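
An added example, not part of the original thread and not SAP code: since the expired password still has to be re-entered by its owner, one thing that can be automated is finding which scheduled jobs are owned by accounts whose AD password has expired or is about to, using the AD attributes `pwdLastSet`, `userAccountControl` and the domain `maxPwdAge`. The job/owner list stands in for a hypothetical export from the CMS, all account names and values are constructed, and fine-grained password policies are not considered.

```python
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)  # FILETIME epoch
UF_DONT_EXPIRE_PASSWD = 0x10000  # userAccountControl bit

def to_filetime(dt):
    """Datetime -> 100 ns ticks since 1601 (used to build the sample data)."""
    return (dt - EPOCH_1601) // timedelta(microseconds=1) * 10

def password_expiry(pwd_last_set, uac, max_pwd_age):
    """Expiry time from AD attributes; None means the password never expires.
    max_pwd_age is the domain maxPwdAge: negative 100 ns ticks, 0 = no expiry."""
    if uac & UF_DONT_EXPIRE_PASSWD or max_pwd_age == 0:
        return None
    if pwd_last_set == 0:  # "user must change password at next logon"
        return EPOCH_1601
    return EPOCH_1601 + timedelta(microseconds=(pwd_last_set - max_pwd_age) // 10)

def flag_jobs(jobs, accounts, max_pwd_age, now, warn_days=14):
    """Return (job, owner, status) for jobs whose owner needs attention."""
    flagged = []
    for job, owner in jobs:
        acct = accounts.get(owner)
        if acct is None:
            flagged.append((job, owner, "unknown-owner"))
            continue
        expiry = password_expiry(acct["pwdLastSet"], acct["uac"], max_pwd_age)
        if expiry is None:
            continue
        if expiry <= now:
            flagged.append((job, owner, "expired"))
        elif expiry - now <= timedelta(days=warn_days):
            flagged.append((job, owner, "expiring"))
    return flagged

# Constructed sample data: a 90-day policy and four hypothetical accounts.
UTC = timezone.utc
MAX_PWD_AGE = -90 * 86400 * 10_000_000
NOW = datetime(2024, 6, 1, tzinfo=UTC)
ACCOUNTS = {
    "user_a": {"pwdLastSet": to_filetime(datetime(2024, 2, 1, tzinfo=UTC)), "uac": 0x200},
    "user_b": {"pwdLastSet": to_filetime(datetime(2024, 3, 10, tzinfo=UTC)), "uac": 0x200},
    "user_c": {"pwdLastSet": to_filetime(datetime(2024, 5, 20, tzinfo=UTC)), "uac": 0x200},
    "svc_rpt": {"pwdLastSet": to_filetime(datetime(2020, 1, 1, tzinfo=UTC)), "uac": 0x10200},
}
JOBS = [("Daily Sales", "user_a"), ("Weekly Inventory", "user_b"),
        ("Monthly Finance", "user_c"), ("Nightly Refresh", "svc_rpt")]

if __name__ == "__main__":
    for row in flag_jobs(JOBS, ACCOUNTS, MAX_PWD_AGE, NOW):
        print(row)
```
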

former_member184468
Active Participant
0 Kudos

This behavior is actually a limitation of how Active Directory works. You cannot just impersonate a user without their credentials to get a Kerberos ticket. There is certainly the willingness on SAP's part to do more in this regard, but unfortunately we do not control the full communication stack in this case.