Silent SSO is not working in SAP BO 4.1 SP5

0 Kudos

Hi all,

We are trying to enable Windows AD SSO for our SAP BO 4.1 SP5 environment. Please have a look at the following details:

  1. Manual Windows AD login on both thin and thick client is successful.
  2. Windows AD Single Sign On is working for thick clients like WEBI Rich Client etc., but not working for BI Launchpad.
  3. In the Tomcat stderr file, we found "Credentials Obtained".
  4. The kinit test is generating a ticket properly.
  5. We have made all the changes given in Steve Fredell's "Configuring Active Directory Manual Authentication and SSO for BI4", which applies to BI 4.0 or later; the document was published on 1st September, 2011.

As we have followed the mentioned document, please let us know if there are any further changes to the process for enabling Windows AD SSO in an SAP BO 4.1 SP5 environment.

        

Thanks and Regards,

Kushal Pardeshi

Accepted Solutions (0)

Answers (4)

0 Kudos

Hi All,

We reverted each and every change and performed the same procedure again.

Somehow, SSO is working properly.

The following link can be helpful for SSO, as each and every step is explained properly:

Setting up SAP BusinessObjects single sign-on based on WinAD logins. | David Lai's Business...

Many Thanks for your help.

Thanks,

Kushal

former_member205064
Active Contributor
0 Kudos

If you are getting the login screen with no error, check the maxHTTPHeader value in server.xml.

If you are getting the FWM00006 error, check the idm.princ value in the global.properties file.

If you are using the password in the Java options, make sure you have the correct password.

On the AD side, for the service account, "trust this user for kerberos only" should be checked.

-Raunak

0 Kudos

Hi Raunak,

Thanks for replying.

We have added following line in server.xml:

maxHttpHeaderSize="65536"


We are not getting any error.


We have correctly mentioned password in java option.


And we have also ticked the "Trust this user for kerberos only" option.


Problem remained same.


On the IE browser side, we have made the modifications given in the Admin guide of SAP BO 4.1 SP5.


Please let us know if there are more changes to perform.


Thanks,

Kushal

former_member205064
Active Contributor
0 Kudos

your global.properties contain idm.allowS4U=true

for this option to be present in your service Account should be like this:-

Else 2nd option should be there.

-Raunak

0 Kudos

Hi Raunak,

Thanks again for replying.

According to admin guide, to use constrained delegation, we need to enter idm.allowS4U=true.

We have not included this line in global.properties file.

Hence, we have selected the second option for the service account, which is "Trust this user for delegation to any service (Kerberos only)".

Please provide some more inputs.

Thanks,

Kushal

former_member926196
Active Participant
0 Kudos

Hi Kushal,

Please go through the steps suggested in the following thread.

Hope it helps !

-Ambarish-

former_member926196
Active Participant
0 Kudos

Hi Kushal,

Verify the following:

- Check the HTTP SPNs by using the command setspn -l svc_acct

- Verify that the 2nd radio button is checked under delegation for svc_acct

- Verify there are no duplicate SPNs by using setspn -x and AD explorer

- Verify there are no white spaces in the password hardcoded in Tomcat config >> Java options

- Also confirm the global.properties file is properly configured

If the above is in place, stop Tomcat and navigate to tomcat install dir/work/catalina, rename localhost to localhost_old and start Tomcat to rebuild the cache. Also clear the browser cache and then try to execute the URL.

-Ambarish-

0 Kudos

Hi Ambarish,

Thanks for replying.

setspn -l sv_acct gives all the 3 SPNs and those are created appropriately.

2nd button is checked under delegation for svc_acct.

There are no duplicate SPNs.

global.properties contains the following:

sso.enabled=true
siteminder.enabled=false
vintela.enabled=true
idm.realm=DOMAIN.COM
idm.princ=<server>/biservice.DOMAIN.COM
idm.allowUnsecured=true
idm.allowNTLM=false
idm.logger.name=simple
idm.logger.props=error-log.properties
idm.allowS4U=true

Please let us know if there are more changes to perform.

Thanks,

Kushal
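
As an added example (not part of the thread and not SAP tooling), the Python sketch below lints a global.properties file for the points raised in the replies above: stray whitespace, the SSO switches, the realm and principal, and whether idm.allowS4U agrees with the delegation option selected on the service account. The function names and the delegation labels are hypothetical, the upper-case realm check reflects the usual Kerberos convention, and the sample input is constructed from the values posted above.

```python
# Added example: lint global.properties for the SSO points raised in this thread.
# `delegation` is read by hand from the AD account's Delegation tab; nothing here queries AD.

def parse_properties(text):
    """Parse key=value lines, keeping raw values so stray whitespace stays visible."""
    props = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith(("#", "!")):
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value
    return props

def lint_sso(text, delegation):
    """delegation: 'any_service' (2nd radio button) or 'constrained' (labels are hypothetical)."""
    props = parse_properties(text)
    findings = [f"{k}: leading/trailing whitespace in value"
                for k, v in props.items() if v != v.strip()]
    for key in ("sso.enabled", "vintela.enabled"):
        if props.get(key, "").strip().lower() != "true":
            findings.append(f"{key}: expected true")
    realm = props.get("idm.realm", "").strip()
    if not realm or realm != realm.upper():
        findings.append("idm.realm: missing or not upper case")
    princ = props.get("idm.princ", "").strip()
    if not princ or "<" in princ:
        findings.append("idm.princ: missing or still a placeholder")
    s4u = props.get("idm.allowS4U", "").strip().lower() == "true"
    if s4u and delegation != "constrained":
        findings.append("idm.allowS4U=true but account is not set to constrained delegation")
    if not s4u and delegation == "constrained":
        findings.append("constrained delegation selected but idm.allowS4U is not true")
    return findings

# Constructed sample mirroring the settings posted above (realm and principal are redacted there).
SAMPLE = """sso.enabled=true
siteminder.enabled=false
vintela.enabled=true
idm.realm=DOMAIN.COM
idm.princ=<server>/biservice.DOMAIN.COM
idm.allowS4U=true
"""

if __name__ == "__main__":
    for finding in lint_sso(SAMPLE, delegation="any_service"):
        print(finding)
```
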

Former Member
0 Kudos

Hi,

Check the following

1. The BILaunchPad URL is added to local intranet

2. HTTP SPNs are created for Host and FQDN names. If you are using a load balancer, then an HTTP SPN should also be created for the load balancer name

3. If you are using Tomcat, try using the password option in Tomcat Java options

Regards,

Rohit Vamsi

0 Kudos

Hi Rohit,

Thanks for inputs.

We have tried all the ways suggested by you, but the problem remains the same.

Thanks and Regards,

Kushal Pardeshi

Former Member
0 Kudos

When you enter the BILaunchpad URL, are you presented with a BILaunchpad login screen?

Check if there are any duplicate HTTP SPNs on the BO server host, FQDN or IP address by running setspn -x.

If you find any duplicate SPN, ask your Windows AD admin to delete the SPN which is not mapped to your service account.

0 Kudos

Hi Rohit,

Thanks again for quick response.

There are no duplicate SPNs present.

The main problem is that, after entering the URL, it gives the login page; Windows AD logins entered manually are successful on both thick and thin clients.

Silent SSO should work on thin client, which isn't working.

Thanks,

Kushal