
SSO in BI 4.1 is not loading users from Windows AD

Former Member
0 Kudos

Hello SAP Gurus,

I have been working on setting up SSO using the document "Configuring Active Directory Manual Authentication and SSO for BI4" and BI 4.1, SP2 and patch 1, but unfortunately I could not make it work. I will explain my situation and where I got stuck, starting by presenting the scenario we have:

- MS Windows Server 2012 Standard
- Oracle 11g (11.2.0.1) clients 32 and 64 bits installed.
- Java 6.1 32 and 64 bits
- BI platform 4.1 SP2 patch 1 up and running
- Client tools 4.1 SP2 installed and working (basically, we can connect to the universes and repos).
- Cluster in a separate server up and running with the same BI platform and patches.

The servers are running properly after applying the sizing and we tested them without any major issue. Then, we started the SSO implementation by creating the service account following the document mentioned. Once we had the service account set up in AD we went to the CMC in order to fill in the information needed for the Windows AD authentication. By following the document, we filled in all the info properly, saved it and updated it.

After that, the issue came up (page 8); in the authentication panel you can see how the CMC could resolve the “group name” which is in the AD, but when you go to the Windows AD group in CMC there are no users. In addition, the AD server has a different encryption than the one mentioned in the document attached which is AES and not RC4 (page 4, Prerequisites). I have been trying many things to solve this issue, but none worked.

- Open CMC and some other ports in the Windows AD Server
- Try to load a different group
- Give full read right to our Service account
- We have changed the Kerberos encryption from AES to RC4
- We queried Windows AD from BO’s server manually from the console and it was retrieving the group and the users inside.
- We have changed the Java version; previously it was 7.45 and now it is 6.1
- As always, restarting the SIA and restarting the whole server.

Finally, we went to see the Windows Events and we could observe that the CMC was fetching the group and the users, but it did not load them in the application. At this point, I ran out of ideas. For this reason, I would like to ask you if someone has faced this issue before or could give some advice or tricks or places to look at.

Any idea will be more than welcome.

Accepted Solutions (1)


0 Kudos

Hi,

by default, SAP BI doesn't import the users attached to a Group which is mapped in the CMC. This you have to set manually in the "Update Alias" Options.

Did you ever try it? Can you log on to the BI LaunchPad manually using Windows AD authentication?

I'm not 100% sure but I think RC4 is the only supported encryption type. Maybe someone can confirm this.

Please see:

http://service.sap.com/sap/support/notes/1512759

I would also recommend you activate the Kerberos debugger, simulate a logon attempt and attach the Log to this Thread.

Please see this Note to activate the Kerberos debugger:

http://service.sap.com/sap/support/notes/1372493

Regards

-Seb.

Former Member
0 Kudos

Seb,

Thanks a lot for your fast response. Regarding your first question the answer is "Yes", after all our changes we always tried to manually update the Alias and groups, but we could get the users. We also tried to manually log in to the launchpad, but we got an error; I think, due to the fact that we do not have any users in the AD group (in CMC).

The AES encryption is the suspicious part, but the AD admin told me that windows sent an email asking to update from RC4 to AES because it might be disabled in future versions.

Anyway, I will have a look at the Kerberos debugger and post the log file here.

Again, thanks!

Regards,

0 Kudos

Hi,

please also try to log on with one of the Client Tools using Windows AD. Please try with one of the following:

- Central Configuration Manager

- Universe Design Tool

Please do not use one of the Eclipse-based tools such as the Information Design Tool.

With this test we leave the Java part of SAP BI totally out of scope.

Regards

-Seb.

Former Member
0 Kudos

Sebastian,

I have tried to log in to the CCM using Windows AD authentication with a user that should be in the AD group and I am getting the following error:

Then, we reviewed the service account in the AD Server and we have the same SPN for BICMS.

Please let me know if you have any idea of what could be happening.

Regards,

Former Member
0 Kudos

Seb,

Sorry for wasting your time, your first advice was right, but I misunderstood where to change it. Actually, we had set up the "Alias Update Option" as:

"Create new aliases only when the user logs on"

When we should have had

"Create new aliases when the alias Update occurs"

Apart from that, we also changed all user names and SPNs in the same way we introduce them in the Windows AD.

Thanks a lot for your help.

Kind regards,

Answers (0)