Former Member

SAP BI 4.1 SP5 - Vintela setup - No silent SSO issue

Hi,

Hope you experts can help me with this issue.

I am doing SSO setup on SAP BI 4.1 SP5 on Windows Server 2012 R2. I have followed the process as outlined in the article at http://scn.sap.com/blogs/josh_fletcher/2012/06/11/active-directory-sso-for-sap-businessobjects-bi4.

I am stuck at Step 9, as I cannot get silent SSO no matter what. I understand a lot of people have had this issue and there have been a lot of discussions in the SAP blog about it, and I've read all of them.

However, does anyone have a solution for this problem?

Here are my configurations (with sanitized domain names):

Environment:

Domain Name: XXXXCO (FQDN: CORP.XXXXCO.COM)

BO Service Account: CMS41SVC (password: F4M34!xl )

Domain Controller: VM-DC-GH-01.CORP.XXXXCO.COM

BusinessObjects Server: DEV-BOB-APP-01.CORP.XXXXCO.COM

BusinessObjects AD Group: XXXXCO\DL-Business Objects

krb5.ini file
----------------
[libdefaults]
default_realm = CORP.XXXXCO.COM
dns_lookup_kdc = true
dns_lookup_realm = true
default_tgs_enctypes = rc4-hmac
default_tkt_enctypes = rc4-hmac
udp_preference_limit = 1
[realms]
CORP.XXXXCO.COM = {
    kdc = VM-DC-GH-01.CORP.XXXXCO.COM
    default_domain = CORP.XXXXCO.COM
}

bscLogin.conf file
---------------------------------
com.businessobjects.security.jgss.initiate {
    com.sun.security.auth.module.Krb5LoginModule required debug=true;
};

BIlaunchpad.properties file
--------------------------------------------
authentication.visible=true
authentication.default=secWinAD
sso.types.and.order=vintela

global.properties file
-------------------------------------
sso.enabled=true
siteminder.enabled=false
vintela.enabled=true
idm.realm=CORP.XXXXCO.COM
idm.allowUnsecured=true
idm.allowNTLM=false
idm.logger.name=simple
idm.logger.props=error-log.properties

Tomcat added options
-----------------------------------------
...
-Djava.security.auth.login.config=c:\windows\bscLogin.conf
-Djava.security.krb5.conf=c:\windows\krb5.ini
-Dcom.wedgetail.idm.sso.password=F4M34!xl
-Djcsi.kerberos.debug=true

What I've done so far:

-All steps 1-8 verified (as per Josh's article above)

-(NOTE: Under Delegation tab for service account CMS41SVC, turned on ‘Trust this user for delegation to any service (Kerberos only)’.)

-I can get the ticket with kinit CMS41SVC.

-There are no duplicate SPNs.

-I got "commit succeeded" after step 8 and was able to get Manual AD access to the system with AD accounts.

-After application of step 9 I do not get silent SSO and, perhaps not surprisingly, cannot login with AD accounts any more.

I have not performed the keytab steps as this is a showstopper I guess.

What is wrong here??!! Any suggestions?

Some additional questions:

- Does my service account CMS41SVC need to be a member of BusinessObjects AD Group: XXXXCO\DL-Business Objects? In my setup it is not.

- Further, what is the impact of SSO on deployment of Mobile server? If we manage to set up SSO, will it be propagated to Mobile clients?

- Is there a special process on how to set up Mobile clients for a platform with SSO setup?

- Similarly, impact of SSO on integration with SharePoint?

- Is there a special process on how to set up SharePoint integration for a platform with SSO setup?

Many thanks for your help in the past and your effort regarding this one.

Regards,

Davor Mitrasevic


2 Answers

  • Best Answer
    Former Member
    May 22, 2015 at 05:45 AM

    Hi Davor,

    The idm.princ=service_account value is missing from the global.properties file.

    -Ambarish-
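
A consistency check for the files discussed in this thread, added here as an example and not part of any post or of SAP's tooling: it parses global.properties and krb5.ini and reports a missing idm.princ (the accepted answer's point) and an idm.realm that does not match krb5.ini. The sample input is constructed from the sanitized values in the question, and treating a realm mismatch as a finding is this example's assumption.

```python
import re

# Constructed sample input, built from the sanitized values in the question.
GLOBAL_PROPERTIES = """\
sso.enabled=true
vintela.enabled=true
idm.realm=CORP.XXXXCO.COM
"""
KRB5_INI = """\
[libdefaults]
default_realm = CORP.XXXXCO.COM
[realms]
CORP.XXXXCO.COM = {
kdc = VM-DC-GH-01.CORP.XXXXCO.COM
}
"""

def parse_properties(text):
    """Parse key=value lines, skipping blank lines and # or ! comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and line[0] not in "#!" and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props

def krb5_realms(text):
    """Return (default_realm, names of the realms defined under [realms])."""
    default = re.search(r"^\s*default_realm\s*=\s*(\S+)", text, re.M)
    section = re.search(r"^\[realms\]\s*$(.*?)(?=^\[|\Z)", text, re.M | re.S)
    names = re.findall(r"^\s*(\S+)\s*=\s*\{", section.group(1), re.M) if section else []
    return (default.group(1) if default else None), set(names)

def check_vintela(global_properties, krb5_ini):
    """Return a list of findings; an empty list means every check passed."""
    props = parse_properties(global_properties)
    default_realm, realms = krb5_realms(krb5_ini)
    findings = []
    if props.get("sso.enabled") != "true" or props.get("vintela.enabled") != "true":
        findings.append("sso.enabled and vintela.enabled are not both true")
    if not props.get("idm.princ"):
        findings.append("idm.princ is missing from global.properties")
    realm = props.get("idm.realm")
    # Assumption of this example: idm.realm must match krb5.ini exactly.
    if realm != default_realm or realm not in realms:
        findings.append(f"idm.realm={realm!r} does not match krb5.ini realm {default_realm!r}")
    return findings
```

Calling `check_vintela(GLOBAL_PROPERTIES, KRB5_INI)` on the sample returns the single idm.princ finding; with real files, pass in their contents read from disk.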


  • May 22, 2015 at 05:39 AM

    Your Service account is not required to be a member of BusinessObjects AD Group.

    I think Mobile SSO is still not possible, but for SharePoint it's possible.

    For SharePoint, you can refer to this link:

    Overview of SAP BI 4.x Integration Option for Microsoft SharePoint

    What is the error message you are getting for manual as well as SSO after step 9?

    Also try checking after restarting Tomcat and rebuilding the Tomcat cache.

    -Raunak
