
AD authentication for BI4.0 on NW7.3x portal

Former Member
0 Kudos

Hi Team BI

I have been asked to configure AD authentication. Following Steve Fredell's "Configure Active Directory Manual Authentication and SSO for BI4", I could successfully get AD authentication working fine with tomcat.

However, when I use the same BOE/CMC with imported early into portal I get the error:

Account Information Not Recognized: Active Directory Authentication failed to log you on. Please contact your system administrator to make sure you are a member of a valid mapped group and try again. If you are not a member of the default domain, enter your user name as UserName@DNS_DomainName, and then try again. (FWM 00006)

So tomcat obviously understands the Kerberos authentication. I have made sure the same server principal name and AD administrator credentials are in use by tomcat and portal; both use SAPService<SID>.

Any tips as to what I need to do to get Windows AD authentication working to BOE/CMC from a NW7.3 portal? Do I need to re-import the BOE deployment?

Accepted Solutions (1)

Former Member
0 Kudos

Well, I raised a ticket with SAP Support who responded with a "this is consulting" type answer, but they did provide an unreleased note ("internal") 1852377, which I could follow and get things working within 30 minutes. I was 95% there, just was missing the subnode configuration for the com.businessobjects.security.jgss.initiate policy.

Anyway, I wrote a how-to blog post on the subject.

Former Member
0 Kudos

Hi Glenn,

Good to hear that you have finally resolved it.

~SwapnilY

Former Member
0 Kudos

Well I asked SAP to make note 1852377 available to customers and the response from SAP support was

"I received permission to have the article deleted from our system

we will no longer give customers configurations for unsupported 3rd parties..."

So amazingly SAP will delete the note that helped me. SAP won't support NW as a web server for BOE in a SSO environment but will, I guess, help with BOE tomcat and SSO.

So we have decided to shut down our NW Portal for BOE and revert to tomcat.

Former Member
0 Kudos

Hi Glenn,

Thank you for the update.

Well, what to say about their decision. Perhaps they are going to delete it because it creates problems for the support team as well.

Sometimes the support team has to work on technologies they have never worked on (third party), and if such a document is available to the customers then the support team may get questioned by the customers: "Why was this document created when it is not supported at all?".

So I am certain, just to avoid such situations they must have taken this decision. I must say that being their customers, we also need to consider Support team's all concerns.

SAP will always support the integrations with the application servers which are bundled with the installation of SAP Business Objects such as tomcat. So, you would definitely get help from them on the tomcat issues.

~Swapnil

Former Member
0 Kudos

You have already documented all the required steps here. So this would always be there for other customers to follow.

Former Member
0 Kudos

Well Swapnil, my customers who are paying millions in support fees and to hear that SAP has information and yet decided not to provide it ... I am disappointed. SAP exists (just as I do) because of their customers, support staff role is to support customers. All SAP has to do is release notes with the caveat of saying "this is not supported and is provided as is".

Former Member
0 Kudos

Hi Glenn,

I understand your concern and I agree with you. I have contacted senior engineers from SAP Support regarding this. Let's see what they have to say about this. I will let you know if I have any update on this.

I guess SAP has already mentioned caveats in that note. I also could not check it because it is not released to customers.

~Swapnil

Former Member
0 Kudos

Hi Glenn,

I got an update from SAP engineers about that SAP note and it is going to be deleted since it involves NW configuration.

We would be having your blog to configure this so this should be fine with us.

~Swapnil

Former Member
0 Kudos

Thanks Swapnil

Whilst I am not going to bite the hand that once fed me, again I think that SAP should release, not delete, such notes; the content was great and it worked and it helped, and I thank the author for his efforts. That being said, there is a role to play for "officially supported" and "best effort guidance" from SAP. When you work for SAP it is hard to post to SDN, particularly about 3rd party tools etc., because if you make a mistake or say something incorrect some customers or vendors will use that as contractual leverage when it was just a case of a technical person helping another techco. In the extreme twist you risk billions as per the TomorrowNow case.

Answers (1)

Former Member
0 Kudos

Hi Glenn,

You must have created the KRB and bscLogin files for tomcat and mentioned paths for these files in the tomcat JAVA options.

In the same way, please ensure that you have specified the paths in NW JVM arguments.

You can also follow the steps 5 and 6 of this KBA: http://service.sap.com/sap/support/notes/1476374

~SwapnilY

Former Member
0 Kudos

Hi Swapnil

Do you have AD manual authentication working in an environment with NW Java (portal) running sapjvm? I am aware of notes 1476374 and 1631734, but (to date) have not been successful with manual authentication. If you do have it working, can you share the VM Java startup parameters and/or the single sign-on authentication routines in NWA?

Former Member
0 Kudos

Hi Glenn,

I have configured this for one of our customers long back. I remember that I had taken the screenshots for this, however I have misplaced them.

You can refer to the sections "9.4.5.1.2.4" and "9.4.5.1.3.2" of this guide.

NOTE: File names are case sensitive so please specify the same case for krb5 and bsclogin files. After all the configuration, do remember to restart the NW instance.

Please check that Java can receive a Kerberos ticket by following the section "9.4.5.1.4" of the same guide.

You would also need to ensure that krb and bsclogin files do not have white spaces.

If you still face the same issue then please attach the krb and bsclogin files here.

Hope this helps.

~SwapnilY
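
A pre-flight check for the points raised in the reply above (file paths in the JVM arguments, exact file-name case, no white space, and the `com.businessobjects.security.jgss.initiate` entry named in the accepted solution). This is an added example, not code from the thread or from SAP. It assumes the files are passed through the standard Java properties `java.security.krb5.conf` and `java.security.auth.login.config`, and it reads "white spaces" as white space in the configured path; the function names are hypothetical.

```python
import os
import re

# Standard JVM system properties that point Java at the Kerberos and JAAS files
# (assumption: the NW instance is configured through these, as tomcat is).
KRB5_PROP = "java.security.krb5.conf"
JAAS_PROP = "java.security.auth.login.config"
# JAAS entry name quoted in the thread.
JAAS_ENTRY = "com.businessobjects.security.jgss.initiate"


def jvm_property(jvm_args, name):
    """Return the value of -D<name>=<value> from a list of JVM arguments, or None."""
    prefix = "-D" + name + "="
    for arg in jvm_args:
        if arg.startswith(prefix):
            return arg[len(prefix):]
    return None


def exact_case_exists(path):
    """True only if the file name matches a directory entry character for character."""
    directory, name = os.path.split(path)
    try:
        return name in os.listdir(directory or ".")
    except OSError:
        return False


def check_kerberos_jvm_config(jvm_args):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    paths = {}
    for prop in (KRB5_PROP, JAAS_PROP):
        value = jvm_property(jvm_args, prop)
        if value is None:
            findings.append(f"missing -D{prop}")
        elif re.search(r"\s", value):
            findings.append(f"{prop}: path contains whitespace")
        elif not exact_case_exists(value):
            findings.append(f"{prop}: no file with exactly this name and case")
        else:
            paths[prop] = value
    if JAAS_PROP in paths:
        pattern = r"^\s*" + re.escape(JAAS_ENTRY) + r"\s*\{"
        with open(paths[JAAS_PROP], encoding="utf-8") as fh:
            if not re.search(pattern, fh.read(), re.M):
                findings.append(f"{JAAS_PROP}: no '{JAAS_ENTRY}' entry")
    return findings
```

Pass it the instance's JVM arguments as a list of strings; the NW instance still has to be restarted after any change.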