Former Member

AD authentication for BI4.0 on NW7.3x portal

Hi Team BI

I have been asked to configure AD authentication. Following Steve Fredell's "Configure Active Directory Manual Authentication and SSO for BI4", I could successfully get AD authentication working fine with Tomcat 😊

However when I use the same BOE/CMC with imported early into portal I get the error:

Account Information Not Recognized: Active Directory Authentication failed to log you on. Please contact your system administrator to make sure you are a member of a valid mapped group and try again. If you are not a member of the default domain, enter your user name as UserName@DNS_DomainName, and then try again. (FWM 00006)

So Tomcat obviously understands the Kerberos authentication, I have made sure the same server principal name and AD administrator credentials are the same, is in use by Tomcat and portal both use SAPService<SID>

Any tips as to what I need to do to get Windows AD authentication working to BOE/CMC from a NW7.3 portal? Do I need to re-import the BOE deployment?


2 Answers

  • Best Answer
    Former Member
    Nov 04, 2015 at 04:39 AM

    Well, I raised a ticket with SAP Support, who responded with a "this is consulting" type answer, but they did provide an unreleased note ("internal") 1852377, which I could follow and get things working within 30 minutes. I was 95% there, just was missing the subnode configuration for the com.businessobjects.security.jgss.initiate policy.

    Anyway, I wrote a how-to blog post on the subject:

    Configuration of Active Directory Manual Authentication BI4 for Netweaver NW


    • Former Member Swapnil Yavalkar

      Thanks Swapnil

      Whilst I am not going to bite the hand that once fed me, again I think that SAP should release, not delete, such notes. The content was great and it worked and it helped; I thank the author for his efforts. That being said, there is a role to play for "officially supported" and "best effort guidance" from SAP. When you work for SAP it is hard to post to SDN, particularly about 3rd party tools etc., because if you make a mistake or say something incorrect some customers or vendors will use that as contractual leverage when it was just a case of a technical person helping another techco. In the extreme twist you risk billions as per the TomorrowNow case.

  • Oct 28, 2015 at 09:40 AM

    Hi Glenn,

    You must have created the KRB and bscLogin files for tomcat and mentioned paths for these files in the tomcat JAVA options.

    In the same way, please ensure that you have specified the paths in NW JVM arguments.

    You can also follow the steps 5 and 6 of this KBA: http://service.sap.com/sap/support/notes/1476374

    ~SwapnilY


    • Hi Glenn,

      I have configured this for one of our customers long back. I remember that I had taken the screenshots for this, however I have misplaced them. 😔

      You can refer to the sections "9.4.5.1.2.4" and "9.4.5.1.3.2" of this guide.

      NOTE: File names are case sensitive so please specify the same case for krb5 and bsclogin files. After all the configuration, do remember to restart the NW instance.

      Please check that Java can receive a Kerberos ticket by following the section "9.4.5.1.4" of the same guide.

      You would also need to ensure that krb and bsclogin files do not have white spaces.

      If you still face the same issue then please attach the krb and bsclogin files here.

      Hope this helps. 😊

      ~SwapnilY
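
A pre-restart check for the points raised in the replies above (paths set in the JVM arguments, exact file-name case, no stray white space), added here as an illustration and not part of the thread or of any SAP note. It assumes the files are located through the standard Java properties `java.security.krb5.conf` and `java.security.auth.login.config`, and it reads "white spaces" as white space in the path or at the end of a line; the function names are hypothetical.

```python
import os
import re
import sys

# Standard Java system properties that point at the two files.
PROPS = ("java.security.krb5.conf", "java.security.auth.login.config")

def parse_jvm_args(args):
    """Return {property: path} for the -D options listed in PROPS."""
    found = {}
    for arg in args:
        m = re.match(r"-D([^=]+)=(.*)$", arg.strip())
        if m and m.group(1) in PROPS:
            found[m.group(1)] = m.group(2).strip('"')
    return found

def check_file(path):
    """Return the list of problems found for one configured path."""
    problems = []
    if re.search(r"\s", path):
        problems.append("path contains white space")
    folder, name = os.path.split(path)
    try:
        entries = os.listdir(folder or ".")
    except OSError:
        return problems + ["folder not readable"]
    if name not in entries:
        # Windows opens files case-insensitively, so compare against the
        # directory listing to see the spelling that is really on disk.
        near = [e for e in entries if e.lower() == name.lower()]
        problems.append(("case mismatch, on disk: " + near[0]) if near else "file not found")
        return problems
    with open(path, encoding="utf-8", errors="replace") as fh:
        for number, line in enumerate(fh, 1):
            if line.rstrip("\r\n") != line.rstrip():
                problems.append("line %d has trailing white space" % number)
    return problems

def audit(args):
    """Check both properties; a missing JVM argument is reported as well."""
    paths = parse_jvm_args(args)
    return {p: check_file(paths[p]) if p in paths else ["JVM argument not set"]
            for p in PROPS}

if __name__ == "__main__":
    # Usage: python check_krb_args.py -Djava.security.krb5.conf=... -D...
    for prop, problems in audit(sys.argv[1:]).items():
        print(prop, "->", problems or "ok")
```

Run it with the same `-D` options that are entered as NW JVM arguments; an empty list for both properties means none of these three problems was found.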