I am currently using Active Directory SSO for BI launch pad, having followed Steve Fredell's document "Configuring Active Directory Manual Authentication and SSO for BI4".
I have now been tasked with enabling end-to-end SSO for some Oracle data sources.
Based on Steve's document, the configuration is slightly different for end-to-end SSO. Specifically, the execution of ktpass includes the mapuser option:
ktpass -out bosso.keytab -princ BICMS/service-account-name@REALM.COM -mapuser service-account-name@REALM.COM -pass service-account-password -ptype KRB5_NT_PRINCIPAL -crypto RC4-HMAC-NT
instead of:
ktpass -out bosso.keytab -princ service-account-name@REALM.COM -pass service-account-password -kvno 255 -ptype KRB5_NT_PRINCIPAL -crypto RC4-HMAC-NT
There are also two related changes in global.properties.
My question is this: having already set up SSO, what will happen when I execute ktpass again with the mapuser option? From what little I've read, ktpass will update the service account in AD in addition to generating the file. I'm afraid that at the moment ktpass is executed, my running BI environment will fail to perform SSO, until the global.properties changes are made and the services restarted. If this is the case, I will need to schedule downtime for my BI system in order to have the ktpass command executed and the configuration changes made.
Can anyone confirm if my fears are valid?