
SAP BI through Microsoft App Proxy

WalterK
Product and Topic Expert

Hello all,

We have an existing SAP BI 4.2 SP05 patch 2 system with WinAD SSO configuration, and have a new requirement to provide (external) access using Azure App Proxy - https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/application-proxy-configure-sing...

When accessing the BI server from the app proxy URL, WinAD SSO fails and the logon prompt is displayed; we can then only log on manually.

We have added the external URL as an SPN for the service account that BI runs under and the BI service user trusts Kerberos delegation for all services.

The Azure app proxy is configured on the root (https://<external-FQDN>/ translates to https://<hostname>:8443/) and we are sending on-premises SAM account name as the delegated logon identity. According to the Azure App Proxy link above, the Kerberos token from the on-premise AD is sent to the application for authentication.

Please advise,

Thank you!

Regards, Walter

Accepted Solutions (0)

Answers (5)


BasicTek
Advisor
0 Kudos

Here's the on-premise KBA: https://apps.support.sap.com/sap/support/knowledge/preview/en/2629070. If the users are logged into a domain that has a 2-way forest trust to allow Kerberos communication, then it's possible to set up SSO. I have added some info on using redirects, and as long as the correct SPNs exist (resolvable via DNS) in a trusted environment then it can be used; else see the trusted auth KBA, which has links to ADFS and Azure specific blogs.

-Tim

WalterK
Product and Topic Expert
0 Kudos

Hi @delliott11,

Unfortunately we were not able to get this working; as per the comments from tim.ziemba, this may need trusted authentication. The customer I was working with removed this from the PoC scope.

former_member631748
Discoverer
0 Kudos

@walter.koenders1, to clarify, I am fine with not having SSO functionality from Azure WAP. My issue is I cannot even get the BI Login page to display.

Did you have to modify anything with Tomcat or some other settings to be able to get to the BI login page through Azure WAP?

Thank you

WalterK
Product and Topic Expert
0 Kudos

Hi David,

External load balancers / reverse proxies need to allow /BOE* for the application to call all accessible URIs.

The start page can be https://<bihost>/BOE/BI. With these settings we got the BI launchpad logon page displayed.

Hope this helps,

Cheers, Walter

ayman_salem
Active Contributor
0 Kudos
WalterK
Product and Topic Expert
0 Kudos

If I understand correctly, the users are authenticated against the (internal) AD domain, according to steps 5-7 at:

https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/application-proxy-configure-sing...

--

5. The Connector performs Kerberos Constrained Delegation (KCD) negotiation with the on premises AD, impersonating the user to get a Kerberos token to the application.

6. Active Directory sends the Kerberos token for the application to the Connector.

7. The Connector sends the original request to the application server, using the Kerberos token it received from AD.

--

Regards,

Walter
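
The delegation in steps 5-7 quoted above depends on three Active Directory settings. The following PowerShell is an added example, not part of the original thread or of Microsoft's documentation, that reads them with the ActiveDirectory module; the connector host name, service account name and SPN are placeholders to replace with your own values.

```powershell
# Added example. The three values below are placeholders, not values from the thread.
Import-Module ActiveDirectory

$ConnectorHost  = 'APPPROXY01'                 # assumed: server running the App Proxy connector
$ServiceAccount = 'svc-bi'                     # assumed: account the BI services run under
$TargetSpn      = 'HTTP/bihost.corp.example'   # assumed: SPN set for the app in App Proxy

# 1. The SPN must be registered on exactly one account. With a duplicate the
#    KDC cannot tell which account's key to use and issues no service ticket.
$owners = @(Get-ADObject -LDAPFilter "(servicePrincipalName=$TargetSpn)")

# 2. That one account should be the BI service account, so the ticket is
#    encrypted with a key the BI server can decrypt.
$svc = Get-ADUser -Identity $ServiceAccount -Properties servicePrincipalName, TrustedForDelegation

# 3. The connector's computer account performs the KCD in step 5, so it needs
#    the SPN in its constrained-delegation list plus protocol transition
#    ("Use any authentication protocol"), because the user never presented a
#    Kerberos ticket to the connector.
$conn = Get-ADComputer -Identity $ConnectorHost -Properties 'msDS-AllowedToDelegateTo', TrustedToAuthForDelegation

[pscustomobject]@{
    SpnOwnerCount               = $owners.Count
    SpnOwners                   = $owners.DistinguishedName -join '; '
    SpnOnServiceAccount         = $svc.servicePrincipalName -contains $TargetSpn
    ConnectorMayDelegateToSpn   = $conn.'msDS-AllowedToDelegateTo' -contains $TargetSpn
    ConnectorProtocolTransition = [bool]$conn.TrustedToAuthForDelegation
    # True here means unconstrained delegation on the service account.
    ServiceAccountUnconstrained = [bool]$svc.TrustedForDelegation
} | Format-List
```

For SSO through the proxy the expected result is `SpnOwnerCount` equal to 1 and the three `SpnOnServiceAccount`, `ConnectorMayDelegateToSpn` and `ConnectorProtocolTransition` values all `True`.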

former_member631748
Discoverer
0 Kudos

Walter, can you share how you were able to get SAP BI working through Azure Web Application Proxy?

When I publish the following URL in Azure WAP (https://<external-FQDN>/ translates to https://<hostname>:8080/BOE/BI) I end up on a blank page.

Fiddler trace shows:

  1. Request URL: https://<external-FQDN>/BOE/portal/1802121353/InfoView/logon.faces
  2. Request Method: POST
  3. Status Code: 404 Not Found

Thank you

BasicTek
Advisor
0 Kudos

Unless the users are joined to an AD domain that has a 2-way forest trust, the only way to log in this way would probably be via trusted authentication.

https://blogs.sap.com/2018/03/01/saml-integration-between-microsoft-azure-portal-and-sap-business-in...

Here’s the master KBA https://apps.support.sap.com/sap/support/knowledge/preview/en/1795949

-Tim