on 07-03-2019 6:00 AM
Hello all,
We have an existing SAP BI 4.2 SP05 patch 2 system with WinAD SSO configuration, and have a new requirement to provide (external) access using Azure App Proxy - https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/application-proxy-configure-sing...
When accessing the BI server from the app proxy URL, WinAD SSO fails and the logon prompt is displayed; we can then only log on manually.
We have added the external URL as an SPN for the service account that BI runs under, and the BI service user trusts Kerberos delegation for all services.
The Azure app proxy is configured on the root (https://<external-FQDN>/ translates to https:<hostname>:8443/) and we are sending the on-premises SAM account name as the delegated logon identity. According to the Azure App Proxy link above, the Kerberos token from the on-premise AD is sent to the application for authentication.
Please advise,
Thank you!
Regards, Walter
Here's the on-premise KBA https://apps.support.sap.com/sap/support/knowledge/preview/en/2629070 . If the users are logged into a domain that has a 2-way forest trust to allow Kerberos communication, then it's possible to set up SSO. I have added some info on using redirects, and as long as the correct SPNs exist (resolvable via DNS) in a trusted environment then it can be used; else see the trusted auth KBA, which has links to ADFS and Azure-specific blogs.
-Tim
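The two requirements raised in this thread, an HTTP SPN for both the internal and the external hostname on the BI service account and an SPN host that actually resolves in DNS, can be checked before touching the proxy. The script below is an added example, not from the original post or from SAP/Microsoft documentation; it assumes the ActiveDirectory RSAT module, the `setspn` and `Resolve-DnsName` tools of a domain-joined Windows host, and the placeholder account and hostnames shown, which you would replace with your own. The connector host check is only meaningful if you configure constrained delegation on the App Proxy connector's computer account, which the script treats as an assumption.

```powershell
# Added example (not from the thread): pre-flight checks for Kerberos SSO
# through a reverse proxy / Azure App Proxy in front of SAP BI.
Import-Module ActiveDirectory

$ServiceAccount = 'svc_bi_tomcat'             # placeholder: account the BI web tier runs under
$InternalHost   = 'bihost.corp.example.com'   # placeholder: internal BI hostname
$ExternalFqdn   = 'bi.example.com'            # placeholder: external App Proxy hostname
$ConnectorHost  = 'appproxy01'                # placeholder: App Proxy connector server (assumption)

$acct = Get-ADUser -Identity $ServiceAccount `
    -Properties ServicePrincipalNames, TrustedForDelegation, 'msDS-AllowedToDelegateTo'

# 1. Both hostnames need an HTTP SPN on the same service account; without the
#    external one, nobody can obtain a ticket for the proxied URL.
foreach ($spn in @("HTTP/$InternalHost", "HTTP/$ExternalFqdn")) {
    if ($acct.ServicePrincipalNames -contains $spn) {
        "OK      SPN present: $spn"
    } else {
        "MISSING SPN: $spn  (register with: setspn -S $spn $ServiceAccount)"
    }
}

# 2. A duplicate SPN anywhere in the forest makes Kerberos fall back to the
#    logon prompt with no obvious error; setspn -X -F lists duplicates forest-wide.
"--- duplicate SPN scan (forest) ---"
setspn -X -F

# 3. Delegation settings on the service account. The thread uses
#    'trust this user for delegation to any service' (unconstrained).
"TrustedForDelegation (unconstrained): $($acct.TrustedForDelegation)"
"Constrained delegation targets: $(($acct.'msDS-AllowedToDelegateTo') -join ', ')"

# 4. Assumption: with App Proxy the connector impersonates the user via KCD,
#    so the connector computer account must be allowed to delegate to the BI SPN.
$conn = Get-ADComputer -Identity $ConnectorHost -Properties 'msDS-AllowedToDelegateTo' -ErrorAction SilentlyContinue
if ($conn) {
    $targets = @($conn.'msDS-AllowedToDelegateTo')
    if ($targets -contains "HTTP/$InternalHost") { "OK      connector may delegate to HTTP/$InternalHost" }
    else { "MISSING connector delegation target HTTP/$InternalHost (has: $($targets -join ', '))" }
}

# 5. Tim's point: the SPN host must resolve. A CNAME answer can make the client
#    build the SPN from the canonical name instead, so prefer an A record.
foreach ($h in @($InternalHost, $ExternalFqdn)) {
    $r = Resolve-DnsName -Name $h -ErrorAction SilentlyContinue
    if (-not $r) { "MISSING DNS record for $h"; continue }
    $kind = ($r | Select-Object -First 1).Type
    $answer = $r | ForEach-Object { if ($_.Type -eq 'A') { $_.IPAddress } elseif ($_.Type -eq 'CNAME') { $_.NameHost } }
    $note = if ($kind -eq 'CNAME') { ' (CNAME: check which SPN the client requests)' } else { '' }
    "OK      $h -> $($answer -join ', ')$note"
}
```

Run it as a user who can read the service account and the connector computer object; every line starting with MISSING is a reason the launchpad would show the logon prompt instead of signing the user in.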
Hi @delliott11,
Unfortunately we were not able to get this working; as per the comments from tim.ziemba, this may need trusted authentication. The customer I was working with removed this from the PoC scope.
Hi David,
External load-balancers / reverse proxies need to allow /BOE* for the application to call all accessible URIs.
The start page can be https://<bihost>/BOE/BI. With these settings we got the BI launchpad logon page displayed.
Hope this helps,
Cheers, Walter
See this document, it might help
https://docs.microsoft.com/en-us/azure/active-directory/hybrid/
If I understand correctly, the users are authenticated against the (internal) AD domain, according to steps 5-7 at:
--
5. The Connector performs Kerberos Constrained Delegation (KCD) negotiation with the on premises AD, impersonating the user to get a Kerberos token to the application.
6. Active Directory sends the Kerberos token for the application to the Connector.
7. The Connector sends the original request to the application server, using the Kerberos token it received from AD.
--
Regards,
Walter
Walter, can you share how you were able to get SAP BI working through Azure Web Application Proxy?
When I publish the following URL in Azure WAP (https://<external-FQDN>/ translates to https:<hostname>:8080/BOE/BI), I end up on a blank page.
Fiddler trace shows
Thank you
Unless the users are joined to an AD domain that has a 2-way forest trust, the only way to log in this way would probably be via trusted authentication.
Here’s the master KBA https://apps.support.sap.com/sap/support/knowledge/preview/en/1795949
-Tim