Can we use 'HTTPS' when creating SETSPN for creating the SPN for AD SSO on Tomcat for SAP BI 4.3?

sheik_pheerunggee
Discoverer
0 Kudos

Dear All,

Currently implementing AD SSO on Tomcat with SAP BI 4.3 SP1 and my manual AD works fine. However my SSO fails [being prompted for the logon screen] with the below message in stdout.log

com.wedgetail.idm.sso.ConfigException: All SPNs failed verification.
com.businessobjects.webpath.rebean3ws.Activator

setspn -s HTTPS/BISERVERNAME SERVICEACCOUNT

setspn -s HTTPS/BISERVERNAME.FQDN SERVICEACCOUNT

Can anyone advise whether HTTPS is supported or should we use HTTP for creating the Tomcat SPNs?

Many thanks in advance.

Best Regards

Sheik

Accepted Solutions (0)

Answers (4)


sheik_pheerunggee
Discoverer
0 Kudos

In Windows 2019 AD, we had to download the fix and change the HTTPS SPN to HTTP to be able to perform SSO on top of SSL in Tomcat/SAP BI 4.3 SP1 Patch 12.

However due to Kerberoasting and security issues our AD and Security team is unwilling to approve the HTTP SPN in Production environment.

Can SAP developers or authentication gurus clearly mention whether creating HTTPS as SPN for Win AD 2019 Domain for the Service Account is supported? If not, will it ever be supported and by when?

Many thanks in advance.

Kind Regards

Sheik

omkarsambare
Employee
0 Kudos

HTTPS SPN is not required. The SSL on Tomcat will secure the HTTP.
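As an added example that is not part of this thread, a PowerShell check (assuming the RSAT ActiveDirectory module is installed; BISERVERNAME, SERVICEACCOUNT and the DNS suffix are placeholders) that verifies the service account holds the HTTP/ SPNs a browser requests for both the short and the fully qualified host name, reports any other account holding the same SPN, and flags HTTPS/ entries that no client will ever ask for:

```powershell
# Added example, not from the original thread. Verifies the Tomcat service
# account's SPN registration for Kerberos SSO behind TLS.
# Assumptions: RSAT ActiveDirectory module present; the three parameters
# below are placeholders taken from the thread plus an assumed DNS suffix.
param(
    [string]$ServiceAccount = 'SERVICEACCOUNT',
    [string]$HostName       = 'BISERVERNAME',
    [string]$DnsSuffix      = 'corp.example.com'   # assumed FQDN suffix
)
Import-Module ActiveDirectory

# Browsers derive the SPN from the URL host name with service class HTTP,
# whether the URL scheme is http:// or https://. TLS protects the transport;
# it does not change the Kerberos service class that is requested.
$required = @("HTTP/$HostName", "HTTP/$HostName.$DnsSuffix")

$acct = Get-ADUser -Identity $ServiceAccount -Properties servicePrincipalName
$registered = @($acct.servicePrincipalName)

foreach ($spn in $required) {
    if ($registered -contains $spn) {
        Write-Host "OK        $spn is registered on $ServiceAccount"
    } else {
        Write-Warning "MISSING   $spn is not registered on $ServiceAccount"
    }
    # The same SPN on a second object breaks ticket issuance for the service,
    # so report every other holder (equivalent to what 'setspn -X' catches).
    $others = Get-ADObject -LDAPFilter "(servicePrincipalName=$spn)" |
              Where-Object { $_.DistinguishedName -ne $acct.DistinguishedName }
    foreach ($o in $others) {
        Write-Warning "DUPLICATE $spn is also registered on $($o.DistinguishedName)"
    }
}

# HTTPS/ SPNs are never requested by browsers; flag them so they are not
# mistaken for a working configuration and can be cleaned up.
$registered | Where-Object { $_ -like 'HTTPS/*' } |
    ForEach-Object { Write-Warning "UNUSED    $_ (HTTPS service class is not requested by browsers)" }
```

Run it as the administrator who manages the service account; a MISSING line for either HTTP/ entry matches the "All SPNs failed verification" symptom from the first post.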

sheik_pheerunggee
Discoverer
0 Kudos

Thanks for the input Omkar, will request HTTP creation from my AD team and keep you posted on the AD SSO over Tomcat SSL.

Kind Regards

Sheik

sheik_pheerunggee
Discoverer
0 Kudos

I did follow KB 2629070 and modified my registry.

The question is whether SAP supports/recommends HTTPS when creating the SETSPN for Tomcat.

In the above KB you will see all the TOMCAT SPNs are with HTTP, and nowhere have I seen HTTPS.

setspn -s HTTPS/BISERVERNAME SERVICEACCOUNT

I'm sure doing

  • setspn -s HTTP/BISERVERNAME SERVICEACCOUNT will be OK; however, all requirements for 'Service Account' from our internal Active Directory department are to use HTTPS and no more HTTP.
ayman_salem
Active Contributor