on 04-26-2010 3:06 PM
Hi experts,
I have a problem: I want to configure Windows AD authentication in my Business Object 3.1. My system is Windows + SQL Server + Apache.
Is there any manual or documentation?
Thanks in advance,
Regards,
Here is the Administration Guide...
[http://help.sap.com/businessobject/product_guides/boexir31/en/xi3-1_bip_admin_en.pdf]
Bashir Awan
Hi,
This problem occurs when distribution groups do not incorporate the feature of security. The main purpose of this group type is for use with email-applications. Adding this group for authentication in Business Objects will always fail.
Do the following to get the issue resolved...
1. Login to the Active Directory Server
2. Go to Active Directory Users and Computers
3. Go to the properties of the target group
4. Change the "Group type" from "Distribution" to "Security"
Have a peek at the following links too...
[http://technet.microsoft.com/en-us/library/cc781446(WS.10).aspx]
[http://technet.microsoft.com/en-us/library/cc749909.aspx]
Good Luck
Bashir Awan
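Added example, not part of the original post: one way to find Distribution groups before mapping them, by decoding the `groupType` attribute from an LDIF-style export. The group names and the export text are constructed for illustration; the security-enabled bit and the scope bits are the standard Active Directory `groupType` flags.

```python
# groupType flag values defined by Active Directory.
SECURITY_ENABLED = 0x80000000
SCOPES = {0x2: "Global", 0x4: "Domain Local", 0x8: "Universal"}

# Constructed LDIF-style export of group objects; the group names are made up.
SAMPLE_LDIF = """\
dn: CN=BOE-Admins,OU=Groups,DC=kmc,DC=local
groupType: -2147483646

dn: CN=BOE-Report-Mailing,OU=Groups,DC=kmc,DC=local
groupType: 2

dn: CN=BOE-Viewers,OU=Groups,DC=kmc,DC=local
groupType: -2147483640
"""

def classify(group_type):
    """Return (type, scope) for a groupType value as LDAP reports it."""
    value = int(group_type) & 0xFFFFFFFF  # LDAP returns a signed 32-bit integer
    kind = "Security" if value & SECURITY_ENABLED else "Distribution"
    scope = next((name for bit, name in SCOPES.items() if value & bit), "Unknown")
    return kind, scope

def distribution_groups(ldif_text):
    """Return the DNs of groups whose type is Distribution."""
    flagged = []
    for entry in ldif_text.strip().split("\n\n"):
        attrs = dict(line.split(": ", 1) for line in entry.splitlines() if ": " in line)
        if "groupType" in attrs and classify(attrs["groupType"])[0] == "Distribution":
            flagged.append(attrs["dn"])
    return flagged

if __name__ == "__main__":
    for dn in distribution_groups(SAMPLE_LDIF):
        print("Distribution group, change type before mapping:", dn)
```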
[try this doc|https://www.sdn.sap.com/irj/servlet/prt/portal/prtroot/com.sap.km.cm.docs/oss_notes_boj/sdn_oss_boj_bip/sap(bD1lbiZjPTAwMQ==)/bc/bsp/spn/scn_bosap/notes%7B6163636573733d36393736354636443646363436353344333933393338323636393736354637333631373036453646373436353733354636453735364436323635373233443330333033303331333233363331333833333335%7D.do]
The complete guide will show you everything from mapping groups, creating service accounts to setting up SSO. It's done modularly with troubleshooting per section to ensure the proper steps were followed.
Regards,
Tim
Hi,
Thanks for the doc...
I configured it, but when I try to log on to Webi or to the CMC, it doesn't work; I have to enter the user and password of the domain user. Why? Can I avoid entering the user and password?
On the other hand, when I try to go to InfoViewApp, an Apache error appears saying it doesn't exist... Why? I can see an error in the Apache logs:
com.dstc.security.kerberos.KerberosConfigException: Could not locate KDC for Kerberos Realm
Any idea?
Thanks in advance,
Regards,
The doc had pretty specific steps. If you are trying SSO then you already verified SPNs? Mapped groups? Logged into client tools? Logged in manually from InfoView/CMC? Found credentials obtained in the std.out with the Vintela tracing enabled? All those tests should have preceded your 1st SSO attempt... Also there is no SSO for CMC and no steps to follow, so why are you trying to use it there?
Regards,
Tim
So logging into client tools requires
a) a correct user/pw from a valid mapped group
b) a service account running the SIA and SPN or UPN entered in the CMC
You can remove requirement b temporarily and verify the username/pw by switching the AD plugin to NTLM (this won't fix anything, it just verifies point a is working)
The reason for the modular approach in the docs is that each subsequent section will not work if the last one did not pass the test. If you jump to the end then there could be 20 different problems. I'd advise following the (complete guide) step by step and posting if you have any questions/problems.
Regards,
Tim
Again, you are way ahead of yourself. Every step is in the doc. You should only be testing manual logon in InfoView; nothing about SSO should have been considered until manual logon works. All the steps to trace and troubleshoot, as well as examples, are in that complete guide. If client tools work and kinit works then you should be testing InfoView. Just follow the steps. What happened with kinit?
Regards,
Tim
Hi Tim,
When I go to the URL: http://<server>:8080/InfoViewApp
my domain user appears correctly in the login, but SSO does not work... I go to stdout.log but I cannot see errors and nothing new appears...
If I watch the status bar, I can quickly see ......logonform.do?sso=false
Any idea?
Thanks in advance,
Regards,
Because all the tracing and troubleshooting steps are in the document. You should be asking why the troubleshooting is failing and you keep trying to SSO which is not tested until the very last step.
A) you couldn't logon to client tools but attempted SSO
B) you could not logon to infoview with AD but attempted SSO
C) you do not see logging information but attempted SSO
These are just a few. If you follow the doc then you will not be attempting SSO you will be kiniting the service account idm.princ @IDM.REALM
you will be viewing commit succeeded for manual logon
you will see credentials obtained for SSO tracing PRIOR to attempting SSO
You would have logged in with client tools long before even mentioning infoview
If you don't follow the steps and troubleshooting in the document then it's a complete waste of time to troubleshoot SSO, as the issue could be 100's of things. You may want to consider opening a ticket with support - authentication team, but they too are going to expect that you follow the doc.
Regards,
Tim
I do understand and prior to SSO you should have verified credentials obtained in the std.out per the doc. If you didn't find that then you should not skip to the end and try SSO. Of course it will not work. I keep trying to explain each step in the previous section must be completed before the end result will work. Every post I have in this thread is verbatim from the doc.
So in the doc under section 7 you should have enabled 3 java options including -Djcsi.kerberos.debug=true
After starting tomcat you should have credentials obtained for BOSSO/youraccount.yourdomain @REALM.COM
If not then you should have tested via kinit the idm.princ @REALM.COM
You mentioned SSO didn't work but did not tell the results of these steps
Regards,
Tim
In this step I received:
com.dstc.security.kerberos.KerberosConfigException: Could not locate KDC for Kerberos Realm "KMC.LOCAL"
But I solved it, it was a problem in my NDS; now the correct ticket appears for the user BOSSO/bossosvcacct.kmc.local
If I continue with the manual, I cannot do SSO...
Regards,
Hi Victor,
Can you please let us know what error message is displayed when you log in with an AD account in InfoView?
BTW, here are the steps that are required for configuring just the manual AD Kerberos authentication.
1) Log in to CMC->authentication->Enable the Windows AD plugin and enter the AD administration credentials.
2) Create an SPN. Enter the SPN information under the service principal name field.
It could be in this format: BobjCentralMS/HOSTNAME.DOMAIN.COM
Then map the AD group and check if the users are available under Home->Users and Groups.
3) Run the SIA with a domain account.
4) Create bscLogin.conf and krb5.ini files. (Formats available in admin guide)
5) Create a folder under C:\WINNT and place the above files in there.
6) Mention the location of the above files under tomcat configuration->java options (the standard format is available in admin guide).
7) Also check if the delegation option is checked for the AD service account on your AD server.
8) Try to log in with an AD account in InfoView to test the issue.
Hope this information helps!!!
Refer to page 508 of Business Objects Enterprise 3.1 Administrator's Guide available from help.sap.com. The content around this page and on this page should be able to assist you with the configuration.
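Added example, not part of the original posts or the admin guide: a small check of a krb5.ini (step 4 above) for the cases where the default realm has no KDC configured in the file, so that KDC location is left entirely to DNS, which is the situation behind the "Could not locate KDC" error earlier in the thread. It assumes the standard krb5.ini layout with `[libdefaults]` and `[realms]` sections; the realm name is the one from the thread and the KDC host name is a made-up placeholder.

```python
import re

# Constructed sample. The realm is the one quoted in the thread's error
# message; the KDC host name dc01.kmc.local is a made-up placeholder.
GOOD = """\
[libdefaults]
default_realm = KMC.LOCAL
[realms]
KMC.LOCAL = {
    kdc = dc01.kmc.local
}
"""
BAD_CASE = GOOD.replace("KMC.LOCAL = {", "kmc.local = {")  # realm key in wrong case
NO_KDC = GOOD.replace("    kdc = dc01.kmc.local\n", "")    # realm without a kdc line

def parse_krb5(text):
    """Return (libdefaults dict, {realm: [kdc hosts]}) from krb5.ini text."""
    section, realm, libdefaults, realms = None, None, {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # blank line or comment
            continue
        if m := re.fullmatch(r"\[(\w+)\]", line):
            section, realm = m.group(1), None
        elif section == "realms" and (m := re.fullmatch(r"(\S+)\s*=\s*\{", line)):
            realm = m.group(1)
            realms[realm] = []
        elif line == "}":
            realm = None
        elif "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            if section == "libdefaults":
                libdefaults[key] = value
            elif realm is not None and key == "kdc":
                realms[realm].append(value)
    return libdefaults, realms

def check_krb5(text):
    """List problems that leave the default realm without a configured KDC."""
    libdefaults, realms = parse_krb5(text)
    default = libdefaults.get("default_realm")
    if not default:
        return ["no default_realm in [libdefaults]"]
    if default in realms:
        return [] if realms[default] else [f"realm {default} has no kdc entry"]
    near = [r for r in realms if r.upper() == default.upper()]
    hint = f"; found {near[0]} (realm names are case-sensitive)" if near else ""
    return [f"no [realms] entry for {default}{hint}"]
```

Run `check_krb5(open(path).read())` against the file that the Tomcat Java options point to; an empty list means the default realm has at least one `kdc` line.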