on 07-29-2011 3:19 PM
Hi,
We have a problem about SSO with Windows AD.We use BI 4.0 on windows server 2008 (64bit),domain controller server is also windows server 2008 (64bit).We did everything what "xi4_bip_admin_en" document says.We did these before SSO like in the document;
We created a new folder called "c:\WINNT" and created "krb5.ini" and "bsclogin.conf" in the folder.
İn krb5.ini we wrote these;
[libdefaults]
default_realm =DOMAIN1.COM
dns_lookup_kdc = true
dns_lookup_realm = true
default_tkt_enctypes = rc4-hmac
default_tgs_enctypes = rc4-hmac
[domain_realm]
.domain.com =DOMAIN1.COM
domain.com =DOMAIN1.COM
.domain2.com =DOMAIN2.COM
domain2.com DOMAIN2.COM
[realms]
DOMAIN.COM = {
default_domain =DOMAIN2.COM
kdc =HOST.DOMAIN1.COM
}
DOMAIN2.COM = {
default_domain = DOMAIN2.COM
kdc = HOSTNAME.DOMAIN2.COM
}
[capaths]
DOMAIN2.COM = {
DOMAIN1.COM =
}
AND
in bsclogin we wrote these;
com.businessobjects.security.jgss.initiate {
com.sun.security.auth.module.Krb5LoginModule required
storeKey=true
keyTab=C:\Program Files\Java\jre6\bin\BOSSO.keytab
doNotPrompt=true
useKeyTab=true
realm=DOMAIN.COM
principal=SERVICENAME at DOMAIN.COM
debug=true;
};
AND THEN
We created new docs in "C:\Program Files (x86)\SAP BusinessObjects\Tomcat6\webapps\BOE\WEB-INF\config\custom"
calls;
bilaunchpad.properties;
"authentication.default=secWinAD
cms.default=<cmsservername>:<cms port>"
global.properties;
vintela.enabled=true
idm.realm=DOMAIN.COM
idm.princ=PRINCIPAL NAME
idm.allowUnsecured=true
idm.allowNTLM=false
idm.logger.name=simple
idm.logger.props=error-log.properties
idm.keytab=C:\Program Files\Java\jre6\bin\BOSSO.keytab
idm.allowS4U=true
sso.enabled=true
siteminder.authentication=secWinAD
siteminder.enabled=false"
opendocument.properties
"app.name=BusinessObjects OpenDocument
app.name.short=OpenDocument
You can specify the default Authentication types here. secEnterprise, secLDAP, secWinAD, secSAPR3
authentication.default=secEnterprise
Choose whether to let the user change the authentication type. If it isn't shown the default authentication type from above will be used
authentication.visible=false
You can specify the default CMS machine name here
cms.default=:
Choose whether to let the user change the CMS name. If it isn't shown the default System from above will be used
cms.visible=false
Set to false to disable logon with token.
logontoken.enabled=true
Allow or disallow logoff on web session expiry for external logon.
Has no effect if the global logoff.on.websession.expiry value is false
extlogon.allow.logoff=true"
AFTER THESE WE SET THESE;
"ktab -k BOSSO.keytab -a BOSSO/service.domain.com at domain.com"
"ktpass -princ HTTP/server.domain.com at domain.com -mapuser bi1 -crypto RC4-HMAC-NT -ptype KRB5_NT_PRINCIPAL -mapop set +desonly -pass password -out BOSSO.keytab"
"setspn -a HTTP/servername servicename"
"setspn -a HTTP/servername.domainname servicename"
"setspn -a HTTP/<ip adress of server> servicename"
AND in BO server we set serviceaccount as administrator.and started SIA with this account.Than logged in to CMC,open the "Authentication".Enabled windows AD.Put domain group to map.Everything is ok.We can see the domain users.
But when we try to log in with these users we get this error;
"Account Information Not Recognized: Active Directory Authentication failed to log you on. Please contact your system administrator to make sure you are a member of a valid mapped group and try again. If you are not a member of the default domain, enter your user name as UserName at DNS_DomainName, and then try again. (FWM 00006)"
And there is a log in tomcat6 s log folder "stdout",writes this;
"log4j:WARN No appenders could be found for logger (com.sun.faces.config.ConfigureListener).
log4j:WARN Please initialize the log4j system properly.
com.businessobjects.webpath.rebean3ws.Activator"
Please Help About This
Thank You
We haven't finished the white paper on XI 4 vintela yet, so you should use the info in KB 1483762 - Configuring Manual Kerberos Authentication and/or SSO in Distributed Environments with XI 3.1 SP3 **Best Practice** replacing the settings in the global.properties rather than the web.xml.
Each step in this guide has troubleshooting to isolate possible problems.
regards,
Tim
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
Hi guys, we had the exact same issue with BI 4.0 and SSO, and after much frustration got it to work the following way:
Our setup:
-
Windows Domain Functional Level: 2003
Windows 2008 R2 SAP servers
Windows Domain: MYDOMAIN.COM
DNS Suffix (for FQDN): MYDOMAIN.COM (Note: your AD and DNS might have different names)
Windows Domain Controller: MYDC.MYDOMAIN.COM
BI Server FQDN: bi4dev.mydomain.com
BI Service User (UPN): SAPServiceBI4<at>MYDOMAIN.COM
BI Service User (SAM): MYDOMAIN\SAPServiceBI4
Cleanup for previous attempts:
-
In case you have already tried to configure SSO, cleanup all you have done:
- List current SPN's assigned to the Service User (setspn -l SAPServiceBI4) and delete all SPN's (setspn -D <SPN> SAPServiceBI4)
- Check for duplicate SPN's assigned to the Service User and delete them too: setspn -X
- Delete or rename current keytab file
- On AD ensure the UPN of the Service User is back to normal (usually when you run KTPASS it changes the Ad User name to the SPN you specified, ie. change HOST/server.com<at>MYDOMAIN.COM back to SAPServiceBI4<at>MYDOMAIN.COM)
- In the global.properties file, remove the SPN entry for idm.princ= and the keytab entry for idm.keytab=
- In the BI CMC > Authentication > Windows AD, uncheck/disable "Enable Windows Active Directory"
- Reboot the whole server to clear the cache etc for a clean start
SSO Config:
-
- Create new Service User or use previous one as per guide:
UPN=SAPServiceBI4<at>MYDOMAIN.COM, SAM=MYDOMAIN\SAPServiceBI4
- Add user to Local Administrators group and update Local Security Policy as per guide (Act as part of the Operating system, Log on as a Batch job, Log on as a service, Replace a Process Level Token)
- On Domain Controller run the KTPASS to create SPN and Keytab file (this is VERY important: for the SPN you need to specify the URL that users will be using in their webbrowser to access the BI Launchpad. (For example, if your server URL to BI Launchpad is http://server.domain.com:8080/BOE/BI, then use server.domain.com<at>DOMAIN.COM):
ktpass -princ HTTP/bi4dev.mydomain.com<at>MYDOMAIN.COM -mapuser SAPServiceBI4<at>MYDOMAIN.COM -pass passw123 -kvno 255 -ptype KRB5_NT_PRINCIPAL -crypto RC4-HMAC-NT -out SAPServiceBI4.keytab
- Now, on the AD goto Domain Users and check your Service Account. The UPN should now have changed to HTTP/bi4dev.mydomain.com<at>MYDOMAIN.COM, whilst the SAM is still MYDOMAIN\SAPServiceBI4. Also, RESET THE PASSWORD to the SAME password you had for the Service User (right-click user > Reset Password) - this prevents any funny Kerberos credential issues between AD and the keytab.
- Next, goto the Delegation tab and select "Trust this user for delegation to any service (Kerberos only)". If the Delegation tab is not visible, run the setspn commands below and retry.
- Run "setspn -l SAPServiceBI4". There should now already be an SPN registered (which is the FQDN), namely HTTP/bi4dev.mydomain.com. Register additional SPN's (shortname and IP):
setspn -a HTTP/bi4dev SAPServiceBI4
setspn -a HTTP/10.10.20.30 SAPServiceBI4
- Create folder C:\WINNT and copy the keytab file to it (you can use C:\Windows itself I guess, but I played it safe)
- Assign the Service User to the SIA service in the CCM as MYDOMAIN\SAPServiceBI4
- Create/edit the "global.properties" file under ..\Program Files (x86)\SAP BusinessObjects\Tomcat6\webapps\BOE\WEBINF\config\custom\:
sso.enabled=true
siteminder.enabled=false
vintela.enabled=true
idm.realm=MYDOMAIN.COM
idm.princ=HTTP/bi4dev.mydomain.com (!! Use the SPN defined in the KTPASS command above)
idm.allowUnsecured=true
idm.allowNTLM=false
idm.logger.name=simple
idm.logger.props=error-log.properties
idm.keytab=C:/WINNT/SAPServiceBI4.keytab (!! VERY IMPORTANT !! Don't use backslashes (example C:\WINNT\SAPServiceBI4.keytab), use the forwardslash as it should be in Java format)
- Create the "BIlaunchpad.properties" file in the same location:
authentication.visible=true
authentication.default=secWinAD
cms.default=bi4dev:6400
- Increase the Tomcat header size limit in the "server.xml" file as per guide
- Create file "C:\WINNT\krb5.ini":
[libdefaults]
default_realm = MYDOMAIN.COM
dns_lookup_kdc = true
dns_lookup_realm = true
default_tkt_enctypes = rc4-hmac
default_tgs_enctypes = rc4-hmac
[domain_realm]
.domain.com = MYDOMAIN.COM
domain.com = MYDOMAIN.COM
[realms]
MYDOMAIN.COM = {
default_domain = MYDOMAIN.COM
kdc = MYDC.MYDOMAIN.COM
}
- Create file "C:\WINNT\bscLogin.conf":
com.businessobjects.security.jgss.initiate {
com.sun.security.auth.module.Krb5LoginModule required debug=true;
};
Edited by: Bernardt Nel - Priv on Aug 2, 2011 10:37 AM
- Modify the Tomcat JAVA options:
-Djava.security.auth.login.config=C:\WINNT\bscLogin.conf
-Djava.security.krb5.conf=C:\WINNT\krb5.ini
Now you can restart the server again. Once it is up and running, go into the BI CMC > Authentication > Windows AD and configure it as follows:
- Enable Windows AD
- Ad Admin Name = MYDOMAIN\SAPServiceBI4 (or any other user that can read the AD)
- Default Domain = MYDOMAIN.COM
- Add AD Group = MYDOMAIN\Domain Users
- Use Kerberos Authentication + Cache Security Context
- Service Principal Name = HTTP/bi4dev.mydomain.com
.. and set the rest as per the guide or your preferences. I opted for "Create new alias only when user logs on" so as not to import all the Domain Users at once. Restart the SIA and/or Tomcat services in CCM. Now you can test SSO via your AD login to the BI launchpad.
But alas, it still didn't work for us!? So I found a Java error in this logfile:
..\Program Files (x86)\SAP BusinessObjects\Tomcat6\work\Catalina\localhost\BOE\sbInitLog.txt
bundle=/admin
Registering config info for bundle=/admin
Starting bundle=com.businessobjects.webpath.InfoView
Registering web.xml for bundle=/InfoView
Registering config info for bundle=/InfoView
Error with config registration for bundle=/InfoView
com.wedgetail.idm.sso.ConfigException: Could not validate keytab [caused by: GSSException: Failure unspecified at GSS-API level (Mechanism level: com.dstc.security.kerberos.KerberosError: Clock skew too greatKrbError:
Error code: 37
Error message: null
Client name: null
Client realm: null
Client time: null
Server name: krbtgt/MYDOMAIN.COM
Server realm: MYDOMAIN.COM
Server time: Mon Aug 01 21:14:04 CAT 2011)]
at com.wedgetail.idm.sso.util.Util.checkAgainstKDC(Util.java:181)
at com.wedgetail.idm.sso.AbstractAuthenticator.initAuthenticator2(AbstractAuthenticator.java:556)
at com.wedgetail.idm.sso.AbstractAuthenticator.initAuthenticator(AbstractAuthenticator.java:325)
at com.wedgetail.idm.sso.AuthFilter.init(AuthFilter.java:131)
at com.businessobjects.sdk.credential.WrappedResponseAuthFilter.init(WrappedResponseAuthFilter.java:56)
at com.businessobjects.http.servlet.internal.FilterRegistration.init(FilterRegistration.java:42)
at com.businessobjects.http.servlet.internal.FilterRegistrationManager.registerFilter(FilterRegistrationManager.java:260)
Take note this error: "Clock skew too greatKrbError"
Our Domain Controller and SAP Server time was over 4 minutes out of sync. So as a test I increased my local time on the SAP server to about the same time as the DC and VOILA! SSO works!
By the way, at first we had another error in this file, which was something like "keytab not found, could not find or read CWINNTSAPServiceBI4.keytab". This is when we used backslashes in the "global.properties" for the entry "idm.keytab=C:\WINNT\SAPServiceBI4.keytab". After changing it to forwardslahes it could find/read the keytab file "idm.keytab=C:/WINNT/SAPServiceBI4.keytab"
I hope this solves everyone's SSO problems!
Edited by: Bernardt Nel - Priv on Aug 2, 2011 10:42 AM
Hi Bernardt,
Your instructions were a little confusing.
It is better if folks follow the SAP BusinessObjects BI 4x Administrators Guide.
The thing that confused me about your instructions was your specifications for the global.properties, in particular the idm.princ where you said it should be:
idm.princ=HTTP/bi4dev.mydomain.com
I was putting HTTP/<mydomain> in the file which was incorrect.
You should specify there the Kerberos service principal account in there with the domain.
eg. if my principal account was created as:
BOSSO/mydomain.com
that is what is specified in the global.properties file.
Set to true to enable Vintela single sign on.
vintela.enabled=true
idm.realm=
idm.princ= BOSSO/mydomain.com
idm.allowUnsecured=true
idm.allowNTLM=false
idm.logger.name=simple
idm.logger.props=error-log.properties
idm.keytab=
Also, when creating the krb5.ini, it should be in the following format:
[[libdefaults]]
default_realm = DOMAIN.COM
dns_lookup_kdc = true
dns_lookup_realm = true
default_tkt_enctypes = rc4-hmac
default_tgs_enctypes = rc4-hmac
[[domain_realm]]
.domain.com = DOMAIN.COM
domain.com = DOMAIN.COM
.domain2.com = DOMAIN2.COM
domain2.com = DOMAIN2.COM
[[realms]]
DOMAIN.COM = {
default_domain = DOMAIN.COM
kdc = HOSTNAME.DOMAIN.COM
}
Anyway, all of the steps are explained pretty clearly in the Administrator's Guide.
You can download it from here:
http://help.sap.com/businessobject/product_guides/
Edited by: Ainsley O'Sullivan on Oct 13, 2011 1:47 AM
User | Count |
---|---|
85 | |
10 | |
10 | |
9 | |
6 | |
6 | |
6 | |
5 | |
4 | |
3 |
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.