Former Member

Windows AD Authentication for Business Objects BI Platform

Currently we are running our installation of Business Objects BI Platform on a Windows 2008 R2 server with Tomcat. We understand that it is recommended that in order to authenticate with Windows AD you need to use Kerberos authentication, and this is true for SiteMinder authentication from this application as well. If this is wrong, please let me know.

Because of the security restrictions on our environment, we cannot run the needed scripts on the AD server in order to use Kerberos. But also because of the security restrictions, we have to use SiteMinder against AD.

Is there any suggestion of what we can do to get this authentication to work? Thanks ahead of time!

3 Answers

  • Best Answer
    Former Member
    Posted on Apr 24, 2012 at 04:09 PM

    This has been resolved. I worked with SAP and found you cannot have the service account you are using to connect to AD be attached to just the BOE server.

  • Former Member
    Posted on Mar 09, 2012 at 12:11 PM

    Hello,

    I think, according to the requirements that you mention, that you should probably use LDAP authentication in BOE instead of AD Kerberos.

    Have a look at the notes 1245218 and 1609333 that will help you for the configuration.

    https://service.sap.com/sap/support/notes/1245218

    https://service.sap.com/sap/support/notes/1609333

    Regards,

    Philippe

    • Former Member

      I followed the note 1245218 and I get the error "An internal error has occurred in the secLdap plugin". I have searched the web and tried the following:

      -Disabled SiteMinder

      -Removed the Oracle 11g Client from the server

      Are there any other suggestions on how to establish this connection?

      Thanks!

  • Former Member
    Posted on Mar 09, 2012 at 01:32 PM

    Kerberos is a very secure protocol, compared to others.

    Creating SPNs and enabling the delegation option is required for Kerberos to work.

    These steps are suggested by Microsoft for Kerberos to work and are not controlled by SAP BO.

    Kerberos also allows you to perform SSO to the DB to view reports on demand.

    However, if you wish to use SiteMinder, you can pull Active Directory users using the AD plug-in and then use SiteMinder with Trusted Authentication to pass the username authenticated by SiteMinder to BO, and BO can use the user name passed to create a session.

    Note: As the user is already authenticated by SiteMinder, BO would not perform the authentication again.

    Please go through the SAP Notes below, which help with setting up Trusted Authentication SSO.

    1422248 - Setting up Trusted Authentication in XI 3.x for Infoview and Opendocument using QUERY_STRING

    1603002 - Setting up Trusted Authentication in BI4 for BIlaunchPad and Opendocument using HTTP_HEADER

    Cheers,

    Vikram.V
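
The trust relationship described in the answer above, as an added example that is not part of the original post and not SAP's code: because BO creates a session for whatever user name the front end passes, this Python check reviews the web application's trusted-authentication settings and flags the retrieval methods named in the two notes (HTTP_HEADER, QUERY_STRING) whose value a browser can set itself. The property keys (`sso.enabled`, `trusted.auth.user.retrieval`, `trusted.auth.user.param`) are assumed from BI 4.x web application configuration and do not appear in the thread; the sample file and the `SM_USER` header name are constructed.

```python
# Added example: audit of the trusted-authentication keys in a BOE properties file.
# Retrieval methods whose value a browser can set unless a front end overwrites it.
CLIENT_SUPPLIED = {"HTTP_HEADER", "QUERY_STRING"}

# Constructed sample, not taken from the thread; SM_USER is an assumed header name.
SAMPLE = """\
# global.properties (constructed)
sso.enabled=true
trusted.auth.user.retrieval=HTTP_HEADER
trusted.auth.user.param=SM_USER
"""


def parse_properties(text):
    """Parse simple key=value lines; lines starting with '#' or '!' are comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def audit_trusted_auth(text):
    """Return review findings for the trusted-authentication settings."""
    props = parse_properties(text)
    if props.get("sso.enabled", "").lower() != "true":
        return ["sso.enabled is not true: trusted authentication SSO is off"]
    method = props.get("trusted.auth.user.retrieval", "").upper()
    param = props.get("trusted.auth.user.param", "")
    findings = []
    if not method:
        findings.append("trusted.auth.user.retrieval is empty: no user name source")
    if method in CLIENT_SUPPLIED:
        if not param:
            findings.append(f"{method} needs trusted.auth.user.param")
        findings.append(
            f"{method} '{param}' is client-settable: allow only the SiteMinder "
            "front end to reach Tomcat and have it overwrite this value"
        )
    if method == "QUERY_STRING":
        findings.append("QUERY_STRING exposes the user name in URLs and access logs")
    return findings


if __name__ == "__main__":
    for finding in audit_trusted_auth(SAMPLE):
        print("-", finding)
```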
