
SSO with BOXI 3.1 SP5

Hi everyone,

I'm setting up SSO on BusinessObjects XI 3.1 SP5 and, after reading some guides such as KB "1483762 - Configuring Manual Kerberos Authentication and/or SSO in Distributed Environments with XI 3.1 SP3 ***Best Practice***", I can't retrieve my mapped AD groups in CMC > Authentication > Windows AD.

I followed the guide and this is what I've done until now (reproducing step by step):

- Create an AD user (no password expires, can't change logon) which is "bossosvcacct"

- Use "setspn" on my BusinessObjects server which is in my domain MYDOMAIN.COM

For the CMS

setspn -A BOCMS/bossosvcacct.mydomain.com bossosvcacct

For TOMCAT (Tomcat 5.5.33)

setspn -A HTTP/BOSERVERNAME.mydomain.com bossosvcacct

setspn -A HTTP/BOSERVERNAME bossosvcacct

setspn -A HTTP/100.100.100.100

- Choose "Trust this user....(Kerberos only)" for delegation for bossosvcacct

- In the CMC, I've enabled "Windows AD"

- AD Administration Name : MYDOMAIN\bossosvcacct

- Default AD Domain : MYDOMAIN.COM

- I choose "Use Kerberos authentication" with service principal name : "BOCMS/bossosvcacct.mydomain.com"

And after this configuration similar to the best practices, I can't map my AD groups and it seems that it doesn't work.

If you want more information to resolve this issue, no problem.

Best Regards,
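
An added example, not part of the original post or of the SAP guide it cites: a Python check that compares the SPNs the steps above were meant to register on "bossosvcacct" with what `setspn -L bossosvcacct` reports. The `setspn -L` output is a constructed sample and the function names are hypothetical.

```python
import re

# SPNs taken from the post: what the setspn -A steps were meant to register.
EXPECTED_SPNS = [
    "BOCMS/bossosvcacct.mydomain.com",
    "HTTP/BOSERVERNAME.mydomain.com",
    "HTTP/BOSERVERNAME",
    "HTTP/100.100.100.100",
]
CMC_SPN = "BOCMS/bossosvcacct.mydomain.com"  # value entered in the CMC

# Constructed sample of `setspn -L bossosvcacct` output (not from the post);
# one expected SPN is left out on purpose so the report has something to show.
SAMPLE_OUTPUT = """\
Registered ServicePrincipalNames for CN=bossosvcacct,CN=Users,DC=mydomain,DC=com:
\tBOCMS/bossosvcacct.mydomain.com
\tHTTP/BOSERVERNAME.mydomain.com
\tHTTP/BOSERVERNAME
"""

# serviceclass/host[:port][/servicename]
SPN_RE = re.compile(r"^[A-Za-z0-9_.-]+/[^\s/]+(?::\d+)?(?:/\S+)?$")


def parse_setspn_list(output):
    """Return the SPNs listed in `setspn -L` output (indented lines only)."""
    spns = []
    for line in output.splitlines():
        if line[:1] in (" ", "\t") and SPN_RE.match(line.strip()):
            spns.append(line.strip())
    return spns


def audit(output, expected, cmc_spn):
    """Compare registered SPNs with the expected ones, ignoring case."""
    registered = {s.lower() for s in parse_setspn_list(output)}
    wanted = {s.lower(): s for s in expected}
    return {
        "missing": sorted(v for k, v in wanted.items() if k not in registered),
        "unexpected": sorted(registered - set(wanted)),
        "cmc_spn_registered": cmc_spn.lower() in registered,
    }


if __name__ == "__main__":
    print(audit(SAMPLE_OUTPUT, EXPECTED_SPNS, CMC_SPN))
```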



1 Answer

  • Best Answer
    May 14, 2012 at 07:28 PM

    Are you dealing with multiple domains? This portion is pretty straightforward; after enabling the account, does the plugin show as enabled (if you leave and come back, is the username/pw/domain still showing)?

    Possibly you are entering the group names wrong; are these AD security groups (not distribution lists)? Are you entering the group sAMAccountName? How about domain\group (needed for a non-default domain, but shouldn't be needed if the groups are in the default)?

    One other test is to try domain users (default group in every domain).

    Regards,

    Tim


    • OK Tim, it works!

      The last problem was the keytab and parameters in Java options with Tomcat configuration.

      Now it works like a charm and SSO is OK. I've deleted the password option in the Tomcat configuration and I've run KTPASS with all the options in order to generate a correct keytab file.

      Thanks for your advice and your time, it was really helpful!

      Best regards,