cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Windows AD cannot authenticate if BI platform UNIX?

Go to solution
Former Member

on ‎07-05-2012 6:40 PM

0 Kudos

We were eagerly awaiting BI4 SP04 to address several SAP integration issues including the requirement  use Windows AD for single sign to SAP Enterprise Portal hosting BI4 content (dashboards/webis/Analysis for OLAP) and BEx Web analyzer, i.e. user logs on once for Windows to authenticate to all SAP systems, ECC, BW, BI, EP, etc..  We have no plans to use the BI Launch Pad.

We are on AIX 6.1 for BI4 SP04, NW 7.3.1 and EP and BW 7.3.1 and are working through Kerberos client on AIX to Windows AD and SNC and SSO in SAP...

Frankly we have been struggling for some time with issues on BI4 SP02 and NW 7.3 so we are frustrated when we came across the followg in SAP doc -

Business Intelligence Platform Administrator Guide.pdf (http://help.sap.com/businessobject/product_guides/boexir4/en/xi4_bip_admin_en.pdf)

Page 211

 

The Windows AD security plugin cannot authenticate users if the BI platform server components are running on Unix

Page 212

Windows AD with Kerberos is supported if the Java application is on Unix. However, BI platform services must run on a Windows server.

Can someone clarify these statements?  We will install Java application (NW? BI Java?) on UNIX.  We will not run BI Platform? services on Windows.

If our requirement is to have a user only logon once  to Windows and access BI4 content in the SAP Portal, not the BI Launch Pad, MUST we run BI4 on Windows?

Sincere thanks for your time and thoughts,

Lee Lewis

Summit Electric Supply

ASUG EDW and BO SIG Volunteer - Market Leader

[Email address removed. Please see the rules of engagement. The forum Administrator]

Show replies
Show replies
Answer

Accepted Solutions (1)

Accepted Solutions (1)

former_member184468
Active Participant
‎07-06-2012 7:07 AM
0 Kudos

There is no Active Directory plugin on Unix.  The AD plugin uses native windows API so cannot be used to import users from the Active Directory.  This means that the Central Management Server (CMS) must be installed on a windows machine.

You can use the LDAP connectivity plugin on unix to access your AD, however unless your CMS is running on windows you will not get kerberos SSO.

However you can configure the SAP portal for SSO to BI using SAP SSO tickets.

Have a look at this blog:

http://wiki.sdn.sap.com/wiki/display/BOBJ/BI4+Integration+into+the+SAP+Entreprise+Portal+7.0.x

Show replies
Show replies
Kaempfer
Advisor
Advisor
‎07-06-2012 3:49 PM
0 Kudos

Hi Greg,

with SAP NW SSO the customer could use X.509 certificates (they will be generated automatically out of the Kerberos ticket) which would work for SAP Enterprise Portal on Unix and many other systems for client authentication.

Would this work also for BOBJ4? Topic: Enterprise trusted authentication?

This would of course only work only for all web applications.

Regards

Matthias

former_member184468
Active Participant
‎07-06-2012 6:24 PM
0 Kudos

Hi Matthias, yes that's right.  With NW SSO in the picture, Enterprise Trusted authentication can be used to access web content. 

Answers (1)

Answers (1)

Former Member
‎08-29-2012 2:44 AM
0 Kudos

Hi Lee,

How did you end up resolving this issue? Did you come up with a work around?

The client I am working at is in the exact same scenario.

Cheers,

Ainsley

Show replies
Show replies
Former Member
‎08-29-2012 4:31 PM
0 Kudos

Hi Ainsley,

A work around?  Yes and no and sort of ...kind of...

This turns out to be quite complex and tempermental.

In short, you cannot use Windows AD authentication, but instead use LDAP (with the Microsoft Active Directory). We were able to get this to work with much effort.  The biggest limitation is that it supports a single AD forest.

I am giving a presentation on silent single sign on for BI4 and Enterprise Portals at the SAP BO User Confernce in Orlando and  will see about posting the slides after the conference, but can share some of the resources here that we found to be most useful.  Please reach out to me if I can help further.

Lee Lewis

Integrating SAP BusinessObjects BI Platform 4.x with SAP NetWeaver, Ingo Hilgefort, SapPress 2011

Configuring LDAP Manual Authentication and SSO for BI4 on Unix

1631734 - Configuring Active Directory Manual Authentication and SSO for BI4

Business Intelligence Platform Administrator Guide,  SAP BusinessObjects Business Intelligence platform 4.0 Feature Pack 3,  June 2012

1670073 - How -To: Generate keystore and certificate in the process of configuring STS for SAP

1687295 - How to configure Single Sign On (SSO) on the SAP Netweaver 7.x portal to BI4

IBM - Configure single sign-on authentication on AIX

1537480 - Best Practice: How To setup Active Directory Single Sign On when BOE CMS is on Unix or Linux

Kerberos Explained - Microsoft Technet

SAP Help - Secure Network Communications (SNC)

Using Kerberos Authentication for Single Sign-On

SAP Netweaver 7.3 Configuring Kerberos Authentication

SAP BusinessObjects BI4 Active Directory SSO Tutorial

1631734 - Configuring Active Directory Manual Authentication and SSO for BI4

1245218 - How to connect the LDAP plugin to Active Directory

Lee Lewis

michael_jennings
Participant
‎09-15-2014 8:06 PM
0 Kudos

Dear All,

     At the end is not possible to apply Windows AD SSO using BI 4.1 sp04 installed on UNIX.... Is this

     correct ?

Best Regards,

ZAV

Former Member
‎09-16-2014 10:26 PM
0 Kudos

Zav,

Lee has provided a very comprehensive list and some good information.  Officially you can have SSO with AD using the LDAP connector for Active Directory (not silent - i.e. you have to type in your AD credentials).

It is possible to have silent SSO (i.e. user is signed in automatically) and Lee provides a link: 1537480 - Best Practice: How To setup Active Directory Single Sign On when BOE CMS is on Unix or Linux.  This was updated for BI4 in note 1636349.

The silent SSO is unfortunately not supported although support will help:

  • It is important to note that complete solution is not in the admin guide and support will be limited to best effort ONLY (no product escalations, or Very high support can be extended for unsupported solutions). For the most part it falls under consulting guidelines in SAP notes 83020 and 1054121

Thanks,

Bill

michael_jennings
Participant
‎09-17-2014 11:13 AM
0 Kudos

Dear Bill Lang,

     thank you about your feedback.



Best Regards,

ZAV


Ask a Question