on 01-30-2013 8:06 PM
Hi guys,
I am new here, I have a doubt with Business Objects 4.0 and SSO AD, well I have set SSO for BiLaunchPad and it works, but I want to know if it is possible to set SSO for client tools suchs Xcelsius, Universe Designer, etc. Is it possible? I haven't found any document about this topic only for BiLaunchPad.
Besides for these client tools Windows AD authentication works but we have to login manually with user/password from AD
If this configuration is not possible, is there any sapnote that support it?
I will appreciate your help.
Regards
Hector
Hi Hector,
Follow the below steps for SSO in SAP Business Objects 4.0:
BusinessObjects 4.0 Single Sign On
First thing first.
Define server name and IP address.
Run following commands to return server names and IPs.
Step 1
Create an Active Directory service account, biservice (password: Password1). Make to set this user password never expire
Add Domain/biservice user to local Administrators group and assign biservice user the right 'Act as part of Operating System' in the Local Security Policy snap-in
Step 2
In order to create appropriate Service Principal Names (SPNs), execute the following commands on Active Directory server:
Run ‘setspn -l biservice’to confirm SPNs have been created by running
Step 3
Make sure to change the user config of ‘biservice’ user in Active Directory configuration, and under the Delegation tab, turn on ‘Trust this user for delegation to any service (Kerberos only)’.
Step 4
In Central Management Console CMC under AD Authentication area perform the following tasks.
Hit Save to save all your entries. Also make sure to check under the Groups area to make sure your AD group has been added.
Step 5
Modify the Server Intelligence Agent (SIA) process on the BusinessObjects server to run as the DOMAIN\biservice user.
Step 6
Here we can test this by logging into Web Intelligence Rich Client using an AD user who is part of the group. Single Sign On (SSO) should take place once you select ‘Windows AD’ authentication and click OK (There is no need to input your username or password).
Step 7
Now it is turn to create a file called ‘bscLogin.conf’. Save this file to C:\Windows\ directory on the BusinessObjects server, and put the following content into it using Notepad:
com.businessobjects.security.jgss.initiate {
com.sun.security.auth.module.Krb5LoginModule required debug=true;
};
We are not done yet. Create another file called ‘krb5.ini’. Save this file to C:\Windows\ directory, and put the following content into it using Notepad:
[libdefaults]
default_realm = DOMAIN.INTERNAL
dns_lookup_kdc = true
dns_lookup_realm = true
default_tgs_enctypes = rc4-hmac
default_tkt_enctypes = rc4-hmac
udp_preference_limit = 1
[realms]
kdc = ADSERVER.DOMAIN.INTERNAL
default_domain = DOMAIN.INTERNAL
}
Make sure this file is save correctly by navigating to E:\Program Files (x86)\SAP BusinessObjects\SAP BusinessObjects Enterprise XI 4.0\win64_x64\jdk\bin\ folder on the BusinessObjects server, and execute ‘kinit biservice’ in a command prompt. If a new ticket is stored, the file is correct.
Step 8
Here are we now on BOBJ Server.
Stop Tomcat. Modify the BI Launch Pad’s .properties file to reveal the authentication dropdown. Navigate to E:\Program Files (x86)\SAP BusinessObjects\Tomcat6\webapps\BOE\WEB-INF\custom and create a file called ‘BIlaunchpad.properties’ with the following text:
authentication.visible=true
authentication.default=secWinAD
Open up the Tomcat Options, and add the following lines to the Tomcat Java Options:
-Djava.security.auth.login.config=c:\windows\bscLogin.conf
-Djava.security.krb5.conf=c:\windows\krb5.ini
Once you are done there, Start Tomcat and do a manual logon to BusinessObjects, and check Tomcat trace logs for a ‘commit succeeded’.
Step 9
Stop Tomcat. Modify E:\Program Files (x86)\SAP BusinessObjects\Tomcat6\conf\server.xml, by adding ‘maxHttpHeaderSize=”65536″‘ in Connector Port 8080 tag.
Navigate to E:\Program Files (x86)\SAP BusinessObjects\Tomcat6\webapps\BOE\WEB-INF\config\custom and create a file called ‘global.properties’ with the following text:
sso.enabled=true
siteminder.enabled=false
vintela.enabled=true
idm.realm=DOMAIN.INTERNAL
idm.princ=biservice
idm.allowUnsecured=true
idm.allowNTLM=false
idm.logger.name=simple
idm.logger.props=error-log.properties
Open Tomcat Options Add the following lines to Tomcat Java Options:
-Dcom.wedgetail.idm.sso.password=Password1
-Djcsi.kerberos.debug=true
Delete logs in E:\Program Files (x86)\SAP BusinessObjects\Tomcat6\logs\ and C:\SBOPWebapp_BIlaunchpad_IP_PORT\.
Start Tomcat, go to E:\Program Files (x86)\SAP BusinessObjects\Tomcat6\logs\, check stdout.log has ‘credentials obtained’ shown.
Test silent single sign on is now working in a browser (not on the BusinessObjects server).
Step 10
Copy BIlaunchpad.properties and global.properties from E:\Program Files (x86)\SAP BusinessObjects\Tomcat6\webapps\BOE\WEB-INF\config\custom to E:\Program Files (x86)\SAP BusinessObjects\SAP BusinessObjects Enterprise XI 4.0\warfiles\webapps\BOE\WEB-INF\config\custom so that patches don’t overwrite them and SSO stops working.
Step 11
Create a keytab on the AD server by running the following command:
ktpass -out bosso.keytab -princ biservice@DOMAIN.INTERNAL -pass Password1 -kvno 255 -ptype KRB5_NT_PRINCIPAL -crypto RC4-HMAC-NT
Copy this file to c:\windows of BOBJ server.
Stop Tomcat.
Add the following line to E:\Program Files (x86)\SAP BusinessObjects\Tomcat6\webapps\BOE\WEB-INF\config\custom\global.properties
Open Tomcat Configuration, remove the Wedgetail line in Java Options, restart tomcat and make sure ‘credentials obtained’ still showing up in stdout.log.
Now check silent single sign on.
Step 12
Remove debug=true from the C:\windows\bscLogin.conf file, and also remove the debugging line in Tomcat Configuration, Java Options.
After doing all the above activity you will be able to login in Client (Web Intelligence Rich CLient, Universe Design Tool, Information Design Tool,Business View Manager,Crystal Report & BI Launch pad) Using Single Sign On (SSO).
Thanks,
Daya
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
Thank you for the answers, I already followed exactly all the steps you said, however, I still being prompted to log in at each client tool that I try to enter. So the SSO isn't working at all. I don't know whether I'm being clear. The idea is fill the only login when I turn on the computer and then appear the blue screen with the textbox user and password.
I'll appreciate your help.
Regards.
Hi Hector,
I think you are missing some steps (From Steps V)
Step 5
Modify the Server Intelligence Agent (SIA) process on the BusinessObjects server to run as the DOMAIN\biservice user.
1.Stop SIA
2.RMC on SIA and Properties
3.Go to configuration
4.Under Log on as enter your credential
5.User: DOMAIN\biservice and password
6.Click OK and start the service
You need to Point your Server Intelligence Agent (SIA) from Local host to your Domain Name\UserName (For Eg: DOMAIN\biservice )
Then only you have to login using single sign on (SSO) in your client application (Web Intelligence Rich Client, Information Design Tools, Universe Design Tools etc)
Please refer the steps again.
Thanks,
Daya
Hector,
Yes, SSO is fully supported for one authentication at a time. In your case Windows AD if properly configured in CMC, it should be working fine.
The SSO does not apply when you are building the solution using client tools as a developer. You will use SSO either to access the launch pad portal to access reports or while deploying the solution. To answer your questions, SSO is full possible for logon and universe designer and IDT but used more on the deployment step.
Regards,
Rama
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
User | Count |
---|---|
84 | |
23 | |
11 | |
9 | |
8 | |
5 | |
5 | |
5 | |
5 | |
4 |
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.