
Windows AD Single Sign On

First, let's define our server names and IPs (you must obviously adjust these, and the commands below, to reflect your own server names and IPs):

Domain Name: DOMAIN (FQDN: DOMAIN.SITE)
Service Account: bobjbiuser (password: Password1)
Domain Controller: <DC>.<DOMAIN.SITE>
BusinessObjects Server: <BI Server>.<DOMAIN.SITE>
BusinessObjects AD Group: DOMAIN\UserGroup

Step 1
Create an Active Directory service account, bobjbiuser (password: Password1). Ensure the user's "Password never expires" option is checked. On the BusinessObjects server, add the DOMAIN\bobjbiuser user to the local Administrators group. Also grant bobjbiuser the "Act as part of the operating system" right in the Local Security Policy snap-in.

Step 2
Run the following commands on the Active Directory server to create the appropriate Service Principal Names (SPNs):

    setspn -a BICMS/bobjbiuser.<DOMAIN.SITE> bobjbiuser
    setspn -a HTTP/<BI Server> bobjbiuser
    setspn -a HTTP/<BI Server>.<DOMAIN.SITE> bobjbiuser

Verify the SPNs have been created by running setspn -l bobjbiuser.

Step 3
Open the bobjbiuser user's properties in Active Directory and, under the Delegation tab, turn on "Trust this user for delegation to any service (Kerberos only)".

Step 4
Under the AD Authentication area in the Central Management Console, take the following actions:

    Enable Windows Active Directory (AD)
    AD Administration Name = <DOMAIN>\bobjbiuser
    Default AD Domain: <DOMAIN.SITE>
    Add AD Group: <DOMAIN>\UserGroup
    Use Kerberos Authentication
    Service principal name = BICMS/bobjbiuser.<DOMAIN.SITE>
    Enable Single Sign On for selected authentication mode

Click Save to save all your entries. Check under the Groups area to make sure your AD group has been added.

Step 5
Modify the Server Intelligence Agent (SIA) process on the BusinessObjects server to run as the <DOMAIN>\bobjbiuser user:
a. Stop the SIA
b. Right-click the SIA and choose Properties
c. Go to Configuration
d. Under "Log on as" enter your credentials
e. User: DOMAIN\bobjbiuser and its password
f. Click OK and start the service

Step 6
Test this by logging into Web Intelligence Rich Client as an AD user who is a member of the group. SSO should occur once you select Windows AD authentication and click OK (no need to enter a username or password).

Step 7
Create a file called bscLogin.conf, save it into the C:\Windows\ directory on the BusinessObjects server, and put the following content into it using Notepad:

    com.businessobjects.security.jgss.initiate {
        com.sun.security.auth.module.Krb5LoginModule required debug=true;
    };

Create a file called krb5.ini, save it into the C:\Windows\ directory, and put the following content into it using Notepad:

    [libdefaults]
    default_realm = <DOMAIN.SITE>
    dns_lookup_kdc = true
    dns_lookup_realm = true
    default_tgs_enctypes = rc4-hmac
    default_tkt_enctypes = rc4-hmac
    udp_preference_limit = 1

    [realms]
    DOMAIN.SITE = {
        kdc = ADSERVER.DOMAIN.SITE
        default_domain = <DOMAIN.SITE>
    }

Verify this file is correct by navigating to the <BI Folder>\SAP BusinessObjects\SAP BusinessObjects Enterprise XI 4.0\win64_x64\jdk\bin\ folder on the BusinessObjects server and running kinit bobjbiuser in a command prompt. If a new ticket is stored, the file is correct.

Step 8
Stop Tomcat. Modify the BI Launch Pad's .properties file to reveal the authentication dropdown. Navigate to <BI Folder>\SAP BusinessObjects\Tomcat6\webapps\BOE\WEB-INF\config\custom and create a file called BIlaunchpad.properties with the following text:

    authentication.visible=true
    authentication.default=secWinAD

Open up the Tomcat Options and add the following lines to the Tomcat Java Options:
a. Start > Tomcat > Tomcat Configuration
b. Go to the Java tab
c. Enter the following lines under Java Options, after any previously entered entries (don't delete the existing entries)
d. Click Apply

    -Djava.security.auth.login.config=c:\windows\bscLogin.conf
    -Djava.security.krb5.conf=c:\windows\krb5.ini

Start Tomcat, then try a manual logon to BusinessObjects and check the Tomcat trace logs for "commit succeeded".

Step 9
Stop Tomcat. Modify <BI Folder>\SAP BusinessObjects\Tomcat6\conf\server.xml by adding maxHttpHeaderSize="65536" to the Connector tag for port 8080. Navigate to E:\Program Files (x86)\SAP BusinessObjects\Tomcat6\webapps\BOE\WEB-INF\config\custom and create a file called global.properties with the following text:

    sso.enabled=true
    siteminder.enabled=false
    vintela.enabled=true
    idm.realm=DOMAIN.SITE
    idm.princ=bobjbiuser
    idm.allowUnsecured=true
    idm.allowNTLM=false
    idm.logger.name=simple
    idm.logger.props=error-log.properties

Open up the Tomcat Options and add the following lines to the Tomcat Java Options:

    -Dcom.wedgetail.idm.sso.password=Password1
    -Djcsi.kerberos.debug=true

Delete the logs in E:\Program Files (x86)\SAP BusinessObjects\Tomcat6\logs\ and C:\SBOPWebapp_BIlaunchpad_IP_PORT\. Start Tomcat, go to E:\Program Files (x86)\SAP BusinessObjects\Tomcat6\logs\, and check that stdout.log shows "credentials obtained". Test that silent single sign on is now working in a browser (not on the BusinessObjects server itself).

Step 10
Copy BIlaunchpad.properties and global.properties from E:\Program Files (x86)\SAP BusinessObjects\Tomcat6\webapps\BOE\WEB-INF\config\custom to E:\Program Files (x86)\SAP BusinessObjects\SAP BusinessObjects Enterprise XI 4.0\warfiles\webapps\BOE\WEB-INF\config\custom so that patches don't overwrite them and break SSO.

Step 11
Create a keytab on the AD server by running the following command:

    ktpass -out bosso.keytab -princ bobjbiuser@DOMAIN.SITE -pass Password1 -kvno 255 -ptype KRB5_NT_PRINCIPAL -crypto RC4-HMAC-NT

Copy this file to C:\Windows on the BOBJ server. Stop Tomcat. Add the following line to E:\Program Files (x86)\SAP BusinessObjects\Tomcat6\webapps\BOE\WEB-INF\config\custom\global.properties:

    idm.keytab=C:/WINDOWS/bosso.keytab

Open up the Tomcat Configuration and remove the Wedgetail line (-Dcom.wedgetail.idm.sso.password=...) from the Java Options, since the keytab now replaces the plaintext password there. Restart Tomcat and make sure "credentials obtained" still shows up in stdout.log. Now check that silent single sign on is still operating correctly.

Step 12
Remove debug=true from the C:\Windows\bscLogin.conf file, and also remove the debugging line -Djcsi.kerberos.debug=true from the Java Options in the Tomcat Configuration.

a. Stop Tomcat
b. Right-click Tomcat and click Properties
c. Go to the Java tab
d. Remove the debug=true entry from there
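A configuration check, added here as an example and not part of the original guide or of SAP's tooling: it takes the four artifacts from Steps 7 to 12 (krb5.ini, global.properties, bscLogin.conf and the Tomcat Java Options) as text and reports anything that contradicts the intended end state, such as a realm mismatch, a missing keytab, or the plaintext password option and debug flags still present. The file contents below are constructed placeholders; on a real server, read them from the paths given above.

```python
import re

# Constructed placeholder contents of the files from Steps 7-12 (not from a real site).
KRB5_INI = """[libdefaults]
default_realm = DOMAIN.SITE
[realms]
DOMAIN.SITE = {
 kdc = ADSERVER.DOMAIN.SITE
}
"""
GLOBAL_PROPERTIES = """sso.enabled=true
vintela.enabled=true
idm.realm=DOMAIN.SITE
idm.princ=bobjbiuser
idm.keytab=C:/WINDOWS/bosso.keytab
"""
BSCLOGIN_CONF = """com.businessobjects.security.jgss.initiate {
 com.sun.security.auth.module.Krb5LoginModule required debug=true;
};
"""
JAVA_OPTIONS = """-Djava.security.auth.login.config=c:\\windows\\bscLogin.conf
-Djava.security.krb5.conf=c:\\windows\\krb5.ini
-Dcom.wedgetail.idm.sso.password=Password1
"""

def parse_properties(text):
    """Java .properties style key=value lines -> dict; blank and # lines are skipped."""
    pairs = (l.split("=", 1) for l in text.splitlines() if "=" in l and not l.lstrip().startswith("#"))
    return {k.strip(): v.strip() for k, v in pairs}

def check_sso_config(krb5_ini, global_props, bsclogin_conf, java_options):
    """Return findings as strings; an empty list means the end state of Steps 8-12 is reached."""
    props = parse_properties(global_props)
    m = re.search(r"^\s*default_realm\s*=\s*(\S+)", krb5_ini, re.M)
    checks = [
        (m is None, "krb5.ini: default_realm missing"),
        (m and props.get("idm.realm") != m.group(1), "global.properties idm.realm differs from krb5.ini default_realm"),
        (not re.search(r"\[realms\][^\[]*\bkdc\s*=", krb5_ini), "krb5.ini: no kdc entry under [realms]"),
        (any(props.get(k, "").lower() != "true" for k in ("sso.enabled", "vintela.enabled")), "global.properties: sso.enabled/vintela.enabled not both true"),
        ("idm.keytab" not in props, "global.properties: idm.keytab missing (Step 11)"),
        ("-Dcom.wedgetail.idm.sso.password=" in java_options, "Java Options: plaintext password still set; use the keytab (Step 11)"),
        ("-Djcsi.kerberos.debug=true" in java_options, "Java Options: -Djcsi.kerberos.debug=true still set (Step 12)"),
        (re.search(r"\bdebug\s*=\s*true", bsclogin_conf) is not None, "bscLogin.conf: debug=true still set (Step 12)"),
        ("-Djava.security.auth.login.config=" not in java_options, "Java Options: login.config path missing (Step 8)"),
        ("-Djava.security.krb5.conf=" not in java_options, "Java Options: krb5.conf path missing (Step 8)"),
    ]
    return [msg for bad, msg in checks if bad]

if __name__ == "__main__":
    print(*check_sso_config(KRB5_INI, GLOBAL_PROPERTIES, BSCLOGIN_CONF, JAVA_OPTIONS), sep="\n")
```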

Other information
Detailed troubleshooting and best practices can be found in KBA 1476374.
How to enable trace logging for BI 4.0 web applications can be found in KBA 1613472.
For manual logon use http://server:PORT/BOE/BI/logonNoSso.jsp
