
Manual AD authentication and Oracle Sys Db

Former Member
0 Kudos

Hello Everyone,

We are planning an environment - BO XI3.1 SP3 on Windows Server. The System DB and Audit DB will be Oracle and the connection will be done using Oracle client and TNS Names. We would like to configure BO with the existing Windows AD groups. I have two questions regarding this.

1. Can we configure Windows AD for manual authentication (no SSO) when the System DB and Audit DB are in Oracle database? I have configured AD only when the repository dbs were in SQL Server not in Oracle, hence the question. Are there any known issues in this kind of setup or any pitfalls that I have to watch out for?

2. I have also requested a domain account (Service Account) for running BOBJ services on the server plus asked the administrators to give AD administrative privileges to this domain account so that it has ability to browse through all the AD groups. I am thinking of using this AD account in the AD Administrator field in the AD-Plugin page in CMC. Is this approach correct? Do we need to add SPN properties to this Service Account to configure just manual AD but no SSO?

Any insights, recommendations and suggestions most welcome.

Thanks in Advance.

Accepted Solutions (0)

Answers (2)

Former Member
0 Kudos

Thanks much for the information. That was very helpful.

For the domain account, yes, I have requested a domain account to be a Service Account. But do we need to add SPN properties to it? That is, do we need to run the following command on the domain controller if we just set manual AD but no SSO?

SETSPN.exe -A <ServiceClass>/<DomainName> <Serviceaccount>

Thanks

Adi

Former Member
0 Kudos

I would say this is not necessary in the current scenario you described, but I may be wrong.

I'm confident the service account for SIA and CMS communicating to AD will do, but only testing will tell you.

On a different note, all the KBs I found reference SetSPN for SSO usage, which goes in the same direction as what I state above (it should work just fine without it).

Regards

Romain

Former Member
0 Kudos

Hi Eddie,

You can indeed have AD configured even though you have the DB on Oracle. You can also do SSO with it, which applies at WebApp and CMS level (Oracle would have the user alias recorded in the CMS DB, but the CMS would be the service communicating with AD so the background DB is not relevant).

The limitation to this is that you cannot do end-to-end SSO, which is only available for a full SAP or full MS solution (when reporting, you would not be able to have the user automatically authenticated and using his own login for reporting).

You will also need an SPN account as you stated.

See here for further info.

Extract from the Admin Guide (p. 304, 305 and so forth)

http://help.sap.com/businessobject/product_guides/boexir31SP3/en/xi31_sp3_bip_admin_en.pdf

(p.304)

Configuring manual AD authentication

<...>

(p.305) "Setting up a service account

To configure BusinessObjects Enterprise for Kerberos and Windows AD authentication, you require a service account. You can either create a new domain account or use an existing domain account. The service account will be used to run the BusinessObjects Enterprise servers."

I hope this helps.