cancel
Showing results for 
Search instead for 
Did you mean: 

Problem about SSO with Windows AD

Former Member
0 Kudos

Hi,

We have a problem about SSO with Windows AD.We use BI 4.0 on windows server 2008 (64bit),domain controller server is also windows server 2008 (64bit).We did everything what "xi4_bip_admin_en" document says.We did these before SSO like in the document;

We created a new folder called "c:\WINNT" and created "krb5.ini" and "bsclogin.conf" in the folder.

İn krb5.ini we wrote these;

[libdefaults]
default_realm =DOMAIN1.COM
dns_lookup_kdc = true
dns_lookup_realm = true
default_tkt_enctypes = rc4-hmac
default_tgs_enctypes = rc4-hmac
[domain_realm]
.domain.com =DOMAIN1.COM
domain.com =DOMAIN1.COM
.domain2.com =DOMAIN2.COM
domain2.com DOMAIN2.COM
[realms]
DOMAIN.COM = {
default_domain =DOMAIN2.COM
kdc =HOST.DOMAIN1.COM
}
DOMAIN2.COM = {
default_domain = DOMAIN2.COM
kdc = HOSTNAME.DOMAIN2.COM
}
[capaths]
DOMAIN2.COM = {
 DOMAIN1.COM =
}

AND

in bsclogin we wrote these;

com.businessobjects.security.jgss.initiate {

com.sun.security.auth.module.Krb5LoginModule required

storeKey=true

keyTab=C:\Program Files\Java\jre6\bin\BOSSO.keytab

doNotPrompt=true

useKeyTab=true

realm=DOMAIN.COM

principal=SERVICENAME at DOMAIN.COM

debug=true;

};

AND THEN

We created new docs in "C:\Program Files (x86)\SAP BusinessObjects\Tomcat6\webapps\BOE\WEB-INF\config\custom"

calls;

bilaunchpad.properties;

"authentication.default=secWinAD

cms.default=<cmsservername>:<cms port>"

global.properties;

vintela.enabled=true

idm.realm=DOMAIN.COM

idm.princ=PRINCIPAL NAME

idm.allowUnsecured=true

idm.allowNTLM=false

idm.logger.name=simple

idm.logger.props=error-log.properties

idm.keytab=C:\Program Files\Java\jre6\bin\BOSSO.keytab

idm.allowS4U=true

sso.enabled=true

siteminder.authentication=secWinAD

siteminder.enabled=false"

opendocument.properties

"app.name=BusinessObjects OpenDocument

app.name.short=OpenDocument

  1. You can specify the default Authentication types here. secEnterprise, secLDAP, secWinAD, secSAPR3

authentication.default=secEnterprise

  1. Choose whether to let the user change the authentication type. If it isn't shown the default authentication type from above will be used

authentication.visible=false

  1. You can specify the default CMS machine name here

cms.default=:

  1. Choose whether to let the user change the CMS name. If it isn't shown the default System from above will be used

cms.visible=false

  1. Set to false to disable logon with token.

logontoken.enabled=true

  1. Allow or disallow logoff on web session expiry for external logon.

  2. Has no effect if the global logoff.on.websession.expiry value is false

extlogon.allow.logoff=true"

AFTER THESE WE SET THESE;

"ktab -k BOSSO.keytab -a BOSSO/service.domain.com at domain.com"

"ktpass -princ HTTP/server.domain.com at domain.com -mapuser bi1 -crypto RC4-HMAC-NT -ptype KRB5_NT_PRINCIPAL -mapop set +desonly -pass password -out BOSSO.keytab"

"setspn -a HTTP/servername servicename"

"setspn -a HTTP/servername.domainname servicename"

"setspn -a HTTP/<ip adress of server> servicename"

AND in BO server we set serviceaccount as administrator.and started SIA with this account.Than logged in to CMC,open the "Authentication".Enabled windows AD.Put domain group to map.Everything is ok.We can see the domain users.

But when we try to log in with these users we get this error;

"Account Information Not Recognized: Active Directory Authentication failed to log you on. Please contact your system administrator to make sure you are a member of a valid mapped group and try again. If you are not a member of the default domain, enter your user name as UserName at DNS_DomainName, and then try again. (FWM 00006)"

And there is a log in tomcat6 s log folder "stdout",writes this;

"log4j:WARN No appenders could be found for logger (com.sun.faces.config.ConfigureListener).

log4j:WARN Please initialize the log4j system properly.

com.businessobjects.webpath.rebean3ws.Activator"

Please Help About This

Thank You

Accepted Solutions (0)

Answers (1)

Answers (1)

BasicTek
Active Contributor
0 Kudos

We haven't finished the white paper on XI 4 vintela yet, so you should use the info in KB 1483762 - Configuring Manual Kerberos Authentication and/or SSO in Distributed Environments with XI 3.1 SP3 **Best Practice** replacing the settings in the global.properties rather than the web.xml.

Each step in this guide has troubleshooting to isolate possible problems.

regards,

Tim

Former Member
0 Kudos

Hi guys, we had the exact same issue with BI 4.0 and SSO, and after much frustration got it to work the following way:

Our setup:

-


Windows Domain Functional Level: 2003

Windows 2008 R2 SAP servers

Windows Domain: MYDOMAIN.COM

DNS Suffix (for FQDN): MYDOMAIN.COM (Note: your AD and DNS might have different names)

Windows Domain Controller: MYDC.MYDOMAIN.COM

BI Server FQDN: bi4dev.mydomain.com

BI Service User (UPN): SAPServiceBI4<at>MYDOMAIN.COM

BI Service User (SAM): MYDOMAIN\SAPServiceBI4

Cleanup for previous attempts:

-


In case you have already tried to configure SSO, cleanup all you have done:

- List current SPN's assigned to the Service User (setspn -l SAPServiceBI4) and delete all SPN's (setspn -D <SPN> SAPServiceBI4)

- Check for duplicate SPN's assigned to the Service User and delete them too: setspn -X

- Delete or rename current keytab file

- On AD ensure the UPN of the Service User is back to normal (usually when you run KTPASS it changes the Ad User name to the SPN you specified, ie. change HOST/server.com<at>MYDOMAIN.COM back to SAPServiceBI4<at>MYDOMAIN.COM)

- In the global.properties file, remove the SPN entry for idm.princ= and the keytab entry for idm.keytab=

- In the BI CMC > Authentication > Windows AD, uncheck/disable "Enable Windows Active Directory"

- Reboot the whole server to clear the cache etc for a clean start

SSO Config:

-


- Create new Service User or use previous one as per guide:

UPN=SAPServiceBI4<at>MYDOMAIN.COM, SAM=MYDOMAIN\SAPServiceBI4

- Add user to Local Administrators group and update Local Security Policy as per guide (Act as part of the Operating system, Log on as a Batch job, Log on as a service, Replace a Process Level Token)

- On Domain Controller run the KTPASS to create SPN and Keytab file (this is VERY important: for the SPN you need to specify the URL that users will be using in their webbrowser to access the BI Launchpad. (For example, if your server URL to BI Launchpad is http://server.domain.com:8080/BOE/BI, then use server.domain.com<at>DOMAIN.COM):

ktpass -princ HTTP/bi4dev.mydomain.com<at>MYDOMAIN.COM -mapuser SAPServiceBI4<at>MYDOMAIN.COM -pass passw123 -kvno 255 -ptype KRB5_NT_PRINCIPAL -crypto RC4-HMAC-NT -out SAPServiceBI4.keytab

- Now, on the AD goto Domain Users and check your Service Account. The UPN should now have changed to HTTP/bi4dev.mydomain.com<at>MYDOMAIN.COM, whilst the SAM is still MYDOMAIN\SAPServiceBI4. Also, RESET THE PASSWORD to the SAME password you had for the Service User (right-click user > Reset Password) - this prevents any funny Kerberos credential issues between AD and the keytab.

- Next, goto the Delegation tab and select "Trust this user for delegation to any service (Kerberos only)". If the Delegation tab is not visible, run the setspn commands below and retry.

- Run "setspn -l SAPServiceBI4". There should now already be an SPN registered (which is the FQDN), namely HTTP/bi4dev.mydomain.com. Register additional SPN's (shortname and IP):

setspn -a HTTP/bi4dev SAPServiceBI4

setspn -a HTTP/10.10.20.30 SAPServiceBI4

- Create folder C:\WINNT and copy the keytab file to it (you can use C:\Windows itself I guess, but I played it safe)

- Assign the Service User to the SIA service in the CCM as MYDOMAIN\SAPServiceBI4

- Create/edit the "global.properties" file under ..\Program Files (x86)\SAP BusinessObjects\Tomcat6\webapps\BOE\WEBINF\config\custom\:

sso.enabled=true

siteminder.enabled=false

vintela.enabled=true

idm.realm=MYDOMAIN.COM

idm.princ=HTTP/bi4dev.mydomain.com (!! Use the SPN defined in the KTPASS command above)

idm.allowUnsecured=true

idm.allowNTLM=false

idm.logger.name=simple

idm.logger.props=error-log.properties

idm.keytab=C:/WINNT/SAPServiceBI4.keytab (!! VERY IMPORTANT !! Don't use backslashes (example C:\WINNT\SAPServiceBI4.keytab), use the forwardslash as it should be in Java format)

- Create the "BIlaunchpad.properties" file in the same location:

authentication.visible=true

authentication.default=secWinAD

cms.default=bi4dev:6400

- Increase the Tomcat header size limit in the "server.xml" file as per guide

- Create file "C:\WINNT\krb5.ini":

[libdefaults]

default_realm = MYDOMAIN.COM

dns_lookup_kdc = true

dns_lookup_realm = true

default_tkt_enctypes = rc4-hmac

default_tgs_enctypes = rc4-hmac

[domain_realm]

.domain.com = MYDOMAIN.COM

domain.com = MYDOMAIN.COM

[realms]

MYDOMAIN.COM = {

default_domain = MYDOMAIN.COM

kdc = MYDC.MYDOMAIN.COM

}

- Create file "C:\WINNT\bscLogin.conf":

com.businessobjects.security.jgss.initiate {

com.sun.security.auth.module.Krb5LoginModule required debug=true;

};

Edited by: Bernardt Nel - Priv on Aug 2, 2011 10:37 AM

Former Member
0 Kudos

- Modify the Tomcat JAVA options:

-Djava.security.auth.login.config=C:\WINNT\bscLogin.conf

-Djava.security.krb5.conf=C:\WINNT\krb5.ini

Now you can restart the server again. Once it is up and running, go into the BI CMC > Authentication > Windows AD and configure it as follows:

- Enable Windows AD

- Ad Admin Name = MYDOMAIN\SAPServiceBI4 (or any other user that can read the AD)

- Default Domain = MYDOMAIN.COM

- Add AD Group = MYDOMAIN\Domain Users

- Use Kerberos Authentication + Cache Security Context

- Service Principal Name = HTTP/bi4dev.mydomain.com

.. and set the rest as per the guide or your preferences. I opted for "Create new alias only when user logs on" so as not to import all the Domain Users at once. Restart the SIA and/or Tomcat services in CCM. Now you can test SSO via your AD login to the BI launchpad.

But alas, it still didn't work for us!? So I found a Java error in this logfile:

..\Program Files (x86)\SAP BusinessObjects\Tomcat6\work\Catalina\localhost\BOE\sbInitLog.txt

bundle=/admin

Registering config info for bundle=/admin

Starting bundle=com.businessobjects.webpath.InfoView

Registering web.xml for bundle=/InfoView

Registering config info for bundle=/InfoView

Error with config registration for bundle=/InfoView

com.wedgetail.idm.sso.ConfigException: Could not validate keytab [caused by: GSSException: Failure unspecified at GSS-API level (Mechanism level: com.dstc.security.kerberos.KerberosError: Clock skew too greatKrbError:

Error code: 37

Error message: null

Client name: null

Client realm: null

Client time: null

Server name: krbtgt/MYDOMAIN.COM

Server realm: MYDOMAIN.COM

Server time: Mon Aug 01 21:14:04 CAT 2011)]

at com.wedgetail.idm.sso.util.Util.checkAgainstKDC(Util.java:181)

at com.wedgetail.idm.sso.AbstractAuthenticator.initAuthenticator2(AbstractAuthenticator.java:556)

at com.wedgetail.idm.sso.AbstractAuthenticator.initAuthenticator(AbstractAuthenticator.java:325)

at com.wedgetail.idm.sso.AuthFilter.init(AuthFilter.java:131)

at com.businessobjects.sdk.credential.WrappedResponseAuthFilter.init(WrappedResponseAuthFilter.java:56)

at com.businessobjects.http.servlet.internal.FilterRegistration.init(FilterRegistration.java:42)

at com.businessobjects.http.servlet.internal.FilterRegistrationManager.registerFilter(FilterRegistrationManager.java:260)

Take note this error: "Clock skew too greatKrbError"

Our Domain Controller and SAP Server time was over 4 minutes out of sync. So as a test I increased my local time on the SAP server to about the same time as the DC and VOILA! SSO works!

By the way, at first we had another error in this file, which was something like "keytab not found, could not find or read CWINNTSAPServiceBI4.keytab". This is when we used backslashes in the "global.properties" for the entry "idm.keytab=C:\WINNT\SAPServiceBI4.keytab". After changing it to forwardslahes it could find/read the keytab file "idm.keytab=C:/WINNT/SAPServiceBI4.keytab"

I hope this solves everyone's SSO problems!

Edited by: Bernardt Nel - Priv on Aug 2, 2011 10:42 AM

Former Member
0 Kudos

Hi Bernardt,

Your instructions were a little confusing.

It is better if folks follow the SAP BusinessObjects BI 4x Administrators Guide.

The thing that confused me about your instructions was your specifications for the global.properties, in particular the idm.princ where you said it should be:

idm.princ=HTTP/bi4dev.mydomain.com

I was putting HTTP/<mydomain> in the file which was incorrect.

You should specify there the Kerberos service principal account in there with the domain.

eg. if my principal account was created as:

BOSSO/mydomain.com

that is what is specified in the global.properties file.

  1. Set to true to enable Vintela single sign on.

vintela.enabled=true

idm.realm=

idm.princ= BOSSO/mydomain.com

idm.allowUnsecured=true

idm.allowNTLM=false

idm.logger.name=simple

idm.logger.props=error-log.properties

idm.keytab=

Also, when creating the krb5.ini, it should be in the following format:

[[libdefaults]]

default_realm = DOMAIN.COM

dns_lookup_kdc = true

dns_lookup_realm = true

default_tkt_enctypes = rc4-hmac

default_tgs_enctypes = rc4-hmac

[[domain_realm]]

.domain.com = DOMAIN.COM

domain.com = DOMAIN.COM

.domain2.com = DOMAIN2.COM

domain2.com = DOMAIN2.COM

[[realms]]

DOMAIN.COM = {

default_domain = DOMAIN.COM

kdc = HOSTNAME.DOMAIN.COM

}

Anyway, all of the steps are explained pretty clearly in the Administrator's Guide.

You can download it from here:

http://help.sap.com/businessobject/product_guides/

Edited by: Ainsley O'Sullivan on Oct 13, 2011 1:47 AM

BasicTek
Active Contributor
0 Kudos

Here is the new white paper KB 1631734 - Configuring Active Directory Manual Authentication and SSO for BI4

You must be logged into SMP to access it.

Regards,

Tim