Active Directory SSO with Vintela in XI 3.1
After trying to think of another useful topic, I realised that configuring Single Sign On with Active Directory and Vintela in XI 3.1 is something that is rarely covered, and I used to have quite a lot of trouble with it.
By adapting a document on the SAP Support Portal, I now use a sure-fire method to configure AD SSO with Tomcat, the default web application server that ships with BusinessObjects Enterprise/Edge XI 3.1. It’s worked every time I’ve used it.
Firstly, let’s define our server names and IPs (you must obviously adjust these and the commands below to reflect your server names and IPs – I have underlined commands that need to be changed to help):
- Domain Name: POWI (FQDN: POWER.INTERNAL)
- Service Account: bo.service (password: admin)
- Domain Controller: vs-dev-ad-dc.POWER.INTERNAL (IP: 192.168.5.1)
- BO Server: vs-dev-ad-bo.POWER.INTERNAL (IP: 192.168.5.2)
- BusinessObjects AD Group: POWI\Business Objects
Step 1
Create an Active Directory service account, bo.service (pass: admin). On the BusinessObjects server, add the POWI\bo.service user to the Administrators group. Also assign it the following rights in the Local Security Policy snap-in:
• Act as part of Operating System
• Log on as a Batch Job
• Log on as a Service
• Replace a Process Level Token
Step 2
Run the following command on the Active Directory server:
ktpass -out BOSSO.keytab -princ BOSSO/bo.service.power.internal@POWER.INTERNAL -mapuser bo.service@POWER.INTERNAL -pass admin -kvno 255 -ptype KRB5_NT_PRINCIPAL -crypto RC4-HMAC-NT
The output from the above command should be similar to:
Targeting domain controller: vs-dev-ad-dc.POWER.INTERNAL
Using legacy password setting method
Successfully mapped BOSSO/bo.service.power.internal to bo.service.
Key created.
Output keytab to BOSSO.keytab:
Keytab version: 0x502
keysize 81 BOSSO/bo.service.power.internal@POWER.INTERNAL ptype 1 (KRB5_NT_PRINCIPAL) vno 255 etype 0x17 (RC4-HMAC) keylength 16 (0x209c6174da490caeb422f3fa5a7ae634)
Step 3
Run the following command on the Active Directory server:
setspn -l bo.service
The output should be similar to:
Registered ServicePrincipalNames for CN=bo.service,CN=Users,DC=POWER,DC=INTERNAL:
BOSSO/bo.service.power.internal
Step 4
Go to the properties of the ‘bo.service’ user in Active Directory and, under the Delegation tab, set ‘Trust this user for delegation to any service (Kerberos only)’ to on.
Step 5
Move the BOSSO.keytab file that was created on the Active Directory server (refer to Step 2) to c:\winnt\ on the BusinessObjects server.
Step 6
Generate the requisite SPNs by running the following commands on the Active Directory server:
setspn -a HTTP/vs-dev-ad-bo bo.service
setspn -a HTTP/vs-dev-ad-bo.power.internal bo.service
setspn -a HTTP/192.168.5.2 bo.service
The output from the above commands should be similar to:
HTTP/vs-dev-ad-bo
Updated object
Registering ServicePrincipalNames for CN=bo.service,CN=Users,DC=POWER,DC=INTERNAL
HTTP/vs-dev-ad-bo.power.internal
Updated object
Registering ServicePrincipalNames for CN=bo.service,CN=Users,DC=POWER,DC=INTERNAL
HTTP/192.168.5.2
Updated object
Step 7
Run the following command on the Active Directory server to view all of the created SPNs:
setspn -l bo.service
The output should be similar to:
Registered ServicePrincipalNames for CN=bo.service,CN=Users,DC=POWER,DC=INTERNAL:
HTTP/192.168.5.2
HTTP/vs-dev-ad-bo.power.internal
HTTP/vs-dev-ad-bo
BOSSO/bo.service.power.internal
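As an added check for Steps 2 to 7 (example code written for this post's scenario, not part of the SAP note or the product): parse BOSSO.keytab, whose layout is the MIT version 0x502 keytab format that ktpass reported above, and confirm that its principal, kvno 255 and RC4-HMAC (etype 0x17) entry correspond to an SPN that setspn -l lists for the account. The setspn output embedded below and the key bytes used in the test are constructed samples.

```python
import struct
# Constructed setspn -l output as shown in Step 7 (the first line is the header).
SETSPN_OUTPUT = "\n".join([
    "Registered ServicePrincipalNames for CN=bo.service,CN=Users,DC=POWER,DC=INTERNAL:",
    "HTTP/192.168.5.2", "HTTP/vs-dev-ad-bo.power.internal",
    "HTTP/vs-dev-ad-bo", "BOSSO/bo.service.power.internal"])

def build_keytab(spn, realm, kvno, etype, key):
    """Build a one-entry v0x502 keytab (sample builder used to exercise the parser)."""
    comps = spn.split("/")
    body = struct.pack(">HH", len(comps), len(realm)) + realm.encode()
    for c in comps:
        body += struct.pack(">H", len(c)) + c.encode()
    body += struct.pack(">IIB", 1, 0, kvno & 0xFF)     # name_type=1, timestamp, 8-bit vno
    body += struct.pack(">HH", etype, len(key)) + key  # keyblock: etype, length, key
    return b"\x05\x02" + struct.pack(">i", len(body)) + body

def parse_keytab(data):
    """Return [(principal, kvno, etype, keylen)] for each live entry of a v0x502 keytab."""
    if data[:2] != b"\x05\x02":
        raise ValueError("only keytab version 0x502 is supported")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        size = struct.unpack(">i", data[pos:pos + 4])[0]
        pos += 4
        if size < 0:                 # negative size marks a deleted slot: skip it
            pos -= size
            continue
        end = pos + size
        ncomp = struct.unpack(">H", data[pos:pos + 2])[0]
        pos, parts = pos + 2, []
        for _ in range(ncomp + 1):   # realm first, then the name components
            n = struct.unpack(">H", data[pos:pos + 2])[0]
            parts.append(data[pos + 2:pos + 2 + n].decode())
            pos += 2 + n
        kvno = data[pos + 8]         # after name_type (4 bytes) and timestamp (4 bytes)
        etype, klen = struct.unpack(">HH", data[pos + 9:pos + 13])
        pos += 13 + klen
        if end - pos >= 4:           # optional 32-bit vno overrides the 8-bit field
            kvno = struct.unpack(">I", data[pos:pos + 4])[0] or kvno
        pos = end
        entries.append(("/".join(parts[1:]) + "@" + parts[0], kvno, etype, klen))
    return entries

def keytab_matches_account(keytab, setspn_output=SETSPN_OUTPUT, kvno=255, etype=0x17):
    """True if every keytab principal is an SPN listed by setspn -l, with the expected kvno and etype."""
    spns = {line.strip() for line in setspn_output.splitlines()[1:]}
    return all(p.split("@")[0] in spns and v == kvno and e == etype and k == 16
               for p, v, e, k in parse_keytab(keytab))
```

Run it against the real file with `keytab_matches_account(open(r"c:\winnt\BOSSO.keytab", "rb").read(), <pasted setspn -l output>)`; a False result means the keytab, the SPN list or the kvno do not line up.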
Step 8
Within the BusinessObjects Central Management Console, within the Windows AD Authentication area, do the following:
- Enable Windows AD
- Set the AD Administration Name: POWI\bo.service
- Set the Default AD Domain: POWER.INTERNAL
- Add AD Group: POWI\Business Objects
- Set ‘Use Kerberos Authentication’
- Set the Service Principal Name: BOSSO/bo.service.power.internal
- Set ‘Enable SSO for Selected Authentication Mode’
Step 9
Modify the SIA service on the BusinessObjects server to run as the POWI\bo.service domain user.
Step 10
You should now be able to get SSO onto locally installed tools (i.e. Designer, Webi Rich Client) by starting the application, selecting Windows AD as the authentication method, and clicking OK without inputting a username and password. You should be logged in as your AD user.
Step 11
Create a file called c:\winnt\bsclogin.conf on the BusinessObjects server, and put in it the following text:
com.businessobjects.security.jgss.initiate {
com.sun.security.auth.module.Krb5LoginModule required debug=true;
};
Step 12
Create a file called c:\winnt\krb5.ini on the BusinessObjects server, and put in it the following text:
[libdefaults]
default_realm = POWER.INTERNAL
dns_lookup_kdc = true
dns_lookup_realm = true
udp_preference_limit = 1
[realms]
POWER.INTERNAL = {
kdc = VS-DEV-AD-DC.POWER.INTERNAL
default_domain = POWER.INTERNAL
}
Step 13
To test that the krb5.ini file was created successfully, undertake the following:
- Navigate to \Program Files\Business Objects\javasdk\bin on the command line
- Execute ‘kinit bo.service’, then input your password
- A ticket should be created
Step 14
On the BusinessObjects server, open up the Tomcat Configuration application, then go to the Java Options input, and add the following lines (restart Tomcat once done):
-Djava.security.auth.login.config=C:\winnt\bscLogin.conf
-Djava.security.krb5.conf=C:\winnt\Krb5.ini
Step 15
Modify the \Program Files\Business Objects\Tomcat55\webapps\InfoViewApp\WEB-INF\web.xml file and allow users to see authentication options by changing the authentication.visible tag to true.
Step 16
Modify the \Program Files\Business Objects\Tomcat55\conf\server.xml file by changing the following line to increase the maxHttpHeaderSize attribute to ‘16384’:
<Connector URIEncoding="UTF-8" acceptCount="100" connectionTimeout="20000" disableUploadTimeout="true" enableLookups="false" maxHttpHeaderSize="16384" maxSpareThreads="75" maxThreads="150" minSpareThreads="25" port="80" redirectPort="8443"/>
Step 17
Modify the \Program Files\Business Objects\Tomcat55\webapps\InfoViewApp\WEB-INF\web.xml file as follows:
- Change authentication.default to ‘secWinAD’
- Change siteminder.enabled to ‘false’
- Change vintela.enabled to ‘true’
- Remove the comment tags (<!--, -->) from around the authFilter filter element
- Change idm.realm to ‘POWER.INTERNAL’
- Change idm.princ to ‘BOSSO/bo.service.power.internal’
- Remove the comment tags (<!--, -->) from around the authFilter filter-mapping element
Step 18
On the BusinessObjects server, open up the Tomcat Configuration application, then go to the Java Options input, and add the following lines:
-Dcom.wedgetail.idm.sso.password=admin (the password of the bo.service user)
-Djcsi.kerberos.maxpacketsize=0
-Djcsi.kerberos.debug=true
Step 19
Remove the following debugging settings (if they exist), most of which live in the Java Options input in the Tomcat Configuration:
• debug=true in bsclogin.conf (set by default)
• -Dbobj.logging.log4j.config=verbose.properties (may have been added to Java Options)
• -Dcrystal.enterprise.trace.configuration=verbose (may have been added to Java Options)
• -Djcsi.kerberos.debug=true (may have been added to Java Options)
• -Dcom.wedgetail.idm.sso.password=admin (only remove if you have a valid keytab configured)
• Switch Tomcat 5.5 back to run as the local system (if it was running under the service account for verbose tracing)
Step 20
Encrypt your service account password by copying the BOSSO.keytab (created during Step 2) to the c:\winnt directory on the BusinessObjects server, then specify the following in \Program Files\Business Objects\Tomcat55\webapps\InfoViewApp\WEB-INF\web.xml (after the idm.princ setting):
<init-param>
<param-name>idm.keytab</param-name>
<param-value>c:\winnt\BOSSO.keytab</param-value>
</init-param>
Step 21
Remove the wedgetail password option (-Dcom.wedgetail.idm.sso.password) from the Tomcat Configuration Java Options. At this point your Vintela SSO should work with InfoView.
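As an added example covering Steps 15, 17 and 20 (written for this post, not code from SAP or Vintela): a script that parses InfoViewApp's web.xml and reports any required setting that is missing, still commented out, or set to the wrong value. The embedded web.xml fragment is a constructed sample and the filter-class value is a placeholder.

```python
import xml.etree.ElementTree as ET
# Constructed web.xml fragment in the state Steps 15, 17 and 20 leave it in; filter-class is a placeholder.
WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/j2ee">
  <context-param><param-name>authentication.visible</param-name><param-value>true</param-value></context-param>
  <context-param><param-name>authentication.default</param-name><param-value>secWinAD</param-value></context-param>
  <context-param><param-name>siteminder.enabled</param-name><param-value>false</param-value></context-param>
  <context-param><param-name>vintela.enabled</param-name><param-value>true</param-value></context-param>
  <filter>
    <filter-name>authFilter</filter-name>
    <filter-class>PLACEHOLDER.AuthFilter</filter-class>
    <init-param><param-name>idm.realm</param-name><param-value>POWER.INTERNAL</param-value></init-param>
    <init-param><param-name>idm.princ</param-name><param-value>BOSSO/bo.service.power.internal</param-value></init-param>
    <init-param><param-name>idm.keytab</param-name><param-value>c:\\winnt\\BOSSO.keytab</param-value></init-param>
  </filter>
  <filter-mapping><filter-name>authFilter</filter-name><url-pattern>/*</url-pattern></filter-mapping>
</web-app>"""
EXPECTED_CONTEXT = {"authentication.visible": "true", "authentication.default": "secWinAD",
                    "siteminder.enabled": "false", "vintela.enabled": "true"}
EXPECTED_FILTER = {"idm.realm": "POWER.INTERNAL", "idm.princ": "BOSSO/bo.service.power.internal"}

def _params(parent, tag):
    """Map param-name -> param-value for each <tag> below parent, ignoring XML namespaces."""
    return {p.findtext("{*}param-name", "").strip(): p.findtext("{*}param-value", "").strip()
            for p in parent.iterfind(".//{*}" + tag)}

def _named(root, tag, name):
    """First <tag> element whose <filter-name> is name, or None (commented-out ones are invisible)."""
    return next((e for e in root.iterfind(".//{*}" + tag)
                 if e.findtext("{*}filter-name", "").strip() == name), None)

def check_web_xml(xml_text):
    """Return a list of deviations from the Vintela settings; an empty list means it looks right."""
    root, problems = ET.fromstring(xml_text), []
    ctx = _params(root, "context-param")
    for name, want in EXPECTED_CONTEXT.items():
        if ctx.get(name) != want:
            problems.append(f"context-param {name} is {ctx.get(name)!r}, expected {want!r}")
    flt = _named(root, "filter", "authFilter")
    if flt is None:   # the parser drops comments, so an authFilter still inside <!-- --> is absent
        problems.append("authFilter <filter> missing (still inside comment tags?)")
    else:
        init = _params(flt, "init-param")
        for name, want in EXPECTED_FILTER.items():
            if init.get(name) != want:
                problems.append(f"authFilter init-param {name} is {init.get(name)!r}, expected {want!r}")
        if not init.get("idm.keytab"):
            problems.append("authFilter has no idm.keytab, so the password is still needed in Java Options")
    if _named(root, "filter-mapping", "authFilter") is None:
        problems.append("authFilter <filter-mapping> missing (still inside comment tags?)")
    return problems
```

Point it at the real file with `check_web_xml(open(r"<path to InfoViewApp\WEB-INF\web.xml>").read())` and fix whatever it lists before restarting Tomcat.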
References
I was only able to document the above using the (very) detailed PDF document on Vintela SSO provided by Tim Ziemba at the following SAP Support Note: http://service.sap.com/sap/sapnotes/display/1261835.
If any SAP BusinessObjects staff read this post, it would be fantastic if all this knowledge that is being captured in the SAP Support Portal could be filtered and pushed back into the standard documentation, as this sorely lacks the detail required to implement Vintela SSO.
July 30th, 2010 at 6:57 AM
Hi James, glad to hear you got value from the blog post. The errors mean you have AD SSO working for clients but not your Java web apps. This error in particular is quite generic and can be caused by quite a few different problems. You should reference the SAP Note mentioned in my post, as it details checks along the way to ensure you are on the right path.
Thanks, Josh
July 29th, 2010 at 8:29 PM
hi Josh – excellent guide man!
On a quick question – SSO is working for DESIGNER but not for INFOVIEW. Is there something I'm doing wrong?
Error is:
Account Information Not Recognized: Active Directory Authentication failed to log you on. Please contact your system administrator to make sure you are a member of a valid mapped group and try again. If you are not a member of the default domain, enter your user name as UserName@DNS_DomainName, and then try again. (FWM 00006)
June 30th, 2010 at 3:27 PM
Excellent guide for SSO config. Thanks Josh
May 17th, 2010 at 9:25 PM
Hi Diana,
Thanks for your comment. I’m afraid I haven’t used Websphere in anger, only really Tomcat. Saying that, if you search the SAP Support Portal (http://service.sap.com/) or the SAP Documentation Portal (http://help.sap.com/), you should be able to find help with Websphere.
Cheers, Josh
May 13th, 2010 at 7:02 AM
Hi ,
I am using Websphere instead of Tomcat.
Do you know where to put the Java Options?
Thanks in advance,
Diana
March 26th, 2010 at 1:23 PM
Hi Pat,
Thanks for your feedback. I think I’ve encountered this before. When you set up silent single sign-on, if you try to manually authenticate it doesn’t like it. Try clicking Log On without entering your username and password (but leave Authentication Type set to Windows AD).
Cheers, Josh
March 25th, 2010 at 2:35 AM
Josh -
First, Thank you for making it easy; I’ve been able to set up SSO with Infoview in XI3.1
But here is the strange thing: if I click on the URL link to log into Infoview, I get right in every time, but when I log out and I’m at the Infoview log in page and I enter my username and password and select AD authentication, I get the message
Account Information Not Recognized: Active Directory Authentication failed to log you on. Please contact ….
It is like the session is holding onto something.
Suggestions?
patw
December 23rd, 2009 at 8:10 AM
Hi Philippe,
I believe that you cannot enable silent single-sign on for the CMC, however the AD authentication should work, but manually. This is probably a security decision to not allow Silent SSO.
Cheers, Josh
December 23rd, 2009 at 5:53 AM
Extraordinary post, really good position on the subject and very well written, this certainly has put a spin on my day, many thanks from the USA and maintain up the good work
December 15th, 2009 at 10:06 PM
Thank you! This step by step procedure works fine for InfoView.
But how can I do the same for CMC? I’ve tried to modify the Tomcat55\webapps\CmcApp\WEB-INF\web.xml like the Tomcat55\webapps\InfoViewApp\WEB-INF\web.xml but it doesn’t work.
Could you help me?
Thanks again.
November 26th, 2009 at 1:22 PM
Hi Josh,
This is really an awesome document.
Thanks
Mohammed Imran
October 17th, 2009 at 7:44 AM
Hi Ritesh, I’m reasonably confident that this will work with XI R2 SP2, as I think with the release of SP2 they included the Vintela compatibility. Best bet is to check the support article out. Cheers, Josh
October 17th, 2009 at 6:36 AM
Hi Josh, thanks for the excellent article. Does it work with XI R2 sp2?
September 25th, 2009 at 9:25 AM
Hi Jon,
Is the error message more explicit than that? The SIA (not Tomcat) should be running as the domain service account, to allow it to talk to AD. Another thing to do is use the logging features of Vintela according to Tim’s document.
You can also log a case with SAP Support, as they will be able to assist with any problems.
Kind regards,
Josh Fletcher
September 25th, 2009 at 4:36 AM
I have done the basic setup of AD without SSO. I have been able to import groups. When I try to log on using an AD account I get a message stating I cannot log on. The services are running as the local system account (same as we had in XI R2). This is curious; am I missing something?
September 16th, 2009 at 1:14 AM
Great job!! Very nicely and precisely documented. I now really wish if we have similar step-by-step approach for SSO with SAP credentials (multilink: SSO AD and SSO SAP).
Thank you anyways.
September 1st, 2009 at 8:58 AM
Hi Brian,
Unfortunately I haven’t got any experience around that yet. I would suggest you actually touch base with Tim Ziemba, his contact details should be around on the SAP site, or even on the SAP Note I linked to.
Let us know how you go.
Kind regards,
Josh Fletcher
September 1st, 2009 at 2:45 AM
Have any pointers on how to get the single sign on working for multiple forests each having multiple domains?
We do not have a 2 way transitive trust between all of the domains (and our security officer won’t let us put one in). As far as I can tell this is not supported; but maybe you have some ideas.
August 28th, 2009 at 5:12 PM
[...] on the subject on the SAP portal, you would benefit greatly from reading Josh Fletcher’s step by step guide to the [...]
August 28th, 2009 at 5:03 PM
Excellent article Josh.
On a number of occasions, we do get into a twist with the BOBJ documentation.
This will come in very handy.
August 28th, 2009 at 4:51 PM
[...] Joshua Fletcher wrote an interesting post today on Active Directory SSO with Vintela in XI 3.1 | ( Geek2Live.net ) Here’s a quick excerpt [...]
August 28th, 2009 at 9:08 AM
[...] Active Directory SSO with Vintela in XI 3.1 | ( Geek2Live.net ) [...]
August 27th, 2009 at 8:14 PM
Thanks very much Mike, glad it’s useful for you.
Kind regards,
Josh
August 27th, 2009 at 8:04 PM
Way to go Joshua!
Tim’s document is pretty good but I’m sitting here trying to figure out where I went wrong and it’s great to have a step by step reference of the specifics.
I concur re getting this onto the SAP portal and will definitely be posting a ref to this on BOBJ.
I wish we could see more of these step by step task lists without all the explanations i.e. I’m sure I’m not the only one that copies from PDF into Wordpad to create checklists or quick instruction guides etc. The thing is that you typically need the short instruction list for the 2nd round when you upgrade or migrate as you can never remember exactly what you did with all the fiddling and back and forth.
Thanks J – Much Appreciated!