Active Directory SSO with Vintela in XI 3.1

EDIT: Find the BI4 walkthrough here!

After trying to think of another useful topic, I realised that configuring Single Sign On with Active Directory and Vintela in XI 3.1 is something that is rarely covered, and I used to have quite a lot of trouble with it.

By adapting a document on the SAP Support Portal, I now use a sure-fire method to configure AD SSO with Tomcat, the default web application server that ships with BusinessObjects Enterprise/Edge XI 3.1.  It’s worked every time I’ve used it.

Firstly, let’s define our server names and IPs (you must obviously adjust these and the commands below to reflect your server names and IPs – I have underlined commands that need to be changed to help):

  • Domain Name: POWI (FQDN: POWER.INTERNAL)
  • Service Account: bo.service (password: admin)
  • Domain Controller: vs-dev-ad-dc.POWER.INTERNAL (IP: 192.168.5.1)
  • BO Server: vs-dev-ad-bo.POWER.INTERNAL (IP: 192.168.5.2)
  • BusinessObjects AD Group: POWI\Business Objects

Step 1

Create an Active Directory service account, bo.service (pass: admin).  On the BusinessObjects server, add the POWI\bo.service user to the Administrators group.  Also assign them the following rights in the Local Security Policy snap-in:
•    Act as part of Operating System
•    Log on as a Batch Job
•    Log on as a Service
•    Replace a Process Level Token

Step 2

Run the following command on the Active Directory server:

ktpass -out BOSSO.keytab -princ BOSSO/bo.service.power.internal@POWER.INTERNAL -mapuser bo.service@POWER.INTERNAL -pass admin -kvno 255 -ptype KRB5_NT_PRINCIPAL -crypto RC4-HMAC-NT

The output from the above command should be similar to:

Targeting domain controller: vs-dev-ad-dc.POWER.INTERNAL
Using legacy password setting method
Successfully mapped BOSSO/bo.service.power.internal to bo.service.
Key created.
Output keytab to BOSSO.keytab:
Keytab version: 0x502
keysize 81 BOSSO/bo.service.power.internal@POWER.INTERNAL ptype 1 (KRB5_NT_PRINCIPAL) vno 255 etype 0x17 (RC4-HMAC) keylength 16 (0x209c6174da490caeb422f3fa5a7ae634)

Step 3

Run the following command on the Active Directory server:

setspn -l bo.service

The output should be similar to:

Registered ServicePrincipalNames for CN=bo.service,CN=Users,DC=POWER,DC=INTERNAL:
BOSSO/bo.service.power.internal

Step 4

Go to properties of the ‘bo.service’ user in Active Directory and under the Delegation tab, set ‘Trust this user for delegation to any service (Kerberos only)’ to on.

Step 5

Move the BOSSO.keytab file that was created on the Active Directory server (refer to Step 2) to c:\winnt\ of the BusinessObjects server.

Step 6

Generate the requisite SPNs by running the following commands on the Active Directory server:

setspn -a HTTP/vs-dev-ad-bo bo.service
setspn -a HTTP/vs-dev-ad-bo.power.internal bo.service
setspn -a HTTP/192.168.5.2 bo.service

The output from the above commands should be similar to:

HTTP/vs-dev-ad-bo
Updated object
Registering ServicePrincipalNames for CN=bo.service,CN=Users,DC=POWER,DC=INTERNAL
HTTP/vs-dev-ad-bo.power.internal
Updated object
Registering ServicePrincipalNames for CN=bo.service,CN=Users,DC=POWER,DC=INTERNAL
HTTP/192.168.5.2
Updated object

Step 7

Run the following command on the Active Directory server to view all of the created SPNs:

setspn -l bo.service

The output should be similar to:

Registered ServicePrincipalNames for CN=bo.service,CN=Users,DC=POWER,DC=INTERNAL:
HTTP/192.168.5.2
HTTP/vs-dev-ad-bo.power.internal
HTTP/vs-dev-ad-bo
BOSSO/bo.service.power.internal

Step 8

Within the BusinessObjects Central Management Console, within the Windows AD Authentication area, do the following:

  1. Enable Windows AD
  2. Set the AD Administration Name: POWI\bo.service
  3. Set the Default AD Domain: POWER.INTERNAL
  4. Add AD Group: POWI\Business Objects
  5. Set ‘Use Kerberos Authentication’
  6. Set the Service Principal Name: BOSSO/bo.service.power.internal
  7. Set ‘Enable SSO for Selected Authentication Mode’

Step 9

Modify the SIA service on the BusinessObjects server to run as the POWI\bo.service domain user.

Step 10

You should now be able to get SSO onto locally installed tools (i.e. Designer, Webi Rich Client) by starting the application, selecting Windows AD as the authentication method, and clicking OK without entering a username and password.  You should be logged in as your AD user.

Step 11

Create a file called c:\winnt\bsclogin.conf on the BusinessObjects server, and put in it the following text:

com.businessobjects.security.jgss.initiate {
com.sun.security.auth.module.Krb5LoginModule required debug=true;
};

Step 12

Create a file called c:\winnt\krb5.ini on the BusinessObjects server, and put in it the following text:

[libdefaults]
default_realm = POWER.INTERNAL
dns_lookup_kdc = true
dns_lookup_realm = true
udp_preference_limit = 1
[realms]
POWER.INTERNAL = {
kdc = VS-DEV-AD-DC.POWER.INTERNAL
default_domain = POWER.INTERNAL
}

Step 13

To test that the krb5.ini file was created successfully, undertake the following:

  1. Navigate to \Program Files\Business Objects\javasdk\bin on the command line
  2. Execute ‘kinit bo.service’, then input your password
  3. A ticket should be created

Step 14

On the BusinessObjects server, open up the Tomcat Configuration application, then go to the Java Options input, and add the following lines (restart Tomcat once done):

-Djava.security.auth.login.config=C:\winnt\bscLogin.conf
-Djava.security.krb5.conf=C:\winnt\Krb5.ini

Step 15

Modify the \Program Files\Business Objects\Tomcat55\webapps\InfoViewApp\WEB-INF\web.xml file and allow users to see authentication options by changing the authentication.visible tag to true.

Step 16

Modify the \Program Files\Business Objects\Tomcat55\conf\server.xml file by changing the following line to increase the maxHttpHeaderSize attribute to ‘16384’:

<Connector URIEncoding="UTF-8" acceptCount="100" connectionTimeout="20000" disableUploadTimeout="true" enableLookups="false" maxHttpHeaderSize="16384" maxSpareThreads="75" maxThreads="150" minSpareThreads="25" port="80" redirectPort="8443"/>

Step 17

Modify the \Program Files\Business Objects\Tomcat55\webapps\InfoViewApp\WEB-INF\web.xml file as follows:

  1. Change authentication.default to ‘secWinAD’
  2. Change siteminder.enabled to ‘false’
  3. Change vintela.enabled to ‘true’
  4. Remove the comment tags (<!--, -->) from around the authFilter filter element
  5. Change idm.realm to ‘POWER.INTERNAL’
  6. Change idm.princ to ‘BOSSO/bo.service.power.internal’
  7. Remove the comment tags (<!--, -->) from around the authFilter filter-mapping element

Step 18

On the BusinessObjects server, open up the Tomcat Configuration application, then go to the Java Options input, and add the following lines:

-Dcom.wedgetail.idm.sso.password=admin (password for bo.service user)
-Djcsi.kerberos.maxpacketsize=0
-Djcsi.kerberos.debug=true

Step 19

Remove the following from the Java Options input in the Tomcat Configuration (if they exist):
•    debug=true in the bsclogin.conf (set by default)
•    -Dbobj.logging.log4j.config=verbose.properties (may have been added to Java Options)
•    -Dcrystal.enterprise.trace.configuration=verbose (may have been added to Java Options)
•    -Djcsi.kerberos.debug=true (may have been added to Java Options)
•    -Dcom.wedgetail.idm.sso.password=admin (only remove if you have a valid keytab configured)
•    Switch Tomcat 5.5 back to run as the local system (if running under service account for verbose tracing)

Step 20

Encrypt your service account password by copying the BOSSO.keytab (created during Step 2) to the c:\winnt directory on the BusinessObjects server, then specify the following in the \Program Files\Business Objects\Tomcat55\webapps\InfoViewApp\WEB-INF\web.xml (after the idm.princ setting):

<init-param>
<param-name>idm.keytab</param-name>
<param-value>c:\winnt\BOSSO.keytab</param-value>
</init-param>

Step 21

Remove the wedgetail.password option from the Tomcat Configuration Java Options. At this point your Vintela SSO should work with InfoView.
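As an added check that is not part of the original post: the Python below reads a keytab in the layout ktpass writes in Step 2 (version 0x502; the entry size it reports is the "keysize 81" shown in that output) and, before Step 20 points idm.keytab at the file, confirms that the entry's principal and realm match the idm.princ and idm.realm values set in web.xml, reports the kvno, and flags RC4-HMAC (etype 0x17) and DES entries as weak encryption types. The sample keytab is constructed inline with a placeholder key, and all function names are my own.

```python
import struct

# Kerberos etype numbers (RFC 3961 / MS-KILE); ktpass in Step 2 wrote etype 0x17.
ETYPE_NAMES = {1: "des-cbc-crc", 3: "des-cbc-md5", 17: "aes128-cts", 18: "aes256-cts", 23: "rc4-hmac"}
WEAK_ETYPES = {1, 3, 23}   # single DES and RC4: resolve before deploying the keytab

def _octets(buf, pos):
    """Read a counted octet string (uint16 big-endian length, then bytes)."""
    (n,) = struct.unpack_from(">H", buf, pos)
    return buf[pos + 2:pos + 2 + n], pos + 2 + n

def build_keytab(principal, realm, kvno, etype, key, timestamp=0):
    """Construct a one-entry MIT v2 (0x0502) keytab, the layout ktpass emits (sample data)."""
    comps = principal.split("/")
    body = struct.pack(">HH", len(comps), len(realm)) + realm.encode()
    for c in comps:
        body += struct.pack(">H", len(c)) + c.encode()
    body += struct.pack(">IIB", 1, timestamp, kvno & 0xFF)   # KRB5_NT_PRINCIPAL, ts, vno8
    body += struct.pack(">HH", etype, len(key)) + key         # keyblock
    return b"\x05\x02" + struct.pack(">i", len(body)) + body  # size == ktpass "keysize"

def parse_keytab(data):
    """Return the entries of a v2 keytab; deleted (negative-size) entries are skipped."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x502 keytab")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        end = pos + abs(size)
        if size > 0:
            (ncomp,) = struct.unpack_from(">H", data, pos)
            realm, p = _octets(data, pos + 2)
            comps = []
            for _ in range(ncomp):
                c, p = _octets(data, p)
                comps.append(c.decode())
            _name_type, _ts, vno8 = struct.unpack_from(">IIB", data, p)
            etype, klen = struct.unpack_from(">HH", data, p + 9)
            p += 13 + klen
            # A 32-bit kvno follows the key only when 4 bytes remain in the entry.
            kvno = struct.unpack_from(">I", data, p)[0] if end - p >= 4 else vno8
            entries.append({"principal": "/".join(comps) + "@" + realm.decode(),
                            "kvno": kvno, "etype": etype, "key_len": klen, "size": size})
        pos = end
    return entries

def check_sso_keytab(data, idm_princ, idm_realm):
    """Findings to resolve before pointing web.xml idm.keytab at this file."""
    entries = parse_keytab(data)
    wanted = f"{idm_princ}@{idm_realm}"
    findings = []
    if not any(e["principal"] == wanted for e in entries):
        findings.append(f"no entry for {wanted}: idm.princ/idm.realm will not match")
    for e in entries:
        if e["etype"] in WEAK_ETYPES:
            name = ETYPE_NAMES.get(e["etype"], hex(e["etype"]))
            findings.append(f"{e['principal']}: weak etype {name}, kvno {e['kvno']}")
    return entries, findings
```

To run it against a real file, pass `open(r"c:\winnt\BOSSO.keytab", "rb").read()` to check_sso_keytab with the idm.princ and idm.realm values from web.xml; the key bytes are never printed.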

References

I was only able to document the above using the (very) detailed PDF document on Vintela SSO provided by Tim Ziemba at the following SAP Support Note: http://service.sap.com/sap/sapnotes/display/1261835.

If any SAP BusinessObjects staff read this post, it would be fantastic if all this knowledge that is being captured in the SAP Support Portal could be filtered and pushed back into the standard documentation, as this sorely lacks the detail required to implement Vintela SSO.


39 Responses to “Active Directory SSO with Vintela in XI 3.1”

  • Joshua Fletcher Says:

    Hey Leo,

    I’m not sure about whether the alternate encryption method works – best bet is to log a call with SAP Support to confirm.

    Kind regards,

    Josh

  • Leo Says:

    Hi,
    I have followed all the steps, but cannot get past step 10, I can’t SSO login to Designer or Deski.
    I had to use another encryption method for the ktpass, though: des-cbc-crc and have also put it in the krb5 file.
    whenever I try to login, I get the following error: Your login id is not valid – [repo_proxy 13] SessionFacade::openSessionLogon with user info has failed(Internal error.(hr=#0x80042a01)

    Also using the AD Login credentials does not work.
    Do you have any ideas?
    Thanks! Leo

  • Joshua Fletcher Says:

    Hi Sarang,

    You can find the BI4 AD SSO tutorial (incl video) at http://geek2live.net/posts/active-directory-sso-for-sap-businessobjects-bi4/.

    Thanks, Josh

  • Joshua Fletcher Says:

    Hi Sarang,

    Yes definitely – it is in the works, and I also plan on doing a video overview at http://dslayer.net/ as well.

    Kind regards,

    Josh

  • Sarang Says:

    Josh,

    Any plans on putting together a similar cheat sheet for BI4/Vintela SSO anytime soon?

  • Joshua Fletcher Says:

    Hi Andrew,

    That’s an interesting one. I’ve found that substituting the service account with the SPN or vice versa sometimes works, but I don’t know enough about AD to understand :)

    Cheers Josh

  • AndrewB Says:

    I had a few problems and followed Tim’s document (relating to SP3 or later). I had to change the idm.princ to be the service account rather than the SPN.
    Not sure why or if that’s changed – any thoughts?

  • Adi Says:

    Thanks Josh. That’s what I assumed, but with these java things you never know what to expect. :) Anyhow, I am at a loss with this thing so I will take your advice and open a ticket with SAP.
    Cheers.
    Adi

  • Joshua Fletcher Says:

    Hi Adi, no problem. KTPASS is an AD executable, which can be deployed on any Windows machine. It’ll then authenticate to AD automatically. So short answer is yes, it can be run on the BOE servers no problem.

    Cheers, Josh

  • Adi Says:

    Thanks Joshua! One more question. Everything I read so far about SSO configuration for BO (every version) as well as for Tivoli Identity management solutions talks about running ktpass command on the DC. The only reason/explanation I found so far, was that the ktpass is only installed by default on the DC. However, in our environment, our sys admins have installed ktpass on our BOE servers and they ran the ktpass command on the BOE server. Is there a problem if they ran the ktpass on the BOE servers instead of running it on the DC? And if we must run it on the DC, what is the reason behind, so I can convince our Sys Admin to run the command on the DC?

    Thanks,
    Adi

  • Joshua Fletcher Says:

    Hi Adi,

    Sorry to say I haven’t configured BI4 with SSO yet, and I understand there are some differences. It doesn’t look like SAP have released SSO guides for BI4 yet either. Your best bet would be to log an SAP support ticket to get this resolved.

    Sorry I can’t help further, but I will be looking at doing a video guide on SSO for BI4 soon.

    Thanks, Josh

  • Adi Says:

    Hi,

    I am trying to set BOE 4.0 with Apache Tomcat 6.0.24 SSO on a Windows 2008R2 Standard edition and it is failing miserably. I have tried every single idea out on the net with no results. I keep getting the FWM 00006 error in the GUI and the following in the stdout.log file. Any idea what to do to enable the SSO?
    Thanks,
    Adi

    com.businessobjects.webpath.rebean3ws.Activator
    Debug is true storeKey false useTicketCache false useKeyTab false doNotPrompt false ticketCache is null isInitiator true KeyTab is null refreshKrb5Config is false principal is null tryFirstPass is false useFirstPass is false storePass is false clearPass is false
    [Krb5LoginModule] user entered username: @ALLINA.COM

    Acquire TGT using AS Exchange
    [Krb5LoginModule] authentication failed
    Generic error (description in e-text) (60)

  • Mitch Marian Says:

    Excellent Document!!!
    I followed every step and it worked from the first try.

  • estetik Says:

    Excellent guide for SSO config. Thanks Josh

  • Joshua Fletcher Says:

    Hi James, glad to hear you got value from the blog post. The errors mean you have AD SSO working for clients but not your Java web apps. This error in particular is quite generic and can be caused by quite a few different problems. You should reference the SAP Note mentioned in my post, as it details checks along the way to ensure you are on the right path.

    Thanks, Josh

  • James Solomon Says:

    hi Josh – excellent guide man!

    On a quick question – SSO is working for DESIGNER but not for INFOVIEW. Is there something I’m doing wrong?

    Error is:

    Account Information Not Recognized: Active Directory Authentication failed to log you on. Please contact your system administrator to make sure you are a member of a valid mapped group and try again. If you are not a member of the default domain, enter your user name as UserName@DNS_DomainName, and then try again. (FWM 00006)

  • Pavithra Says:

    Excellent guide for SSO config.Thanks Josh

  • Joshua Fletcher Says:

    Hi Diana,

    Thanks for your comment. I’m afraid I haven’t used Websphere in anger, only really Tomcat. Saying that, if you search the SAP Support Portal (http://service.sap.com/) or the SAP Documentation Portal (http://help.sap.com/), you should be able to find help with Websphere.

    Cheers, Josh

  • Diana Says:

    Hi ,

    I am using Websphere instead of Tomcat.
    Do you know where to put the Java Options?

    Thanks in advance,

    Diana

  • Joshua Fletcher Says:

    Hi Pat,

    Thanks for your feedback. I think I’ve encountered this before. When you set up silent single sign-on, if you try to manually authenticate it doesn’t like it. Try clicking Log On without entering your username and password (but leave Authentication Type set to Windows AD).

    Cheers, Josh

  • Pat Willinger Says:

    Josh -

    First, Thank you for making it easy; I’ve been able to set up SSO with Infoview in XI3.1
    But here is the strange thing: if I click on the URL link to log into Infoview, I get right in every time, but when I log out and I’m at the Infoview log in page and I enter my username and password, selecting AD authentication, I get the message

    Account Information Not Recognized: Active Directory Authentication failed to log you on. Please contact ….

    It is like the session is holding onto something.

    Suggestions?

    patw

  • Joshua Fletcher Says:

    Hi Philippe,

    I believe that you cannot enable silent single-sign on for the CMC, however the AD authentication should work, but manually. This is probably a security decision to not allow Silent SSO.

    Cheers, Josh

  • Giselle Bree Says:

    extraordinary post , really good position on the subject and very well written, this certainly has put a spin on my day, many thanks from the USA and maintain up the good work

  • Philippe Chauvin Says:

    thank you! This step by step procedure works fine for infoView.
    But how can I do the same for CMC? I’ve tried to modify the Tomcat55\webapps\CmcApp\WEB-INF\web.xml like the Tomcat55\webapps\InfoViewApp\WEB-INF\web.xml but it doesn’t work.
    Could you help me?
    Thanks again.

  • Mohammed Imran Says:

    Hi Josh,

    This is really an awesome document.

    Thanks
    Mohammed Imran

  • Joshua Fletcher Says:

    Hi Ritesh, I’m reasonably confident that this will work with XI R2 SP2, as I think with the release of SP2 they included the Vintela compatibility. Best bet is to check the support article out. Cheers, Josh

  • Ritesh Says:

    Hi Josh, thanks for the excellent article. Does it work with XI R2 sp2?

  • Joshua Fletcher Says:

    Hi Jon,

    Is the error message more explicit than that? The SIA (not Tomcat) should be running as the domain service account, to allow it to talk to AD. Another thing to do is use the logging features of Vintela according to Tim’s document.

    You can also log a case with SAP Support, as they will be able to assist with any problems.

    Kind regards,

    Josh Fletcher

  • Jon Roberts Says:

    I have done the basic setup of AD without SSO. I have been able to import groups. When I try to log on using an AD account I get a message stating I can not log on. The services are running as the local system account (same as we had in XI R2). This is curious, am I missing something?

  • Abishek Says:

    Great job!! Very nicely and precisely documented. I now really wish if we have similar step-by-step approach for SSO with SAP credentials (multilink: SSO AD and SSO SAP).

    Thank you anyways.

  • Joshua Fletcher Says:

    Hi Brian,

    Unfortunately I haven’t got any experience around that yet. I would suggest you actually touch base with Tim Ziemba, his contact details should be around on the SAP site, or even on the SAP Note I linked to.

    Let us know how you go.

    Kind regards,

    Josh Fletcher

  • Brian H Says:

    Have any pointers on how to get the single sign on working for multiple forests each having multiple domains?

    We do not have a 2 way transitive trust between all of the domains (and our security officer won’t let us put one in). As far as I can tell this is not supported; but maybe you have some ideas.

  • Active Directory SSO with Vintela in XI 3.1 « Business Objects Blog Says:

    [...] on the subject on the SAP portal, you would benefit greatly from reading Josh Fletcher’s step by step guide to the [...]

  • bobjblog Says:

    Excellent article Josh.
    On a number of occasions, we do get into a twist with the BOBJ documentation.
    This will come in very handy.

  • Joshua Fletcher Says:

    Thanks very much Mike, glad it’s useful for you.

    Kind regards,

    Josh

  • MikeD Says:

    Way to go Joshua!
    Tim’s document is pretty good but I’m sitting here trying to figure out where I went wrong and it’s great to have a step by step reference of the specifics.
    I concur re getting this onto the SAP portal and will definitely be posting a ref to this on BOBJ.
    I wish we could see more of these step by step task lists without all the explanations i.e. I’m sure I’m not the only one that copies from PDF into Wordpad to create checklists or quick instruction guides etc. The thing is that you typically need the short instruction list for the 2nd round when you upgrade or migrate as you can never remember exactly what you did with all the fiddling and back and forth.

    Thanks J – Much Appreciated!
