BOB: Business Objects Board
Not endorsed by or affiliated with SAP

HOWTO BO4 SSO using AD and Kerberos
clarej
Senior Member
Joined: 22 Jan 2008
Posts: 44
Location: Sunny Crewe!
PostPosted: Wed Jul 31, 2013 6:25 am
Post subject: HOWTO BO4 SSO using AD and Kerberos

[Moderator note - now a sticky - Nick]
Business Objects 4 SSO using Windows AD and Kerberos
I’m currently (2013) performing an upgrade from BO3.1 to BO4 and made the decision to move away from my .Net Single Sign-on solution to a more “out of the box” approach – AD. Should be straightforward, right? Sadly not. The hardest part was trying to find the solution hidden in inconsistent and hard to follow documentation from both SAP and forums. I never managed to find a nice, easy-to-follow document which covered all my requirements, so I thought I would try to right (or write!) that wrong here.
So let’s start with the setup. I have 2 Windows 2008R2 BI4 SP6 Patch1 servers which both have Tomcat and SIA installed. Our domain (I’m going to call it ukco) is part of a much larger global domain (going with globalco here) so for the purpose of this document I’m going to refer to the two servers as SERVER1.ukco.emea.globalco and SERVER2.ukco.emea.globalco. Our domain controller is going to be called DOMAIN_CONTROLLER.
Business Objects is running on both servers under the same domain account called ukco\BO_SERVICE_ACCOUNT and the Business Objects cluster name is @BO_CLUSTER
Straightforward so far, so now let’s spice things up a bit! I wanted more resilience on the web server side and a single URL for the users, so I set up Microsoft Network Load Balancing across SERVER1 and SERVER2. I created a host name in DNS for this called BOHOST.ukco.emea.globalco and this points to the NLB shared IP of the two servers. Just to give myself a headache I decided to keep the alias we already use, so I also have an alias of BOALIAS.ukco.emea.globalco and this points to the BOHOST address.
It’s not really relevant but just for completeness I also configured SSL which uses the alias in the certificate.


Step1 – AD configuration

As a domain administrator the following setspn command needs to be run:-
setspn -a HTTP/BOHOST.ukco.emea.globalco BO_SERVICE_ACCOUNT
**Tip** There is a real gotcha here which drove me mad! ALWAYS type this command in manually and NEVER copy it from Outlook. Outlook messes around with the hyphens and the command will fail but not tell you why.
Next we need to create a keytab file on the Domain controller. So again as a domain administrator and on the domain controller run the following command:-
ktpass -princ HTTP/BOHOST.ukco.emea.globalco@UKCO.EMEA.GLOBALCO -mapuser BO_SERVICE_ACCOUNT@UKCO.EMEA.GLOBALCO -pass password_of_the_service_account -kvno 255 -ptype KRB5_NT_PRINCIPAL -crypto RC4-HMAC-NT -out c:\bo4_service.keytab
Again do not copy and paste this command!
**Tip** If you want to check what SPNs have been created anyone can run this:-
setspn -l ukco\BO_SERVICE_ACCOUNT
**Tip** To check that the ktpass command has worked the UPN of the service account should have changed. Anyone can check this by right clicking on a folder on your pc > properties > security tab > edit button > add button > type in the service account name > check name button. This should resolve the account and show you the UPN in brackets. For our example here it would show:-
BO_SERVICE_ACCOUNT(HTTP/BOHOST.ukco.emea.globalco@UKCO.EMEA.GLOBALCO)
You can of course then cancel out of all the folder properties windows.
**Tip** After running the ktpass command on an account you should reset the password for that account back to what it was.
Finally ask the domain administrator to edit the account for the BO_SERVICE_ACCOUNT and select the “Trust this user for delegation to any service (Kerberos only)” option.


Step2 – CMC configuration

Launch your CMC as a BO administrator and go to the Authentication tab. Double click on Windows AD and apply the following settings:-
1. Check the “Enable Windows Active Directory (AD)” checkbox.
2. Click the “ ” link next to AD Administration Name and enter the details for the BO_SERVICE_ACCOUNT. Default AD Domain should be UKCO.EMEA.GLOBALCO. Click the Update button.
3. Add any groups that you want to pull in from AD into the “Mapped AD Member Groups”.
4. Under the Authentication Options select “Use Kerberos authentication”. In the Service principal name enter:-
HTTP/BOHOST.ukco.emea.globalco
Make sure the “Enable Single Sign On for selected authentication mode” is checked.
5. Now choose if and when to pull in AD accounts to BO and set the rest of the settings accordingly. If you want to pull them in now under the “On-Demand AD Update” section choose “Update AD Groups and Aliases now”.
6. Click the Update button and then close the window.
**Tip** You should now see the group and users in your CMC Users and Groups screen. Grant a test user some access at this point so you can test the SSO process.


Step3 – SERVER1 Configuration

Remember I have 2 BO servers each running Tomcat and an SIA in my example here so I’ve split the next part into two.
On SERVER1 create a folder called SSO (it doesn’t matter where as long as the service account can access it).
In the SAP documentation it tells you to create the next 2 files in the C:\Windows\ folder but it actually doesn’t matter. It’s up to you if you want to create them there. I chose to keep all my files in one location for easier administration in the future.
**Tip** Make sure you change your Windows Explorer settings so you can see file extensions before the next part.
1. Create a file called bscLogin.conf either in c:\windows\ or a folder of your choice. Edit this file in notepad and enter the following:-
Code:
com.businessobjects.security.jgss.initiate {
com.sun.security.auth.module.Krb5LoginModule required;
};
2. Create a file called krb5.ini again either in c:\windows\ or a folder of your choice. Edit this file in notepad and enter the following:-
[libdefaults]
default_realm = UKCO.EMEA.GLOBALCO
dns_lookup_kdc = true
dns_lookup_realm = true
default_tkt_enctypes = rc4-hmac
default_tgs_enctypes = rc4-hmac

[domain_realm]
.domain.com = UKCO.EMEA.GLOBALCO
domain.com = UKCO.EMEA.GLOBALCO

[realms]
UKCO.EMEA.GLOBALCO = {
default_domain = UKCO.EMEA.GLOBALCO
kdc = DOMAIN_CONTROLLER.UKCO.EMEA.GLOBALCO
}

3. Navigate to [your BO install path]\SAP BusinessObjects Enterprise XI 4.0\warfiles\webapps\BOE\WEB-INF\config\custom
Create a file called BIlaunchPad.properties
**Tip** Case of the file name is very important here and annoyingly is wrong in the SAP documentation. I had very little hair left after getting to the bottom of this one!!
Edit this file with notepad and enter the following:-
authentication.visible=true
authentication.default=secWinAD
cms.default=@BO_CLUSTER

4. Copy the keytab file created in Step1 to your server. For this example I’m going to put it in C:\BO\SSO\ with my bscLogin.conf and krb5.ini files.

5. Navigate to [your BO install path]\SAP BusinessObjects Enterprise XI 4.0\warfiles\webapps\BOE\WEB-INF\config\custom
Create a file called global.properties
**Tip** Again case is important.
Edit this file with notepad and enter the following:-
sso.enabled=true
siteminder.enabled=false
vintela.enabled=true
idm.realm= UKCO.EMEA.GLOBALCO
idm.princ= HTTP/BOHOST.ukco.emea.globalco
idm.allowUnsecured=true
idm.allowNTLM=false
idm.logger.name=simple
idm.keytab=c:/BO/SSO/bo4_service.keytab
idm.logger.props=error-log.properties

**Tip** Yes I meant to put forward slashes in the keytab path.

6. Add the BO_SERVICE_ACCOUNT to the local administrators group on SERVER1. Use Local Security Policy editor and add the BO_SERVICE_ACCOUNT to the following on SERVER1:-
Act as part of the Operating system
Log on as a Batch job
Log on as a service
Replace a Process Level Token

7. Run Start > All Programs > Tomcat > Tomcat Configuration. Under the Java tab add the following lines (no space after the equals sign, otherwise Java treats the path as a separate argument and the property stays empty):-
-Djava.security.auth.login.config=c:\BO\SSO\bscLogin.conf
-Djava.security.krb5.conf=c:\BO\SSO\krb5.ini
**Tip** Remember to specify your paths here.

8. The next part may seem overkill but I wanted to redeploy BO to make sure nothing would break after a future redeploy/upgrade. Please note that if you have customised your BO webfiles in any way a redeploy may overwrite your changes and you should only redeploy if you are confident to do so.
From the CCM stop both Tomcat and the SIA. Start > All Programs > SAP Business Intelligence > SAP BusinessObjects BI platform 4 > WDeploy.
Hit Run to redeploy Business Objects.
Now wait for an age!
Once finished Start the SIA and Tomcat.
**Tip** to check the redeploy has created the relevant SSO files browse to [your BO install path]\Tomcat6\webapps\BOE\WEB-INF\config\custom\. You should see the properties files created above.


Step4 – SERVER2 Configuration

Do exactly the same as you did in Step3 for SERVER1 but on SERVER2.


Step5 – Token Size Issues

In theory your SSO should now be working at this point, but in my case it wasn’t and this is where I really went to town on my hair. It turns out that my AD account (the one I was testing with) was in lots (hundreds) of groups and had a large Kerberos token. I didn’t know this at the time but I followed a number of Microsoft articles to increase the MaxTokenSize on both servers. I set the following registry keys:-
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Kerberos\Parameters
LogLevel 0x00000000 (0)
MaxPacketSize 0x00000001 (1)
MaxTokenSize 0x0000ffff (65535)

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HTTP\Parameters
MaxFieldLength 0x0000fffe (65534)
MaxRequestBytes 0x0000ffff (65535)

After a few reboots it still wasn’t working. I decided the problem had to be with the SAP documentation again so I started to question the maxHttpHeaderSize setting and sure enough increasing this to 32768 fixed the issue and my SSO started to work beautifully.
To set the maxHttpHeaderSize in BO perform the following on both servers:-
1. Navigate to [your BO install path]\Tomcat6\conf\
2. Edit server.xml with notepad
3. Find the connector section for the port you connect on (by default it’s 8080 or 8443 for HTTPS)
4. Add the following:-
maxHttpHeaderSize="32768"


Step6 – Security

Now that we have SSO working (hopefully) let’s tighten security around the service account. After all we have trusted it for delegation.
Ask your domain administrator to edit your service account so that it’s ONLY allowed to log on to your BO servers.
Once that’s done, log on to your BO server and set “Deny log on locally” and “Deny log on through Remote Desktop Services” in Local Security Policy editor for your service account. This effectively prevents anyone logging on as the service account anywhere.
Now restart all servers and make sure SSO is still working!




Tips

1. Save this document locally and do a find and replace on the following making sure you choose “match case”:-

Find - Replace with
UKCO.EMEA.GLOBALCO - YOUR DOMAIN FULLY QUALIFIED DOMAIN
DOMAIN_CONTROLLER - YOUR DOMAIN CONTROLLER
BO_SERVICE_ACCOUNT - YOUR BO SERVICE ACCOUNT
ukco\ - your domain\
ukco.emea.globalco - your fully qualified domain
SERVER1 - NAME OF YOUR FIRST BO SERVER
SERVER2 - NAME OF YOUR SECOND BO SERVER
@BO_CLUSTER - @YOUR BO CLUSTER NAME
BOHOST - YOUR BO HOST NAME (IF YOU USE NLB)
BOALIAS - YOUR BO ALIAS (IF YOU HAVE ONE)
bo4_service.keytab - name of your keytab file
[your BO install path] - path to your BO install
c:\BO\SSO\ - Path to your sso files
c:/BO/SSO/ - Properties file path to your keytab folder

This will give you a good start and make the document more relevant and easy to follow for you.

2. Create a new domain account and add it to a new AD group called BOTESTGROUP. Add this BOTESTGROUP in the CMC (Step2.3). Once the BOTESTGROUP has been pulled into BO add it to the Administrators group. Use this new domain account to test the single sign on process. This will eliminate token size issues. Once you have this working you can then move on to test with other accounts. Remember to go back and delete this account and group.

3. If you do have issues this log file can help track them down - [your BO install path]\Tomcat6\work\Catalina\localhost\BOE\sbInitLog.txt

4. Don’t run the spn command for all your server name combinations. This way if a user wants to sign on manually they can do so using http://SERVER1.ukco.emea.globalco:8080/BOE/BI/ instead of http://BOHOST.ukco.emea.globalco:8080/BOE/BI/

5. I can almost guarantee you won’t get it working first time so patience is required! Hopefully though this document may help you avoid some of the problems I had.
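As an added example (not part of the original post), here is a small Python parser for the MIT-format keytab that ktpass writes, so you can confirm on the BO server that c:\BO\SSO\bo4_service.keytab really carries HTTP/BOHOST.ukco.emea.globalco@UKCO.EMEA.GLOBALCO at kvno 255 before you start chasing SPN problems, and see that -crypto RC4-HMAC-NT (matched by the rc4-hmac enctypes in krb5.ini) leaves you on an encryption type that is considered weak today. The keytab it builds itself is constructed test data; the function and constant names are mine, not SAP’s or ktpass’s.

```python
import struct
from io import BytesIO

# Encryption type numbers (RFC 3961 / RFC 4757) commonly found in AD keytabs.
ENCTYPE_NAMES = {1: "des-cbc-crc", 3: "des-cbc-md5", 23: "rc4-hmac",
                 17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96"}
WEAK_ENCTYPES = {1, 3, 23}    # DES and RC4 are considered weak today

def _counted(buf):
    # Keytab counted string: 16-bit big-endian length followed by the bytes.
    (n,) = struct.unpack(">H", buf.read(2))
    return buf.read(n)

def parse_keytab(data):
    """Parse an MIT-format (0x0502) keytab, the layout ktpass writes; one dict per key."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %r" % data[:2])
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack(">i", data[pos:pos + 4])
        pos += 4
        if size <= 0:             # a negative size marks a deleted slot: skip it
            pos += -size
            continue
        buf = BytesIO(data[pos:pos + size])
        pos += size
        (ncomp,) = struct.unpack(">H", buf.read(2))
        realm = _counted(buf).decode()
        comps = [_counted(buf).decode() for _ in range(ncomp)]
        _name_type, _timestamp, vno8 = struct.unpack(">IIB", buf.read(9))
        etype, klen = struct.unpack(">HH", buf.read(4))
        key = buf.read(klen)
        kvno, tail = vno8, buf.read(4)   # optional 32-bit kvno, needed once kvno > 255
        if len(tail) == 4 and struct.unpack(">I", tail)[0] != 0:
            (kvno,) = struct.unpack(">I", tail)
        entries.append({"principal": "/".join(comps) + "@" + realm, "kvno": kvno,
                        "enctype": ENCTYPE_NAMES.get(etype, "etype %d" % etype),
                        "key_len": len(key), "weak": etype in WEAK_ENCTYPES})
    return entries

def check_keytab(entries, expected_principal):
    """Findings as strings; empty means every key is for the expected SPN@REALM and not weak."""
    findings = []
    for e in entries:
        if e["principal"] != expected_principal:
            findings.append("unexpected principal %s" % e["principal"])
        if e["weak"]:
            findings.append("%s uses weak enctype %s" % (e["principal"], e["enctype"]))
    return findings

def build_sample_keytab(principal, kvno, etype, key):
    """Construct a one-entry keytab in the same layout (test data, not ktpass output)."""
    name, realm = principal.split("@")
    body = struct.pack(">H", len(name.split("/")))
    for s in [realm] + name.split("/"):
        body += struct.pack(">H", len(s)) + s.encode()
    body += struct.pack(">IIB", 1, 0, kvno & 0xFF)   # name type 1 = KRB5_NT_PRINCIPAL, timestamp 0
    body += struct.pack(">HH", etype, len(key)) + key + struct.pack(">I", kvno)
    return b"\x05\x02" + struct.pack(">i", len(body)) + body

# Constructed sample mirroring the post's ktpass command (-kvno 255, RC4-HMAC-NT).
SAMPLE_PRINCIPAL = "HTTP/BOHOST.ukco.emea.globalco@UKCO.EMEA.GLOBALCO"
SAMPLE_KEYTAB = build_sample_keytab(SAMPLE_PRINCIPAL, 255, 23, b"\x11" * 16)

if __name__ == "__main__":
    print(check_keytab(parse_keytab(SAMPLE_KEYTAB), SAMPLE_PRINCIPAL))
```

To inspect a real file, read the keytab in binary mode and pass the bytes to parse_keytab; the AES types are recognised too, so the same check confirms a keytab regenerated with a stronger -crypto choice.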

dvitali
Forum Member
Joined: 12 Aug 2013
Posts: 2
PostPosted: Sun Aug 25, 2013 5:18 pm
Post subject: Re: HOWTO BO4 SSO using AD and Kerberos

Hello Clarej,

Thank you for this post, it is fantastic. I have a quick question. Most other tutorials I have read online recommend to use BICMS/ BOHOST.ukco.emea.globalco as the SPN name, assigning it to the BOBJ SSO AD account and then entering it into the SPN section in CMC.

In this tutorial you have recommended to use HTTP/BOHOST.ukco.emea.globalco.

What is the difference between using the two? It seems that the SPN can be setup in different ways and affects other areas of SSO like Query as web services, explorer etc.

kind regards

david

clarej
Senior Member
Joined: 22 Jan 2008
Posts: 44
Location: Sunny Crewe!
PostPosted: Wed Sep 18, 2013 9:44 am
Post subject: Re: HOWTO BO4 SSO using AD and Kerberos

Hi David,

Thanks for your kind comments.

I don't think it matters what it's called (famous last words!) and I haven't found anything not working under the configuration I have suggested. However, the whole sso area is a minefield and if you find something that doesn't work due to the name of the SPN then I will certainly change my post. However, however.... I fell into the trap of thinking that the name of the SPN was causing me problems and it always turned out to be something else. At one point I had 7 SPN's setup on the service account trying to get it to work. As soon as I had it working properly I then went back and removed all the unwanted SPN's to prove they were not required.

Thanks,

John

judia
Forum Associate
Joined: 23 Jun 2008
Posts: 562
PostPosted: Wed Sep 18, 2013 10:59 am
Post subject: Re: HOWTO BO4 SSO using AD and Kerberos

Hi clarej,

I have to implement Single Sign-on in the QA environment of BO 4.0.
Could you please tell me which steps I need to follow?

Thanks

Regards
Judia

vivek.b.nair
Forum Member
Joined: 31 Oct 2013
Posts: 3
PostPosted: Thu Oct 31, 2013 5:50 am
Post subject: Re: HOWTO BO4 SSO using AD and Kerberos

Hi Clarej,

We are upgrading to BI 4.0 from 3.x and have LDAP set up on the 3.x server. However, we need to migrate the security, access levels and users from the 3.x system. Do we need to set up LDAP authentication before we migrate or after the migration? What are the steps to set up LDAP authentication on the BI 4.0 platform? Any inputs are highly appreciated.

Thanks,
Vivek Nair.

clarej
Senior Member
Joined: 22 Jan 2008
Posts: 44
Location: Sunny Crewe!
PostPosted: Thu Oct 31, 2013 6:41 am
Post subject: Re: HOWTO BO4 SSO using AD and Kerberos

Apologies, but I have never done this. You’d be better off creating a new topic and asking the question of the excellent guys and gals on this forum. Good luck with your upgrade.

JohnBClark
Forum Enthusiast
Joined: 27 Mar 2007
Posts: 1033
Location: Appleton, WI USA
PostPosted: Fri Nov 01, 2013 7:58 am
Post subject: Re: HOWTO BO4 SSO using AD and Kerberos

vivek.b.nair wrote:
Do we need to setup LDAP authentication before we migrate or post the migration.
I assume that you would need to set up the LDAP authentication first. It works that way for AD. That is the process that I have used when we upgraded from XIR2 to XI3.1 and I am using the same process for our upgrade to BI4.0.
vivek.b.nair wrote:
What are the steps to setup LDAP authentication on the BI 4.0 platform.
You can find this in the Administrator's Guide.
_________________
BusinessObjects BI4.2sp4, SQL Server 2016 (CMS)
Clustered for fail over redundancy
Reporting Tools: Crystal Reports 2016sp4, Web Intelligence
Operating System: Windows 2016 running on VMWare
Reporting databases: SQL Server, Teradata, DB2, Oracle, Hive
Information Steward 4.2sp10
History: BO5, BO6, XIR2, XI3.1, BI4.1.x

angelsd1
Principal Member
Joined: 21 Oct 2005
Posts: 372
Location: Atlanta, GA
PostPosted: Tue Nov 05, 2013 12:43 pm
Post subject: Re: HOWTO BO4 SSO using AD and Kerberos

Have you used this approach with BOE4.1?
_________________
Angel R. Davila
United States Navy, Retired
Cancer Survivor!

Business Intelligence Architect
Angel-Link.Com
Direct - 770-630-0377

angelsd1
Principal Member
Joined: 21 Oct 2005
Posts: 372
Location: Atlanta, GA
PostPosted: Wed Nov 20, 2013 6:24 pm
Post subject: Re: HOWTO BO4 SSO using AD and Kerberos

Well, guess I will answer this myself. Yes, it does work with 4.1, with some variations, and it is MUCH simpler. I actually followed the steps found here:

http://scn.sap.com/blogs/josh_fletcher/2012/06/11/active-directory-sso-for-sap-businessobjects-bi4

Worked first time for me.

Ang.


cedrickb
Principal Member
Joined: 19 Aug 2005
Posts: 373
Location: FRANCE
PostPosted: Mon May 19, 2014 9:09 am
Post subject: Re: HOWTO BO4 SSO using AD and Kerberos

Hi,
just one question!
We have 1 web server, 1 boe server and 1 db server.
In this kind of scenario, on your first step, should I do
Code:
setspn -a HTTP/BOHOST.ukco.emea.globalco BO_SERVICE_ACCOUNT

or
Code:
setspn -a HTTP/TOMCATHOST.ukco.emea.globalco BO_SERVICE_ACCOUNT

or both? like:
Code:
setspn -a HTTP/TOMCATHOST.ukco.emea.globalco BO_SERVICE_ACCOUNT
setspn -a HTTP/BOHOST.ukco.emea.globalco BO_SERVICE_ACCOUNT


All procedures I found deal with just 1 BOE server (Tomcat & BOE), but if I have 2 separate servers, one for each layer, what are the recommendations?

Thanks everyone for your inputs!

kind regards

_________________
..:: Cedrick ::..

clarej
Senior Member
Joined: 22 Jan 2008
Posts: 44
Location: Sunny Crewe!
PostPosted: Tue May 20, 2014 2:21 am
Post subject: Re: HOWTO BO4 SSO using AD and Kerberos

I think "think being the key word here!" that it is the TomCat Host however I have been caught out with these SPN's quite a lot and it's been a long time since I set it up.

I would do what I did. Add each SPN and test. When you get it working, work backwards and remove SPNs until you have the minimum number of SPNs possible.

Hope this helps.

cedrickb
Principal Member
Joined: 19 Aug 2005
Posts: 373
Location: FRANCE
PostPosted: Wed May 21, 2014 11:15 am
Post subject: Re: HOWTO BO4 SSO using AD and Kerberos

Hello Clarej,

Here are the results after my brand new install:
You have to run the setspn command on the Tomcat side:
Code:
setspn -a HTTP/TOMCATHOST.ukco.emea.globalco BO_SERVICE_ACCOUNT


No need for the boeserver...

Hope it will help someone :)

_________________
..:: Cedrick ::..