We will go through the steps necessary to set up and install SAP BI 4.1 SP01 on a Red Hat Enterprise Linux 5.6 system. This will be a basic and default (full) installation of BI4.1 SP01 using the bundled Sybase SQL Anywhere database and Tomcat 7.0 Application server. This document assumes that you're installing from scratch and that no pre-existing BI products have been installed.
Prerequisites:
General
Only 64-bit Operating systems are supported
Installation target must have adequate disk space, ~20 GB (much more will be required to account for applying patches and SPs).
Temporary filesystem space ~2 GB
Create a user account and group under which the BI4.1 SP01 software will run. This account does not require root privileges.
Locale: Configure a supported UTF-8 locale by setting LC_ALL and LANG environment variables.
Example:
export LANG=en_US.utf8
export LC_ALL=en_US.utf8
ulimit settings must be set to unlimited by using the ulimit command or by editing /etc/security/limits.conf manually.
Read, write and execute permissions on the installation target directory
You may get the following error if you try to install without installing the required library files.
ERROR:
./setup.sh
/pae/BOE140/SAP4.1-SP2/51047191/DATA_UNITS/BusinessObjectsServer_lnx/setupexe -launchedFromSH
/pae/BOE140/SAP4.1-SP2/51047191/DATA_UNITS/BusinessObjectsServer_lnx/setup.engine/setupengine.bin: error while loading shared libraries: /pae/BOE140/SAP4.1-SP2/51047191/DATA_UNITS/BusinessObjectsServer_lnx/setup.engine/libperlcwrapper.so: cannot restore segment prot after reloc: Permission denied
Finished, return code is 0
Resolution: run the following commands as root to avoid the above error. They label the library with the SELinux type textrel_shlib_t, which allows the text relocation that was denied.
semanage fcontext -a -t textrel_shlib_t /pae/BOE140/SAP4.1-SP2/51047191/DATA_UNITS/BusinessObjectsServer_lnx/setup.engine/libperlcwrapper.so
chcon -f -t textrel_shlib_t /pae/BOE140/SAP4.1-SP2/51047191/DATA_UNITS/BusinessObjectsServer_lnx/setup.engine/libperlcwrapper.so
ERROR: When you try to install without the required library files, the following error is displayed:
Information: Missing patch: compat-libstdc++-33-3.2.3-61.x86_64
Missing patch:compat-libstdc++-33-3.2.3-61.i386.rpm
Resolution:
Before installing on Red Hat Linux, you must ensure all the required libraries are installed. Ensure you have root access, then use the Yum software installation tool to run the following commands:
yum install compat-libstdc++-33-3.2.3-61.x86_64.rpm
rpm -ivh compat-libstdc++-33-3.2.3-61.x86_64.rpm
yum install compat-libstdc++-33-3.2.3-61.i386.rpm
rpm -ivh compat-libstdc++-33-3.2.3-61.i386.rpm
Running Setup
To launch setup, navigate to the media for BI4.1 SP02 and execute ./setup.sh
Friday, December 6, 2013
Tuesday, August 6, 2013
Active Directory SSO with Vintela in XI 3.1
After trying to think of another useful topic, I realised that configuring Single Sign On with Active Directory and Vintela in XI 3.1 is something that is rarely covered, and I used to have quite a lot of trouble with it.
By adapting a document on the SAP Support Portal, I now use a sure-fire method to configure AD SSO with Tomcat, the default web application server that ships with BusinessObjects Enterprise/Edge XI 3.1. It’s worked every time I’ve used it.
Firstly, let’s define our server names and IPs (you must obviously adjust these and the commands below to reflect your server names and IPs – I have underlined commands that need to be changed to help):
- Domain Name: POWI (FQDN: POWER.INTERNAL)
- Service Account: bo.service (password: admin)
- Domain Controller: vs-dev-ad-dc.POWER.INTERNAL (IP: 192.168.5.1)
- BO Server: vs-dev-ad-bo.POWER.INTERNAL (IP: 192.168.5.2)
- BusinessObjects AD Group: POWI\Business Objects
Step 1
Create an Active Directory service account, bo.service (pass: admin). On the BusinessObjects server, add the POWI/bo.service user to the Administrators group. Also assign them the following rights in the Local Security Policy snap-in:
• Act as part of Operating System
• Log on as a Batch Job
• Log on as a Service
• Replace a Process Level Token
Step 2
Run the following command on the Active Directory server:
ktpass -out BOSSO.keytab -princ BOSSO/bo.service.power.internal@POWER.INTERNAL -mapuser bo.service@POWER.INTERNAL -pass admin -kvno 255 -ptype KRB5_NT_PRINCIPAL -crypto RC4-HMAC-NT
The output from the above command should be similar to:
Targeting domain controller: vs-dev-ad-dc.POWER.INTERNAL
Using legacy password setting method
Successfully mapped BOSSO/bo.service.power.internal to bo.service.
Key created.
Output keytab to BOSSO.keytab:
Keytab version: 0x502
keysize 81 BOSSO/bo.service.power.internal@POWER.INTERNAL ptype 1 (KRB5_NT_PRINCIPAL) vno 255 etype 0x17 (RC4-HMAC) keylength 16 (0x209c6174da490caeb422f3fa5a7ae634)
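To check the keytab after it has been copied around, the Python below lists each entry's principal, key version and encryption type without ever returning the key bytes, and flags the deprecated DES and RC4 types (Step 2 requests RC4-HMAC). It is an added example, not part of the original post or of any SAP or Microsoft tool; parse_keytab and sample_keytab are hypothetical names, and the sample is constructed to mirror the Step 2 entry with an all-zero key.

```python
import struct

# Kerberos encryption type numbers; 23 (0x17) is the RC4-HMAC type from Step 2.
ETYPES = {1: "DES-CBC-CRC", 3: "DES-CBC-MD5", 17: "AES128-CTS-HMAC-SHA1-96",
          18: "AES256-CTS-HMAC-SHA1-96", 23: "RC4-HMAC"}
WEAK = {1, 3, 23}  # DES and RC4 are deprecated for Kerberos (RFC 6649, RFC 8429)

def parse_keytab(data):
    """Return one dict per entry of a version 0x502 keytab; key bytes are skipped."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x502 keytab")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size <= 0:                 # a negative size marks a deleted slot
            pos += -size
            continue
        rec, p = data[pos:pos + size], 2   # p starts past the component count
        if len(rec) < size:
            raise ValueError("truncated entry")
        def counted():                # 16-bit length, then that many bytes
            nonlocal p
            (n,) = struct.unpack_from(">H", rec, p)
            p += 2 + n
            return rec[p - n:p]
        (ncomp,) = struct.unpack_from(">H", rec)
        realm = counted().decode()
        name = "/".join(counted().decode() for _ in range(ncomp))
        _ptype, _time, kvno, etype = struct.unpack_from(">IIBH", rec, p)
        p += 11
        counted()                     # step over the key without keeping it
        if size - p >= 4:             # optional non-zero 32-bit kvno wins
            kvno = struct.unpack_from(">I", rec, p)[0] or kvno
        entries.append({"principal": name + "@" + realm, "kvno": kvno, "size": size,
                        "etype": ETYPES.get(etype, hex(etype)), "weak": etype in WEAK})
        pos += size
    return entries

def sample_keytab():
    """Constructed sample shaped like the Step 2 entry, with an all-zero key."""
    cs = lambda b: struct.pack(">H", len(b)) + b
    body = (struct.pack(">H", 2) + cs(b"POWER.INTERNAL") + cs(b"BOSSO")
            + cs(b"bo.service.power.internal")
            + struct.pack(">IIBH", 1, 0, 255, 23) + cs(bytes(16)))
    return b"\x05\x02" + struct.pack(">i", len(body)) + body

if __name__ == "__main__":
    print(parse_keytab(sample_keytab()))
```

The constructed entry comes out at 81 bytes, the same keysize ktpass prints above, which is a quick sanity check that the layout is being read correctly.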
Step 3
Run the following command on the Active Directory server:
setspn -l bo.service
The output should be similar to:
Registered ServicePrincipalNames for CN=bo.service,CN=Users,DC=POWER,DC=INTERNAL:
BOSSO/bo.service.power.internal
Step 4
Go to properties of the ‘bo.service’ user in Active Directory and under the Delegation tab, set ‘Trust this user for delegation to any service (Kerberos only)’ to on.
Step 5
Move the BOSSO.keytab file that was created on the Active Directory server (refer to Step 2) to c:\winnt\ of the BusinessObjects server.
Step 6
Generate the requisite SPNs by running the following commands on the Active Directory server:
setspn -a HTTP/vs-dev-ad-bo bo.service
setspn -a HTTP/vs-dev-ad-bo.power.internal bo.service
setspn -a HTTP/192.168.5.2 bo.service
The output from the above commands should be similar to:
HTTP/vs-dev-ad-bo
Updated object
Registering ServicePrincipalNames for CN=bo.service,CN=Users,DC=POWER,DC=INTERNAL
HTTP/vs-dev-ad-bo.power.internal
Updated object
Registering ServicePrincipalNames for CN=bo.service,CN=Users,DC=POWER,DC=INTERNAL
HTTP/192.168.5.2
Updated object
Step 7
Run the following command on the Active Directory server to view all of the created SPNs:
setspn -l bo.service
The output should be similar to:
Registered ServicePrincipalNames for CN=bo.service,CN=Users,DC=POWER,DC=INTERNAL:
HTTP/192.168.5.2
HTTP/vs-dev-ad-bo.power.internal
HTTP/vs-dev-ad-bo
BOSSO/bo.service.power.internal
Step 8
Within the BusinessObjects Central Management Console, within the Windows AD Authentication area, do the following:
- Enable Windows AD
- Set the AD Administration Name: POWI\bo.service
- Set the Default AD Domain: POWER.INTERNAL
- Add AD Group: POWI\Business Objects
- Set ‘Use Kerberos Authentication’
- Set the Service Principal Name: BOSSO/bo.service.power.internal
- Set ‘Enable SSO for Selected Authentication Mode’
Step 9
Modify the SIA service on the BusinessObjects server to run as the POWI\bo.service domain user.
Step 10
You should now be able to get SSO onto locally installed tools (i.e. Designer, Webi Rich Client) by starting the application, selecting the authentication method to be Windows AD, and without inputting a username and password, clicking OK. You should be logged in as your AD user.
Step 11
Create a file called c:\winnt\bsclogin.conf on the BusinessObjects server, and put in it the following text:
com.businessobjects.security.jgss.initiate
{
com.sun.security.auth.module.Krb5LoginModule required debug=true;
};
Step 12
Create a file called c:\winnt\krb5.ini on the BusinessObjects server, and put in it the following text:
[libdefaults]
default_realm = POWER.INTERNAL
dns_lookup_kdc = true
dns_lookup_realm = true
udp_preference_limit = 1
[realms]
POWER.INTERNAL = {
kdc = VS-DEV-AD-DC.POWER.INTERNAL
default_domain = POWER.INTERNAL
}
Step 13
To test that the krb5.ini file was created successfully, undertake the following:
- Navigate to \Program Files\Business Objects\javasdk\bin on the command line
- Execute ‘kinit bo.service’, then input your password
- A ticket should be created
Step 14
On the BusinessObjects server, open up the Tomcat Configuration application, then go to the Java Options input, and add the following lines (restart Tomcat once done):
-Djava.security.auth.login.config=C:\winnt\bscLogin.conf
-Djava.security.krb5.conf=C:\winnt\Krb5.ini
Step 15
Modify the \Program Files\Business Objects\Tomcat55\webapps\InfoViewApp\WEB-INF\web.xml file and allow users to see authentication options by changing the authentication.visible tag to true.
Step 16
Modify the \Program Files\Business Objects\Tomcat55\conf\server.xml file by changing the following line to increase the MaxHttpHeaderSize element to ‘16384’:
Step 17
Modify the \Program Files\Business Objects\Tomcat55\webapps\InfoViewApp\WEB-INF\web.xml file as follows:
- Change authentication.default to ‘secWinAD’
- Change siteminder.enabled to ‘false’
- Change vintela.enabled to ‘true’
- Remove comment tags (<!--, -->) from around the authFilter filter element
- Change idm.realm to ‘POWER.INTERNAL’
- Change idm.princ to ‘BOSSO/bo.service.power.internal’
- Remove comment tags (<!--, -->) from around the authFilter filter-mapping element
Step 18
On the BusinessObjects server, open up the Tomcat Configuration application, then go to the Java Options input, and add the following lines:
-Dcom.wedgetail.idm.sso.password=admin
(password for bo.service user)
-Djcsi.kerberos.maxpacketsize=0
-Djcsi.kerberos.debug=true
Step 19
Remove the following from the Java Options input in the Tomcat Configuration (if they exist):
• debug=true in the bsclogin.conf (set by default)
• -Dbobj.logging.log4j.config=verbose.properties (may have been added to Java Options)
• -Dcrystal.enterprise.trace.configuration=verbose (may have been added to Java Options)
• -Djcsi.kerberos.debug=true (may have been added to Java Options)
• -Dcom.wedgetail.idm.sso.password=admin (only remove if you have a valid keytab configured)
• Switch Tomcat 5.5 back to run as the local system (if running under service account for verbose tracing)
Step 20
Encrypt your service account password by copying the BOSSO.keytab (created during Step 2) to the c:\winnt directory on the BusinessObjects server, then specify the following in the \Program Files\Business Objects\Tomcat55\webapps\InfoViewApp\WEB-INF\web.xml (after the idm.princ setting):
idm.keytab
c:\winnt\BOSSO.keytab
Step 21
Remove the wedgetail.password option from the Tomcat Configuration Java Options. At this point your Vintela SSO should work with InfoView.