After
trying to think of of another useful topic, I realised that configuring Single
Sign On with Active Directory and Vintela in XI 3.1 is something that is rarely
covered, and I used to have quite a lot of trouble with it.
By
adapting a document on the SAP Support Portal, I now use a sure-fire method to
configure AD SSO with Tomcat, the default web application server that ships
with BusinessObjects Enterprise/Edge XI 3.1. It’s worked every time I’ve
used it.
Firstly,
let’s define our server names and IPs (you must obviously adjust these and the
commands below to reflect your server names and IPs – I have underlined
commands that need to be changed to help):
- Domain Name: POWI (FQDN: POWER.INTERNAL)
- Service Account: bo.service (password: admin)
- Domain Controller: vs-dev-ad-dc.POWER.INTERNAL (IP: 192.168.5.1)
- BO Server: vs-dev-ad-bo.POWER.INTERNAL (IP: 192.168.5.2)
- BusinessObjects AD Group: POWI\Business Objects
Step 1
Create
an Active Directory service account, bo.service (pass: admin). On the
BusinessObjects server, add the POWI/bo.service user to the Administrators
group. Also assign them the following rights in the Local Security Policy
snap-in:
• Act as part of Operating System
• Log on as a Batch Job
• Log on as a Service
• Replace a Process Level Token
• Act as part of Operating System
• Log on as a Batch Job
• Log on as a Service
• Replace a Process Level Token
Step 2
Run
the following command on the Active Directory server:
ktpass -out
BOSSO.keytab –princ BOSSO/bo.service.power.internal@POWER.INTERNAL -mapuserbo.service@POWER.INTERNAL -pass admin -kvno 255 -ptype KRB5_NT_PRINCIPAL -crypto RC4-HMAC-NT
The
output from the above command should be similar to:
Targeting
domain controller: vs-dev-ad-dc.POWER.INTERNALUsing legacy password setting methodSuccessfully mapped BOSSO/bo.service.power.internal to bo.service.Key created.Output keytab to BOSSO.keytab:Keytab version: 0x502keysize 81 BOSSO/bo.service.power.internal@POWER.INTERNAL ptype 1
(KRB5_NT_PRINCIPAL) vno 255 etype 0x17 (RC4-HMAC) keylength 16
(0x209c6174da490caeb422f3fa5a7ae634)Step 3
Run
the following command on the Active Directory server:
setspn -l bo.service
The
output should be similar to:
Registered
ServicePrincipalNames for CN=bo.service,CN=Users,DC=POWER,DC=INTERNAL:BOSSO/bo.service.power.internalStep 4
Go
to properties of the ‘bo.service’ user in Active Directory and
under the Delegation tab, set ”Trust this user for delegation to any service
(Kerberos only)’ to on.
Step 5
Move
the BOSSO.keytab file that was created on the Active Directory server (refer
Step 2) to c:\winnt\ of the BusinessObjects server.
Step 6
Generate
the requisite SPN’s by running the following commands on the Active Directory
server:
setspn -a
HTTP/vs-dev-ad-bo bo.servicesetspn -a HTTP/vs-dev-ad-bo.power.internal bo.servicesetspn -a HTTP/192.168.5.2 bo.service
The
output from the above commands should be similar to:
HTTP/vs-dev-ad-boUpdated objectRegistering ServicePrincipalNames for
CN=bo.service,CN=Users,DC=POWER,DC=INTERNALHTTP/vs-dev-ad-bo.power.internalUpdated objectRegistering ServicePrincipalNames for
CN=bo.service,CN=Users,DC=POWER,DC=INTERNALHTTP/192.168.5.2Updated objectStep 7
Run
the following command on the Active Directory server to view all of the created
SPNs:
setspn -l bo.service
The
output should be similar to:
Registered
ServicePrincipalNames for CN=bo.service,CN=Users,DC=POWER,DC=INTERNAL:HTTP/192.168.5.2HTTP/vs-dev-ad-bo.power.internalHTTP/vs-dev-ad-boBOSSO/bo.service.power.internalStep 8
Within
the BusinessObjects Central Management Console, within the Windows AD
Authentication area, do the following:
- Enable Windows AD
- Set the AD Administration Name: POWI\bo.service
- Set the Default AD Domain: POWER.INTERNAL
- Add AD Group: POWI\Business Objects
- Set ‘Use Kerberos Authentication’
- Set the Service Principal Name: BOSSO/bo.service.power.internal
- Set ‘Enable SSO for Selected Authentication Mode’
Step 9
Modify
the SIA service on the BusinessObjects server to run as thePOWI\bo.service domain user.
Step 10
You
should now be able to get SSO onto locally installed tools (ie Designer, Webi
Rich Client) by starting the application, selecting the authentication method
to be Windows AD, and without inputting a username and password, clicking
OK. You should be logged in as your AD user.
Step 11
Create
a file called c:\winnt\bsclogin.conf on the BusinsesObjects server, and put in
it the following text:
com.businessobjects.security.jgss.initiate
{com.sun.security.auth.module.Krb5LoginModule required debug=true;};Step 12
Create
a file called c:\winnt\krb5.ini on the BusinessObjects server, and put in it
the following text:
[libdefaults]default_realm = POWER.INTERNALdns_lookup_kdc = truedns_lookup_realm = trueudp_preference_limit = 1[realms]POWER.INTERNAL =
{kdc = VS-DEV-AD-DC.POWER.INTERNALdefault_domain = POWER.INTERNAL}Step 13
To
test that the krb5.ini file was created successfully, undertake the following:
- Navigate to \Program Files\Business Objects\javasdk\bin on the command line
- Execute ‘kinit bo.service‘, then input your password
- A ticket should be created
Step 14
On
the BusinessObjects server, open up the Tomcat Configuration application, then
go to the Java Options input, and add the following lines (restart Tomcat
once done):
-Djava.security.auth.login.config=C:\winnt\bscLogin.conf-Djava.security.krb5.conf=C:\winnt\Krb5.iniStep 15
Modify
the \Program Files\Business
Objects\Tomcat55\webapps\InfoViewApp\WEB-INF\web.xml file and allow users to
see authentication options by changing the authentication.visible tag to true.
Step 16
Modify
the \Program Files\Business Objects\Tomcat55\conf\server.xml file, by
change the following line to increase the MaxHttpHeaderSize element to
‘16384′:
Step 17
Modify
the \Program Files\Business Objects\Tomcat55\webapps\InfoViewApp\WEB-INF\web.xml
file as follows:
- Change authentication.default to ’secWinAD’
- Change siteminder.enabled to ‘false’
- Change vintela.enabled to ‘true’
- Remove comment tags (<!–, –>) from around the authFilter filter element
- Change idm.realm to ‘POWER.INTERNAL’
- Change idm.princ to ‘BOSSO/bo.service.power.internal‘
- Remove comment tags (<!–, –>) from around the authFilter filter-mapping element
Step 18
On
the BusinessObjects server, open up the Tomcat Configuration application, then
go to the Java Options input, and add the following lines:
-Dcom.wedgetail.idm.sso.password=admin (password for bo.service user)-Djcsi.kerberos.maxpacketsize=0-Djcsi.kerberos.debug=trueStep 19
Remove
the following from the Java Options input in the Tomcat Configuration (if
they exist):
• Debug =true in the bsclogin.conf (set by default)
• -Dbobj.logging.log4j.config=verbose.properties (may have been added to Java Options)
• -Dcrystal.enterprise.trace.configuration=verbose (may have been added to Java Options)
• -Djcsi.kerberos.debug=true (may have been added to Java Options)
• Dcom.wedgetail.idm.sso.password=admin (only remove if you have a valid keytab configured)
• Switch Tomcat 5.5 back to run as the local system (if running under service account for verbose tracing)
• Debug =true in the bsclogin.conf (set by default)
• -Dbobj.logging.log4j.config=verbose.properties (may have been added to Java Options)
• -Dcrystal.enterprise.trace.configuration=verbose (may have been added to Java Options)
• -Djcsi.kerberos.debug=true (may have been added to Java Options)
• Dcom.wedgetail.idm.sso.password=admin (only remove if you have a valid keytab configured)
• Switch Tomcat 5.5 back to run as the local system (if running under service account for verbose tracing)
Step 20
Encrypt
your service account password by coping the BOSSO.keytab (created during Step
2) to the c:\winnt directory on the BusinessObjects server, then specify the
following in the \Program Files\Business Objects\Tomcat55\webapps\InfoViewApp\WEB-INF\web.xml
(after the idm.princ setting):
idm.keytab c:\winnt\BOSSO.keytab Step 21
Remove
the wedgetail.password option from the Tomcat Configuration Java Options. At
this point your Vintela SSO should work with InfoView.
.png)