AD Setup with BOXI R3.1- Windows Srvr 2003

Hi,

We are planning to set up AD with BO XI R3.1 on Windows Server 2003. I have gone through other links and got the following steps to begin with.

  1. Determine the service account that will be used for running the BO services
  2. Create Service Principal Name (SPN’s) for the service account on the DC:
    setspn –a BOBJCentralMS/NETBIOS_DOMAIN_NAME accountname
    setspn –a BOBJCentralMS/FQDN_DOMAIN_NAME accountname
    Ex: setspn –a BOBJCentralMS/TESTDOMAIN account1
    Setspn –a BOBJCentralMS/TESTDOMAIN.ABC.COM account1
    Note: It’s important to note that SPNs are case-sensitive. Note the case in which you created the SPNs.
    ===========================

Can anyone help me out with what info I need to give?

  1. How do I determine the service account? Where will I get this info?
  2. In step 2 above, “setspn” is executed two times. So, do we need to run it two times? What is the difference? We have BOXI R3.1 installed on just one Windows 2003 server.

Can anyone please advise?

Thanks in advance.


kch :us: (BOB member since 2005-04-08)

You have chosen the correct steps to proceed with. Setspn is executed two times: one with the NetBIOS name and the other with the domain. Giving the service name is your choice, for future reference. Upon execution of the SETSPN -L option, whatever is displayed, just add the same, with the same case, in the SPN name of your CMC --> AD configuration. Hope you will have a successful setup.


akk_006 (BOB member since 2006-10-10)

I have created simplified step-by-step instructions for the AD authentication and SSO piece using Tomcat and Vintela on a Windows server. I hope this helps.
AD Authentication and Single Sign On document (Generic).doc (81.0 KB)


mcliffordgoo :us: (BOB member since 2003-02-13)

Hi McCliff,

Thanks for your response and attachment. I was going through the steps, just some questions.
Please clarify:

  1. I am trying to configure on the BO XI R3.1 version;
    Are these steps for the same version or some other version?

  2. In Step 2
    SETSPN.exe -A BOBJCentralMS/Server Service_account ? Do we need to give the server name in place of ‘Server’, or the domain name?

  3. Step 4: where in our BO server do I need to check for “ACTIVE DIRECTORY Users and Groups”?

If you have any other document with some examples, it will be greatly appreciated.

Thanks in advance.


kch :us: (BOB member since 2005-04-08)

Hi. Having completed all steps as suggested in the SSO for BO XI 3.1 doc, with no changes in the web.xml (/tomcat55/Webapps/InfoViewApp/Web-INF/web.xml), I am able to log in using Windows AD authentication. Upon making the given changes in web.xml, the InfoView login page throws an error: HTTP 404. The stdout does not show any entry as suggested in the docs. My kinit BOBJ/servicename.domain.com@domain.com is a success. If more information is needed I will post it; I would appreciate it if you could guide me on which log to look into for next steps. Thanks in advance for a solution.


akk_006 (BOB member since 2006-10-10)

CHK,

  1. These are the steps for XI 3.1.
  2. Yes, the server denotes the physical server name.
  3. This should be done on the AD server and, I believe, on the server itself. The service accounts need to have full admin rights anyway.

mcliffordgoo :us: (BOB member since 2003-02-13)

Thanks mcliff for your prompt reply.

My network team is asking me to give the syntax for ‘SETSPN’ and is not certain about what to provide for the NETBIOS_DOMAIN_NAME and the FQDN_DOMAIN_NAME.

In one of the Steps:

Create Service Principal Name (SPN’s) for the service account on the DC:
setspn –a BOBJCentralMS/NETBIOS_DOMAIN_NAME accountname
setspn –a BOBJCentralMS/FQDN_DOMAIN_NAME accountname

Do we need to run SETSPN two times? What values do we need to put in place of

NETBIOS_DOMAIN_NAME and FQDN_DOMAIN_NAME?
Any input on this is appreciated.


kch :us: (BOB member since 2005-04-08)

NETBIOS_DOMAIN_NAME and FQDN_DOMAIN_NAME should be the physical server names (fully qualified), and you will need to run the setspn command for each account.

The instructions attached to this post had two separate service accounts. One is used to run the SIA and Tomcat; the second is for SSO. In this instance we ran the setspn command for each account. If you are using a single account for both, then you need to run it only once per BOE cluster.


mcliffordgoo :us: (BOB member since 2003-02-13)

mcliff,

We have our BO server and Tomcat both on the same Windows 2003 Enterprise server, so we do not have any clusters. In this case, can I give the following setspn?

Please correct me if I am wrong

setspn -a BOBJCentralMS/.Domain.com

And do I need to run it only once? Do you have any other document for this scenario?


kch :us: (BOB member since 2005-04-08)

Yes, the syntax is correct except for one item.

.Domain.com needs to be the BOE cluster name. If it is a single physical server and you did a default configuration and installation, then the BOE cluster name is typically the server name. You can verify the cluster name within the CMC.


mcliffordgoo :us: (BOB member since 2003-02-13)

Mcliff,

I verified and noticed in the CMC the following string, with the port number. So, I have sent it to the network team as follows:

setspn -a BOBJCentralMS/Server_Host_name.Domain.com:6400

Hope this will be fine.
What is the importance of BOBJCentralMS? Does it have any relevance?


kch :us: (BOB member since 2005-04-08)

You don’t need any of that information. Just the server_host_name.


mcliffordgoo :us: (BOB member since 2003-02-13)

Hi. I got AD with SSO working with a minor change in web.xml: the sso.enabled value changed to “false”, along with the other steps as followed from the docs. Now I need to work on getting the client tools to log in automatically. If someone could post me the steps it would be a great help. Thanks.


akk_006 (BOB member since 2006-10-10)

Hi,

The network team has created the service account and they did an SPN.
When checking, it gives the following output.
I just want to check whether the output is correct or not.

setspn -L <service_Account>

Registered ServicePrincipalName for CN=<Service_Account>,OU=user,OU=USA,DC=domain;DC=com:
BOBJCentral/.domain.com:6400

Is this fine? Can I go ahead and do the configuration?
The reason for my doubt is that it is CN=ServiceCMS in a couple of the other topics.

Thanks in advance


kch :us: (BOB member since 2005-04-08)

Hi CHK,
ServiceCMS is the account name mentioned in the document. In your case it can be any service account which you have created on the AD server. Follow the next steps to assign this for HTTP and with the IP address and FQDN. Hope this works now.

Hi all,
After SSO was working successfully on InfoView, I tried it for the CMC, which is not possible with AD (SiteMinder is allowed, which I am not using). For the client tools to log in through SSO, I tried adding the command line with == -user “your AD user name” -pass “Your password” -system “hostname:6400” -auth “AD” == for all the client tools. Designer and Deski are logging in without asking for any credentials.

Problems:

(a) Webi Rich Client is not able to log in (it prompts for credentials).
(b) How to replace the username and password with the system’s current login username and password.

Is this the right way, or is there any other approach? I appreciate any help on this.

Thanks.


akk_006 (BOB member since 2006-10-10)

Regarding the information that CMC SSO is not supported, I referred to page 9 of this document:
http://www.sdn.sap.com/irj/boc/index?rid=/library/uuid/d01d4069-8143-2b10-649f-dfbce1803b93&overridelayout=true

Please check. Thanks.


akk_006 (BOB member since 2006-10-10)

I am getting the following message when I try to add the groups

The secWinAD plugin failed to look up the account for the group “secWinAD:CN=,OU=Users,DC=company name,DC=com”. Please enter non-local groups as DomainName\GroupName and local groups as \ServerName\GroupName.

I have not yet created the krb5 and bsclogin files. Do I need to do that before adding groups? Do I need to change the SIA properties before adding groups?

Any suggestions are appreciated.

Thanks in advance


kch :us: (BOB member since 2005-04-08)

Are you trying to achieve SSO where the BO system picks up the user credentials from the system logon? If yes, then you need to follow Vintela SSO. The steps that you are following will not allow you to do SSO.

setspn -a BobjCentralMS/BOSERVER USERNAME

is not needed.

I’d not recommend following the BO Admin guide to achieve SSO. Rather, I’d suggest you follow the white paper below:

https://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/d0f6ac3c-b3ac-2b10-1b95-c9bd46194977

Follow each and every step carefully and you should be able to achieve SSO. Once all steps are complete, always make sure to log in from the client environment. Logging in to InfoView on the Tomcat server will not allow you to SSO.

Regards,
Vijay


vijaydsaradhi (BOB member since 2005-06-07)

Hi CHK, I am not sure where you are stuck. Attaching the document which I followed, or rather altered, after successful configuration of SSO at my end. It may be helpful to you. Let me know if something is not clear.
Configuring AD SSO Authentication.doc (41.0 KB)


akk_006 (BOB member since 2006-10-10)

Hi akk_006,

Thanks for your attachment. I have followed similar steps, but there are slight variations.
As Tomcat (installed along with BOE) and the SIA are both on the same box, I executed only one SPN, as below.

setspn -a BOBJCentralMS/Server_Host_name.Domain.com:6400
and the following are the results:

setspn -L <service_Account>
Registered ServicePrincipalName for CN=<Service_Account>,OU=user,OU=USA,DC=domain;DC=com:
BOBJCentral/.domain.com:6400

As per your doc, you have mentioned:
NETBIOS NAME = ORG
FQDN = ORG.MY.EXAMPLE.COM.
setspn –a BOBJ/ORG boadm
setspn –a BOBJ/ORG.MY.EXAMPLE.COM boadm

  1. So, even though my Tomcat and SIA (everything) are on one server, do I need to execute the above two SPNs? What is the NetBIOS name?
    Is your environment also the same, one BO server with Tomcat, or is it different?
  2. Is there any relevance to the BOBJ you added in setspn?
  3. Can you please explain step 13 of your document? In CMC -> Authentication -> AD, can we see all the AD users, or do we need to add each individual user? Please elaborate.

:hb: I have been working on this for two weeks.

Thanks in advance.


kch :us: (BOB member since 2005-04-08)
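As an added example (not code from this thread or from the BOE documentation), a small Python check of captured `setspn -L` output against the two SPN forms discussed above (class/NETBIOS and class/FQDN, with an optional :port), reporting exact matches, case-only mismatches and missing SPNs, and flagging any SPN registered on more than one account. The account DNs and host names in the sample listing are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample (not real output): `setspn -L` listings for two accounts, concatenated.
SAMPLE_LISTING = """\
Registered ServicePrincipalNames for CN=svc-bobj,OU=user,OU=USA,DC=domain,DC=com:
    bobjcentralms/ORG
    BOBJCentralMS/ORG.MY.EXAMPLE.COM
    HTTP/boserver.my.example.com
Registered ServicePrincipalNames for CN=svc-tomcat,OU=user,OU=USA,DC=domain,DC=com:
    HTTP/boserver.my.example.com
"""

HEADER_RE = re.compile(r"^Registered ServicePrincipalNames? for (CN=.+):\s*$")

def parse_setspn_output(text):
    """Map each account DN to the SPNs listed under its header line."""
    spns, account = defaultdict(list), None
    for raw in text.splitlines():
        line = raw.strip()
        header = HEADER_RE.match(line)
        if header:
            account = header.group(1)
        elif account and "/" in line:  # SPN lines look like class/host[:port]
            spns[account].append(line)
    return dict(spns)

def check_spns(listing, service, netbios, fqdn, port=None):
    """Check the two SPN forms from the thread (class/NETBIOS and class/FQDN, optional
    :port) against the listing: exact, case-only mismatch, or missing; also flag SPNs
    registered on more than one account, which makes Kerberos ticket requests fail."""
    parsed = parse_setspn_output(listing)
    registered = [s for lst in parsed.values() for s in lst]
    by_lower = {s.lower(): s for s in registered}
    suffix = f":{port}" if port else ""
    report = {"exact": [], "case_mismatch": [], "missing": []}
    for want in (f"{service}/{netbios}{suffix}", f"{service}/{fqdn}{suffix}"):
        if want in registered:
            report["exact"].append(want)
        elif want.lower() in by_lower:  # registered, but not in the case you will type into the CMC
            report["case_mismatch"].append((want, by_lower[want.lower()]))
        else:
            report["missing"].append(want)
    owners = defaultdict(set)
    for account, lst in parsed.items():
        for s in lst:
            owners[s.lower()].add(account)
    report["duplicates"] = sorted(s for s, accts in owners.items() if len(accts) > 1)
    return report
```

Run it with `check_spns(SAMPLE_LISTING, "BOBJCentralMS", "ORG", "ORG.MY.EXAMPLE.COM")` to see the NetBIOS SPN flagged as a case mismatch and the HTTP SPN flagged as registered on two accounts.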