CMC administrator account and SSO

SebastienGoiffon · November 16, 2006, 4:32pm

Hi all,

We have just implemented SSO using kerberos on win2003 IIS server and windows AD authentification.

Everything is ok using infoview.
All my users belong to my AD except the administrator account.
How must i manage this account ?
Must I create it in my AD ?
Or how could i connect to infoview using Administratot account ?

I want to apply sso only on infoview and not on CMC.
How could I connect to the CMC bypassing SSO …

Thanks for answers

Regards

system · November 16, 2006, 4:52pm

by default, I think there’s a login page before accessing the CMC. Use this page to enter administrator user/pass and use Enterprise as authentication method instead of WindowsAD. If there’s no login page and you automatically get authentified then try one of the following URL:

http://servername/businessobjects/enterprise115/admin/fr/admin.cwr?action=logoff&clgoff=true

http://servername//businessobjects/enterprise115/admin/fr/admin.cwr?draw=logon

GuillaumeA (BOB member since 2006-11-15)

system · November 16, 2006, 5:00pm

To bypass SSO when you access Infoview, use the following URL

https://servername/businessobjects/enterprise115/InfoView/logon.aspx?action=logoff&done=1

Also, I don’t think you should create the Administrator account in AD. It belongs to BO only. Use Enterprise authentication if you want to use this account.

GuillaumeA (BOB member since 2006-11-15)

SebastienGoiffon · November 16, 2006, 5:22pm

Hi,

Thanks for your quick answer.

But when I use these both url the server asks me for an AD login

Regards

system · November 16, 2006, 5:47pm

As I understand, there’s a popup asking for your credentials. This is an IIS security configuration “issue” and my knowledge of IIS is quite limited, but I can provide some hints.

You’re using a windows machine, you’re logged on the domain, and your browser is Internet Explorer: In that case, the message shouldn’t appear. Try to put your BO server in the trusted site list of IE (by default, an SSL connection is necessary, but you can deactivate this feature).
You’re not using Windows or you’re not logged to the same domain as the BO web server or Internet Explorer isn’t your web browser. I don’t think any other browser can pass the credentials directly to the server without asking the user for inputs beforehand. In thoses cases, I think you need to allow “anonymous” connections on the IIS server for the BO site.

I don’t know if you can both have SSO and anonymous connections enabled at the same time.

I hope this help !

GuillaumeA (BOB member since 2006-11-15)

SebastienGoiffon · November 17, 2006, 3:20pm

Hi Guillaume,

Thanks for this

Indeed I simply add my server to local intranet list and not in trusted sites.

We also put rights on IIS at infoview level and not Entreprise115.

Regards