[Moderator note - now a sticky - Nick]
Business Objects 4 SSO using Windows AD and Kerberos
Im currently (2013) performing an upgrade from BO3.1 to BO4 and made the decision to move away from my .Net Single Signon solution to a more out of the box approach AD. Should be straight forward right? - Sadly not. The hardest part was trying to find the solution hidden in inconsistent and hard to follow documentation from both SAP and Forums. I never managed to find a nice easy to follow document which covered all my requirements so I thought I would try to right (or write!) that wrong here.
So lets start with the setup. I have 2 Windows 2008R2 BI4 SP6 Patch1 servers which both have Tomcat and SIA installed. Our domain (Im going to call it ukco) is part of a much larger global domain (going with globalco here) so for the purpose of this document Im going to refer to the two servers as SERVER1.ukco.emea.globalco and SERVER2.ukco.emea.globalco. Our domain controller is going to be called DOMAIN_CONTROLLER.
Business Objects is running on both servers under the same domain account called ukco\BO_SERVICE_ACCOUNT and the Business Objects cluster name is @BO_CLUSTER
Straight forward so far so now lets spice things up a bit! I wanted more resilience on the Web server side and a single URL for the users so I setup Microsoft Network Load Balancing across SERVER1 and SERVER2. I created a host name in DNS for this called BOHOST.ukco.emea.globalco and this points to the NLB shared IP of the two servers. Just to give myself a headache I decided to keep the alias we already use so I also have an alias of BOALIAS.ukco.emea.globalco and this points to the BOHOST address.
Its not really relevant but just for completeness I also configured SSL which uses the alias in the certificate.
Step1 AD configuration
As a domain administrator the following setspn command needs to be run:-
setspn -a HTTP/BOHOST.ukco.emea.globalco BO_SERVICE_ACCOUNT
Tip There is a real gotcha here which drove me mad! ALWAYS type this command in manually and NEVER copy it from Outlook. Outlook messes around with the hyphens and the command will fail but not tell you why.
Next we need to create a keytab file on the Domain controller. So again as a domain administrator and on the domain controller run the following command:-
ktpass -princ HTTP/BOHOST.ukco.emea.globalco@UKCO.EMEA.GLOBALCO -mapuser BO_SERVICE_ACCOUNT@UKCO.EMEA.GLOBALCO -pass password_of_the_service_account -kvno 255 -ptype KRB5_NT_PRINCIPAL -crypto RC4-HMAC-NT -out c:\bo4_service.keytab
Again do not copy and paste this command!
Tip If you want to check what SPNs have been created anyone can run this:-
setspn -l ukco\BO_SERVICE_ACCOUNT
Tip To check that the ktpass command has worked the UPN of the service account should have changed. Anyone can check this by right clicking on a folder on your pc > properties > security tab > edit button > add button > type in the service account name > check name button. This should resolve the account and show you the UPN in brackets. For our example here it would show:-
BO_SERVICE_ACCOUNT(HTTP/BOHOST.ukco.emea.globalco@UKCO.EMEA.GLOBALCO)
You can of course then cancel out of all the folder properties windows.
Tip After running the ktpass command on an account you should reset the password for that account back to what it was.
Finally ask the domain administrator to edit the account for the BO_SERVICE_ACCOUNT and select the Trust this user for delegation to any service (Kerberos only) option.
Step2 CMC configuration
Launch your CMC as a BO administrator and go to the Authentication tab. Double click on Windows AD and apply the following settings:-
- Check the Enable Windows Active Directory (AD) checkbox.
- Click the link next to AD Administration Name and enter the details for the BO_SERVICE_ACCOUNT. Default AD Domain should be UKCO.EMEA.GLOBALCO. Click the Update button.
- Add and groups that you want to pull in from AD into the Mapped AD Member Groups.
- Under the Authentication Options select Use Kerberos authentication. In the Service principal name enter:-
HTTP/BOHOST.ukco.emea.globalco
Make sure the Enable Single Sign On for selected authentication mode is checked. - Now choose if and when to pull in AD accounts to BO and set the rest of the settings accordingly. If you want to pull them in now under the On-Demand AD Update section choose Update AD Groups and Aliases now.
- Click the Update button and then close the window.
Tip You should now see the group and users in your CMC Users and Groups screen. Grant a test user some access at this point so you can test the SSO process.
Step3 SERVER1 Configuration
Remember I have 2 BO servers each running Tomcat and an SIA in my example here so Ive split the next part into two.
On SERVER1 create a folder called SSO (it doesnt matter where as long as the service account can access it).
In the SAP documentation it tells you to create the next 2 files in the C:\Windows\ folder but it actually doesnt matter. Its up to you if you want to create them there. I chose to keep all my files in one location for easier administration in the future.
Tip Make sure you change your Windows Explorer settings so you can see file extensions before the next part.
- Create a file called bscLogin.conf either in c:\windows\ or a folder of your choice. Edit this file in notepad and enter the following:-
com.businessobjects.security.jgss.initiate {com.sun.security.auth.module.Krb5LoginModule required;}; - Create a file called krb5.ini again either in c:\windows\ or a folder of your choice. Edit this file in notepad and enter the following:-
[libdefaults]
default_realm = UKCO.EMEA.GLOBALCO
dns_lookup_kdc = true
dns_lookup_realm = true
default_tkt_enctypes = rc4-hmac
default_tgs_enctypes = rc4-hmac
[domain_realm]
.domain.com = UKCO.EMEA.GLOBALCO
domain.com = UKCO.EMEA.GLOBALCO
[realms]
UKCO.EMEA.GLOBALCO = {
default_domain = UKCO.EMEA.GLOBALCO
kdc = DOMAIN_CONTROLLER.UKCO.EMEA.GLOBALCO
}
-
Navigate to [your BO install path]\SAP BusinessObjects Enterprise XI 4.0\warfiles\webapps\BOE\WEB-INF\config\custom
Create a file called BIlaunchPad.properties
Tip Case of the file name is very important here and annoyingly is wrong in the SAP documentation. I had very little hair left after getting to the bottom of this one!!
Edit this file with notepad and enter the following:-
authentication.visible=true
authentication.default=secWinAD
cms.default=@BO_CLUSTER -
Copy the keytab file created in Step1 to your server. For this example Im going to put it in C:\BO\SSO\ with my bscLogin.conf and krb5.ini files.
-
Navigate to [your BO install path]\SAP BusinessObjects Enterprise XI 4.0\warfiles\webapps\BOE\WEB-INF\config\custom
Create a file called global.properties
Tip Again case is important.
Edit this file with notepad and enter the following:-
sso.enabled=true
siteminder.enabled=false
vintela.enabled=true
idm.realm= UKCO.EMEA.GLOBALCO
idm.princ= HTTP/BOHOST.ukco.emea.globalco
idm.allowUnsecured=true
idm.allowNTLM=false
idm.logger.name=simple
idm.keytab=c:/BO/SSO/bo4_service.keytab
idm.logger.props=error-log.properties
Tip Yes I meant to put forward slashes in the keytab path.
-
Add the BO_SERVICE_ACCOUNT to the local administrators group on SERVER1. Use Local Security Policy editor and add the BO_SERVICE_ACCOUNT to the following on SERVER1:-
Act as part of the Operating system
Log on as a Batch job
Log on as a service
Replace a Process Level Token -
Run Start > All Programs > Tomcat > Tomcat Configuration. Under the Java tab add the following lines:-
-Djava.security.auth.login.config=c:\BO\SSO\bscLogin.conf
-Djava.security.krb5.conf= c:\BO\SSO\krb5.ini
Tip Remember to specify your paths here. -
The next part may seem overkill but I wanted to redeploy BO to make sure nothing would break after a future redeploy/upgrade. Please note that if you have customised your BO webfiles in any way a redeploy may overwrite your changes and you should only redeploy if you are confident to do so.
From the CCM stop both Tomcat and the SIA. Start > All Programs > SAP Business Intelligence > SAP BusinessObjects BI platform 4 > WDeploy.
Hit Run to redeploy Business Objects.
Now wait for an age!
Once finished Start the SIA and Tomcat.
Tip to check the redeploy has created the relevant SSO files browse to [your BO install path]\Tomcat6\webapps\BOE\WEB-INF\config\custom. You should see the properties files created above.
Step4 SERVER2 Configuration
Do exactly the same as you did in Step3 for SERVER1 but on SERVER2.
Step5 Token Size Issues
In theory your SSO should now be working at this point but in my case it wasnt and this is where I really went to town on my hair. It turns out that my AD account (the one I was testing with) was in lots (100s) of groups and had a large Kerberos token. I didnt know this at the time but I followed a number of Microsoft articles to increase the MaxTokenSize on both servers. I set the following registry keys:-
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Kerberos\Parameters
LogLevel 0x00000000 (0)
MaxPacketSize 0x00000001 (1)
MaxTokenSize 0x0000ffff (65535)
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HTTP\Parameters
MaxFieldLength 0x0000fffe (65534)
MaxRequestBytes 0x0000ffff (65535)
After a few reboots it still wasnt working. I decided the problem had to be with the SAP documentation again so I started to question the maxHttpHeaderSize setting and sure enough increasing this to 32768 fixed the issue and my SSO started to work beautifully.
To set the maxHttpHeaderSize in BO perform the following on both servers:-
- Navigate to [your BO install path]\Tomcat6\conf\
- Edit server.xml with notepad
- Find the connector section for the port you connect on (by default its 8080 or 8443 for HTTPS)
- Add the following:-
maxHttpHeaderSize=“32768”
Step6 Security
Now that we have SSO working (hopefully) lets tighten security around the service account. After all we have trusted it for delegation.
Ask your domain administrator to edit your service account so that its ONLY allowed to logon to your BO servers.
Once thats done logon to your BO server and Deny log on locally and Deny log on through Remote Desktop Services in Local Security Policy editor for your service account. This effectively prevents anyone logging on as the service account anywhere.
Now restart all servers and make sure SSO is still working!
Tips
- Save this document locally and do a find and replace on the following making sure you choose match case:-
Find - Replace with
UKCO.EMEA.GLOBALCO - YOUR DOMAIN FULLY QUALIFIED DOMAIN
DOMAIN_CONTROLLER - YOUR DOMAIN CONTROLLER
BO_SERVICE_ACCOUNT - YOUR BO SERVICE ACCOUNT
ukco\ - your domain
ukco.emea.globalco - your fully qualified doamin
SERVER1 - NAME OF YOUR FIRST BO SERVER
SERVER2 - NAME OF YOUR SECOND BO SERVER
@BO_CLUSTER - @YOUR BO CLUSTER NAME
BOHOST - YOUR BO HOST NAME (IF YOU USE NLB)
BOALIAS - YOUR BO ALIAS (IF YOU HAVE ONE)
bo4_service.keytab - name of your keytab file
[your BO install path] - path to your BO install
c:\BO\SSO\ - Path to your sso files
c:/BO/SSO/ - Properties file path to your keytab folder
This will give you a good start and make the document more relevant and easy to follow for you.
-
Create a new domain account and add it to a new AD group called BOTESTGROUP. Add this BOTESTGROUP in the CMC (Step2.3). Once the BOTESTGROUP has been pulled into BO add it to the Administrators group. Use this new domain account to test the single sign on process. This will eliminate token size issues. Once you have this working you can then move on to test with other accounts. Remember to go back and delete this account and group.
-
If you do have issues this log file can help track them down - [your BO install path]\Tomcat6\work\Catalina\localhost\BOE\sbInitLog.txt
-
Dont run the spn command for all your server name combinations. This way if a user wants to sign on manually they can do so using http://SERVER1.ukco.emea.globalco:8080/BOE/BI/ instead of http://BOHOST.ukco.emea.globalco:8080/BOE/BI/
-
I can almost guarantee you wont get it working first time so patience is required! Hopefully though this document may help you avoid some of the problems I had.
Business Objects 4 SSO.doc (56.0 KB)
clarej 
(BOB member since 2008-01-22)
(BOB member since 2008-01-22)
(BOB member since 2005-10-21)
(BOB member since 2005-08-19)