I am not quite sure what the process is to use SSO with BO XI . We are using Tomcat , Windows 2003 server and can’t figure out how to get it work. We tried to modify authetication in the CMC but nothing worked. We would appreciate some help on this ?
Cheers
fablaga (BOB member since 2007-11-04)
fablaga,
If you are using tomcat then you have to use Kerberos or put IIS in front of Tomcat to use WinAD.
I have only gotten SSO to work with the IIS + Tomcat route.
Here is a thread on setting up Kerberos and some on SSO:
https://bobj-board.org/t/76723
GigaGuy 
(BOB member since 2007-02-13)
You have two options and they depend largely on you current version and SP level.
For XI R2 SP1 then you can use IIS to redirect the session to Tomcat or since SP2 with Vintella you can achieve native Silent Single Sign On.
Search the kbase for “SSO JAVA” and both of these methods are documented in the first two or three results.
Blueprinter (BOB member since 2005-12-07)
Thanks for your reply. How and where can I check which SP of BO XI R2 I am running ? At the moment if I go to About in Designer it shows 11.5.0.0
fablaga (BOB member since 2007-11-04)
KBase Article ID:3608995
Article refers to: BusinessObjects Enterprise XI
Symptom
You are not sure what your current fix pack level is. You checked the following locations but there is not enough information:
UNIX:
/path/to/install/xir2/patch/history.txt
Windows:
\Program Files\Business Objects\BusinessObjects Enterprise 11.5\Patches\history.txt
Resolution
* XIR2 RTM = 11.5.0.313
* SP1 = 11.5.0.313
* CHF12 = 11.5.0.313
* RTM + SP1, CHF12 = 11.5.3.417
* MHF1 = 11.5.7.608
* CHF13 = 11.5.7.676
* CHF14 = 11.5.7.723
* CHF15 + EDST = 11.5.7.770
* CHF16 = 11.5.7.811
* SP2 = 11.5.8.826
Blueprinter (BOB member since 2005-12-07)
Hi,
Single sign with JAVA application sever is very tricky thing.
As mentioned there are two ways.
Put IIS or any web server or you can write your own customised ASP page that can pass the logon token.
or
Configure vintela.
You should have JAVA ad working before you can configure vintela. You can’t run IIS on the same box on which you have Vintela configured.
If you have SP2 then it comes with Vintela library. you can get the document from the support site. Again configuring Vintela is not a piece of a cake. That document has some small tips missing without them vintela can’t be configured.
Some imp points about vintela.
You will have to create a seperate SPN account for vintela user. It can’t be same as for AD.
When it say reset password after you create the keytab file it should be the same password. You just have to change it back to the existing password. No change in that.
While creating the keytab file you have to use the argument -mapuser vintela user that is missing in that document.
Regards
Amit
BO Admin
XXX 
(BOB member since 2007-09-04)
i’m having the same problems, as described before, but now we’re are first concentrated on the problem with multiple AD domains (in the same forest).
W2003/XIR2 SP3/tomcat 5.0.27
i can login (both infoview and cmc) with the default domain only with the user name, but in the second (not default domain) only with username@ALL.THEDOMAIN.NAME, but not with ALL\username .
i created the SPN as described in the official bo documentation, used in the krb5.ini file ONLY upper cases for the hostnames. i deleted the admin_server line and i deleted the second domain controller.
we are trying since more than a week to set up also the vintela sso configuration, for now without success. so we isolated the both problems (multiple domain / sso).
if the login with the single username doesn’t work, also the sso won’t work.
i remember: most of the application based problems (null pointer exception on login form etc. are resolved with the SP3!!!
anyone have an idea? after thsi we must work on the vintela sso …
thanks in advance
Roland Jentsch (BOB member since 2006-02-07)
Roland,
I believe ALL\username is an NTLM authentication sequence, so without customizing your login page (editing the jsp page), this won’t work. When it’s submitted to the JSSE (Java library that infoview uses for AD auth), it has to be in a kerberos format, which is username@ALL.DOMAIN.COM. It’s theoretically possible to make some modifications to your krb5.ini file in order to make this more user friendly. For example, you can make ALL.DOMAIN.COM synonymous to all.domain.com in your JSSE environment.
The reason your username logins work (without @domain) is because your default domain is being filled in by infoview before it’s sent through JSSE.
Nate
natescott (BOB member since 2006-02-28)
thanks nate!
running the kerberos monitoring tools i saw, that the account trasmitted is user@full.domain.com, so this won’t be a problem (hope so).
now i’m on the vintela integration part and we have the problem, that the client machine doesn’t reiceives the ticket from the kdc …
Event Type: Error
Event Source: Kerberos
Event Category: None
Event ID: 3
Date: 28/11/2007
Time: 14.43.30
User: N/A
Computer: MILBOAPP0SV
Description:
A Kerberos Error Message was received:
on logon session MIL.ESSELUNGA.NET\BoxiAD
Client Time:
Server Time: 13:43:31.0000 11/28/2007 Z
Error Code: 0xe KDC_ERR_ETYPE_NOTSUPP
Extended Error:
Client Realm:
Client Name:
Server Realm: MIL
Server Name: krbtgt/MIL
Target Name: krbtgt/MIL@MIL
Error Text:
File: e
Line: 6c0
Error Data is in record data.
we created the keytab file in this way:
Ktpass -out MILBOAPP0SV.keytab -princ HTTP/http_bo_milboapp0sv.mil.our.domain@MIL.OUR.DOMAIN -pass XXXXX -kvno 255 -ptype KRB5_NT_PRINCIPAL -crypto DES-CBC-MD5
the crypt “DES-CBC-MD5” works in under contexts fine …
any idea?
thanks a lot
Roland Jentsch (BOB member since 2006-02-07)
The error code is 0xe KDC_ERR_ETYPE_NOTSUPP.
There is an article (http://support.microsoft.com/kb/230476) that details this error.
I saw this before a while back. It fixed after I checked the “Use DES encryption types for this account” option for the SPN account.
Hope this helps.
natescott (BOB member since 2006-02-28)
newly thanks!
the reason here was, that we found the principal duplicated in the AD … we deleted the wrong one, and now the kerberos seems to be work.
no we receive a correct ticket for kerberos, but after the login page of the infoview shows “java.lang.NullPointerException” - and no output in stdout.log or jce_verbose.log.
this is the log, that confirms the kerberos ticket (directly before the null poiter exception)
[DEBUG] Thu Nov 29 10:59:58 CET 2007 jcsi.kerberos: No Subject found on the current thread
[DEBUG] Thu Nov 29 10:59:58 CET 2007 jcsi.kerberos: GSS: Acceptor supports: KRB5
[DEBUG] Thu Nov 29 10:59:58 CET 2007 jcsi.kerberos: Ticket service name is: HTTP/milboapp0sv.mil.esselunga.net@MIL.ESSELUNGA.NET
[DEBUG] Thu Nov 29 10:59:58 CET 2007 jcsi.kerberos: GSS name is: HTTP/milboapp0sv.mil.esselunga.net@MIL.ESSELUNGA.NET
[DEBUG] Thu Nov 29 10:59:58 CET 2007 jcsi.kerberos: Using keytab entry for: HTTP/milboapp0sv.mil.esselunga.net@MIL.ESSELUNGA.NET
[DEBUG] Thu Nov 29 10:59:58 CET 2007 jcsi.kerberos: ** decrypting ticket … **
with key
Principal: HTTP/milboapp0sv.mil.esselunga.net@MIL.ESSELUNGA.NET
Type: 1
TimeStamp: Thu Jan 01 01:00:00 CET 1970
KVNO: -1
Key: [3, c4 2c ea 40 38 16 c8 b3 ]
[DEBUG] Thu Nov 29 10:59:59 CET 2007 jcsi.kerberos: decrypted ticket:
Ticket:
encryption type: 3 (DECRYPTED OK)
service principal: HTTP/milboapp0sv.mil.esselunga.net@MIL.ESSELUNGA.NET
TransitedEncoding:
client: piod00@NEG.ESSELUNGA.NET
session key: [3, 1f d 64 e6 cb 75 c7 7f ]
ticket flags: forwardable renewable preauthent
valid from: Thu Nov 29 10:53:01 CET 2007
valid till: Thu Nov 29 20:51:48 CET 2007
valid for:
all addresses
auth data:
[1, 30 82 3 3a 30 82 3 36 a0 4 2 2 0 80 a1 82 3 2c 4 82 3 28 4 0 0 0 0 0 0 0 1 0 0 0 98 2 0 0 48 0 0 0 0 0 0 0 a 0 0 0 16 0 0 0 e0 2 0 0 0 0 0 0 6 0 0 0 14 0 0 0 f8 2 0 0 0 0 0 0 7 0 0 0 14 0 0 0 10 3 0 0 0 0 0 0 1 10 8 0 cc cc cc cc 88 2 0 0 0 0 0 0 0 0 2 0 f2 ba b6 75 6d 32 c8 1 ff ff ff ff ff ff ff 7f ff ff ff ff ff ff ff 7f d9 da f5 b6 f2 46 c3 1 d9 da f5 b6 f2 46 c3 1 ff ff ff ff ff ff ff 7f c 0 c 0 4 0 2 0 26 0 26 0 8 0 2 0 18 0 18 0 c 0 2 0 0 0 0 0 10 0 2 0 0 0 0 0 14 0 2 0 0 0 0 0 18 0 2 0 99 58 0 0 6a 4 0 0 1 2 0 0 5 0 0 0 1c 0 2 0 20 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 c 0 e 0 20 0 2 0 6 0 8 0 24 0 2 0 28 0 2 0 0 0 0 0 0 0 0 0 10 2 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 4 0 0 0 2c 0 2 0 0 0 0 0 0 0 0 0 0 0 0 0 6 0 0 0 0 0 0 0 6 0 0 0 70 0 69 0 6f 0 64 0 30 0 30 0 13 0 0 0 0 0 0 0 13 0 0 0 44 0 69 0 72 0 65 0 74 0 74 0 6f 0 72 0 65 0 20 0 50 0 69 0 6f 0 6c 0 74 0 65 0 6c 0 6c 0 6f 0 0 0 c 0 0 0 0 0 0 0 c 0 0 0 72 0 69 0 6d 0 62 0 6f 0 72 0 73 0 69 0 2e 0 62 0 61 0 74 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 5 0 0 0 b1 1d 0 0 7 0 0 0 84 1d 0 0 7 0 0 0 1 2 0 0 7 0 0 0 61 26 0 0 7 0 0 0 68 12 0 0 7 0 0 0 7 0 0 0 0 0 0 0 6 0 0 0 4e 0 45 0 47 0 44 0 43 0 32 0 4 0 0 0 0 0 0 0 3 0 0 0 4e 0 45 0 47 0 0 0 4 0 0 0 1 4 0 0 0 0 0 5 15 0 0 0 b7 1a 3 18 dc 43 b8 3c 1f 8 f4 2a 4 0 0 0 30 0 2 0 7 0 0 0 34 0 2 0 7 0 0 0 38 0 2 0 7 0 0 0 3c 0 2 0 7 0 0 20 5 0 0 0 1 5 0 0 0 0 0 5 15 0 0 0 3b 78 29 9 2e 10 97 1b ab 15 5 2d ee 73 0 0 5 0 0 0 1 5 0 0 0 0 0 5 15 0 0 0 3b 78 29 9 2e 10 97 1b ab 15 5 2d d9 68 0 0 5 0 0 0 1 5 0 0 0 0 0 5 15 0 0 0 3b 78 29 9 2e 10 97 1b ab 15 5 2d d8 38 0 0 5 0 0 0 1 5 0 0 0 0 0 5 15 0 0 0 3b 78 29 9 2e 10 97 1b ab 15 5 2d ed 73 0 0 0 d2 3f 75 6d 32 c8 1 c 0 70 0 69 0 6f 0 64 0 30 0 30 0 0 0 76 ff ff ff 7e c6 ee 7a 5e 5 c3 b1 a6 82 7b 5c d8 91 4a f8 0 0 0 0 76 ff ff ff 6a e9 da ea ed 34 a6 66 44 55 f9 a9 fb 48 3e 4b 0 0 0 0 ]
[DEBUG] Thu Nov 29 10:59:59 CET 2007 jcsi.kerberos: Setting context expiry to [1196365908000]
[DEBUG] Thu Nov 29 10:59:59 CET 2007 jcsi.kerberos: Current wall time is [1196330399025]
[DEBUG] Thu Nov 29 10:59:59 CET 2007 jcsi.kerberos: ** decrypting application request … **
with key
[3, 1f d 64 e6 cb 75 c7 7f ]
[DEBUG] Thu Nov 29 10:59:59 CET 2007 jcsi.kerberos: decrypted application request:
++++ KRB-AP-REQ Message ++++
encryption type: 3 (DECRYPTED OK)
ap options: mutual-required
Ticket:
encryption type: 3
service principal: HTTP/milboapp0sv.mil.esselunga.net@MIL.ESSELUNGA.NET
client: piod00@NEG.ESSELUNGA.NET
subkey: [3, 80 2a 2 b5 ae d 79 1c ]
client time: Thu Nov 29 11:00:01 CET 2007
cusec: 236
sequence number: 436384517
++++++++++++++++++++++++++++
[DEBUG] Thu Nov 29 10:59:59 CET 2007 jcsi.kerberos: ** creating application response … **
with key
[3, 1f d 64 e6 cb 75 c7 7f ]
[DEBUG] Thu Nov 29 10:59:59 CET 2007 jcsi.kerberos: created application response:
++++ KRB-AP-REP Message ++++
encryption type: 3
sequence number: 207929828
sub session key: null
client time: Thu Nov 29 11:00:01 CET 2007
cusec: 236
++++++++++++++++++++++++++++
240807 [Business Objects - Sessions Clean up] DEBUG com.crystaldecisions.enterprise.ocaframework.ManagedSessions - Pinging
240807 [Business Objects - Sessions Clean up] DEBUG com.crystaldecisions.enterprise.ocaframework.ServiceMgr.APSServerHandler - queryServer(): results=[((GROUP_ID 0) (SERVER_VALID 0) (SI_NAME MILBOAPP0SV.cms.aps) (SI_SERVER_NAME MILBOAPP0SV.MIL.ESSELUNGA.NET) (SERVER_TIMESTAMP 1196330354289) (SI_SERVER_IS_ALIVE 1) (SERVER_NAME MILBOAPP0SV.MIL.ESSELUNGA.NET) (SI_SERVER_IOR IOR:010000003500000049444c3a696d672e73656167617465736f6674776172652e636f6d2f496d706c536572762f4f534341466163746f72793a332e310000000001000000000000004c000000010101000b00000031302e332e312e32303000001e044e00100000000000000000a34d47105c0c00010000000100000001000000140000000163f27e01000100000000000001010000000000) (APS_NAME MILBOAPP0SV.MIL.ESSELUNGA.NET) (PINGER IOR:000000000000001149444c3a50696e67657245783a332e300000000000000001000000000000004c010101000b00000031302e332e312e32303000001e044e00100000000000000000a34d47602b0b00000000000100000001000000140000000176f27e01000100000000000001010000000000) (SI_CLUSTER_NAME @MILBOAPP0SV.MIL.ESSELUNGA.NET) (SI_ID 332))]
240853 [Business Objects - Sessions Clean up] DEBUG com.crystaldecisions.enterprise.ocaframework.ManagedSessions - (pulse:408): done
Roland Jentsch (BOB member since 2006-02-07)
Try disabling the “Enable and update user’s Data Source Credentials at logon time” option in the CMC AD settings.
Thx[/url]
Burnside (BOB member since 2007-11-19)
our problem was a “dirty” active directory, having inside more than one principal (HTTP/… and BOBJCe…).
under the service pack 3 the principal in the CMC->Authentication->WinAD DOESN’T work, you must insiert user@full.domain.name.
Roland Jentsch (BOB member since 2006-02-07)
Thanks vm, good to know as I’ve make it on SP2 and may apply SP3 in the coming days
Burnside (BOB member since 2007-11-19)
to update you:
Windows 2003
Active Directory NATIVE 2003
XIR2 SP3 in cluster with 2 servers
we have the system running now in this way:
a) in the CMC->Authentication->Windows AD we use as access NOT the principal (SPN) (doesn’t work!), but user@domain
b) we deactivated the “DES encryption” - otherwise neither AD auth nor SSO are working
c) we have a hardware load balancer (nortel alteon) in front of the two application servers and we created the keytab file with the principal associated at the balancers name!
result:
the interactive login works for all domains (… logonForm.do)
the SSO only for the default domain (coming as another user, the login page goes in NULL pointer)
missing:
the SSO with a user from another domain …
is there someone, having a system like this, having sso for multiple domains (having a cluster)?
thanks
Roland Jentsch (BOB member since 2006-02-07)
sorry, we’re using tomcat 5.0.27, not IIS !!!
Roland Jentsch (BOB member since 2006-02-07)
Is this a fact? Is it not possible to run IIS and Tomcat on the same server and to get SSO Vintela/Kerberos working for both?
J0sh 
(BOB member since 2006-10-09)
hi josh,
YES, all documentantion say, that IIS must be stopped
today i will post a little how to for the SSO issue
Roland Jentsch (BOB member since 2006-02-07)
//////////////////////////////////////////////////////////////////////////
How to configure the following XIR2 SP3 environment for SSO with Vintela
Roland Jentsch, December 18 2007
//////////////////////////////////////////////////////////////////////////
//////////////////////////////////////////////////////////////////////////
Environment:
Windows 2003 SP1
Active Directory NATIVE 2003
Tomcat 5.0.27 (comes with installaton)
XIR2 SP3 (11.5.9.1076)
//////////////////////////////////////////////////////////////////////////
//////////////////////////////////////////////////////////////////////////
// PRINCIPALS
//////////////////////////////////////////////////////////////////////////
you need 2 principals for using sso via kerberos:
//////////////////////////////////////////////////////////////////////////
// CONFIGURATION FOR APPLICATION SERVER
//////////////////////////////////////////////////////////////////////////
HTTP/hostname.my.domain.com@MY.DOMAIN.COM (for a standalone application server)
HTTP/balancername.my.domain.com@MY.DOMAIN.COM (for all application servers, that stands BEHIND a balancer)
to do:
a) create an AD user [for example: HTTPBOXI] and give him the “DES encryption” attribute
b) create the principal:
ktpass -princ HTTP/hostname.my.domain.com@MY.DOMAIN.COM -mapuser HTTPBOXI@MIL.ESSELUNGA.NET
c) reset the password of HTTPBOXI with the same
d) open user properties->Delegation->Check "trust this user for delegation to any service (Kerberos only)
e) create KEYTAB file:
ktpass -out HTTPBOXI.keytab -princ HTTP/hostname.my.domain.com@MY.DOMAIN.COM -pass myPassword -kvno 255 -ptype KRB5_NT_PRINCIPAL -crypto DES-CBC-MD5
f) copy the file under c:\WINNT of the application server host
g) Uncomment the following filter and mapping to enable the filter for Vintela SSO in
$TOMCATDIR/webapps/businessobjects/enterprise115/desktoplaunch/WEB-INF/web.xml
the command ktpass must be launched on the domain controller!
[libdefaults]
default_realm = MY.DOMAIN.COM
dns_lookup_kdc = true
dns_lookup_realm = true
[domain_realm]
.domain.com = DOMAIN.COM
domain.com = DOMAIN.com
.my.domain.com = MY.DOMAIN.COM
my.domain.com = MY.DOMAIN.com
.my2.domain.com = MY2.DOMAIN.COM
my2.domain.com = MY2.DOMAIN.com
.my3.domain.com = MY3.DOMAIN.COM
my3.domain.com = MY3.DOMAIN.com
[realms]
DOMAIN.COM = {
kdc = DOMAINCONTROLLER.DOMAIN.COM
default_domain=DOMAIN.COM
}
MY.DOMAIN.COM = {
kdc = DOMAINCONTROLLERMY1.MY.DOMAIN.COM
kdc = DOMAINCONTROLLERMY2.MY.DOMAIN.COM
default_domain=MY.DOMAIN.COM
}
MY2.DOMAIN.COM = {
kdc = MY2DC2.MY2.DOMAIN.COM
kdc = MY2DC3.MY2.DOMAIN.COM
default_domain=MY2.DOMAIN.COM
}
MY3.DOMAIN.COM = {
kdc = MY3DC2.MY3.DOMAIN.COM
kdc = MY3DC3.MY3.DOMAIN.COM
default_domain=MY3.DOMAIN.COM
}
com.businessobjects.security.jgss.initiate {
com.sun.security.auth.module.Krb5LoginModule required debug=true;
};
k) add the following parameter to the server.xml of tomcat
$TOMCATDIR/conf/server.xml
search the “Define a non-SSL Coyote HTTP/1.1 Connector”, where is defined the port
add the followong parameter in the connector tag: maxHttpHeaderSize=“16384” - otherwise the kerberos information is to large for the standard header size
j) set the parameters for tomcat
Start->Program Files->Tomcat->Configure Tomcat
Go to the JAVA tab and add the following lines at the end of the Java Options
-Djava.security.auth.login.config=C:\winnt\bscLogin.conf
-Djava.security.krb5.conf=C:\winnt\krb5.ini
-Dcrystal.enterprise.trace.configuration=verbose
-Djcsi.kerberos.debug=true
//////////////////////////////////////////////////////////////////////////
// CONFIGURATION FOR CMS SERVICE
//////////////////////////////////////////////////////////////////////////
a) create an AD user for the CMS service
the command ktpass must be launched on the domain controller!
b) go in the CCM and change the service user of the following services to the user MY\CMSUser:
Crystal Reports Page Server
Report Application Server (RAS)
Web Intelligence Report Server
Desktop Intelligence Report Server
Connection Server
c) go in the CMC
Home->Authentication->Windows AD
//////////////////////////////////////////////////////////////////////////
// COMMENTS
//////////////////////////////////////////////////////////////////////////
a) they will be some kerberos errors, but the system works. to see the kerberos errors, activate the follwing key in the registry:
Enabling Kerberos Event Logging on a Specific Computer
Registry Value: LogLevel
Value Type: REG_DWORD
Value Data: 0x1
If the Parameters subkey does not exist, create it.
Roland Jentsch (BOB member since 2006-02-07)
fantastic review notes mate.
But in regards to IIS not working anymore, I’m sure I read that people got it working…at least that IIS still was working.
I got a problem that after setting up Vintela for tomcat just like you describes, the IIS doesn’t work much at all. If I try to access any web page, regardless if its BO or not gives me a login box which doesn’t work at all. This is of course if allow anonymously access is denied. If this will not work then we have to find a second web server to host the IIS 
J0sh (BOB member since 2006-10-09)