I have configured SSO successfully under Java SDK environment, the end users can directly access the InfoView by NT account, but I still have three questions:
1. How to batch import NT accounts into the BO Central Management Console?
2. Who can tell me whether the BO account password will be modified automatically if our users modify their password in AD?
3. How can we make it so the end users don't need to key in their NT account and password to log on to the BO system? As you know, we use Windows AD to validate user account information. I hope that if the end users log in to our domain, they can access this system directly instead of keying in their account and password again.
I did the same steps and I was not successful in the setup for AD logon. Can you please explain what your configuration of the BO server and AD server was? Is it Windows 2000 or 2003? Were you able to get single sign-on to the database working in Tomcat?
Please help
If you are using AD for your authentication in BO, you don't need to maintain the password in BO because it is automatically maintained through the network ID and password.
I installed BO on a server running Windows 2003 Enterprise Server; the database is SQL 2005 and the application server is Tomcat. Please see the message above; you can download the attachment. Note that the server names ARE ALL UPPERCASE AND in FQDN format. Also, the value for default_domain must match exactly what is entered in the CMS as Default Domain. In addition, you must create an account in NT; please refer to the attachment.
SSO can be realized under Java and Tomcat, not only by using SiteMinder; I have already realized it. Using SSO, it is possible for a user who has logged on to a Windows NT workstation to log on to an Enterprise desktop without entering a user name or password. The system will log them on using their current Windows NT credentials.
Can you please let me know if you are successful in using NT authentication from InfoView? DeskI and Designer work, but I’m not able to get InfoView to work with single sign-on. Please let me know if you have it working and what changes you made to Tomcat or other configuration files. Thanks.
Were you able to get it working? I am not able to access InfoView from the client, but it is working with SSO on the server. Mine is IIS + Tomcat AD SSO with Kerberos. Another member had the same issue as I had, but he did not mention how he resolved it. I don’t know what the heck I am missing.
I couldn’t get SSO working, but AD works where users have to enter the username and password. I’m looking at SSO where users just click on the login button and they are logged into the application. Did you get that working from the server at least? Do you mind sharing the information or any code, please? Thanks for your help.
When I first started looking at Windows AD integration I did all the research, tried configuring Tomcat authentication via Kerberos and was pleased when I was able to log in to the Tomcat InfoView manually using my AD username and password, but then I hit a brick wall when I tried to take the next step, which is Single Sign On. The problem is the J2EE code running in Tomcat - it can’t pick up your credentials from the OS in the same way that the .NET/COM code does under IIS.
However, there is a workaround and it's posted in a few places on this forum (search for SSO login with token) and also on the official BO knowledgebase site :-
If you do follow this solution, you need to install IIS (including ASP), configure your IIS website to support Integrated Windows authentication, and configure the authentication for NTLM (not Kerberos) in the CMC.
Perhaps there should be a ‘Sticky’ post about SSO and AD Authentication as it keeps cropping up?
Thanks Rod. It's working now. But when I access the page it's erroring out, saying Windows AD cannot authenticate. Do I need to hardcode the username and password in the ASP file, or can we leave it blank?
The solution that Rod mentioned has been implemented by many BO Admins but it has some limitations like security and also when the user session times out it prompts for the user name and password.
While browsing I came across “Java Open Single Sign-On Project” at http://www.josso.org/.
I have not done it myself but based on a little reading about it I found that it can do direct SSO with Tomcat against Microsoft AD which means no IIS Token Passing or no third party tools like Siteminder are required, but the configuration is time consuming and error prone.
<%@ Language=VBScript %>
<%
Dim CMS, UserID, Password, Report, Authorization, Viewer, oInfoObjects
Dim logonToken
CMS = "SERVER1"
UserID = ""
Password = ""
Authorization = "secWinAD"
' Log on to the CMS with the values set above
Dim SessionManager
Set SessionManager = Server.CreateObject("CrystalEnterprise.SessionMgr")
Dim Sess
Set Sess = SessionManager.Logon(UserID, Password, CMS, Authorization)
' Create a logon token: valid for 10 minutes and for up to 100 logons
Dim LogonTokenMgr
Set LogonTokenMgr = Sess.LogonTokenMgr
logonToken = LogonTokenMgr.CreateLogonTokenEx("", 10, 100)
' Release the COM objects before redirecting
Set LogonTokenMgr = Nothing
Set Sess = Nothing
Set SessionManager = Nothing
'response.write "TOKEN IS " & logonToken
' Hand the token to the Tomcat InfoView logon page in the query string
response.redirect "http://SERVER1:8080/businessobjects/enterprise115/desktoplaunch/InfoView/logon/logon.do?token=" & logonToken
%>
The fact that the token appears as a string in the Address bar does pose a security risk and if you do not control the token timeout (set to 10 minutes in the above example) then anyone could copy and paste your URL and login as you - using the same token.
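One way to watch for the copy-and-paste reuse described above, as an added example that is not part of the original thread: it scans Tomcat access-log lines for logon.do requests and flags any token presented by a second client address or after the 10-minute lifetime. The common access-log layout, the sample lines and the token values are constructed assumptions.

```python
import hashlib
import re
from datetime import datetime, timedelta
from urllib.parse import parse_qs, urlsplit

PATH = "/businessobjects/enterprise115/desktoplaunch/InfoView/logon/logon.do"
TOKEN_LIFETIME = timedelta(minutes=10)  # lifetime requested by the ASP page
LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(?:GET|POST) (\S+)')

# Constructed requests (client, time, token): not real traffic or real tokens.
SAMPLE_LOG = "\n".join(
    f'{ip} - - [12/Mar/2007:{t} +0000] "GET {PATH}?token={tok} HTTP/1.1" 200 5120'
    for ip, t, tok in [
        ("10.0.0.21", "09:00:05", "CONSTRUCTED-TOKEN-A"),
        ("10.0.0.21", "09:03:40", "CONSTRUCTED-TOKEN-A"),  # same user reloads
        ("10.0.0.77", "09:04:10", "CONSTRUCTED-TOKEN-A"),  # URL pasted elsewhere
        ("10.0.0.35", "09:10:00", "CONSTRUCTED-TOKEN-B"),
        ("10.0.0.35", "09:25:00", "CONSTRUCTED-TOKEN-B"),  # stale bookmark
    ]
)

def find_token_reuse(log_text, lifetime=TOKEN_LIFETIME):
    """Return (token fingerprint, reason, client) for each suspicious request."""
    first_seen = {}  # fingerprint -> (client, timestamp) of the first use
    findings = []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        client, stamp, target = m.groups()
        url = urlsplit(target)
        token = parse_qs(url.query).get("token", [""])[0]
        if url.path != PATH or not token:
            continue
        # A short hash identifies the token without writing it out again.
        fp = hashlib.sha256(token.encode()).hexdigest()[:12]
        when = datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S %z")
        if fp not in first_seen:
            first_seen[fp] = (client, when)
            continue
        first_client, first_when = first_seen[fp]
        if client != first_client:
            findings.append((fp, "second-client", client))
        if when - first_when > lifetime:
            findings.append((fp, "after-lifetime", client))
    return findings

if __name__ == "__main__":
    for finding in find_token_reuse(SAMPLE_LOG):
        print(finding)
```

A change of client address is a heuristic: proxies and DHCP renewals produce false positives, so treat each hit as a lead to check against the CMS audit trail.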
I accomplished SSO with one of my clients using a redirect with Java rather than Kerberos for a lot of reasons. We simply did a redirect and passed a logon token along with the URL. This allows them to not enter a UID and PWD; basically the user clicks the link and gets their InfoView without seeing the logon screen.
Thank you very much, Rod, for the code snippet. I tried to do that, but when I access the page I get an HTTP 500 internal server error. I created a virtual directory in IIS and then placed this file there, replacing the server names appropriately. When I called the ASP file from the web browser I got the HTTP 500 error message. Am I missing some settings, or do I need to install the ASP version of XIR2? Thanks for your help.