system
May 22, 2018, 7:20pm
#1
We currently have BI 4.1 SP3 installed on working fine. We are now upgrading to BI 4.2 SP5. We are doing this by installing BI 4.2 SP5 onto a new server. Once it’s setup and working we’ll transfer all the content to it and start using it.
We got it installed and working with enterprise authentication. However, we’ve been unable to get Windows AD authentication to work. When we try to login we get the following error.
Following is the setup we’ve done.
The service account for authentication is bus.service. This is the same account we’re using for the current install of BI 4.1 SP3. We’ve added new SPNs to it. bc3busobject4 is the server for BI 4.1 SP3. bc3busobjects42 is the new server for BI 4.2 SP5. So it now looks like the following.
C:\Windows\system32>setspn -l bus.service
We then created krb5.conf in C:\Windows
And bcsLogin.conf in C:\Windows
We then successfully tested authentication through Java.
We then updated Java settings in Tomcat.
Java Virtual Machine:
Java Classpath:
Java Options:
The following is what we found in the Tomcat log stdout.log.
2018-05-22 14:48:12 Commons Daemon procrun stdout initialized
[Krb5LoginModule] user entered username: scott.macmaster@BC3CAMPUS.BC3.EDU
principal is scott.macmaster@BC3CAMPUS.BC3.EDU
What do we need to do to get this to work?
Thanks,
SkyeMacMaster (BOB member since 2013-05-15)
system
May 22, 2018, 8:27pm
#2
I think part of AD authentication requires keytab files. Your tomcat log seems to indicate you are not using them. I’ve had problems with AD authentication myself and never could get it to work without the wedgetail entry in the Java option panel of the Tomcat config like this:
-Dcom.wedgetail.idm.sso.password=mypassword
where password is the password for the AD account used to provide the AD authentication. In our case the user account that the SIA runs under.
Also in the CMC use must setup AD auth and have at least one group imported that has your users.
Also be careful creating SPNs against a production user. We had something flaky happen last week when we created an SPN and it somehow changed the login name of the account to HTTP/servername. This created problems later for jobs that use the account.
richardcottave (BOB member since 2006-03-30)
system
May 23, 2018, 2:01pm
#3
Ok, I created a new service account, svc-bus.service. Set the spn so it looks like
C:\Windows\system32>setspn -l svc-bus.service
I then added that line you suggested to the Tomcat Java settings.
I do have a group mapped in the CMC and about 74 users created from that.
I’m still getting them same error message.
Do you have any more ideas?
Thanks,
SkyeMacMaster (BOB member since 2013-05-15)
system
May 23, 2018, 2:27pm
#4
See if you can login into the central configuration manager with AD authentication. That will tell you if you are able to authenticate with AD. Once that works then there are several other steps you need to do including: There are more SPNs required. At least 3 listed in the admin guide. You also need keyab files. And you need to configure your BiLaunchPad.properties and Global.Properties files. I would suggest looking in the admin guide theres a bunch of info for setting up AD authentication.
richardcottave (BOB member since 2006-03-30)
system
May 23, 2018, 3:11pm
#5
I can log onto the ‘Manage Servers’ thing on CCM using AD. Is that what you mean by log into the CCM?
The sticky article for the forum, HOWTO BO4 SSO using AD and Kerberos , says only the one spn is needed. So I only added the one. I added the others that the manual lists. So it looks like this now.
C:\Windows\system32>setspn -l svc-bus.service
I have configured BiLaunchPad.properties. Do I need to change something in Global.Properties? We don’t have any thing configured in Global.Properties for the current working install of BI 4.1 SP3.
The manual indicates that keytab files are needed for SSO. I’m not trying to setup SSO. Do I still need them for AD authentication?
Thanks,
SkyeMacMaster (BOB member since 2013-05-15)
system
May 23, 2018, 3:38pm
#6
Yes if you can login to Manage Servers using CCM with AD then your AD Plugin is working. If you’re not doing SSO you won’t need keytab files. As far as I know you need entries in the Global.properties file.
richardcottave (BOB member since 2006-03-30)
system
May 24, 2018, 12:46pm
#7
Well, there are entries in global.properties. I meant we didn’t change anything from the defaults.
global.properties
DO NOT MODIFY THIS FILE!
To customize any of the settings, create a new file in <BOE_Install_Dir><Enterprise_DIR>\warfiles\webapps\BOE\WEB-INF\config\custom
and run wdeploy. Only changes in the custom directory will be maintained over patches. The new file has to have the same file name
as this one and shall only contain the properties that you would like to customize.
DEFAULT GLOBAL PROPERTIES
This file contains DEFAULT global properties. A property defined here can have one of two scopes:
Scope: global
- It can be overridden at a global level by specifying a value in the CUSTOM global.properties file.
Scope: application:
- In addition to being overridable globally, it can also be on a per app basis.
- This could happen in 1 of 2 ways:
o It can be set in the app’s CUSTOM config properties file.
o Alternatively it could be set internally by the app, in which any custom value
(either globally or for that application) is ignored. This would be indicated by comments in the
application’s DEFAULT properties file
========== SSO Related Default Global Core Web Properties ==========
Vintela single sign on properties
Scope: global.
Applicable if supported by app and included in its sso.types.and.order.
For BIP apps (CMC, BI Launchpad, OpenDocument): see below regarding legacy settings.
idm.realm=YOUR_REALM
You can specify the Siteminder Authentication type here: secLDAP, secWinAD.
Scope: application
Applicable if supported by app and included in its sso.types.and.order.
For BIP apps (CMC, BI Launchpad, OpenDocument): see below regarding legacy settings.
siteminder.authentication=secLDAP
Trusted authentication: session variable name to retrieve the shared secret; Leave empty if shared secret is not passed from web session.
Scope: application
Applicable if supported by app and included in its sso.types.and.order.
For BIP apps (CMC, BI Launchpad, OpenDocument): see below regarding legacy settings.
trusted.auth.shared.secret=
Trusted authentication: set to true to prefix external user name to secExternal:; Leave empty if external user name is mapped to same user name
Scope: application.
Applicable if supported by app and included in its sso.types.and.order.
For BIP apps (CMC, BI Launchpad, OpenDocument): see below regarding legacy settings.
trusted.auth.user.namespace.enabled=
Trusted authentication: set Header/URL parameter/Cookie/Session variable name to retrieve username. No need to set for REMOTE_USER or USER_PRINCIPAL.
Scope: application.
Applicable if supported by app and included in its sso.types.and.order.
For BIP apps (CMC, BI Launchpad, OpenDocument): see below regarding legacy settings.
trusted.auth.user.param=
========== General Default Global Core Web Properties ==========
Logoff all applications’ Enterprise Sessions on web session expiry.
You may wish to turn this off if your web servers run in a clustered environment.
Scope: global
logoff.on.websession.expiry=true
For turning persistent cookies on/off for the logon page. Defaults to true if this is not present.
Scope: application (consumed by app and sent to logon service)
persistentcookies.enabled=true
Controls if the Web Session Timeout Control feature is active. Typically it should be.
Scope: global
pinger.enabled=true
Whether or not to show the warning dialog with the message that the session will expire soon.
Does not apply to CMC & BILP. See BOE.war specific properties below
Scope: global
pinger.showWarningDialog=true
How many minutes before the session expiry that the warning dialog should be displayed, ie, give the user a 5 minute warning that the session will expire.
Scope: global
pinger.warningPeriod.lengthInMinutes=5
How often that a web server request should be sent while the warning message is displayed. This is important for synchronization of the warning dialog across applications.
Scope: global
pinger.warningPeriod.pingIncrementsInSeconds=15
========== BOE.WAR Specific Default Global Properties ==========
These are consumed by BOE.war, and not part of Core Web
— LEGACY SSO SETTINGS: Enable SSO
LEGACY SSO SETTING - Ignored when an application’s sso.types.and.order is set
Set to true to enable other single sign on.
Scope: application
sso.enabled=false
— OTHER LEGACY SSO SETTINGS
LEGACY SSO SETTING - Ignored when an application’s sso.types.and.order is set
Set to false to disable Siteminder single sign on.
Scope: application
siteminder.enabled=false
LEGACY SSO SETTING - Ignored when an application’s sso.types.and.order is set
Set to true to use SAP SSO as the primary SSO mechanism
Scope: application
sso.sap.primary=false
LEGACY SSO SETTING - Ignored when an application’s sso.types.and.order is set
Trusted authentication: set how to retrieve userID.
Set to “REMOTE_USER” for HttpServletRequest.getRemoteUser().
Set to “HTTP_HEADER” for HTTP header.
Set to “QUERY_STRING” for URL query string.
Set to “COOKIE” for cookie.
Set to “WEB_SESSION” for web session.
Set to “USER_PRINCIPAL” for user principal.
Reset to empty to disable trusted authentication.
Scope: application
trusted.auth.user.retrieval=
LEGACY SSO SETTING - Ignored when an application’s sso.types.and.order is set
Set to true to enable Vintela single sign on.
Scope: global
vintela.enabled=false
— Other BOE.WAR specific settings
HTTP proxy server user name and password
Scope: global
httpproxy.username=
Embed secret (enter your own)
A shared secret between a portal embedding BOE applications and the BOE application server which is used to
determine whether BOE applications can be safely embedded in other pages.
Make sure you change in both places.
logon.embed.secret=
Embed timeout
Number of seconds after which BOE applications like BI Launchpad will reject being
embedded into a portal. Make sure the system clocks on the BOE web server and portal server machines
are within this number of seconds of each other.
logon.embed.timeout=300
Set to true to enable immediate autologoff for SAP NetWeaver iViews
Scope: application (BILP & OD)
iview.autologoff=true
Whether or not to show the warning dialog with the message that the session will expire soon in BI launch pad
Scope: global (but used for BILP)
pinger.showWarningDialog.bilaunchpad=true
Whether or not to show the warning dialog with the message that the session will expire soon in CMC
Scope: global (but used for CMC)
pinger.showWarningDialog.cmc=true
Max number of JCo destinations cached.
Scope: global
system.com.sap.bip.jcomanager.destinations.maxsize=1000
Threshold at which the tree list control will not display all the nodes but instead a ‘too many children message’ will be printed
Scope: global
max.tree.children.threshold=200
History page refresh interval
The history page refresh time in milliseconds. This is applied when there are pending/running docs. It is
consumed by the URE HistoryPanel reusable component.
Scope: global
historypage.refresh.secmillis=10000
URE’s Request Queue Timeout
AJAX requests for URE need to be processed in order and are therefore managed in a queue.
This value is the number of seconds a request will wait for expected previous requests before timing out
Scope: global
ure.request.queue.timeout.seconds=20
true: to read from file, false:read from Server properties
destination.enabled=true
enabled destination option types : FileSystem, BIInbox, Email, streamwork, BIInbox, FTP, SFTP
destination.types=FileSystem,BIInbox
If the AD Plugin is working from CCM then what could be causing authentication to fail when I try to log onto BiLaunchPad?
Thanks,
SkyeMacMaster (BOB member since 2013-05-15)
system
May 24, 2018, 6:18pm
#8
I don’t think the default settings in the BiLaunchPad and Global properties files will work. They must be customized for your environment.
richardcottave (BOB member since 2006-03-30)
system
May 31, 2018, 3:18pm
#9
Figured out the problem. When I saved the krb file in the windows folder, I named it krb5.conf instead of krb5.ini.
Authentication is working perfectly now.
Skye
SkyeMacMaster (BOB member since 2013-05-15)