Has anyone had success configuring AD Authentication with BO XIR2 and Tomcat? I am currently reading the Business Objects PDF “Configuring Active Directory Authentication using Java Application Server”, but I am skeptical that it will work. I am wondering if I am better off using IIS as my web server. Any ideas?
What is your rationale that IIS is any better than Tomcat? As far as I know, both implementations work. It simply boils down to your environment setup and of course your personal preference.
We have been using AD authentication with Tomcat since the beginning of the summer. It works perfectly. Just follow the instructions in the document you mentioned.
I have seen it (AD w/ Java App) work quite well, actually. The setup is extremely sensitive and the slightest mistake in any of the steps may cause it to fail. You are best to follow the instructions you have, and if you get a specific error, post it and search BOB to review the numerous threads out there on the subject.
Looking at the BOBJ document “Configuring Active Directory Authentication using Java Application Servers” I see that we are asked to download and run a SETSPN utility. I have spoken with network folks who will not run this until I can provide them with specifics regarding:
What this utility does.
What are the risks in running it.
I have noticed that there is a ton of information if I just Google SETSPN, but I don’t have much experience with Active Directory so I’m looking for a simpler explanation.
I’m not an expert on this, so someone feel free to chime in as necessary…
setspn is a utility to set a service principal name in Active Directory.
Service principal names are associated with the security principal (user or group) in whose security context the service executes. SPNs are used to support mutual authentication between a client application and a service. An SPN is assembled from information that a client knows about a service, or it can obtain that information from a trusted third party, such as Active Directory. A service principal name is associated with an account, and an account can have many service principal names.
So in this example the client application is tomcat and the service is the cms service. You would create a user called say, cms, and set a service principal name for that user only on the cms service, so that you can authenticate to active directory using tomcat which passes its authentication token to the cms service.
As long as the cms user has limited access (mine is just an ordinary domain user), and the SPN is only set for the cms user on the cms service, then the security risk is not too high. Another example of an SPN I needed to set is for the NT authentication of the SQL Server service, since I changed it to a non-admin account and by default only admins are allowed to automatically set SPNs in Active Directory.
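The two conditions the post above cares about (the SPN registered on exactly one account, and that account being an ordinary domain user) can be checked from the output of `setspn -L`. The script below is an added example, not from the original thread or from the Business Objects document; the sample output is constructed, the line layout it parses is assumed to match what `setspn -L` prints, and the `BOBJCentralMS` service class is an assumption (use whatever class the BO document specifies).

```python
"""Audit SPN registrations around a SETSPN change.

Parses the text printed by `setspn -L <account>` for several accounts and
reports two things a domain admin will want to know before and after
registering a CMS SPN: the same SPN registered on more than one account
(Kerberos then cannot pick a key and authentication fails), and SPNs held
by accounts that belong to a privileged set.
"""
import re
from collections import defaultdict

# Constructed sample: `setspn -L` output for three accounts, concatenated.
# Service class BOBJCentralMS is assumed; take the real one from the BO guide.
SAMPLE = """\
Registered ServicePrincipalNames for CN=cms,OU=Service Accounts,DC=corp,DC=example:
        BOBJCentralMS/boserver.corp.example
        HTTP/boserver.corp.example
Registered ServicePrincipalNames for CN=svc-sql,OU=Service Accounts,DC=corp,DC=example:
        MSSQLSvc/dbserver.corp.example:1433
Registered ServicePrincipalNames for CN=Administrator,CN=Users,DC=corp,DC=example:
        HTTP/boserver.corp.example
"""

HEADER = re.compile(r"^Registered ServicePrincipalNames for (?P<dn>CN=.+):\s*$")


def parse_setspn_output(text):
    """Return {account_cn: [spn, ...]} from concatenated `setspn -L` output."""
    accounts, current = {}, None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            current = m.group("dn").split(",")[0][len("CN="):]  # CN of the account
            accounts[current] = []
        elif line.strip() and current is not None:
            accounts[current].append(line.strip())
    return accounts


def find_duplicate_spns(accounts):
    """SPNs registered on more than one account; AD compares SPNs case-insensitively."""
    owners, spelling = defaultdict(set), {}
    for acct, spns in accounts.items():
        for spn in spns:
            owners[spn.lower()].add(acct)
            spelling.setdefault(spn.lower(), spn)
    return {spelling[k]: sorted(v) for k, v in owners.items() if len(v) > 1}


def find_privileged_spn_holders(accounts, privileged):
    """Accounts that hold SPNs and are in the privileged set (e.g. Domain Admins members)."""
    return sorted(a for a, spns in accounts.items() if spns and a in privileged)


def audit(text, privileged):
    accounts = parse_setspn_output(text)
    return {"duplicates": find_duplicate_spns(accounts),
            "privileged": find_privileged_spn_holders(accounts, privileged)}
```

Run `audit(open("spns.txt").read(), {"Administrator"})` on real `setspn -L` output saved to a file; an empty `duplicates` dict and an empty `privileged` list is the state the post describes as low risk.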