[XI 3.1] BO + Kerberos

Hello,

First, sorry for my English, I try to do my best :slight_smile:

I have a problem with my BO installation. These are my servers:

  • A Windows 2008 Server 64-bit with Active Directory Kerberos
  • A Windows 2008 Server 64-bit with BO XI 3.1
  • These servers are on the same domain

Now, these are the steps I did for the installation:
1 - Creation of an account in Active Directory: BOXI
2 - This account is an administrator on my BO server and has "Act as part of the operating system"
3 - The SIA runs under the BOXI account
4 - Creation of the file C:/winnt/krb5.ini:

5 - Creation of the file C:/winnt/bscLogin.conf:

6 - Add these two lines to the Tomcat Java parameters:
-Djava.security.auth.login.config=c:/winnt/bscLogin.conf
-Djava.security.krb5.conf=c:/winnt/krb5.ini

7 - Test this configuration with this command line:
kinit.exe BOXI@MYDOMAIN.LOCAL BOXIpassword
And it returns a new ticket, so it's OK

8 - On my Active Directory server, I executed this command:
Setspn -A BOBJPCentralMS/mydomain.local BOXI
And it works (no error; I see the SPN with SETSPN -L BOXI)

9 - In the BOXI account properties, in the "Delegation" tab, I chose:
Trust this user for delegation to specified services only
and
Use Kerberos only
and in the list I added the service BOBJPCentralMS (found with a search on the BOXI account)

10 - In CMC > Authentication > Windows AD, these are my parameters:
- Activate Windows Active Directory (ok)
- AD administration name: mydomain\BOXI
- Default AD domain: mydomain.local
- AD groups: mydomain\DROIT_BOXI (an AD group with all accounts that need access to BO)
- Authentication options: I chose Use Kerberos authentication
- SPN: BOBJPCentralMS/mydomain.local

11 - When I submit this form, all accounts in my group DROIT_BOXI are added to the CMC

12 - But when I try to log on to InfoView, there is an error saying that my account is not valid

13 - And when I try to log on to Designer, there is an error saying that BOBJPCentralMS/mydomain.local doesn't exist.

Can you help me with my problems in steps 12 and 13?

Thank you


littleqi (BOB member since 2009-11-13)
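The krb5.ini and bscLogin.conf contents did not survive in the post above. The following is an added example, not littleqi's files and not code from SAP, that parses the two files offline and checks the points this thread turns on: the realm name in capitals, a [realms] entry with a kdc, the rc4-hmac enctype matching the RC4-HMAC-NT keytab the quoted guide creates, and the com.businessobjects.security.jgss.initiate JAAS entry. The file contents are constructed for the poster's realm MYDOMAIN.LOCAL; the KDC host name dc01.mydomain.local and the deliberately broken second krb5.ini are assumptions.

```python
"""Offline checks for the two Kerberos files BOE XI 3.1 reads through the
Tomcat -D options: krb5.ini (MIT profile format) and bscLogin.conf (JAAS).

Added example, not from the forum post or SAP's guide.  File contents are
constructed for realm MYDOMAIN.LOCAL; dc01.mydomain.local is an assumption.
"""
import re

KRB5_INI = """\
[libdefaults]
default_realm = MYDOMAIN.LOCAL
default_tkt_enctypes = rc4-hmac
default_tgs_enctypes = rc4-hmac
udp_preference_limit = 1

[realms]
MYDOMAIN.LOCAL = {
    kdc = dc01.mydomain.local
    default_domain = mydomain.local
}
"""

# Assumed broken variant: realm typed in lower case and RC4 left out.
KRB5_INI_BAD = """\
[libdefaults]
default_realm = mydomain.local
default_tkt_enctypes = aes256-cts

[realms]
mydomain.local = {
    kdc = dc01.mydomain.local
}
"""

BSCLOGIN_CONF = """\
com.businessobjects.security.jgss.initiate {
    com.sun.security.auth.module.Krb5LoginModule required;
};
"""


def parse_krb5(text):
    """Parse krb5.ini into {section: {key: value | {key: value}}}.

    Handles [section] headers, key = value lines and the one level of
    'NAME = { ... }' nesting that the [realms] section uses.
    """
    profile, section, block = {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        header = re.match(r"^\[(.+)\]$", line)
        if header:
            section = profile.setdefault(header.group(1), {})
            block = None
            continue
        if section is None:
            raise ValueError(f"value outside any section: {line!r}")
        if line == "}":
            block = None
            continue
        key, _, value = (part.strip() for part in line.partition("="))
        if value == "{":
            block = section.setdefault(key, {})
        elif block is not None:
            block[key] = value
        else:
            section[key] = value
    return profile


def check_krb5(profile):
    """Return a list of problems; an empty list means the file looks sane."""
    problems = []
    libdefaults = profile.get("libdefaults", {})
    realm = libdefaults.get("default_realm")
    if not realm:
        problems.append("libdefaults has no default_realm")
    else:
        if realm != realm.upper():
            problems.append(f"default_realm {realm!r} is not upper-case; "
                            "Kerberos realm names are case-sensitive")
        realm_cfg = profile.get("realms", {}).get(realm)
        if realm_cfg is None:
            problems.append(f"[realms] has no entry for {realm}")
        elif "kdc" not in realm_cfg:
            problems.append(f"[realms] entry {realm} names no kdc")
    # ktpass -crypto RC4-HMAC-NT produces an RC4 key, so the JVM must be
    # allowed to request RC4 tickets for it.
    for key in ("default_tkt_enctypes", "default_tgs_enctypes"):
        if "rc4-hmac" not in libdefaults.get(key, "").lower().split():
            problems.append(f"{key} does not list rc4-hmac")
    return problems


def check_bsclogin(text):
    """Check the JAAS login entry name BOE's Java SDK looks up."""
    entry = re.search(
        r"com\.businessobjects\.security\.jgss\.initiate\s*\{(.*?)\}\s*;",
        text, re.S)
    if not entry:
        return ["no com.businessobjects.security.jgss.initiate entry"]
    body = entry.group(1)
    problems = []
    if "com.sun.security.auth.module.Krb5LoginModule" not in body:
        problems.append("initiate entry does not use Krb5LoginModule")
    if not re.search(r"Krb5LoginModule\s+required", body):
        problems.append("Krb5LoginModule should be flagged 'required'")
    return problems
```

Point parse_krb5 at the real C:\winnt\krb5.ini text and check_bsclogin at bscLogin.conf; any non-empty list is something to fix before retrying the kinit test in step 7.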

Did you create your keytab file and copy it to the location where the bsclogin.conf and krb5.ini files are? By default c:\WINNT

From BO's doc on SSO for 3.1:

Steps for running KTPass (only installed on a DC by default)
KTPASS is a built-in Kerberos command (on DCs by default). With the options selected it will essentially perform 3 functions.

  1. Create an RC4 encrypted keytab file with the password/filename specified in the command.
  2. Rename the Windows 2003 user name (UPN) to the value specified in the idm.princ.
  3. Create an SPN for the service account with the value specified in the idm.princ.
    In order for vintela (role 3) to use a service account the UPN and SPN must match.

KTPASS should be run on any account that will be used for vintela (just once per this doc and many times per legacy docs). Syntax that should be used is below.
ktpass -out myname.keytab -princ BOSSO/bossosvcacct.mydomain.com@REALM.COM -mapuser bossosvcacct@REALM.COM -pass yourpw -kvno 255 -ptype KRB5_NT_PRINCIPAL -crypto RC4-HMAC-NT
  1. Replace myname with any name for your keytab such as BOSSO.keytab (also must be specified in web.xml)
  2. Replace mydomain.com with the full domain name where the service account was created
  3. Replace REALM.COM with the default domain (often the same value as above). This will be the value in your web.xml idm.realm (your default realm or domain in AD). Make sure this is in ALL CAPS whenever it is entered (Java SDKs may require this)
  4. Replace yourpw with your service account password (this password will also be used in your Tomcat Java options during the initial configuration)

Sample ktpass command:
ktpass -out vinsso.keytab -princ BOSSO/bossosvcacct.mydomain.com@WINAUTHTZ.COM -mapuser bossosvcacct@WINAUTHTZ.COM -pass password -kvno 255 -ptype KRB5_NT_PRINCIPAL -crypto RC4-HMAC-NT
Here is a sample output – notice there are no errors or warnings (if an error or warning should appear check syntax and contact Business Objects support).
Targeting domain controller:bobj-w2k3-db-tz,winauthtz.com Successfully mapped BOSSO/bossosvcacct.winauthtz.com to bossosvcacct
Key created.
Output keytab to vinsso.keytab: Keytab version: 0x502
keysize 81 BOSSO/bossosvcacct.mydomain.com@MYDOMAIN.COM ptype 1 (KRB5_NT_PRINCIPAL) vno 255 etype 0x17 (RC4-HMAC) keylength 16 (0x91c0c7b367db3f2d6684b6690a5ff6e2)
NOTE: If you receive encryption not supported errors for RC4 try and download the Windows 2003 SP2 ktpass version or later.

(Source: Configuring Vintela SSO in Distributed Environments – Complete Guide, SAP Community Network, © 2008 SAP AG, p. 6)

sophist (BOB member since 2008-09-19)

Hi Sophist,

Did you find any specific doc on SSO for 3.1, or is it the 3.1 admin doc?

Thank you

Alex


agor :canada: (BOB member since 2005-03-29)

The info in the BOE 3.1 Admin documents is incomplete, you need to look up the “Configuring Vintela SSO in Distributed Environments_ Complete Guide.pdf” document and Excel checklist by Tim Ziemba on the SAP Support site.


MJRBIM :canada: (BOB member since 2007-03-23)

Hi Littleqi,

Can you tell me how you managed to install BO XI 3.1 on a Windows 2008 64-bit server?
We have installed the software but face incompatibilities with IIS and the .NET Framework…

As for SAP BO, they told us we had to go back to a 32-bit platform, but we are a bit reluctant to do that as our IT policy is moving towards 64-bit platforms.

Thanks!


DJR_Boot (BOB member since 2005-06-10)

I know it's a bit late for this post.
I've installed BO R3.1 SP2 patch level 5 on a Windows 2008 R2 Server.
The only problem is the database client. With a 32-bit database client the BO server works fine.

But we used the Tomcat that was delivered with the installation and not IIS.


Ralph (BOB member since 2010-02-26)

I have successfully installed BOE XI 3.1 Enterprise and Edge on 2008 64-bit servers with both Java and IIS application servers, so that is most likely not the problem.

I agree with getting the full copy of Tim Z.'s document mentioned earlier and following the instructions word for word. The keytab file is only for the SSO portion of the setup, so if you are not successfully getting authenticated with a manual AD login then I would review your krb5.ini and bscLogin.conf settings.

To test whether the Kerberos configuration is working without including BOE in the test, use the KINIT command (procedures are in Configuring Vintela SSO in Distributed Environments_ Complete Guide.pdf) to test ONLY Kerberos connectivity.

If you can successfully get a Kerberos ticket, then look at your settings in the AD authentication plug-in. Verify that the SPN is equal to the UPN of the user, and that the domain is in all caps. Kerberos and Java are case-sensitive.

Verify that you reset the service account's password after issuing the KTPASS command. Not sure why, but the password is a little flaky after issuing the command.

Hope these suggestions help.


aroche :us: (BOB member since 2006-06-06)
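The ktpass output quoted in sophist's post (Keytab version 0x502, principal, ptype 1, vno 255, etype 0x17, 16-byte key) is a plain binary format, so the keytab can be checked offline against the SPN, realm and UPN before anything is retried in Tomcat. The following is an added example, not code from the forum or from SAP's guide, that serialises and parses that format and applies the checks from aroche's post: an entry for SPN@REALM, the realm in capitals, and the account's UPN identical (case-sensitively) to that principal. SAMPLE_KEYTAB is constructed from the values in the quoted output; the UPN strings passed to check_keytab() are assumptions.

```python
"""Build and parse an MIT keytab (version 0x502, the layout ktpass writes)
and check it against the SPN, realm and UPN the BOE AD plug-in is given.

Added example, not from the forum or SAP's guide.  SAMPLE_KEYTAB is
constructed from the values in the quoted ktpass output.
"""
import struct

KRB5_NT_PRINCIPAL = 1       # "ptype 1" in the ktpass output
ETYPE_RC4_HMAC = 0x17       # "etype 0x17 (RC4-HMAC)"


def _counted(b):
    """counted_octet_string: 16-bit big-endian length followed by the bytes."""
    return struct.pack(">H", len(b)) + b


def _read_counted(data, pos):
    (n,) = struct.unpack_from(">H", data, pos)
    return data[pos + 2:pos + 2 + n], pos + 2 + n


def build_keytab(principal, realm, kvno, enctype, key, timestamp=0):
    """Serialise a single-entry keytab for principal@realm."""
    components = principal.split("/")
    body = struct.pack(">H", len(components)) + _counted(realm.encode())
    for component in components:
        body += _counted(component.encode())
    body += struct.pack(">IIB", KRB5_NT_PRINCIPAL, timestamp, kvno & 0xFF)
    body += struct.pack(">H", enctype) + _counted(key)
    body += struct.pack(">I", kvno)   # 32-bit vno extension after the keyblock
    return b"\x05\x02" + struct.pack(">i", len(body)) + body


def parse_keytab(data):
    """Return a list of entry dicts from a version 0x502 keytab."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x502 keytab")
    pos, entries = 2, []
    while pos < len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:                       # deleted slot: skip |size| bytes
            pos -= size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        pos += 2
        realm, pos = _read_counted(data, pos)
        components = []
        for _ in range(ncomp):
            component, pos = _read_counted(data, pos)
            components.append(component.decode())
        name_type, timestamp, vno = struct.unpack_from(">IIB", data, pos)
        pos += 9
        (enctype,) = struct.unpack_from(">H", data, pos)
        pos += 2
        key, pos = _read_counted(data, pos)
        if end - pos >= 4:                 # optional 32-bit vno overrides the byte
            (vno32,) = struct.unpack_from(">I", data, pos)
            pos += 4
            vno = vno32 or vno
        if pos != end:
            raise ValueError("entry size does not match its contents")
        entries.append({
            "principal": "/".join(components) + "@" + realm.decode(),
            "name_type": name_type, "timestamp": timestamp,
            "vno": vno, "enctype": enctype, "key": key,
        })
    return entries


def check_keytab(entries, spn, realm, upn):
    """Thread's checks: realm in caps, an entry for SPN@REALM holding a
    16-byte RC4 key, and the UPN identical (case-sensitively) to it."""
    problems = []
    if realm != realm.upper():
        problems.append(f"realm {realm!r} must be ALL CAPS")
    wanted = f"{spn}@{realm}"
    matching = [e for e in entries if e["principal"] == wanted]
    if not matching:
        have = ", ".join(e["principal"] for e in entries) or "(none)"
        problems.append(f"no keytab entry for {wanted}; keytab holds: {have}")
        return problems
    for e in matching:
        if e["name_type"] != KRB5_NT_PRINCIPAL:
            problems.append(f"ptype {e['name_type']} is not KRB5_NT_PRINCIPAL")
        if e["enctype"] != ETYPE_RC4_HMAC or len(e["key"]) != 16:
            problems.append("entry is not a 16-byte RC4-HMAC key")
    if upn != wanted:
        problems.append(f"UPN {upn!r} differs from keytab principal {wanted!r}")
    return problems


# Constructed from the sample output in the quoted guide.
SAMPLE_KEY = bytes.fromhex("91c0c7b367db3f2d6684b6690a5ff6e2")
SAMPLE_KEYTAB = build_keytab("BOSSO/bossosvcacct.mydomain.com", "MYDOMAIN.COM",
                             255, ETYPE_RC4_HMAC, SAMPLE_KEY)
```

Against a real file, pass open("vinsso.keytab", "rb").read() to parse_keytab(), the SPN and realm exactly as entered in the CMC plug-in, and the UPN shown on the account's properties; a lower-case realm or a UPN that ktpass did not rewrite shows up as a problem string rather than as the "account not valid" error at InfoView logon.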