Archived discussions are read-only. Learn more about SAP Q&A

WACS AD Kerberos SSO

Has anyone been able to get this working? I am using WACS, and was successful in setting up AD authentication. I then setup SSO according to the Admin Guide and WACS supplement, but the SSO still does not work. I am using BO Edge 3.1 in Windows Server 2003 SP2. When I try to open InfoView, it puts the username in, but no password. There is no error message provided. I can then enter the password without any problems and log in, but of course this defeats the purpose. I have searched both here and the BOB forum, but can't seem to find anyone that is actually using WACS (i did NOT install Tomcat).

After getting AD setup, I then setup another user for SSO. So "businessobjects" was the name of the AD user, and "businessobjectssso" was the name of the SSO user (this is how I had it running in XI R2 using Java, and it is still working). Almost everything was done exactly how I had it setup in XI R2 with Java

1. businessobjectssso was setup using all the correct properties (delegation, never expires, etc)

2. Ktpass /princ HTTP/COMPUTER.DOMAIN.COM<AT>DOMAIN.COM /mapuser businessobjectssso

3. Reset account pw

4. aKtpass u2013princ HTTP/COMPUTER.DOMAIN.COM<AT>DOMAIN.COM /mapuser businessobjectssso /crypto DES-CBC-MD5 /pass <PASSWORD> /ptype KRB5_NT_PRINCIPAL /out COMPUTERNAME.Keytab kvno 255

Note: "/" was used instead of "-" because "-" wasn't working (perhaps a copy/paste issue, but it did go through with "/". also note that <AT> is "@"

5. Moved the keytab to the BO computer, and setup the WACS, entering the domain and all that. I've restarted everything (SIA, WACS, Server), to no avail. Has ANYONE been successful with this?

Thanks.

  • SAP Employee
replied

The steps to troubleshoot it are a bit different and I don't have it documented fully yet. You can open a case with support and I'm pretty sure the authentication team will be able to resolve the issue or escalate it to me. The functionality offered in tomcat and WACS is the same in XI3.x but some of the more complex workflows such as setting up kerberos SSO need additional troubleshooting info so we can get proper logs. The tomcat config is documented pretty well now in my vintela docs as well as how to trace the problem. So either way you should be able to get this working...

Regards,

Tim

0 View this answer in context
Not what you were looking for? View more on this topic or Ask a question