
Kerberos SSO problem with windows AD authentication at BI 4.0

I have installed BI 4.0 on Windows 2008 with Tomcat 6 / MSSQL. Authentication with AD is configured based on the Admin guide. I can log in to the CMC / BI Launch Pad manually with Windows AD authentication.

Kerberos SSO with AD doesn't work. I got the error message as "Account Information Not Recognized: Active Directory Authentication failed to log you on. Please contact your system administrator to make sure you are a member of a valid mapped group and try again. If you are not a member of the default domain, enter your user name as UserName@DNS_DomainName, and then try again. (FWM 00006)"

The error shows in the trace file Webapp_BIlaunchpad_trace.000001.glf as follows:

com.crystaldecisions.sdk.plugin.authentication.ldap.internal.SecWinADAuthentication||Authentication failed.
java.lang.IllegalArgumentException: EncryptionKey: Key bytes cannot be null!
at sun.security.krb5.EncryptionKey.<init>(EncryptionKey.java:214)
at sun.security.krb5.EncryptionKey.acquireSecretKeys(EncryptionKey.java:191)
at sun.security.krb5.EncryptionKey.acquireSecretKeys(EncryptionKey.java:159)

Tomcat log shows:

Debug is true storeKey false useTicketCache false useKeyTab false doNotPrompt false ticketCache is null isInitiator true KeyTab is null refreshKrb5Config is false principal is null tryFirstPass is false useFirstPass is false storePass is false clearPass is false
[Krb5LoginModule] user entered username: @XX.YY.COM
Using builtin default etypes for default_tkt_enctypes
default etypes for default_tkt_enctypes: 3 1 23 16 17.

There is no username passed.

I followed the administrator guide and created global.properties and BIlaunchpad.properties under the custom folder. Kinit is OK. "setspn -l bodservice" looks good too.

global.properties:

sso.enabled=true
siteminder.enabled=false
vintela.enabled=true
idm.realm=XX.YY.COM
idm.princ=BOSSO/bodservice.XX.YY.com
idm.allowUnsecured=true
idm.allowNTLM=false
idm.logger.name=simple
idm.logger.props=error-log.properties
idm.keytab=C:\winnt\BODvintela.keytab

BIlaunchpad.properties:

authentication.default=secWinAD
cms.default=XXXX:6400
authentication.visible=true

bscLogin.conf:

com.businessobjects.security.jgss.initiate
{com.sun.security.auth.module.Krb5LoginModule required debug=true;
};

Krb5.ini:

[libdefaults]
default_realm = XX.YY.COM
dns_lookup_kdc = true
dns_lookup_realm = true
udp_preference_limit = 1
[realms]
XX.YY.COM = {
kdc =XXXX.XX.YY.COM
default_domain = XX.YY.COM
}

We have XI 3.1 with AD SSO for InfoView. I followed most of the configuration steps, but no luck for 4.0. Any idea? Thanks for your help.

Edited by: Dong Li on Jul 28, 2011 11:16 PM

Update: I worked with SAP Support. SSO works for manually inputting the password at Tomcat configuration. It seems there is something wrong with Keytab. We will create new keytab.


Hi guys, we had the exact same issue with BI 4.0 and SSO, and after much frustration got it to work the following way:

(remember to replace <at> with @)

Our setup:

Windows Domain Functional Level: 2003
Windows 2008 R2 SAP servers
Windows Domain: MYDOMAIN.COM
DNS Suffix (for FQDN): MYDOMAIN.COM (Note: your AD and DNS might have different names)
Windows Domain Controller: MYDC.MYDOMAIN.COM
BI Server FQDN: bi4dev.mydomain.com
BI Service User (UPN): SAPServiceBI4<at>MYDOMAIN.COM
BI Service User (SAM): MYDOMAIN\SAPServiceBI4

Cleanup for previous attempts:

In case you have already tried to configure SSO, clean up all you have done:

- List current SPNs assigned to the Service User (setspn -l SAPServiceBI4) and delete all SPNs (setspn -D <SPN> SAPServiceBI4)
- Check for duplicate SPNs assigned to the Service User and delete them too: setspn -X
- Delete or rename the current keytab file
- In AD, ensure the UPN of the Service User is back to normal (usually when you run KTPASS it changes the AD user name to the SPN you specified, i.e. change HOST/server.com<at>MYDOMAIN.COM back to SAPServiceBI4<at>MYDOMAIN.COM)
- In the global.properties file, remove the SPN entry for idm.princ= and the keytab entry for idm.keytab=
- In the BI CMC > Authentication > Windows AD, uncheck/disable "Enable Windows Active Directory"
- Reboot the whole server to clear the cache etc. for a clean start

SSO Config:

- Create a new Service User or use the previous one as per guide:
UPN=SAPServiceBI4<at>MYDOMAIN.COM, SAM=MYDOMAIN\SAPServiceBI4
- Add the user to the Local Administrators group and update the Local Security Policy as per guide (Act as part of the Operating system, Log on as a Batch job, Log on as a service, Replace a Process Level Token)
- On the Domain Controller run KTPASS to create the SPN and keytab file (this is VERY important: for the SPN you need to specify the URL that users will be using in their web browser to access the BI Launchpad. For example, if your server URL to BI Launchpad is http://server.domain.com:8080/BOE/BI, then use server.domain.com<at>DOMAIN.COM):

ktpass -princ HTTP/bi4dev.mydomain.com<at>MYDOMAIN.COM -mapuser SAPServiceBI4<at>MYDOMAIN.COM -pass passw123 -kvno 255 -ptype KRB5_NT_PRINCIPAL -crypto RC4-HMAC-NT -out SAPServiceBI4.keytab

- Now, in AD go to Domain Users and check your Service Account. The UPN should now have changed to HTTP/bi4dev.mydomain.com<at>MYDOMAIN.COM, whilst the SAM is still MYDOMAIN\SAPServiceBI4. Also, RESET THE PASSWORD to the SAME password you had for the Service User (right-click user > Reset Password) - this prevents any funny Kerberos credential issues between AD and the keytab.
- Next, go to the Delegation tab and select "Trust this user for delegation to any service (Kerberos only)". If the Delegation tab is not visible, run the setspn commands below and retry.
- Run "setspn -l SAPServiceBI4". There should now already be an SPN registered (which is the FQDN), namely HTTP/bi4dev.mydomain.com. Register additional SPNs (shortname and IP):

setspn -a HTTP/bi4dev SAPServiceBI4
setspn -a HTTP/10.10.20.30 SAPServiceBI4

- Create folder C:\WINNT and copy the keytab file to it (you can use C:\Windows itself I guess, but I played it safe)
- Assign the Service User to the SIA service in the CCM as MYDOMAIN\SAPServiceBI4
- Create/edit the "global.properties" file under ..\Program Files (x86)\SAP BusinessObjects\Tomcat6\webapps\BOE\WEB-INF\config\custom\:

sso.enabled=true
siteminder.enabled=false
vintela.enabled=true
idm.realm=MYDOMAIN.COM
idm.princ=HTTP/bi4dev.mydomain.com (!! Use the SPN defined in the KTPASS command above)
idm.allowUnsecured=true
idm.allowNTLM=false
idm.logger.name=simple
idm.logger.props=error-log.properties
idm.keytab=C:/WINNT/SAPServiceBI4.keytab (!! VERY IMPORTANT !! Don't use backslashes (example C:\WINNT\SAPServiceBI4.keytab), use the forward slash as it should be in Java format)

- Create the "BIlaunchpad.properties" file in the same location:

authentication.visible=true
authentication.default=secWinAD
cms.default=bi4dev:6400

- Increase the Tomcat header size limit in the "server.xml" file as per guide

- Create file "C:\WINNT\krb5.ini":

[libdefaults]
default_realm = MYDOMAIN.COM
dns_lookup_kdc = true
dns_lookup_realm = true
default_tkt_enctypes = rc4-hmac
default_tgs_enctypes = rc4-hmac
[domain_realm]
.domain.com = MYDOMAIN.COM
domain.com = MYDOMAIN.COM
[realms]
MYDOMAIN.COM = {
default_domain = MYDOMAIN.COM
kdc = MYDC.MYDOMAIN.COM
}

- Create file "C:\WINNT\bscLogin.conf":

com.businessobjects.security.jgss.initiate {
com.sun.security.auth.module.Krb5LoginModule required debug=true;
};

Edited by: Bernardt Nel - Priv on Aug 2, 2011 10:39 AM
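Both the original "Key bytes cannot be null" failure and the answer's insistence that idm.princ must match the ktpass SPN come down to whether the keytab actually holds a key for the configured principal. As an added diagnostic (not code from this thread or from SAP), this Python script parses a keytab in the format ktpass writes and checks it for a key of the expected enctype for idm.princ; the sample keytab bytes are constructed inline with a dummy key and the field layout assumed is the MIT keytab version 0x0502 format.

```python
"""Inspect a keytab in ktpass's format (version 0x0502) and check it holds a key for
the SPN used as idm.princ. Added example; the sample keytab is built with a dummy key."""
import struct

RC4_HMAC = 23  # enctype produced by "-crypto RC4-HMAC-NT"

def parse_keytab(data):
    """Return [(principal, kvno, etype), ...] for every live entry."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %r" % data[:2])
    pos, out = 2, []
    while pos < len(data):
        (size,) = struct.unpack(">i", data[pos:pos + 4]); pos += 4
        if size < 0:                      # negative size marks a deleted slot
            pos -= size; continue
        end = pos + size
        (ncomp,) = struct.unpack(">H", data[pos:pos + 2]); pos += 2
        strings = []                      # realm first, then name components
        for _ in range(ncomp + 1):
            (n,) = struct.unpack(">H", data[pos:pos + 2]); pos += 2
            strings.append(data[pos:pos + n].decode()); pos += n
        pos += 8                          # skip name_type and timestamp
        kvno = data[pos]; pos += 1        # 8-bit kvno
        etype, klen = struct.unpack(">HH", data[pos:pos + 4]); pos += 4 + klen
        if end - pos >= 4:                # optional 32-bit kvno overrides if non-zero
            kvno = struct.unpack(">I", data[pos:pos + 4])[0] or kvno
        pos = end
        out.append(("/".join(strings[1:]) + "@" + strings[0], kvno, etype))
    return out

def check_keytab(data, idm_princ, idm_realm, etype=RC4_HMAC):
    """(ok, message): does the keytab hold a key of the wanted enctype for idm.princ?"""
    want = idm_princ if "@" in idm_princ else idm_princ + "@" + idm_realm
    keys = [(k, e) for p, k, e in parse_keytab(data) if p == want]
    have = sorted({e for _, e in keys})
    if etype not in have:
        return False, "no etype %d key for %s (found %s)" % (etype, want, have)
    return True, "%s kvno %d etype %d" % (want, max(k for k, e in keys if e == etype), etype)

def make_entry(principal, kvno, etype, key):
    """Encode one keytab entry; used only to build the constructed sample."""
    name, realm = principal.split("@")
    body = struct.pack(">H", name.count("/") + 1)
    for s in [realm] + name.split("/"):
        body += struct.pack(">H", len(s)) + s.encode()
    body += struct.pack(">II", 1, 0) + bytes([kvno & 0xFF])  # NT_PRINCIPAL, timestamp, vno8
    body += struct.pack(">HH", etype, len(key)) + key + struct.pack(">I", kvno)
    return struct.pack(">i", len(body)) + body

# Constructed sample: the answer's SPN with one RC4 key at kvno 255 (as "ktpass -kvno 255").
SAMPLE_KEYTAB = b"\x05\x02" + make_entry("HTTP/bi4dev.mydomain.com@MYDOMAIN.COM", 255, RC4_HMAC, b"\x11" * 16)
```

Against a real file, call check_keytab(open(path, "rb").read(), idm_princ, idm_realm) with the values from global.properties; a False result for the principal the Java login module is configured with means the keytab, not Tomcat, needs fixing.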
