Skip to Content

Archived discussions are read-only. Learn more about SAP Q&A

SSO with BOXI 3.1 SP5

Hi everyone,

I'm setting up a SSO on BusinessObjects XI 3.1 SP5 and after reading some guides like in KB "1483762 - Configuring Manual Kerberos Authentication and/or SSO in Distributed Environments with XI 3.1 SP3 ***Best Practice***", I can't retrieve my mapped AD groups in CMC>Authentification>Windows AD.

I follow the guide and that's what I've done until now (reproducing step by step) :

- Create an AD user (no password expires, can't change logon) wich is "bossosvcacct"

- use "setspn" on my BusinessObjects server which is in my domain MYDOMAIN.COM

For the CMS

setspn -A BOCMS/ bossosvcacct

For TOMCAT (Tomcat 5.5.33)

setspn -A HTTP/ bossosvcacct

setspn -A HTTP/BOSERVERNAME bossosvcacct

setspn -A HTTP/

- Choose "Trust this user....(Kerberos only)" for delegation for bossosvcacct

- In the CMC, I've enabled "Windows AD"

- AD Administration Name : MYDOMAIN\bossosvcacct

- Default AD Domain : MYDOMAIN.COM

- I choose "Use Kerberos authentication" with service principal name : "BOCMS/"

And after this configuration similar to the best practices, I can't map my AD groups and it seems that it doesn't work.

If you want more informations to resolve this issue, no problem.

Best Regards,


Ok TIM, it works !

the last problem was the keytab and parameters in JAVA options with Tomcat configuration.

Now, it works like a charm and SSO is OK, I've deleted password option in Tomcat configuration and I've done KTPASS with all the option in order to generate a correct keytab file.

Thanks for your advices and your time, it was really helpful !

Best regards,

0 View this answer in context
Not what you were looking for? View more on this topic or Ask a question