SSO with BOXI 3.1 SP5
I'm setting up SSO on BusinessObjects XI 3.1 SP5 and, after reading some guides such as KB "1483762 - Configuring Manual Kerberos Authentication and/or SSO in Distributed Environments with XI 3.1 SP3 ***Best Practice***", I can't retrieve my mapped AD groups in CMC > Authentication > Windows AD.
I followed the guide, and this is what I've done so far (reproducing it step by step):
- Create an AD user (no password expires, can't change logon) which is "bossosvcacct"
- use "setspn" on my BusinessObjects server which is in my domain MYDOMAIN.COM
For the CMS
setspn -A BOCMS/bossosvcacct.mydomain.com bossosvcacct
For TOMCAT (Tomcat 5.5.33)
setspn -A HTTP/BOSERVERNAME.mydomain.com bossosvcacct
setspn -A HTTP/BOSERVERNAME bossosvcacct
setspn -A HTTP/100.100.100.100
- Choose "Trust this user....(Kerberos only)" for delegation for bossosvcacct
- In the CMC, I've enabled "Windows AD"
- AD Administration Name: MYDOMAIN\bossosvcacct
- Default AD Domain: MYDOMAIN.COM
- I chose "Use Kerberos authentication" with the service principal name "BOCMS/bossosvcacct.mydomain.com"
And after this configuration similar to the best practices, I can't map my AD groups and it seems that it doesn't work.
If you want more information to resolve this issue, no problem.
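
One way to check the `setspn` step listed in the post, as an added example that is not part of the original thread: it parses `setspn -L` output for the service account and reports which of the four SPNs from the post are actually registered. The function names, the `$UseLiveDirectory` switch and the sample output are constructed for illustration; the account and SPN values are the ones in the post.

```powershell
# Added example (not from the thread). Account and SPNs are the values in the post.
$Account  = 'bossosvcacct'
$Expected = @(
    'BOCMS/bossosvcacct.mydomain.com',
    'HTTP/BOSERVERNAME.mydomain.com',
    'HTTP/BOSERVERNAME',
    'HTTP/100.100.100.100'
)
$UseLiveDirectory = $false   # set to $true on a domain-joined host to query AD

# Constructed sample of "setspn -L" output; one expected SPN is left out on purpose.
$Sample = @(
    'Registered ServicePrincipalNames for CN=bossosvcacct,CN=Users,DC=mydomain,DC=com:',
    "`tHTTP/BOSERVERNAME",
    "`tHTTP/BOSERVERNAME.mydomain.com",
    "`tBOCMS/bossosvcacct.mydomain.com"
)

function Get-RegisteredSpn {
    param([string[]]$Lines)
    # SPN lines are indented and look like class/host; the header line is not indented.
    foreach ($line in $Lines) {
        if ($line -match '^\s+(\S+/\S+)\s*$') { $Matches[1] }
    }
}

function Test-ExpectedSpn {
    param([string[]]$Expected, [string[]]$Registered)
    foreach ($spn in $Expected) {
        [pscustomobject]@{
            Spn    = $spn
            # -contains compares strings case-insensitively in PowerShell
            Status = if ($Registered -contains $spn) { 'registered' } else { 'MISSING' }
        }
    }
}

$lines      = if ($UseLiveDirectory) { & setspn.exe -L $Account } else { $Sample }
$registered = @(Get-RegisteredSpn -Lines $lines)
Test-ExpectedSpn -Expected $Expected -Registered $registered | Format-Table -AutoSize

# SPNs on the account that the post does not list are worth reviewing too.
$registered | Where-Object { $Expected -notcontains $_ } |
    ForEach-Object { "Unexpected SPN on ${Account}: $_" }

# On a live domain, "setspn -X" additionally reports SPNs registered on more than one account.
```

With the constructed sample, three SPNs show as registered and `HTTP/100.100.100.100` shows as MISSING.
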
WILLIAM MARCY replied
Ok TIM, it works!
The last problem was the keytab and the parameters in the Java options of the Tomcat configuration.
Now it works like a charm and SSO is OK. I've deleted the password option in the Tomcat configuration and I've run KTPASS with all the options in order to generate a correct keytab file.
Thanks for your advice and your time, it was really helpful!