on 04-06-2015 10:21 AM
Dear All,
I have BI 4.1 SP3 Server intsalled and running sucessfully.
I have enabled Windows Authentican SSO for the Launch Pad.
I can log on to the Web Intelligence Rich Client Sucessfully but
when I log in to BI Launch pad iam getting error:
Run following commands to return server names and IPs.
Step 1 Create an Active Directory service account, biservice (password: Password1). Make to set this user password never expireAdd Domain/biservice user to local Administrators group and assign biservice user the right 'Act as part of Operating System' in the Local Security Policy snap-in
Step 2In order to create appropriate Service Principal Names (SPNs), execute the following commands on Active Directory server:
Run ‘setspn -l biservice’to confirm SPNs have been created by running Step 3Make sure to change the user config of ‘biservice’ user in Active Directory configuration, and under the Delegation tab, turn on ‘Trust this user for delegation to any service (Kerberos only)’. Step 4In Central Management Console CMC under AD Authentication area perform the following tasks.
Hit Save to save all your entries. Also make sure to check under the Groups area to make sure your AD group has been added. Step 5Modify the Server Intelligence Agent (SIA) process on the BusinessObjects server to run as the DOMAIN\biservice user.
Step 6Here we can test this by logging into Web Intelligence Rich Client using an AD user who is part of the group. Single Sign On (SSO) should take place once you select ‘Windows AD’ authentication and click OK (There is no need to input your username or password). Step 7Now it is turn to create a file called ‘bscLogin.conf’. Save this file to C:\Windows\ directory on the BusinessObjects server, and put the following content into it using Notepad:
com.businessobjects.security.jgss.initiate {com.sun.security.auth.module.Krb5LoginModule required debug=true;};
We are not done yet. Create another file called ‘krb5.ini’. Save this file to C:\Windows\ directory, and put the following content into it using Notepad: [libdefaults]default_realm = DOMAIN.INTERNALdns_lookup_kdc = truedns_lookup_realm = truedefault_tgs_enctypes = rc4-hmacdefault_tkt_enctypes = rc4-hmacudp_preference_limit = 1[realms]
kdc = ADSERVER.DOMAIN.INTERNALdefault_domain = DOMAIN.INTERNAL}
Make sure this file is save correctly by navigating to E:\Program Files (x86)\SAP BusinessObjects\SAP BusinessObjects Enterprise XI 4.0\win64_x64\jdk\bin\ folder on the BusinessObjects server, and execute ‘kinit biservice’ in a command prompt. If a new ticket is stored, the file is correct. Step 8Here are we now on BOBJ Server. Stop Tomcat. Modify the BI Launch Pad’s .properties file to reveal the authentication dropdown. Navigate to E:\Program Files (x86)\SAP BusinessObjects\Tomcat6\webapps\BOE\WEB-INF\custom and create a file called ‘BIlaunchpad.properties’ with the following text:
authentication.visible=trueauthentication.default=secWinAD
Open up the Tomcat Options, and add the following lines to the Tomcat Java Options:
-Djava.security.auth.login.config=c:\windows\bscLogin.conf-Djava.security.krb5.conf=c:\windows\krb5.iniOnce you are done there, Start Tomcat and do a manual logon to BusinessObjects, and check Tomcat trace logs for a ‘commit succeeded’. Step 9Stop Tomcat. Modify E:\Program Files (x86)\SAP BusinessObjects\Tomcat6\conf\server.xml, by adding ‘maxHttpHeaderSize=”65536″‘ in Connector Port 8080 tag.Navigate to E:\Program Files (x86)\SAP BusinessObjects\Tomcat6\webapps\BOE\WEB-INF\config\custom and create a file called ‘global.properties’ with the following text:
sso.enabled=truesiteminder.enabled=falsevintela.enabled=trueidm.realm=DOMAIN.INTERNALidm.princ=biserviceidm.allowUnsecured=trueidm.allowNTLM=falseidm.logger.name=simpleidm.logger.props=error-log.properties
Open Tomcat Options Add the following lines to Tomcat Java Options:-Dcom.wedgetail.idm.sso.password=Password1-Djcsi.kerberos.debug=trueDelete logs in E:\Program Files (x86)\SAP BusinessObjects\Tomcat6\logs\ and C:\SBOPWebapp_BIlaunchpad_IP_PORT\.Start Tomcat, go to E:\Program Files (x86)\SAP BusinessObjects\Tomcat6\logs\, check stdout.log has ‘credentials obtained’ shown.Test silent single sign on is now working in a browser (not on the BusinessObjects server). Step 10Copy BIlaunchpad.properties and global.properties from E:\Program Files (x86)\SAP BusinessObjects\Tomcat6\webapps\BOE\WEB-INF\config\custom to E:\Program Files (x86)\SAP BusinessObjects\SAP BusinessObjects Enterprise XI 4.0\warfiles\webapps\BOE\WEB-INF\config\custom so that patches don’t overwrite them and SSO stops working. Step 11Create a keytab on the AD server by running the following command:ktpass -out bosso.keytab -princ biservice@DOMAIN.INTERNAL -pass Password1 -kvno 255 -ptype KRB5_NT_PRINCIPAL -crypto RC4-HMAC-NTCopy this file to c:\windows of BOBJ server.Stop Tomcat.Add the following line to E:\Program Files (x86)\SAP BusinessObjects\Tomcat6\webapps\BOE\WEB-INF\config\custom\global.properties
Open Tomcat Configuration, remove the Wedgetail line in Java Options, restart tomcat and make sure ‘credentials obtained’ still showing up in stdout.log.Now check silent single sign on. Step 12Remove debug=true from the C:\windows\bscLogin.conf file, and also remove the debugging line in Tomcat Configuration, Java Options.
Hi Sohail,
1) Is manual AD authentication working for you?
2) run KINIT serviceaccount@DOMAIN.COM and see if it stores a new ticket
(location: \SAP BusinessObjects\SAP BusinessObjects Enterprise XI 4.0\win64_x64\sapjvm\bin)
We'll proceed based on your replies to above queries.
Regards,
Nagendra
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
Hi,
Well do you mean to run the KINIT by logging into the server by biservice@DOMAIN.COM
And i tried this but no ticket was created.
Acquire TGT using AS Exchange
[Krb5LoginModule] authentication failed
Cannot get kdc for realm DOMAIN
Debug is true storeKey false useTicketCache false useKeyTab false doNotPrompt false ticketCache is null isInitiator true KeyTab is null refreshKrb5Config is false principal is null tryFirstPass is false useFirstPass is false storePass is false clearPass is false
[Krb5LoginModule] user entered username: biservice@DOMAIN
Acquire TGT using AS Exchange
[Krb5LoginModule] authentication failed
Cannot get kdc for realm DOMAIN
1) Is biservice account a member of a mapped AD group in BO?
2) Check if manual AD logins to BI launch Pad are failing for normal users as well, cause if they are i suspect the krb5.ini file has issues.
3) Screenshots of error messages received when trying the KINIT and BIlaunchpad logins will help have a clearer understanding of the issue
Once we have the manual AD working we'll work on the SSO login.
User | Count |
---|---|
93 | |
10 | |
10 | |
9 | |
9 | |
7 | |
6 | |
5 | |
5 | |
4 |
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.