SAP BI 4.1 SP5 - Vintela setup - No silent SSO issue

Former Member
0 Kudos

Hi,

Hope you experts can help me with this issue.

I am doing SSO setup on SAP BI 4.1 SP5 on Windows Server 2012 R2. I have followed the process as outlined in the article at http://scn.sap.com/blogs/josh_fletcher/2012/06/11/active-directory-sso-for-sap-businessobjects-bi4.

I am stuck at Step 9, as I cannot get silent SSO no matter what. I understand a lot of people have had this issue and there have been a lot of discussions in the SAP blog about it, and I've read all of them.

However, does anyone have a solution for this problem ?

Here are my configurations (with sanitized domain names):

Environment:

Domain Name: XXXXCO (FQDN: CORP.XXXXCO.COM)

BO Service Account: CMS41SVC (password: F4M34!xl )

Domain Controller: VM-DC-GH-01.CORP.XXXXCO.COM

BusinessObjects Server: DEV-BOB-APP-01.CORP.XXXXCO.COM

BusinessObjects AD Group: XXXXCO\DL-Business Objects

krb5.ini file
----------------
[libdefaults]
default_realm = CORP.XXXXCO.COM
dns_lookup_kdc = true
dns_lookup_realm = true
default_tgs_enctypes = rc4-hmac
default_tkt_enctypes = rc4-hmac
udp_preference_limit = 1

[realms]
CORP.XXXXCO.COM = {
  kdc = VM-DC-GH-01.CORP.XXXXCO.COM
  default_domain = CORP.XXXXCO.COM
}

bscLogin.conf file
---------------------------------
com.businessobjects.security.jgss.initiate {
  com.sun.security.auth.module.Krb5LoginModule required debug=true;
};

BIlaunchpad.properties file
--------------------------------------------
authentication.visible=true
authentication.default=secWinAD
sso.types.and.order=vintela

global.properties file
-------------------------------------
sso.enabled=true
siteminder.enabled=false
vintela.enabled=true
idm.realm=CORP.XXXXCO.COM
idm.allowUnsecured=true
idm.allowNTLM=false
idm.logger.name=simple
idm.logger.props=error-log.properties

Tomcat added options
-----------------------------------------
...
-Djava.security.auth.login.config=c:\windows\bscLogin.conf
-Djava.security.krb5.conf=c:\windows\krb5.ini
-Dcom.wedgetail.idm.sso.password=F4M34!xl
-Djcsi.kerberos.debug=true

What I've done so far:

-All steps 1-8 verified (as per Josh's article above)

-(NOTE: Under Delegation tab for service account CMS41SVC, turned on ‘Trust this user for delegation to any service (Kerberos only)’.)

-I can get the ticket with kinit CMS41SVC.

-There are no duplicate SPNs.

-I got "commit succeeded" after step 8 and was able to get Manual AD access to the system with AD accounts.

-After application of step 9 I do not get silent SSO and, perhaps not surprisingly, cannot login with AD accounts any more.

I have not performed the keytab steps, as this is a showstopper I guess.

What is wrong here?! Any suggestions?

Some additional questions:

- Does my service account CMS41SVC need to be member of BusinessObjects AD Group: XXXXCO\DL-Business Objects ? In my setup it is not.

- Further, what is the impact of SSO on deployment of Mobile server. If we manage to setup SSO, will it be propagated to Mobile clients ?

- Is there a special process on how to setup Mobile clients for platform with SSO setup ?

- Similarly, impact on SSO on integration with SharePoint ?

- Is there a special process on how to setup SharePoint integration for platform with SSO setup ?

Many thanks for your help in the past and your effort regarding this one.

Regards,

Davor Mitrasevic

Accepted Solutions (1)


former_member926196
Active Participant
0 Kudos

Hi Davor,

The idm.princ=service_account value is missing from the global.properties file.

-Ambarish-

Former Member
0 Kudos

Hi Ambarish,

Thanks for your prompt reply.

Sorry, the content of global.properties file I provided in my post is missing that line. My bad.

However, I do and did have it in the file while doing these tests as per below:

sso.enabled=true
siteminder.enabled=false
vintela.enabled=true
idm.realm=CORP.XXXXCO.COM
idm.princ=CMS41SVC
idm.allowUnsecured=true
idm.allowNTLM=false
idm.logger.name=simple
idm.logger.props=error-log.properties

Regards,

Davor

former_member926196
Active Participant
0 Kudos

Hi Davor,

Can you list the service account SPNs with the following command and paste the output:

setspn -l service_account

Also make sure there are no white spaces in either the global.properties file or the Tomcat config >> Java options.

To delete the Tomcat cache, you can stop Tomcat and navigate to <Tomcat install dir>/work/Catalina. Rename localhost to localhost_old and start Tomcat. Starting it will rebuild the cache.

You can also clear browser cache and then try to execute the URL.

-Ambarish-
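Two of the checks traded in this thread (a missing idm.princ, stray whitespace in global.properties or the Java options) are easy to miss by eye, so here is an added Python checker that is not part of the thread or of SAP's tooling. It parses the four files as strings and lists every inconsistency it finds; the sample input is constructed from the files posted above with the service-account password replaced by a placeholder. The rule that idm.keytab in global.properties and -Dcom.wedgetail.idm.sso.password in the Tomcat options are alternatives (use exactly one), and the list of required Tomcat options, are my assumptions about a Vintela setup, not statements from the thread.

```python
"""Consistency check for a BI 4.x Vintela SSO configuration (added example)."""
import re
from typing import Dict, List

# Constructed sample input, modelled on the files posted in the thread (password redacted).
GLOBAL_PROPERTIES = """\
sso.enabled=true
siteminder.enabled=false
vintela.enabled=true
idm.realm=CORP.XXXXCO.COM
idm.allowUnsecured=true
idm.allowNTLM=false
idm.logger.name=simple
idm.logger.props=error-log.properties
"""

LAUNCHPAD_PROPERTIES = """\
authentication.visible=true
authentication.default=secWinAD
sso.types.and.order=vintela
"""

KRB5_INI = """\
[libdefaults]
default_realm = CORP.XXXXCO.COM
dns_lookup_kdc = true
[realms]
CORP.XXXXCO.COM = {
kdc = VM-DC-GH-01.CORP.XXXXCO.COM
}
"""

TOMCAT_OPTIONS = [
    r"-Djava.security.auth.login.config=c:\windows\bscLogin.conf",
    r"-Djava.security.krb5.conf=c:\windows\krb5.ini",
    "-Dcom.wedgetail.idm.sso.password=<REDACTED> ",   # trailing space on purpose (constructed defect)
    "-Djcsi.kerberos.debug=true",
]


def parse_properties(text: str) -> Dict[str, str]:
    """Parse key=value lines; '#' and '!' start comments in Java properties files."""
    props: Dict[str, str] = {}
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped[0] in "#!":
            continue
        key, _, value = stripped.partition("=")
        props[key.strip()] = value.strip()
    return props


def whitespace_findings(name: str, lines: List[str]) -> List[str]:
    """Stray whitespace in a properties value or a Java option is taken literally by Vintela."""
    findings = []
    for n, line in enumerate(lines, 1):
        if line != line.strip():
            findings.append(f"{name}:{n}: leading/trailing whitespace in {line!r}")
        elif "=" in line and re.search(r"\s=|=\s", line):
            findings.append(f"{name}:{n}: whitespace around '=' in {line!r}")
    return findings


def krb5_default_realm(text: str) -> str:
    """Return default_realm from the [libdefaults] section of krb5.ini (empty if absent)."""
    section = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif section == "libdefaults" and line.startswith("default_realm"):
            return line.split("=", 1)[1].strip()
    return ""


def check_sso_config(global_text: str, launchpad_text: str,
                     krb5_text: str, tomcat_opts: List[str]) -> List[str]:
    """Return a list of findings; an empty list means the four inputs agree with each other."""
    findings = whitespace_findings("global.properties", global_text.splitlines())
    findings += whitespace_findings("BIlaunchpad.properties", launchpad_text.splitlines())
    findings += whitespace_findings("tomcat-options", tomcat_opts)

    g = parse_properties(global_text)
    lp = parse_properties(launchpad_text)

    for key, expected in (("sso.enabled", "true"), ("vintela.enabled", "true")):
        if g.get(key) != expected:
            findings.append(f"global.properties: {key} should be {expected}")
    if "idm.princ" not in g:
        findings.append("global.properties: idm.princ (service account) is missing")
    realm = g.get("idm.realm", "")
    if not realm:
        findings.append("global.properties: idm.realm is missing")
    elif realm != realm.upper():
        findings.append("global.properties: idm.realm must be upper case")
    elif realm != krb5_default_realm(krb5_text):
        findings.append("global.properties: idm.realm does not match krb5.ini default_realm")

    if lp.get("authentication.default") != "secWinAD":
        findings.append("BIlaunchpad.properties: authentication.default should be secWinAD")
    if lp.get("authentication.visible") != "true":
        findings.append("BIlaunchpad.properties: authentication.visible should be true")

    # Assumption: the keytab and the hard-coded password are alternatives, never both or neither.
    opts = [o.strip() for o in tomcat_opts]
    has_password = any(o.startswith("-Dcom.wedgetail.idm.sso.password=") for o in opts)
    has_keytab = "idm.keytab" in g
    if has_password == has_keytab:
        findings.append("exactly one of idm.keytab (global.properties) or "
                        "-Dcom.wedgetail.idm.sso.password (Tomcat options) must be set")
    for needed in ("-Djava.security.auth.login.config=", "-Djava.security.krb5.conf="):
        if not any(o.startswith(needed) for o in opts):
            findings.append(f"tomcat-options: {needed} is missing")
    return findings


if __name__ == "__main__":
    for finding in check_sso_config(GLOBAL_PROPERTIES, LAUNCHPAD_PROPERTIES, KRB5_INI, TOMCAT_OPTIONS):
        print(finding)
```

Run against the sample it reports the trailing space on the password option and the missing idm.princ; once both are corrected the list is empty, and adding idm.keytab while the password option is still present produces the "exactly one" finding.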

Former Member
0 Kudos

Hi Ambarish,

Thank you for your input.

The result of setspn -l <service_account>  command is attached below:

I'll double check the global.properties and Tomcat Java options for empty spaces.

Many thanks,

Davor

Former Member
0 Kudos

Hi Ambarish,

Just checked, I have no white spaces in either global.properties or the Java options for Tomcat.

I also checked the stderr file. I could not find the entry "credentials obtained". No errors whatsoever in the file.

When I am on the server I CAN log into BI Launchpad with network accounts, but if I try the same thing from another machine on the network I get the logon error below:

"Account information not recognized: Enterprise authentication could not log you on. Please make sure your logon information is correct. (FWB 00008)"

Not sure what is going on here.

Kind regards,

Davor

former_member926196
Active Participant
0 Kudos

Hi Davor,

The below error indicates that the authentication being selected is enterprise authentication and not Windows AD authentication

"Account information not recognized: Enterprise authentication could not log you on. Please make sure your logon information is correct. (FWB 00008)"

The authentication.default in the BI Launchpad.properties file should be secWinAD. I think it's not picking up the default authentication set in the .properties file.

Can you redo the changes? Stop Tomcat, delete bi launchpad.properties from the custom folder, copy bi launchpad.properties from the default folder, make the authentication.default change to secWinAD and authentication.visible to true, rename the latest Tomcat cache to localhost_oldold and start Tomcat.


Also let me know if you are manually able to login into BI launchpad using Windows AD authentication.


-Ambarish-
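The redo procedure Ambarish describes, as an added Python script that is not part of the thread or of SAP's tooling: it recreates custom/BIlaunchpad.properties from the shipped default copy with the two keys set, and renames work/Catalina/localhost so Tomcat rebuilds the cache on its next start. The directory layout under <tomcat>/webapps/BOE/WEB-INF/config is my assumption about a standard BI 4.x install; stopping Tomcat before and starting it after (and clearing the browser cache) remain manual steps. The demo() function builds a constructed throwaway tree in a temporary directory so the script can be exercised offline.

```python
"""Recreate BIlaunchpad.properties and retire the Tomcat work cache (added example)."""
import tempfile
from pathlib import Path
from typing import Dict

# Assumed layout of a BI 4.x Tomcat deployment (adjust if your install differs):
#   <tomcat>/webapps/BOE/WEB-INF/config/default/BIlaunchpad.properties   shipped copy, never edited
#   <tomcat>/webapps/BOE/WEB-INF/config/custom/BIlaunchpad.properties    site overrides
#   <tomcat>/work/Catalina/localhost                                     compiled-JSP cache
LAUNCHPAD_SETTINGS = {
    "authentication.default": "secWinAD",
    "authentication.visible": "true",
}


def set_properties(text: str, updates: Dict[str, str]) -> str:
    """Return text with the given keys set in place (or appended), trailing whitespace removed."""
    out, seen = [], set()
    for line in text.splitlines():
        key, sep, _ = line.partition("=")
        key = key.strip()
        if sep and key in updates and not line.lstrip().startswith(("#", "!")):
            out.append(f"{key}={updates[key]}")
            seen.add(key)
        else:
            out.append(line.rstrip())
    out += [f"{k}={v}" for k, v in updates.items() if k not in seen]
    return "\n".join(out) + "\n"


def rebuild_launchpad_properties(webinf_config: Path) -> Path:
    """Delete custom/BIlaunchpad.properties and recreate it from default/ with the SSO keys set."""
    default = webinf_config / "default" / "BIlaunchpad.properties"
    custom_dir = webinf_config / "custom"
    custom_dir.mkdir(parents=True, exist_ok=True)
    custom = custom_dir / "BIlaunchpad.properties"
    if custom.exists():
        custom.unlink()
    custom.write_text(set_properties(default.read_text(), LAUNCHPAD_SETTINGS))
    return custom


def retire_tomcat_cache(tomcat_home: Path) -> Path:
    """Rename work/Catalina/localhost so Tomcat rebuilds it; earlier renames are kept."""
    cache = tomcat_home / "work" / "Catalina" / "localhost"
    if not cache.exists():
        return cache
    target = cache.with_name("localhost_old")
    n = 1
    while target.exists():              # localhost_old, localhost_old2, localhost_old3, ...
        n += 1
        target = cache.with_name(f"localhost_old{n}")
    cache.rename(target)
    return target


def redo_sso_web_config(tomcat_home: Path) -> Dict[str, str]:
    """Run with Tomcat stopped; start Tomcat afterwards and clear the browser cache."""
    webinf_config = tomcat_home / "webapps" / "BOE" / "WEB-INF" / "config"
    custom = rebuild_launchpad_properties(webinf_config)
    cache = retire_tomcat_cache(tomcat_home)
    return {"custom_properties": str(custom), "cache_renamed_to": str(cache)}


def demo() -> Dict[str, object]:
    """Build a constructed sample tree in a temp dir and run the procedure against it."""
    root = Path(tempfile.mkdtemp(prefix="bi41sso_"))
    cfg = root / "webapps" / "BOE" / "WEB-INF" / "config"
    (cfg / "default").mkdir(parents=True)
    (cfg / "default" / "BIlaunchpad.properties").write_text(
        "authentication.default=secEnterprise\nauthentication.visible=false \nlogon.default=x\n")
    (cfg / "custom").mkdir()
    (cfg / "custom" / "BIlaunchpad.properties").write_text("stale=1\n")   # stale override to discard
    cache = root / "work" / "Catalina" / "localhost"
    (cache / "BOE").mkdir(parents=True)                                   # stands in for compiled JSPs
    result = redo_sso_web_config(root)
    return {
        "custom_text": (cfg / "custom" / "BIlaunchpad.properties").read_text(),
        "cache_renamed_to_name": Path(result["cache_renamed_to"]).name,
        "cache_exists_after": cache.exists(),
    }


if __name__ == "__main__":
    print(demo())
```

Point redo_sso_web_config at the real Tomcat home only after stopping the Tomcat service; the function never touches the default/ copy, so it can be rerun safely.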

Former Member
0 Kudos

Hi Ambarish,

Thanks for your input.

You wrote:

"Can you redo the changes. Stop tomcat, delete bi launchpad.properties from custom folder, copy bi launchpad.properties from default folder, make the authentication.default changes to secWinAD and authentication.visible to true, rename the latest tomcat cache to localhost_oldold and start tomcat."

Pardon my ignorance, I do have some questions on this process:

1. Once I do the above changes to the BILaunchpad.properties file, do I need to run wdeploy? I am on BO 4.1 SP5 and my understanding is that Tomcat webapps are auto-deployed, i.e. no need to wdeploy them?

2. So far, I haven't run wdeploy for my SSO setup. I just ran the original automatic installation. Do I need to run wdeploy whenever I change any of the .properties files like "global" or "BILaunchpad"?

How do I run the GUI version of wdeploy and what does it do?

3. When I copy a default BILaunchpad.properties file to the custom folder and edit it, do I just leave these 3 lines of config?

authentication.default=secWinAD
authentication.visible=true
sso.types.and.order=vintela

Many thanks for your help so far. I am really desperate to resolve this issue.

Regards,

Davor

former_member926196
Active Participant
0 Kudos

Hi Davor,

You don't need to use Wdeploy at the moment. The previously suggested steps should help.

Also in current configuration it's not required to mention sso.types.and.order=vintela

-Ambarish-

Former Member
0 Kudos

Hi Ambarish,

I've done what you've suggested and that fixed the problem. I now have silent SSO.

Many thanks for your help and persistency in trying to fix MY problem.

Cheers,

Davor

Former Member
0 Kudos

Hi Ambarish,

Hope you can help me again.

Problem: after successful silent SSO, I went on and produced a keytab file with the command:

ktpass -out bosso.keytab -princ CMS41SVC@CORP.XXXXCO.COM -pass F4M34!xl -kvno 255 -ptype KRB5_NT_PRINCIPAL -crypto RC4-HMAC-NT

Command Result:

I then stopped Tomcat and:

1. Removed the wedgetail option in Tomcat (hardcoded password).
2. Placed bosso.keytab in C:/WINDOWS
3. Modified global.properties to point to C:/WINDOWS/bosso.keytab
4. Started Tomcat

In the stderr file I found "credentials obtained" and:

[DEBUG] Thu May 28 11:11:17 EST 2015 jcsi.kerberos: GSS: Acceptor supports: KRB5 :

[DEBUG] Thu May 28 11:11:17 EST 2015 jcsi.kerberos: Ticket service name is: HTTP/DEV-BOB-APP-01.corp.xxxxco.com@CORP.XXXXCO.COM

[DEBUG] Thu May 28 11:11:17 EST 2015 jcsi.kerberos: GSS name is: CMS41SVC@CORP.XXXXCO.COM

[DEBUG] Thu May 28 11:11:17 EST 2015 jcsi.kerberos: Using keytab entry for: CMS41SVC@CORP.XXXXCO.COM

[DEBUG] Thu May 28 11:11:17 EST 2015 jcsi.kerberos: ** decrypting ticket .. **   with key   Principal: CMS41SVC@CORP.XXXXCO.COM

Type: 1   TimeStamp: Thu Jan 01 10:00:00 EST 1970   KVNO: -1   Key: [23,  dc b5 85 a7 a8 72 fa d4 92 a5 45 76 64 b6 d6 a8 ]

[DEBUG] Thu May 28 11:11:17 EST 2015 jcsi.kerberos:  decrypted ticket: Ticket:   encryption type: 23 (DECRYPTED OK)

So far so good.

BUT, when I test silent SSO from another machine I get AD Prompt dialog instead of going straight in. Before I included keytab file this worked !!

What's wrong now ?

Question:

1. I now understand that the KeyTab method is optional. So I tried to revert my KeyTab changes, but I could not get silent SSO to work like it worked 2 days ago. How do I revert my KeyTab changes?

2. Is it even possible to easily revert KeyTab modifications? What do I need to do? Do I need to start again, or from some point in the SSO setup process?

Hope you can help me with this one.

Regards,

Davor

former_member926196
Active Participant
0 Kudos

Hi Davor,

Stop Tomcat and remove the idm.keytab parameter from global.properties, hardcode the password again in Tomcat config >> Java options, clear the cache by renaming the latest localhost under the Catalina folder, clear the browser cache and start Tomcat.

Regards,
Ambarish

Former Member
0 Kudos

Hi Ambarish,

Thanks for your help.

Done all of what you suggested earlier and still no go.

What's worse, I can't even get into CMC anymore as I am getting this error:

"Account information not recognized: Could not reach CMS. Specify the correct host and port and check for network issues. (FWM 20030)"

What do I do now ?

I am thinking of starting again with SSO, creating a fresh service account, etc. Any gotchas here?

And , NO MORE KEYTAB crap, as it is completely optional.

I fear I'll have to reinstall everything and start from scratch. I hope and pray I won't have to do this.

Kind Regards,

Davor

former_member926196
Active Participant
0 Kudos

Hi Davor,

Can you check if you observe any changes in the service account properties on AD Server?

As far as the below error is concerned

Account information not recognized: Could not reach CMS. Specify the correct host and port and check for network issues. (FWM 20030)


Can you check if you are able to login into CMC from BO server ? Try restarting SIA and check in the task manager >> process to verify if the process are visible.


Regards,

Ambarish


Former Member
0 Kudos

Hi Ambarish,

There were no service account changes on AD.

As I said, I can't log into CMC on the BO server even through Enterprise authentication because of the "Account information cannot be recognized..." error.

I've tried restarting the SIA, still no go. I stopped the SIA and inspected what it is running under: it is my service account.

Task manager: couldn't find the SIA there. Maybe it is under a different name.

This is crazy. It looks as if I can't get into the CMC, which means I have to install. Damn!! Damn!!

What do I do now ?

Many thanks Ambarish for all of your effort here.

Kind Regards,

Davor

former_member926196
Active Participant
0 Kudos

Hi Davor,

Check event viewer under application logs for any possible error.

Verify if you are able to login into CCM >> Manage server using administrator account. Observe the CPU usage and memory consumption of CMS.exe in task manager

Regards,
Ambarish

Former Member
0 Kudos

Thanks, Ambarish.

As of this morning at least I can log onto CMC via Enterprise Authentication. Yesterday, I could not.

As far as my problem with silent SSO setup involving KeyTab file, it is still not working.

I'll repeat the whole SSO setup without the last KeyTab file step.

This is what I am planning to do:

1. Create new service account

2. Delete SPNs for old service account

3. Create SPNs for new service account

...etc, continue the SSO process

Any gotchas here that I need to be mindful of ?

Many thanks for your help.

former_member926196
Active Participant
0 Kudos

Well you need to change the SIA service account, CMC >> AD Authentication >> AD Administration Name as well.

Regards,

Ambarish

Former Member
0 Kudos

Thanks, Ambarish.

I am in the process of re-doing SSO.

Many thanks for your help.

Regards,

Davor

Answers (1)


former_member205064
Active Contributor
0 Kudos

Your Service account is not required to be a member of BusinessObjects AD Group.

I think Mobile SSO is still not possible, but for SharePoint it is possible.

For SharePoint you can refer to these links:

What is the error message you get for manual as well as SSO logon after step 9?

Also try checking after restarting Tomcat and rebuilding the Tomcat cache.

-Raunak

Former Member
0 Kudos

Hi Raunak,

Thank you for your response.

I examined stderr log. Could not find any errors there except these warnings:

WARNING: [SetContextPropertiesRule]{Context} Setting property 'trusted' to 'false' did not find a matching property.

Or

WARNING: [SetContextPropertiesRule]{Context} Setting property 'debug' to '0' did not find a matching property.

You suggested rebuilding the tomcat cache. Does this mean deleting Catalina folder ?

Regards,

Davor

former_member205064
Active Contributor
0 Kudos

Stop Tomcat, rename the localhost folder inside the Catalina folder, and start Tomcat.

What is the error you get?