
SAP BI 4.1 SP5 - Vintela setup - No silent SSO issue

Hi,

Hope you experts can help me with this issue.

I am doing SSO setup on SAP BI 4.1 SP5 on Windows Server 2012 R2. I have followed the process as outlined in the article at http://scn.sap.com/blogs/josh_fletcher/2012/06/11/active-directory-sso-for-sap-businessobjects-bi4.

I am stuck at Step 9, as I cannot get silent SSO no matter what. I understand a lot of people have had this issue and there have been a lot of discussions in the SAP blog about it, and I've read all of them.

However, does anyone have a solution for this problem?

Here are my configurations (with sanitized domain names):

Environment:

Domain Name: XXXXCO (FQDN: CORP.XXXXCO.COM)

BO Service Account: CMS41SVC (password: F4M34!xl )

Domain Controller: VM-DC-GH-01.CORP.XXXXCO.COM

BusinessObjects Server: DEV-BOB-APP-01.CORP.XXXXCO.COM

BusinessObjects AD Group: XXXXCO\DL-Business Objects

krb5.ini file
----------------
[libdefaults]
default_realm = CORP.XXXXCO.COM
dns_lookup_kdc = true
dns_lookup_realm = true
default_tgs_enctypes = rc4-hmac
default_tkt_enctypes = rc4-hmac
udp_preference_limit = 1

[realms]
CORP.XXXXCO.COM = {
    kdc = VM-DC-GH-01.CORP.XXXXCO.COM
    default_domain = CORP.XXXXCO.COM
}

bscLogin.conf file
---------------------------------
com.businessobjects.security.jgss.initiate {
    com.sun.security.auth.module.Krb5LoginModule required debug=true;
};

BIlaunchpad.properties file
--------------------------------------------
authentication.visible=true
authentication.default=secWinAD
sso.types.and.order=vintela

global.properties file
-------------------------------------
sso.enabled=true
siteminder.enabled=false
vintela.enabled=true
idm.realm=CORP.XXXXCO.COM
idm.allowUnsecured=true
idm.allowNTLM=false
idm.logger.name=simple
idm.logger.props=error-log.properties

Tomcat added options
-----------------------------------------
...
-Djava.security.auth.login.config=c:\windows\bscLogin.conf
-Djava.security.krb5.conf=c:\windows\krb5.ini
-Dcom.wedgetail.idm.sso.password=F4M34!xl
-Djcsi.kerberos.debug=true

What I've done so far:

-All steps 1-8 verified (as per Josh's article above)

-(NOTE: Under Delegation tab for service account CMS41SVC, turned on ‘Trust this user for delegation to any service (Kerberos only)’.)

-I can get the ticket with kinit CMS41SVC.

-There are no duplicate SPNs.

-I got "commit succeeded" after step 8 and was able to get Manual AD access to the system with AD accounts.

-After application of step 9 I do not get silent SSO and, perhaps not surprisingly, cannot log in with AD accounts any more.

I have not performed the keytab steps as this is a showstopper, I guess.

What is wrong here? Any suggestions?

Some additional questions:

- Does my service account CMS41SVC need to be a member of the BusinessObjects AD Group: XXXXCO\DL-Business Objects? In my setup it is not.

- Further, what is the impact of SSO on deployment of the Mobile server? If we manage to set up SSO, will it be propagated to Mobile clients?

- Is there a special process for setting up Mobile clients for a platform with SSO set up?

- Similarly, what is the impact of SSO on integration with SharePoint?

- Is there a special process for setting up SharePoint integration for a platform with SSO set up?

Many thanks for your help in the past and your effort regarding this one.

Regards,

Davor Mitrasevic

Former Member replied

Hi Davor,

Can you list the service account's SPNs with the command below and paste the output?

setspn -l service_account

Also make sure there are no white spaces in either the global.properties file or the Tomcat config >> Java options.

To delete the Tomcat cache, stop Tomcat and navigate to <Tomcat install dir>/work/Catalina. Rename localhost to localhost_old and start Tomcat. Starting it will rebuild the cache.

You can also clear browser cache and then try to execute the URL.

-Ambarish-

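One way to run the whitespace check suggested in the reply above over global.properties and the Tomcat Java options, as an added example that is not part of the original thread. The function name and the sample lines are constructed for illustration; paste the real file contents in their place.

```python
import re

# Constructed sample input, not the poster's real files.
SAMPLE_GLOBAL_PROPERTIES = (
    "sso.enabled=true\n"
    "vintela.enabled=true \n"          # trailing space
    "idm.realm = CORP.EXAMPLE.COM\n"   # spaces around '='
    "idm.allowNTLM=false\u00a0\n"      # trailing non-breaking space (web copy/paste)
)
SAMPLE_JAVA_OPTIONS = (
    "-Djava.security.krb5.conf=c:\\windows\\krb5.ini\n"
    "-Djava.security.auth.login.config=c:\\windows\\bscLogin.conf \n"  # trailing space
    " -Djcsi.kerberos.debug=true\n"                                    # leading space
)


def find_whitespace_issues(text, kind):
    """Return (line_no, problem, repr_of_line) for every suspicious line.

    kind is "properties" (key=value file) or "javaopts" (one -D option per line).
    """
    issues = []
    for no, raw in enumerate(text.splitlines(), 1):
        # Skip blank lines and properties-style comments.
        if not raw.strip() or raw.lstrip().startswith(("#", "!")):
            continue
        if raw != raw.rstrip():   # str.rstrip() also catches tabs and U+00A0
            issues.append((no, "trailing whitespace", repr(raw)))
        if raw != raw.lstrip():
            issues.append((no, "leading whitespace", repr(raw)))
        body = raw.strip()
        if kind == "properties":
            key, sep, value = body.partition("=")
            if sep and (key != key.rstrip() or value != value.lstrip()):
                issues.append((no, "whitespace around '='", repr(raw)))
        elif kind == "javaopts" and re.search(r"\s", body):
            # A path containing spaces is also reported here; review it by hand.
            issues.append((no, "whitespace inside option", repr(raw)))
    return issues


if __name__ == "__main__":
    for name, text, kind in (
        ("global.properties", SAMPLE_GLOBAL_PROPERTIES, "properties"),
        ("Java options", SAMPLE_JAVA_OPTIONS, "javaopts"),
    ):
        for no, problem, shown in find_whitespace_issues(text, kind):
            print(f"{name}:{no}: {problem}: {shown}")
```

The repr() of each flagged line is printed so that invisible characters such as a tab or a non-breaking space show up as escape sequences.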