Skip to Content
SAP Data Services

EIM AD / SSO Tips & Tricks

Tags:

This paper combines all the steps from the BI4.x, DS 4.x, FIM 10 and Intercompany 10 Administrator’s Guide with the latest best practices and all the latest SAP KBAs regarding vintela, kerberos and java AD configuration. It is specifically written for Platform 4.x and will not work with earlier versions of XI.

Assumptions & Prerequisites

·         Review the BI4 and DS4 Product Availability Matrix (PAM) to ensure your client and server operating systems, browsers and Active Directory versions are supported.

·         Windows AD authentication only works if the CMS is run on Windows. For single sign-on to the database, the reporting servers must also run on Windows. These Windows machines must be joined to the appropriate AD domain.

·         For multiple AD Forest environments please refer to KBA 1323391

Section 1 – Configure IPS / BI Platform  for AD authentication

Refer to KBA 1631734 to configure Active Directory for IPS / BI Platform and Tomcat server. Following are the high level steps covered by this KBA

i)         AD Service Account Configuration on Windows AD server

ii)        Configure the AS plugin on CMC

iii)       Configure all services to run on new service account

iv)       Configure manual AD to Java Application Servers (Tomcat)

v)        Configure BI Launchpad and CMC for manual AD

vi)       Configure Active Directory SSO on Tomcat

The following sections focus on the additional configurations required to enable AD authentication and SSO (where supported) on client components for BI and EIM 4 stack.

Additional Tips: -

a)   SSO will not work from the Tomcat Server, use client machine for tests

b)   Create SPNs for all application URLs for hostnames and FQDN (Fully Qualified Domain Names)

c)   If load balancer is configured, create SPN for all URLs of load balancers (including FQDNs)

d)   If there are multiple domain controllers for AD authentication, configure all of them in the [Realms] section of krb5.ini

e)   If you are not able to locate Tomcat properties shortcut, run the following command on command line to open the configuration (Example is for Tomcat6)

Tomcat6w //ES/<Service Name>

Where <Service name> can be found from windows services i.e. the name under which Tomcat service is running. By default the name is BOEXI40Tomcat

f)    In multi-server architecture, KBA needs to be applied on all the machines running IPS / BI platform and application servers

g)   Not all products support SSO, however most of them support Windows AD. Refer to product admin guides for details

h)   SSO does not work for CMC for security reasons, however manual AD is supported

Section 2 – Configuring BI Clients for AD Authentication

In Section 1, we have already configured the CMC and BI Launchpad to run for AD and SSO. This section focuses on remaining client tools (where additional configuration is required)

Information Design Tool (IDT) AD Configuration

On each client machine, navigate to InformationDesignTool.ini at the following path

<LINK_DIR>\SAP BusinessObjects Enterprise XI 4.0\ win32_x86

Add the following configuration (Ensure that IDT application is not running)

-Djava.security.auth.login.config= c:\windows\bscLogin.conf

-Djava.security.krb5.conf=c:\windows\krb5.ini

Note: - While running the application, enter the SYSTEM name and Authentication method to ‘Windows AD’, leaving ‘User Name’ and ‘Password’ blank

Universe Designer AD Configuration

No additional configuration is required. While running the application, enter the SYSTEM name and Authentication method to ‘Windows AD’, leaving ‘User Name’ and ‘Password’ blank.

Web Intelligence Rich Client AD Configuration

No additional configuration is required. While running the application, enter the SYSTEM name and Authentication method to ‘Windows AD’, leaving ‘User Name’ and ‘Password’ blank.

LCM (Life Cycle Management) SSO Configuration

Create a file LCM.properties at the following path

<LINK_DIR>\Tomcat6\webapps\BOE\WEB-INF\config\custom\

Update the file with the following contents

  1. authentication.visible=true
  2. authentication.default=secWinAD
  3. cms.default=<cmc-name>:<cmc-port>

Note: - Tomcat restart is required for the changes to be effective and perform the changes on all application servers for .properties file change

Section 3 – Configuring Data Services 4.x and FIM 10 for AD Authentication

Data Services Designer AD Configuration

No additional configuration is required. While running the application, enter the SYSTEM name and Authentication method to ‘Windows AD’, leaving ‘User Name’ and ‘Password’ blank.

Data Services Management Console AD Configuration

Ensure that Section 1 is performed on all the application server machines where DS Management Console application is running

FIM AD Configuration

Navigate to FIM (Financial Information Management) administration console web application and select the option ‘Configure Financial Information Management Server’.

Check the option ‘Show Authentication Mode’. This will enable FIM application to show additional drop down for selecting the authentication mode

Section 4 – Configuring Intercompany 10 for AD authentication

Intercompany AD Configuration

Navigate to Intercompany Administration console web application and select ‘Authentication’. Set the authentication mode to ‘BusinessObjects’ from drop down and ensure that correct CMS server is set.

To configure the users on Intercompany application to use AD authentication, perform the following for each user

a)     Log on to Intercompany application for business users

b)    Navigate to Users tab to add new users

c)     Click ‘Add New’ and select the following options

Authentication Mode:- Business Objects Security

Code:- Domain ID for account for which AD authentication will happen

Associated External Login:- Domain ID for account

User Profile:- As per requirement

Note: -

1)     Intercompany application is an exception and does not re-use CMC users, however new users are required to be created and mapped in Intercompany application

2)   There will be no authentication drop down available for Intercompany business application. The application will decide based on account name and password supplied i.e. If account belongs to both enterprise and AD, the password will decide on authentication type (assuming both types of authentication is allowed on server)

References

BI 4 Documentation: http://help.sap.com/

EIM 4 Documentation: http://help.sap.com/

FIM 10 Documentation: http://help.sap.com/

Intercompany 10 Documentation: http://help.sap.com/

SAP Knowledge Base Articles: http://service.sap.com/bosap-support

SAP SDN Business Objects User  forums (requires free registration) https://www.sdn.sap.com/irj/sdn/businessobjects-forums

Appendix

Key Terms

Some terms or acronyms we will be referring to throughout this document

AD Plugin – The area in the CMC where the query account is entered, SPN is set, and group mapping rules are configured

AD – Active Directory – Microsoft’s directory server

CMC – Web Admin tool used to configure the CMS service and other parameters for Business Objects Enterprise

FQDN – The Fully Qualified Domain Name.  For example, the FQDN of your Tomcat server may be Tomcat01.SAP.COM

SPN – Service Principal Name refers to an additional alias and attribute to an AD account. Various tools can be used to add an SPN to an AD account. The SPN is a primary access point for kerberos applications.

SSO - Single Sign-On – The ability to access an application without entering login credentials also known as silent sign-on, automatic logon, etc

Service account – Refers to an Active Directory user with special permissions (such as a fixed, non- changing password or SPN)

Copyright

© Copyright 2013 SAP AG. All rights reserved.

No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice.

Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors.

Microsoft, Windows, Excel, Outlook, and PowerPoint are registered trademarks of Microsoft Corporation.

IBM, DB2, DB2 Universal Database, System i, System i5, System p, System p5, System x, System z, System z10, System z9, z10, z9, iSeries, pSeries, xSeries, zSeries, eServer, z/VM, z/OS, i5/OS, S/390, OS/390, OS/400, AS/400, S/390 Parallel Enterprise Server, PowerVM, Power Architecture, POWER6+, POWER6, POWER5+, POWER5, POWER, OpenPower, PowerPC, BatchPipes, BladeCenter, System Storage, GPFS, HACMP, RETAIN, DB2 Connect, RACF, Redbooks, OS/2, Parallel Sysplex, MVS/ESA, AIX, Intelligent Miner, WebSphere, Netfinity, Tivoli and Informix are trademarks or registered trademarks of IBM Corporation.

Linux is the registered trademark of Linus Torvalds in the U.S. and other countries.

Adobe, the Adobe logo, Acrobat, PostScript, and Reader are either trademarks or registered trademarks of Adobe Systems Incorporated in the United States and/or other countries.

Oracle is a registered trademark of Oracle Corporation.

UNIX, X/Open, OSF/1, and Motif are registered trademarks of the Open Group.

Citrix, ICA, Program Neighborhood, MetaFrame, WinFrame, VideoFrame, and MultiWin are trademarks or registered trademarks of Citrix Systems, Inc.

HTML, XML, XHTML and W3C are trademarks or registered trademarks of W3C®, World Wide Web Consortium, Massachusetts Institute of Technology.

Java is a registered trademark of Sun Microsystems, Inc.

JavaScript is a registered trademark of Sun Microsystems, Inc., used under license for technology invented and implemented by Netscape.

SAP, R/3, SAP NetWeaver, Duet, PartnerEdge, ByDesign, SAP Business ByDesign, and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and other countries.

Business Objects and the Business Objects logo, BusinessObjects, Crystal Reports, Crystal Decisions, Web Intelligence, Xcelsius, and other Business Objects products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of Business Objects S.A. in the United States and in other countries. Business Objects is an SAP company.

All other product and service names mentioned are the trademarks of their respective companies. Data contained in this document serves informational purposes only. National product specifications may vary.

These materials are subject to change without notice. These materials are provided by SAP AG and its affiliated companies ("SAP Group") for informational purposes only, without representation or warranty of any kind, and SAP Group shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP Group products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty.



No comments