Overview
Business Objects Enterprise XI Release 2 has extended its Java
Application server functionality with Active Directory (AD) to include
single sign-on (SSO) capability in Service Pack 2. This document will
explain how to setup this configuration and will discuss some specific
configurations and explain how to configure this on common Java
applications servers.
Contents
INTRODUCTION ............................................................................................ 1
CONFIGURING ACTIVE DIRECTORY ............................................................... 1
How to determine the AD functional Level .................................................1
Windows 2000 Functional Level .................................................................2
Windows 2003 Functional Level .................................................................2
CREATING THE VINTELA SERVICE ACCOUNT ................................................. 3
Windows 2000 Domain Account Creation..................................................3
Windows 2003 Domain Account Creation..................................................3
CREATING THE KEYTAB FILE ........................................................................ 5
CONFIGURING THE JAVA APPLICATION SERVER FOR VINTELA ....................... 5
Increasing the header size limit of your Java application server ..................5
Apache Tomcat 5.0.27..................................................................................6
WebLogic specific information.....................................................................8
Updating the desktop.war package.............................................................10
CONFIGURING THE CENTRAL MANAGEMENT CONSOLE FOR JAVA SSO....... 10
CONFIGURING THE WEB BROWSER FOR SSO.............................................. 11
Configuring Firefox 2.0 .............................................................................11
Configuring IE 6.0 and IE 7.0 ...................................................................12
Testing Vintela SSO to InfoView..............................................................12
TROUBLESHOOTING VINTELA SSO TO INFOVIEW ....................................... 13
Alternate URL for Manual AD authentication.........................................13
Java Application server logs.......................................................................13
Java WCA Tracing.....................................................................................13
Kerberos Debugging ..................................................................................14
6/29/2007 2:07 PM
Page 1
boe_xi_r2_end_to_end_sso_for_java_using_vintela.pdf
Configuring End to End SSO with AD for Java App servers using Vintela
Introduction
BusinessObjects XI Release 2 SP2 has extended AD authentication
through a Java application server. This has been made possible by
integrating a 3rd party application called Vintela into Service Pack 2.
To implement this solution successfully, you will need the following:
CAUTION
Do not proceed with this document until Java AD authentication is working properly.
Confirm you can log on to Java InfoView as an AD user account. This can be completed
by reading the following guide boe_xi_r2_AD_authentication_on_Java_App_Servers.pdf.
Properties, and this will indicate what domain mode or functional level
your domain is operating at.
NOTE
You cannot determine the Domain Functional Level by the Operating system running on
the domain controller. It is possible for a domain controller with Windows 2003 installed to
be running a 2000 domain functional level.
Figure 1
In a 2003 Functional Level Domain, the Account is trusted for delegation option has
been replaced with the Delegation tab. This tab only exists once an SPN has been set for
the account, which is discussed later in this document.
After setting the SPN using the ktpass command, the actual logon name is modified in
AD. If you do not reset the password, you may receive Kerberos integrity check failures.
9. Select Trust this user for delegation to any service (Kerberos only).
NOTE
This user account created for Vintela does NOT run any services in the Business Objects
Enterprise framework or the application server.
This document describes unconstrained delegation. If you intend to use constrained
delegation, first configure the system as outlined in this document. Only after validating
that SSO works, take the additional steps to constrain the account.
If you are using the version of Tomcat installed with BusinessObjects Enterprise
on Windows, and you did not modify the default installation location, replace
<TomcatDeployedLocation> with C:\Program Files\Business Objects\Tomcat\
If you are using any other supported web application server, consult the
documentation for your web application server to determine the appropriate
path.
2. Find the corresponding <Connector > tag for the port number you
have configured. If you are using the default port of 8080, find the
<Connector > tag with port=8080 in it.
For example:
<Connector URIEncoding="UTF-8" acceptCount="100"
connectionTimeout="20000" debug="0"
disableUploadTimeout="true" enableLookups="false"
maxSpareThreads="75" maxThreads="150"
minSpareThreads="25" port="8080" redirectPort="8443" />
NOTE
This section discusses how to modify the web.xml as it exists on the file system, which is a
temporary copy. These changes will be lost if the Java application WAR files are re-deployed.
Please see the Updating the desktop.war package section for more information.
1. Open the web.xml file for InfoView from its deployed location on
your web application server. This is where the InfoView web.xml
file is on Windows:
<DeployedLocation>\businessobjects\enterprise115\desktoplaunch
\WEB-INF.
NOTE
If you are using the version of Tomcat installed with BusinessObjects Enterprise on
Windows, and you did not modify the default installation location, replace
<DeployedLocation> with C:\Program Files\Business Objects\Tomcat\webapps
Parameter               Original <param-value>   New <param-value>
cms.default
authentication.default  secEnterprise            secWinAD
siteminder.enable       true                     false
vintela.enabled         false                    true
sso.enabled             false                    false

Parameter               Original <param-value>   New <param-value>
idm.realm                                        YOUR_REALM
idm.princ                                        YOUR_PRINCIPAL
idm.allowNTLM           false                    false
idm.allowUnsecured                               true
NOTE
When specifying the location of the keytab file, use the forward slash / for directory
locations. Make sure to place this section immediately after the idm.princ section in the
web.xml.
<init-param>
  <param-name>idm.realm</param-name>
  <param-value>YOUR_REALM</param-value>
</init-param>
<init-param>
  <param-name>idm.princ</param-name>
  <param-value>HTTP/HOST.DOMAIN.COM</param-value>
</init-param>
<init-param>
  <param-name>idm.keytab</param-name>
  <param-value>PATH_TO_YOUR_KEYTAB</param-value>
</init-param>
<init-param>
  <param-name>idm.allowUnsecured</param-name>
  <param-value>true</param-value>
</init-param>
<init-param>
  <param-name>idm.allowNTLM</param-name>
  <param-value>false</param-value>
</init-param>
<init-param>
  <param-name>idm.logger.name</param-name>
  <param-value>simple</param-value>
  <description>The unique name for this logger.</description>
</init-param>
<init-param>
  <param-name>idm.logger.props</param-name>
  <param-value>error-log.properties</param-value>
  <description>Configures logging from the specified file.</description>
</init-param>
<init-param>
  <param-name>error.page</param-name>
  <param-value>/InfoView/logon/vintelaError.jsp</param-value>
  <description>The URL of the page to show if an error occurs during authentication.</description>
</init-param>
</filter>
<filter-mapping>
  <filter-name>authFilter</filter-name>
  <url-pattern>/InfoView/logon/logon.do</url-pattern>
</filter-mapping>
NOTE
WebLogic will overwrite your changes in the web.xml every time the WebLogic service is
restarted. To make these changes permanent, see the next section, Updating the
desktop.war package.
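A helper script, added here and not part of the BusinessObjects or Vintela product, that applies the web.xml settings above to a copy of desktop.war and checks for the mistakes this document warns about (a backslash path in idm.keytab, an idm.princ that is not the HTTP/ SPN, the old secEnterprise or siteminder values left in place). The function names, the sample host name and the SAMPLE_WEB_XML fragment are assumptions of this example.

```python
import re
import zipfile

def _param_re(name):  # regex, not an XML parser, so comments and layout in web.xml survive
    return re.compile(r"(<param-name>\s*%s\s*</param-name>\s*<param-value>)(.*?)(</param-value>)"
                      % re.escape(name), re.S)

def get_param(xml_text, name):
    m = _param_re(name).search(xml_text)
    return None if m is None else m.group(2).strip()

def set_param(xml_text, name, value):
    new_text, n = _param_re(name).subn(lambda m: m.group(1) + value + m.group(3), xml_text, 1)
    if n == 0:
        raise KeyError("web.xml has no <param-name>%s</param-name>" % name)
    return new_text

def check_vintela(xml_text):
    """Return the mistakes this document warns about; an empty list means the file is ready."""
    problems = []
    expected = {"authentication.default": "secWinAD", "siteminder.enable": "false",
                "vintela.enabled": "true", "idm.allowNTLM": "false"}
    for name, want in expected.items():
        if get_param(xml_text, name) != want:
            problems.append("%s must be %s" % (name, want))
    princ = get_param(xml_text, "idm.princ") or ""
    if not princ.startswith("HTTP/"):
        problems.append("idm.princ must be the HTTP/<host> SPN, got %r" % princ)
    keytab = get_param(xml_text, "idm.keytab") or ""
    if not keytab or "\\" in keytab:  # the document requires forward slashes here
        problems.append("idm.keytab must be set and use forward slashes")
    return problems

def patch_war(war_path, out_path, updates):  # writes a new WAR; the original is never edited in place
    with zipfile.ZipFile(war_path) as src, zipfile.ZipFile(out_path, "w") as dst:
        for info in src.infolist():
            data = src.read(info.filename)
            if info.filename == "WEB-INF/web.xml":  # the entry this document edits
                text = data.decode("utf-8")
                for name, value in updates.items():
                    text = set_param(text, name, value)
                data = text.encode("utf-8")
            dst.writestr(info, data)
    return out_path

# Constructed (hypothetical) fragment in the shape of the shipped web.xml, before any edits.
SAMPLE_WEB_XML = "<filter>" + "".join(
    "<init-param><param-name>%s</param-name><param-value>%s</param-value></init-param>\n" % kv
    for kv in [("authentication.default", "secEnterprise"), ("siteminder.enable", "true"),
               ("vintela.enabled", "false"), ("idm.princ", "YOUR_PRINCIPAL"),
               ("idm.keytab", "PATH_TO_YOUR_KEYTAB"), ("idm.allowNTLM", "false")]) + "</filter>"
```

Run check_vintela on the patched text before repacking; a non-empty list is the cause of a failed SSO logon more often than anything in the Kerberos configuration.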
The following steps require your Java JRE or J2SDK's bin folder to be added to
your PATH environment variable. By default, BOEXIR2 installs a version of the J2SDK in
the following location:
C:\Program Files\Business Objects\j2sdk1.4.2_08\bin
Included with Windows 2003 operating systems are IE 6.0 and Internet Explorer
Enhanced Security Configuration. This feature of Windows 2003 may make it difficult
to make changes to IE's security configuration.
8. Click OK.
NOTE
To add more than one URL, separate the values with a comma. For example:
http://devxir2.bobj.com,http://uatxir2.bobj.com,http://prodxir2.bobj.com
For Windows 2003 clients using IE, make sure that Internet Explorer
Enhanced Security Configuration is not interfering with the
configuration changes you need to make.
Confirm you are logging onto the Java InfoView with a typical AD
user account, not a service or domain administrator account.
SSO will not work if you are logged onto the same machine as
the Java application server. For example, machine A has Tomcat
installed and you log on to machine A with an AD account. If you
try to access Java InfoView from there, SSO will fail. This is a known
Vintela issue.
This URL is case sensitive. Make sure you have a capital F in logonForm.do.
Where $TOMCAT_INSTALL is the directory to which Tomcat has been installed.
Kerberos Debugging
By default, Kerberos messages are not logged to the application server's
log files. To enable Kerberos debugging, add the following to the
bscLogin.conf:
debug=true
Your bscLogin.conf file would then look like the following:
com.businessobjects.security.jgss.initiate {
    com.sun.security.auth.module.Krb5LoginModule
    required debug=true;
};
These Kerberos messages will be written to the application server's log
files. For Tomcat, this file is the stdout.log discussed above.
Remove this registry value when it is no longer needed so that performance is not
degraded on the computer. You can also remove this registry value to disable Kerberos
event logging on a specific computer.
You can find any Kerberos-related events in the system log. This is also
documented in Microsoft's Knowledge Base article 262177.
1. From the client machine, make sure you have reset the user's
password.
2. On the Tomcat machine, navigate to Network Connections > Local
Area Connection > (right-click) Properties > Internet Protocol
(TCP/IP) > Properties > Advanced.
3. Confirm Use this connection's DNS suffix in DNS registration is
selected.
4. Add the correct domain to the DNS suffix for this connection.
CAUTION
DO NOT proceed to the next section until SSO to the Java InfoView has been configured
and properly tested to be in working condition.
Connection Server
If the CMS cache expiry is greater than that of the ticket, the
system renews the ticket until the CMS cache expiry is reached.
If the CMS cache expiry is less than that of the ticket, the ticket
will expire when the CMS cache expiry is reached.
If the CMS cache expiry is zero, the system will use the globally
set ticket expiry.
The other servers use either the cache expiry or the ticket expiry,
whichever has the lowest value. Regardless of whether the cache expiry
for the server is greater or less than that of the ticket, the ticket will
expire when the lowest expiry value is reached. The system comes
configured with default values for the server cache expiry of 86400
seconds or 24 hours.
To change the default cache expiry value:
1. Go to the Servers management area of the CMC.
2. Click the link for the server.
3. Click the Single Sign-On tab.
4. Type in a new cache expiry value.
5. Click Update.
Note: If you are running multiple instances of a particular server, you
can control the cache expiry for each instance individually.
Creating Connections
This next section explains how to create various connections.
6. Click Next > Next > Finish > Test Data Source button and you
should see TEST COMPLETED SUCCESSFULLY!
7. Click OK and click OK to save your DSN.
8. Verify that your ODBC connections are using KERBEROS instead of
NTLM. Steps on how to do this are in the section Testing ODBC
Data source connections.
5. Optionally, Microsoft SQL Server 2005 can report the authentication
package used by each SQL connection. To collect this
information, log on to SQL Server 2005 Management Studio and
run the following SQL query:
select auth_scheme, client_net_address from
sys.dm_exec_connections
The result of this query should show the ODBC client's IP address as
well as KERBEROS under the auth_scheme column.
The third party products discussed in this white paper were not fully tested in conjunction
with BusinessObjects XI R2 prior to its release. Officially supported BusinessObjects XI
R2 platforms are listed on the supported platforms web site.
The information in this document is provided as a courtesy to assist our customers with
the configuration of our product in conjunction with these third party platforms.
In the event issues arise with an unsupported configuration, there is no escalation
support; however, they will be considered during the development of the next generation
of our product.