BusinessObjects Enterprise XI Release 2 Service Pack 2
Configuring End to End SSO with Active Directory for Java Application servers using Vintela

Overview
BusinessObjects Enterprise XI Release 2 has extended its Java
application server integration with Active Directory (AD) to include
single sign-on (SSO) capability in Service Pack 2. This document
explains how to set up this configuration, discusses some specific
settings, and shows how to configure it on common Java application
servers.

Contents
INTRODUCTION ............................................................................................ 1
CONFIGURING ACTIVE DIRECTORY ............................................................... 1
How to determine the AD functional Level .................................................1
Windows 2000 Functional Level .................................................................2
Windows 2003 Functional Level .................................................................2
CREATING THE VINTELA SERVICE ACCOUNT ................................................. 3
Windows 2000 Domain Account Creation..................................................3
Windows 2003 Domain Account Creation..................................................3
CREATING THE KEYTAB FILE ........................................................................ 5
CONFIGURING THE JAVA APPLICATION SERVER FOR VINTELA ....................... 5
Increasing the header size limit of your Java application server ..................5
Apache Tomcat 5.0.27..................................................................................6
WebLogic specific information.....................................................................8
Updating the desktop.war package.............................................................10
CONFIGURING THE CENTRAL MANAGEMENT CONSOLE FOR JAVA SSO....... 10
CONFIGURING THE WEB BROWSER FOR SSO.............................................. 11
Configuring Firefox 2.0 .............................................................................11
Configuring IE 6.0 and IE 7.0 ...................................................................12
Testing Vintela SSO to InfoView..............................................................12
TROUBLESHOOTING VINTELA SSO TO INFOVIEW ....................................... 13
Alternate URL for Manual AD authentication.........................................13
Java Application server logs.......................................................................13
Java WCA Tracing.....................................................................................13
Kerberos Debugging ..................................................................................14

6/29/2007 2:07 PM

Copyright 2007 Business Objects. All rights reserved.

Page 1

Manually testing the Keytab file................................................................14


Java Crypto and Security Implementation Debugging .............................14
Check for Duplicate SPN Entries ..............................................................15
Kerberos Event Log messages ....................................................................15
Hard-coded password Keytab workaround ................................................16
COMMON ERROR MESSAGES ..................................................................... 16
Ticket Service Name and the GSS name do not match ..............................16
CONFIGURING SINGLE-SIGN-ON TO THE DATABASE ................................... 17
Configuring the Database server ...............................................................17
Configuring the Java Application server ...................................................18
Configuring the BOEXIR2 Processing servers .........................................18
Server cache expiry ....................................................................................19
CREATING CONNECTIONS .......................................................................... 19
Creating SYSTEM ODBC Data source connections ................................19
Creating Universe connections..................................................................20
Creating Crystal Reports Connections ......................................................21
TESTING VINTELA SSO TO THE DATABASE ................................................ 21
Testing ODBC Data source connections...................................................21
Testing Data source connections from Crystal Reports ............................23
Testing Data source connections from Designer for Universes.................23
Testing Reports from Infoview ..................................................................23
FINDING MORE INFORMATION .................................................................... 24

boe_xi_r2_end_to_end_sso_for_java_using_vintela.pdf

BusinessObjects Enterprise XI R2 SP2

Configuring End to End SSO with AD for Java App servers using Vintela

Introduction
BusinessObjects XI Release 2 SP2 extends AD authentication through a
Java application server. This has been made possible by integrating a
third-party component called Vintela into Service Pack 2. To implement
this solution successfully, you will need the following:

- Service Pack 2 for BusinessObjects XI Release 2 must be installed.
  The Vintela libraries are not included with any Service Pack 1
  release.
- The Domain Functional Level in which the AD is running (2000 mixed
  mode, 2000 native mode, or 2003 native mode).
- Administrative rights to the AD domain controller.
- Administrative rights to the BusinessObjects Enterprise XI Release 2
  system.
- Administrative rights to the Java application server.
- The Windows 2000/2003 support tools KTPASS.EXE and SETSPN.EXE. The
  installation program for this suite of tools, SUPTOOLS.MSI, is
  located in the \SUPPORT\TOOLS\ directory of the Windows installation
  CD.

CAUTION

Do not proceed with this document until Java AD authentication is working properly.
Confirm you can log on to Java InfoView as an AD user account. This can be completed
by following the guide boe_xi_r2_AD_authentication_on_Java_App_Servers.pdf.

CAUTION

If you are enabling Vintela SSO for Java InfoView on Windows, confirm IIS is not being
used on the same machine. The steps in this documentation will add a service principal
name (SPN), which will clash with the IIS SPN. This will cause IIS to no longer be able to
decrypt Kerberos tickets and IIS Windows Integrated Authentication to fail.

Configuring Active Directory


Vintela requires a separate service account to enable SSO. This must
be a separate account from the service account created for the Central
Management Server (CMS) service. The Vintela service account needs the
right to delegate on the domain. This guide discusses how to do this on
a Windows 2000 domain and on a Windows 2003 domain.

How to determine the AD functional Level


To determine the AD functional level, click Start > Settings > Control
Panel > Administrative Tools > Active Directory Users and Computers.
Right-click your domain name at the top of the hierarchy and click
Properties. The Properties dialog indicates what domain mode or
functional level your domain is operating at.

NOTE

You cannot determine the Domain Functional Level by the operating system running on
the domain controller. It is possible for a domain controller with Windows 2003 installed to
be running a 2000 domain functional level.

Figure 1

Windows 2000 Functional Level


Windows 2000 AD is Microsoft's first implementation of AD supporting
Kerberos. Windows 2000 AD does not support the more advanced features
of Kerberos, which are only available in Windows 2003 Active Directory.
Because of this, the two AD modes provide different account rights.
To confirm that you are running a Windows 2000 domain, open the
properties of a user account and view the user rights. If the right
"Account is trusted for delegation" is available, your domain is a
Windows 2000 domain. This specific right does not exist in Windows 2003
domains.

Windows 2003 Functional Level


In Windows 2003 AD, Microsoft extended the Kerberos functionality to
allow for a more secure directory. Because of this, Kerberos
configuration is slightly different and Windows 2003 user accounts do
not have the right "Account is trusted for delegation".

NOTE

In a 2003 Functional Level Domain, the right "Account is trusted for delegation" has
been replaced with the Delegation tab. This tab will only exist if an SPN has been set for
the account. This will be discussed later in this document.

Creating the Vintela service account


Now that we have determined which mode your AD domain is running
under, we can create the Vintela service account. Vintela will require a
separate service account to enable SSO. This account will need the rights
to delegate on the domain. This guide will explain how to create the
account on both Windows 2000 and Windows 2003 domains.

Windows 2000 Domain Account Creation


1. Launch Active Directory Users and Computers from the
   Administrative Tools program group.
2. Navigate to the desired container and click the Create a new user in
   the current container button on the toolbar.
3. Fill out the desired user ID and password.
4. Now that the account is created, select Properties of the user
   account.
5. Give this user account the following rights:
   - Account is trusted for delegation
   - Password never expires
   - Use DES encryption types for this account
6. On the domain controller, run the following command at the
   command line:
   ktpass -princ HTTP/HOST@REALM -mapuser user
   For example:
   ktpass -princ HTTP/DEVXIR2.BOBJ.COM@BOBJ.COM -mapuser vintelauser@BOBJ.COM
7. Reset the user's password in AD. After setting the SPN using the
   ktpass command, the actual logon name is modified in AD. If you
   do not reset the password, you may receive Kerberos integrity check
   failures.

Windows 2003 Domain Account Creation


1. Launch Active Directory Users and Computers from the
   Administrative Tools program group.
2. Navigate to the desired container and click the Create a new user in
   the current container button on the toolbar.
3. Fill out the desired user ID and password.
4. Now that the account is created, select Properties of the user
   account.
5. Give this user account the following rights:
   - Password never expires
   - Use DES encryption types for this account
6. On the domain controller, run the following command at the
   command line:
   ktpass -princ HTTP/HOST@REALM -mapuser user
   For example:
   ktpass -princ HTTP/DEVXIR2.BOBJ.COM@BOBJ.COM -mapuser vintelauser@BOBJ.COM
7. Reset the user's password in AD.

NOTE

After setting the SPN using the ktpass command, the actual logon name is modified in
AD. If you do not reset the password, you may receive Kerberos integrity check failures.

8. In Active Directory Users and Computers, right-click the vintelauser
   account and select Properties.

Figure 2

9. Select Trust this user for delegation to any service (Kerberos only).

NOTE

This user account created for Vintela does NOT run any services in the Business Objects
Enterprise framework or the application server.
This document talks about un-constrained delegation. If you intend on using constrained
delegation, configure the system as outlined in this document. Only after validating that
SSO works, take the additional steps to constrain the account.


Creating the Keytab file


A keytab contains the user account's principal name and its encryption
keys. This is how the vintelauser account is able to authenticate users
and obtain Kerberos tickets. This section guides you through creating a
keytab for the vintelauser account.
1. On the domain controller, run the following command:
   ktpass -out keytab_filename -princ HTTP/host@REALM -pass user_password -kvno 255 -crypto DES-CBC-MD5 -ptype KRB5_NT_PRINCIPAL
   For example:
   ktpass -out vintelauser.keytab -princ HTTP/DEVXIR2.BOBJ.COM@BOBJ.COM -pass rocketbooster -kvno 255 -crypto DES-CBC-MD5 -ptype KRB5_NT_PRINCIPAL
2. The outcome of this command should be similar to the following:
   Output keytab to vintelauser.keytab
   Keytab version: 0x502
   keysize 67 HTTP/DEVXIR2.BOBJ.COM@BOBJ.COM ptype 1 (KRB5_NT_PRINCIPAL) vno 255 etype 0x3 (DES-CBC-MD5) keylength 8 (0x12a34b56c12345)
3. The file vintelauser.keytab has been created in the current working
   directory. Copy this file to the Java application server machine that
   will serve the Java InfoView.

Configuring the Java Application server for Vintela


In this section, we explain how to configure your specific Java
application server to recognize that you intend to use Vintela and
where the keytab file exists on the Java application server.

Increasing the header size limit of your Java application server

AD creates a Kerberos token, which is used in the authentication process.
This token is carried in the HTTP header. Your Java application server
will have a default HTTP header size limit; ensure a minimum of 16384
bytes to avoid failures.
The following explains how to configure the HTTP header size with
Tomcat:


1. On the server with Tomcat installed, open the server.xml file. On
   Windows, this file is located at <TomcatDeployedLocation>/conf

NOTES

If you are using the version of Tomcat installed with BusinessObjects Enterprise
on Windows, and you did not modify the default installation location, replace
<TomcatDeployedLocation> with C:\Program Files\Business Objects\Tomcat\

If you are using any other supported web application server, consult the
documentation for your web application server to determine the appropriate
path.

2. Find the corresponding <Connector> tag for the port number you
   have configured. If you are using the default port of 8080, find the
   <Connector> tag with port="8080" in it.
   For example:
   <Connector URIEncoding="UTF-8" acceptCount="100"
   connectionTimeout="20000" debug="0"
   disableUploadTimeout="true" enableLookups="false"
   maxSpareThreads="75" maxThreads="150"
   minSpareThreads="25" port="8080" redirectPort="8443" />
3. Add the following attribute within the <Connector> tag (the value
   must be quoted, like every other attribute in the tag):
   maxHttpHeaderSize="16384"
   For example:
   <Connector URIEncoding="UTF-8" acceptCount="100"
   connectionTimeout="20000" debug="0"
   disableUploadTimeout="true" enableLookups="false"
   maxSpareThreads="75" maxThreads="150"
   maxHttpHeaderSize="16384" minSpareThreads="25"
   port="8080" redirectPort="8443" />
4. Save and close the server.xml.
5. Restart Tomcat.
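As an added example (not part of this guide and not Business Objects tooling), the following Python script checks the maxHttpHeaderSize attribute on the Tomcat connector for a given port and rewrites only that one tag when the value is missing or below 16384, leaving comments and the rest of server.xml untouched. The server.xml text it works on is a constructed sample built around the connector printed above; the Tomcat attribute names are real, the surrounding elements and the 8192 variant are assumed.

```python
import re

# The guide's minimum: the Kerberos token rides in the HTTP Authorization
# header and can exceed a small default limit.
MIN_HEADER_SIZE = 16384

CONNECTOR_RE = re.compile(r"<Connector\b[^>]*>")
ATTR_RE = re.compile(r'([\w:.-]+)\s*=\s*"([^"]*)"')


def find_connector(server_xml, port="8080"):
    """Return (match, attribute dict) for the <Connector> tag with this port, else (None, None)."""
    for m in CONNECTOR_RE.finditer(server_xml):
        attrs = dict(ATTR_RE.findall(m.group(0)))
        if attrs.get("port") == port:
            return m, attrs
    return None, None


def header_size(server_xml, port="8080"):
    """maxHttpHeaderSize configured on the connector, or None when the attribute is absent."""
    m, attrs = find_connector(server_xml, port)
    if m is None:
        raise ValueError("no <Connector> with port=%s in server.xml" % port)
    value = attrs.get("maxHttpHeaderSize")
    return int(value) if value is not None else None


def header_size_ok(server_xml, port="8080", minimum=MIN_HEADER_SIZE):
    """True when the connector already allows headers of at least `minimum` bytes."""
    size = header_size(server_xml, port)
    return size is not None and size >= minimum


def ensure_header_size(server_xml, port="8080", minimum=MIN_HEADER_SIZE):
    """Return server.xml text whose connector for `port` has maxHttpHeaderSize >= minimum.

    Only the matched <Connector ...> tag is rewritten; comments and the rest
    of the file are preserved byte for byte. Compliant input is returned as is.
    """
    if header_size_ok(server_xml, port, minimum):
        return server_xml
    m, attrs = find_connector(server_xml, port)
    tag = m.group(0)
    new_attr = 'maxHttpHeaderSize="%d"' % minimum
    if "maxHttpHeaderSize" in attrs:
        tag = re.sub(r'maxHttpHeaderSize\s*=\s*"[^"]*"', new_attr, tag)
    else:
        tag = tag.replace("<Connector", "<Connector " + new_attr, 1)
    return server_xml[:m.start()] + tag + server_xml[m.end():]


# Constructed sample: the default 8080 connector as printed in the guide,
# wrapped in the surrounding elements a Tomcat server.xml has.
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector URIEncoding="UTF-8" acceptCount="100"
               connectionTimeout="20000" debug="0"
               disableUploadTimeout="true" enableLookups="false"
               maxSpareThreads="75" maxThreads="150"
               minSpareThreads="25" port="8080" redirectPort="8443" />
  </Service>
</Server>
"""

# Same connector with a limit that is present but too small (constructed).
SMALL_SERVER_XML = SAMPLE_SERVER_XML.replace(
    'port="8080"', 'maxHttpHeaderSize="8192" port="8080"')

if __name__ == "__main__":
    for name, xml in (("default", SAMPLE_SERVER_XML), ("8192", SMALL_SERVER_XML)):
        fixed = ensure_header_size(xml)
        print("%s: %r -> %r" % (name, header_size(xml), header_size(fixed)))
```

To apply it to a real file, read server.xml into a string and write the result of ensure_header_size() back out, then restart Tomcat as in step 5. The script matches the tag as text rather than parsing the XML, so it will also see a <Connector> that sits inside a comment; make sure the port you pass is the live one.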

Apache Tomcat 5.0.27


NOTE

This discusses how to modify the web.xml as it exists on the file system as a temporary
file. These changes will be destroyed if the Java application WAR files are re-deployed.
Please see the Updating the desktop.war package section for more information.

1. Open the web.xml file for InfoView from its deployed location on
   your web application server. This is where the InfoView web.xml
   file is on Windows:
   <DeployedLocation>\businessobjects\enterprise115\desktoplaunch\WEB-INF

NOTE

If you are using the version of Tomcat installed with BusinessObjects Enterprise on
Windows, and you did not modify the default installation location, replace
<DeployedLocation> with C:\Program Files\Business Objects\Tomcat\webapps

2. Inside this file are a few parameters that need to be modified to
   allow for Vintela to work properly. Please see the following table for
   the changes required.

   param-name              Original param-value             New param-value
   cms.default             Your CMS name and port number    Your CMS name and port number
   authentication.default  secEnterprise                    secWinAD
   siteminder.enable       true                             false
   vintela.enabled         false                            true
   sso.enabled             false                            false

3. Find the following section in the web.xml file:
   <!-- Uncomment the following filter and mapping to enable the filter
   for Vintela SSO. Set idm.realm to the Active Directory realm where
   the server is in and idm.princ to the service principal name. -->
   Remove the comment start tag that immediately follows this
   comment as well as the corresponding end tag.
4. In this section find the following parameters and make the
   appropriate changes.
   param-name          Original param-value   New param-value
   idm.realm           YOUR_REALM             Default realm for AD. This should be the same value you set
                                              when you configured the default_realm in your krb5.ini file.
                                              Note: value must be in upper case.
   idm.princ           YOUR_PRINCIPAL         The SPN you created using ktpass. It must follow the format:
                                              HTTP/HOSTNAME.DOMAIN.COM
   idm.allowNTLM       false                  false
   idm.allowUnsecured  true                   true (false if you are using SSL)

5. An additional parameter must be created to allow us to specify the
   keytab location. Add the following code immediately after the
   idm.princ parameter and values.
   <init-param>
   <param-name>idm.keytab</param-name>
   <param-value>PATH_TO_YOUR_KEYTAB_FILE</param-value>
   </init-param>

NOTE

When specifying the location of the keytab file, use the forward slash / for directory
locations. Make sure to place this section immediately after the idm.princ section in the
web.xml.

6. Save and close the web.xml file.
7. Restart the application server.

WebLogic specific information


The configuration procedure for WebLogic is very similar to the Apache
Tomcat configuration explained above. However, WebLogic uses
WebLogic Builder, which automatically removes any uncommented
sections from the web.xml file. Because of this, you may not find the
section for Vintela-specific configuration. Listed below is the
configuration which needs to be added to the web.xml immediately
before the closing </web-app> tag at the end of the file.
Open WEB-INF/web.xml, find </web-app> at the end of this file,
and add the following section immediately before it:
<filter>
  <filter-name>authFilter</filter-name>
  <filter-class>com.businessobjects.sdk.credential.WrappedResponseAuthFilter</filter-class>

  <init-param>
    <param-name>idm.realm</param-name>
    <param-value>YOUR_REALM</param-value>
  </init-param>

  <init-param>
    <param-name>idm.princ</param-name>
    <param-value>HTTP/HOST.DOMAIN.COM</param-value>
  </init-param>

  <init-param>
    <param-name>idm.keytab</param-name>
    <param-value>PATH_TO_YOUR_KEYTAB</param-value>
  </init-param>

  <init-param>
    <param-name>idm.allowUnsecured</param-name>
    <param-value>true</param-value>
  </init-param>

  <init-param>
    <param-name>idm.allowNTLM</param-name>
    <param-value>false</param-value>
  </init-param>

  <init-param>
    <param-name>idm.logger.name</param-name>
    <param-value>simple</param-value>
    <description>
      The unique name for this logger.
    </description>
  </init-param>

  <init-param>
    <param-name>idm.logger.props</param-name>
    <param-value>error-log.properties</param-value>
    <description>
      Configures logging from the specified file.
    </description>
  </init-param>

  <init-param>
    <param-name>error.page</param-name>
    <param-value>/InfoView/logon/vintelaError.jsp</param-value>
    <description>
      The URL of the page to show if an error occurs during
      authentication.
    </description>
  </init-param>
</filter>

<filter-mapping>
  <filter-name>authFilter</filter-name>
  <url-pattern>/InfoView/logon/logon.do</url-pattern>
</filter-mapping>
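The values in this filter block are easy to get subtly wrong (a lower-case realm, a realm suffix on the principal, backslashes in the keytab path, NTLM left enabled), and the only feedback is a failed logon. As an added checker that is not from the guide or from Business Objects, the Python below reads a web.xml and applies the rules stated in the two parameter tables and the keytab NOTE above. The two web.xml documents in it are constructed samples built from the filter block shown; the parameter names and the logon.do mapping are the guide's, while the rule that idm.princ carries no @REALM suffix is my reading of the HTTP/HOSTNAME.DOMAIN.COM format and is an assumption.

```python
import xml.etree.ElementTree as ET


def _local(tag):
    """Strip a namespace prefix so {ns}filter and filter compare equal."""
    return tag.rsplit("}", 1)[-1]


def _child_text(elem, name):
    """Text of the first direct child called `name`, or None."""
    for child in elem:
        if _local(child.tag) == name:
            return (child.text or "").strip()
    return None


def vintela_filter(web_xml, filter_name="authFilter"):
    """Return (init-param dict, url-patterns mapped to the filter).

    The dict is None when no <filter> of that name exists, which is what
    you get while the Vintela block is still commented out.
    """
    root = ET.fromstring(web_xml)
    params = None
    for elem in root.iter():
        if _local(elem.tag) == "filter" and _child_text(elem, "filter-name") == filter_name:
            params = {}
            for ip in elem:
                if _local(ip.tag) == "init-param":
                    params[_child_text(ip, "param-name")] = _child_text(ip, "param-value")
    patterns = [_child_text(m, "url-pattern") for m in root.iter()
                if _local(m.tag) == "filter-mapping"
                and _child_text(m, "filter-name") == filter_name]
    return params, patterns


def check_vintela_config(web_xml, use_ssl=False):
    """Apply the guide's rules to the authFilter settings; returns findings (empty list = OK)."""
    params, patterns = vintela_filter(web_xml)
    if params is None:
        return ["authFilter <filter> not found: is the Vintela block still commented out?"]
    findings = []
    if "/InfoView/logon/logon.do" not in patterns:
        findings.append("no <filter-mapping> sends /InfoView/logon/logon.do through authFilter")

    realm = params.get("idm.realm") or ""
    if not realm or realm == "YOUR_REALM":
        findings.append("idm.realm is not set")
    elif realm != realm.upper():
        findings.append("idm.realm must be upper case, got %r" % realm)

    # Assumption: the guide's HTTP/HOSTNAME.DOMAIN.COM format carries no @REALM suffix.
    princ = params.get("idm.princ") or ""
    if not princ.startswith("HTTP/") or "@" in princ or princ == "HTTP/HOST.DOMAIN.COM":
        findings.append("idm.princ must look like HTTP/HOSTNAME.DOMAIN.COM, got %r" % princ)

    keytab = params.get("idm.keytab") or ""
    if not keytab or keytab.startswith("PATH_TO_YOUR_KEYTAB"):
        findings.append("idm.keytab is not set")
    elif "\\" in keytab:
        findings.append("idm.keytab must use forward slashes, got %r" % keytab)

    if params.get("idm.allowNTLM") != "false":
        findings.append("idm.allowNTLM must be false")
    expected = "false" if use_ssl else "true"
    if params.get("idm.allowUnsecured") != expected:
        findings.append("idm.allowUnsecured should be %s here, got %r"
                        % (expected, params.get("idm.allowUnsecured")))
    return findings


def _web_xml(realm, princ, keytab, allow_ntlm, allow_unsecured):
    """Build a minimal web.xml around the guide's filter block (constructed sample)."""
    return """<web-app>
  <filter>
    <filter-name>authFilter</filter-name>
    <filter-class>com.businessobjects.sdk.credential.WrappedResponseAuthFilter</filter-class>
    <init-param><param-name>idm.realm</param-name><param-value>%s</param-value></init-param>
    <init-param><param-name>idm.princ</param-name><param-value>%s</param-value></init-param>
    <init-param><param-name>idm.keytab</param-name><param-value>%s</param-value></init-param>
    <init-param><param-name>idm.allowUnsecured</param-name><param-value>%s</param-value></init-param>
    <init-param><param-name>idm.allowNTLM</param-name><param-value>%s</param-value></init-param>
  </filter>
  <filter-mapping>
    <filter-name>authFilter</filter-name>
    <url-pattern>/InfoView/logon/logon.do</url-pattern>
  </filter-mapping>
</web-app>""" % (realm, princ, keytab, allow_unsecured, allow_ntlm)


# Constructed samples: one that follows the guide, one with four common slips.
GOOD_WEB_XML = _web_xml("BOBJ.COM", "HTTP/DEVXIR2.BOBJ.COM",
                        "C:/keytabs/vintelauser.keytab", "false", "true")
BAD_WEB_XML = _web_xml("bobj.com", "HTTP/devxir2.bobj.com@BOBJ.COM",
                       "C:\\keytabs\\vintelauser.keytab", "true", "true")

if __name__ == "__main__":
    for label, doc in (("good", GOOD_WEB_XML), ("bad", BAD_WEB_XML)):
        print(label, check_vintela_config(doc) or "OK")
```

Run it against the deployed web.xml before restarting the application server, and again with use_ssl=True once the site is behind SSL, since the expected idm.allowUnsecured value flips at that point.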

NOTE

WebLogic will overwrite your changes in the web.xml every time the WebLogic service is
restarted. To make these changes permanent see the next section, Updating the
desktop.war package.

Updating the desktop.war package


This section walks you through updating the desktop.war file to
make your changes permanent in the event that the WAR files need to be
re-deployed. This is not required, but it is recommended if you would
like to make sure that your new configuration settings will not be lost
in the future. Before doing this, make sure that your configuration has
been tested thoroughly and that you want to save it by updating the WAR
file.

NOTE

The following steps require your Java JRE or J2SDK's bin folder to be added to
your PATH environment variable. By default, BOEXIR2 installs a version of the J2SDK in
the following location:
C:\Program Files\Business Objects\j2sdk1.4.2_08\bin

1. Locate the desktop.war file. By default this is located in C:\Program
   Files\Business Objects\BusinessObjects Enterprise 11.5\java\applications\desktop.war
2. Open a Command Prompt and navigate to the folder C:\Program
   Files\Business Objects\BusinessObjects Enterprise 11.5\java\applications\
3. Extract the web.xml from the .war file to a temporary location on the
   disk using the jar command:
   jar xf desktop.war WEB-INF/web.xml
4. In the WEB-INF folder, replace the web.xml file with the web.xml
   file that you created in the previous sections.

NOTE

This should be located in C:\Program Files\Business
Objects\Tomcat\webapps\businessobjects\enterprise115\desktoplaunch\WEB-INF\web.xml

5. After overwriting the web.xml file, inject the web.xml back into
   the desktop.war file using the following command:
   jar uf desktop.war WEB-INF/web.xml

After completing these steps, your desktop.war file is updated with
your Vintela configuration changes. In the event that you need to
redeploy the WAR file, your Vintela configuration settings will remain.

Configuring the Central Management Console for Java SSO


In order for the AD plug-in to use Kerberos instead of NTLM, we
need to modify the configuration of the Central Management Console
(CMC). The following section explains how this is done for use with
Vintela SSO.
Some of these options should already have been configured from
following the guide boe_xi_r2_AD_authentication_on_Java_App_Servers.pdf.

Figure 3

1. Confirm you have Use Kerberos authentication selected.
2. Select Cache security context only if you are using SSO to the
   database.
3. Enter the SPN from the CMS service account.
4. Select Enable Single Sign On for selected authentication mode.
5. Click Update.

Configuring the web browser for SSO


In some cases, your web browser may require additional configuration
to enable it for Kerberos authentication. Supported web browsers are
Firefox 2.0 and Internet Explorer (IE) 6.0 and above.

NOTE

Included with Windows 2003 operating systems are IE 6.0 and Internet Explorer
Enhanced Security Configuration. This feature of Windows 2003 may make it difficult
to make changes to IE's security configuration.

Configuring Firefox 2.0


1. Launch Firefox.
2. In the browser URL bar, type about:config. This shows a list of
   properties that you can configure.
3. Double-click the network.negotiate-auth.delegation-uris property
   to configure it.
4. Enter the URL of the machine, for example: http://devxir2.bobj.com
5. Click OK.
6. Double-click the network.negotiate-auth.trusted-uris property to
   configure it.
7. Enter the URL of the machine, for example: http://devxir2.bobj.com
8. Click OK.

NOTE

To add more than one URL, separate the values with a comma. For example:
http://devxir2.bobj.com,http://uatxir2.bobj.com,http://prodxir2.bobj.com

Configuring IE 6.0 and IE 7.0


Internet Explorer must have Enable Integrated Windows
Authentication selected, and the website must be part of IE's
Trusted Sites.
1. Launch IE.
2. Click Tools > Internet Options > Advanced tab
3. Scroll down to the Security section and select Enable Integrated
Windows Authentication if it is not already checked and click
Apply.
4. Click on the Security tab > Trusted Sites > Sites button.
5. Type in the website URL and click Add.
6. Click OK to save your changes.
7. Close and restart your IE browser for changes to take effect.

Testing Vintela SSO to InfoView


At this point, your BusinessObjects XI Release 2 system should be
properly configured for Vintela. The following section describes
the best scenarios for properly testing the Java InfoView for SSO.

- Your Active Directory user account must be physically logged into
  the Windows XP/2000/2003 client machine, which is joined to the
  same domain. This way your client machine has obtained a
  Kerberos ticket from the KDC.
- Your Active Directory user account must be part of the mapped
  groups in the CMC.
- For Windows 2003 clients using IE, make sure that Internet Explorer
  Enhanced Security Configuration is not interfering with you
  making the necessary configuration changes.
- Confirm you are logging onto the Java InfoView with a typical AD
  user account, not a service or domain administrator account.
- SSO will not work if you are logged onto the same machine as
  the Java application server. For example, machine A has Tomcat
  installed and you log on to machine A with an AD account. If you
  try to access Java InfoView, SSO will fail. This is a known Vintela
  issue.
- If you are enabling Vintela SSO for Java InfoView on Windows,
  before you begin confirm IIS is not being used on the same machine.
  The steps in this documentation will add an SPN that will clash with
  the IIS SPN. This will cause IIS to no longer be able to decrypt
  Kerberos tickets and Windows Integrated Authentication to fail.
- When making Active Directory configuration changes, make sure to
  log out of the client, log back on and/or restart services. This will
  fetch a new Kerberos ticket from the KDC.

Troubleshooting Vintela SSO to InfoView


This section discusses how to get more information about what is
going wrong when things fail to work. Error messaging in the InfoView
logon screen can be misleading, and there are a few different ways to
capture logging from the system. We also cover some common
problems and how to resolve them.

Alternate URL for Manual AD authentication


After configuring Vintela, the system automatically tries to log the
user into InfoView using SSO. Verify that you can still log in to
InfoView manually by entering your username and password. This can be
done by using the following URL from your client's web browser:
http://<hostname>:8080/businessobjects/enterprise115/desktoplaunch/InfoView/logon/logonForm.do

NOTE

This URL is case sensitive. Make sure you have a capital F in logonForm.do.

Java Application server logs


Most Java application servers log messages by default to a log file. For
Tomcat, this log file is stdout.log, which is located at:
$TOMCAT_INSTALL\logs\stdout.log

NOTE

Where $TOMCAT_INSTALL is the directory in which Tomcat has been installed.

See below to add more verbose Kerberos messages to this log.

Java WCA Tracing


When Kerberos fails to work, messages are typically logged in the
wcatrace logs when they are set to verbose level. To enable Java WCA
verbose logging add the following to the JAVA tab of the Tomcat
configuration:
-Dcrystal.enterprise.trace.configuration=verbose
If your Tomcat is running under local system, the log files will be placed
in the following location:
C:\Documents and Settings\Default User\.businessobjects\jce_verbose.log


Kerberos Debugging
By default, Kerberos messages are not logged to the application servers
log files. To enable Kerberos debugging, add the following to the
bscLogin.conf:
debug=true
Your bscLogin.conf file would then look like the following:
com.businessobjects.security.jgss.initiate {
    com.sun.security.auth.module.Krb5LoginModule required debug=true;
};
These Kerberos messages will be written to the application server's log
files. For Tomcat, this file is the stdout.log discussed above.

Manually testing the Keytab file


If the keytab file was not created properly, possibly with the wrong
principal name or the wrong encryption type, the system will not allow
you to log on. To verify that your keytab file is in proper working order,
run the following command from the command line of your application
server. This may require you to copy the ktpass.exe application to
the application server system:
ktpass -in c:\winnt\kerberos.keytab
The result should be similar to the following output:
> ktpass -in kerbsso1.keytab
** 0x1 Failed to read leading bytes (probably done)
Tacking on to existing keytab:
Keytab version: 0x502
keysize 67 HTTP/HOSTNAME.DOMAIN.COM@DOMAIN.COM ptype 1 (KRB5_NT_PRINCIPAL) vno 255 etype 0x3 (DES-CBC-MD5) keylength 8 (0xb52a263b1f49b664)
Type "ktpass /help" for usage
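The ktpass -in listing above, like the ktpass -out output in the Creating the Keytab file section, shows what a keytab holds: principal, ptype, vno, etype and key length. As an added illustration (not tooling from the guide or from Business Objects), the Python parser below reads the version 0x502 keytab format directly and reports the same fields, so you can confirm on the application server, without ktpass, that the file holds a key for exactly the SPN configured in idm.princ with the expected encryption type. The keytab bytes are a constructed sample matching the guide's example principal; the key material and timestamp in it are made up.

```python
import struct

# Kerberos encryption-type numbers as they appear in a keytab and in ktpass output.
ENCTYPE_NAMES = {1: "DES-CBC-CRC", 3: "DES-CBC-MD5", 17: "AES128-CTS-HMAC-SHA1-96",
                 18: "AES256-CTS-HMAC-SHA1-96", 23: "RC4-HMAC"}
KRB5_NT_PRINCIPAL = 1          # the ptype ktpass prints as "ptype 1 (KRB5_NT_PRINCIPAL)"


def _counted_string(data, off):
    """Read a 16-bit length followed by that many bytes (keytab string encoding)."""
    (n,) = struct.unpack_from(">H", data, off)
    off += 2
    return data[off:off + n].decode("utf-8"), off + n


def parse_keytab(data):
    """Parse a version 0x0502 (big-endian) keytab and return one dict per key entry."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab: header %r" % data[:2])
    entries, off = [], 2
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size <= 0:                      # negative size marks a deleted slot; skip its bytes
            off += -size
            continue
        end = off + size
        (ncomp,) = struct.unpack_from(">H", data, off)
        off += 2
        realm, off = _counted_string(data, off)
        comps = []
        for _ in range(ncomp):
            comp, off = _counted_string(data, off)
            comps.append(comp)
        name_type, timestamp, vno8, etype, keylen = struct.unpack_from(">IIBHH", data, off)
        off += 13
        off += keylen                      # the key bytes themselves are not needed here
        vno = vno8
        if end - off >= 4:                 # optional 32-bit vno overrides the 8-bit one
            (vno,) = struct.unpack_from(">I", data, off)
        entries.append({
            "principal": "/".join(comps) + "@" + realm,
            "name_type": name_type,
            "vno": vno,
            "etype": etype,
            "etype_name": ENCTYPE_NAMES.get(etype, "etype %d" % etype),
            "keylength": keylen,
            "timestamp": timestamp,
        })
        off = end
    return entries


def keytab_has_key(entries, principal, etype):
    """True if the keytab holds a key for exactly this principal (case matters) and enctype."""
    return any(e["principal"] == principal and e["etype"] == etype for e in entries)


def describe(entries):
    """Render entries in the same shape as the ktpass -in listing in the guide."""
    return ["%s ptype %d vno %d etype 0x%x (%s) keylength %d"
            % (e["principal"], e["name_type"], e["vno"], e["etype"], e["etype_name"], e["keylength"])
            for e in entries]


def build_keytab_entry(principal, vno, etype, key, name_type=KRB5_NT_PRINCIPAL, timestamp=0):
    """Encode one keytab entry; used here only to construct the sample file below."""
    name, realm = principal.split("@")
    comps = name.split("/")
    body = struct.pack(">H", len(comps))
    for s in [realm] + comps:
        raw = s.encode("utf-8")
        body += struct.pack(">H", len(raw)) + raw
    body += struct.pack(">IIBHH", name_type, timestamp, vno & 0xFF, etype, len(key)) + key
    body += struct.pack(">I", vno)
    return struct.pack(">i", len(body)) + body


# Constructed sample: what ktpass -out would produce for the guide's example SPN
# (the 8-byte DES key and the timestamp are made up).
SAMPLE_KEYTAB = b"\x05\x02" + build_keytab_entry(
    "HTTP/DEVXIR2.BOBJ.COM@BOBJ.COM", vno=255, etype=3, key=bytes(range(0x12, 0x1a)))

if __name__ == "__main__":
    for line in describe(parse_keytab(SAMPLE_KEYTAB)):
        print(line)
```

To check a real file, open it in binary mode and pass the bytes to parse_keytab(); then call keytab_has_key() with the idm.princ value plus @REALM and the etype you passed to ktpass -crypto. The principal comparison is exact, so a host name that differs only in case from the keytab entry is reported as missing.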

Java Crypto and Security Implementation Debugging

Java Crypto and Security Implementation (JCSI) debugging is probably
one of the most useful traces possible. It adds additional information
from the Vintela component to the Java application server logs. This is
enabled by adding the following line to the application server's Java
options environment variable. For Tomcat, this is done by running the
Tomcat configuration application and clicking on the JAVA tab:
-Djcsi.kerberos.debug=true

6/29/2007 2:07 PM

Copyright 2007 Business Objects. All rights reserved.

boe_xi_r2_end_to_end_sso_for_java_using_vintela.pdf


These messages will be written to the application server's log
files. For Tomcat, this file is the stdout.log discussed above. The
additional messages will be prefixed with [DEBUG] as in the example
below:
[DEBUG] Fri Apr 27 09:28:17 EDT 2007 jcsi.kerberos: No Subject found on the current thread
[DEBUG] Fri Apr 27 09:28:17 EDT 2007 jcsi.kerberos: GSS: Acceptor supports: KRB5
[DEBUG] Fri Apr 27 09:28:17 EDT 2007 jcsi.kerberos: Ticket service name is: HTTP/hostname.domain.com@DOMAIN.COM
[DEBUG] Fri Apr 27 09:28:17 EDT 2007 jcsi.kerberos: GSS name is: HTTP/HOSTNAME.DOMAIN.COM@DOMAIN.COM
[DEBUG] Fri Apr 27 09:28:17 EDT 2007 jcsi.kerberos: Using keytab entry for: HTTP/HOSTNAME.DOMAIN.COM@DOMAIN.COM
[DEBUG] Fri Apr 27 09:28:17 EDT 2007 jcsi.kerberos: ** decrypting ticket .. **
[DEBUG] Fri Apr 27 09:28:18 EDT 2007 jcsi.kerberos: decrypted ticket:
[DEBUG] Fri Apr 27 09:28:18 EDT 2007 jcsi.kerberos: Setting context expiry to [1177716182000]
[DEBUG] Fri Apr 27 09:28:18 EDT 2007 jcsi.kerberos: Current wall time is [1177680498034]
[DEBUG] Fri Apr 27 09:28:18 EDT 2007 jcsi.kerberos: ** decrypting application request .. **
[DEBUG] Fri Apr 27 09:28:18 EDT 2007 jcsi.kerberos: decrypted application request:
[DEBUG] Fri Apr 27 09:28:18 EDT 2007 jcsi.kerberos: Got delegated credential
[DEBUG] Fri Apr 27 09:28:18 EDT 2007 jcsi.kerberos: Delegated credential:
[DEBUG] Fri Apr 27 09:28:18 EDT 2007 jcsi.kerberos: ** creating application response .. **
[DEBUG] Fri Apr 27 09:28:18 EDT 2007 jcsi.kerberos: created application response:

Check for Duplicate SPN Entries

The same SPN registered on more than one account (a duplicate SPN)
breaks Vintela: the KDC picks one of the accounts to encrypt the service
ticket with, and if that is not the Vintela service account the ticket
cannot be decrypted with the keytab. The following command can be run on
the Domain controller to list every account that holds an HTTP SPN for
the application server:
ldifde -f c:\spn_out.txt -d "DC=bobj,DC=com" -l serviceprincipalname -r
"(serviceprincipalname=HTTP/HOSTNAME*)" -p subtree
Be sure to replace DC=bobj,DC=com with your domain name and HOSTNAME
with the name of your application server. Any SPN that appears under
more than one dn in c:\spn_out.txt is a duplicate and must be removed
(setspn -D) from the account that should not hold it.
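Reading a long ldifde export by eye is error-prone, so here is a small checker, added as an example and not part of the original document or of any Business Objects tool. It assumes the export was written by the ldifde command above (a dn: line, a changetype: add line and one servicePrincipalName: line per value, objects separated by a blank line) and compares SPNs case-insensitively, as Active Directory does. The export at the bottom is constructed for the example.

```python
"""Find SPNs registered on more than one account in an ldifde export
(added example). The sample export below is constructed."""
import base64
from collections import defaultdict


def parse_ldif(text):
    """Return a list of (dn, {attribute_lower: [values]}) for an LDIF export.
    Folded continuation lines (leading space) and base64 values ('::')
    are handled because ldifde produces both."""
    records, lines = [], []
    for raw in text.splitlines() + [""]:
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]            # continuation of the previous line
        elif raw == "":
            if lines:
                records.append(lines)
            lines = []
        else:
            lines.append(raw)
    parsed = []
    for lines in records:
        dn, attrs = None, defaultdict(list)
        for line in lines:
            if line.startswith("#"):
                continue
            name, _, value = line.partition(":")   # first colon only; SPNs contain ':'
            if value.startswith(":"):               # 'attr:: <base64>'
                value = base64.b64decode(value[1:].strip()).decode("utf-8")
            else:
                value = value.strip()
            if name.lower() == "dn":
                dn = value
            else:
                attrs[name.lower()].append(value)
        parsed.append((dn, attrs))
    return parsed


def duplicate_spns(text):
    """Map each SPN held by more than one account to the sorted DNs of
    those accounts. SPNs are compared case-insensitively, as AD does."""
    owners = defaultdict(set)
    for dn, attrs in parse_ldif(text):
        for spn in attrs.get("serviceprincipalname", []):
            owners[spn.lower()].add(dn)
    return {spn: sorted(dns) for spn, dns in owners.items() if len(dns) > 1}


# Constructed export: the Vintela account and the web server's computer
# account both hold HTTP/bobjweb.bobj.com (the second one is line-folded
# the way ldifde folds long lines), which is the duplicate to find.
SAMPLE_EXPORT = """\
dn: CN=vintela,CN=Users,DC=bobj,DC=com
changetype: add
servicePrincipalName: HTTP/bobjweb.bobj.com
servicePrincipalName: HTTP/bobjweb

dn: CN=BOBJWEB,CN=Computers,DC=bobj,DC=com
changetype: add
servicePrincipalName: HOST/BOBJWEB
servicePrincipalName: HTTP/BOBJWEB.bobj.
 com

dn: CN=sqlsvc,CN=Users,DC=bobj,DC=com
changetype: add
servicePrincipalName: MSSQLSvc/sql01.bobj.com:1433
"""

if __name__ == "__main__":
    for spn, dns in duplicate_spns(SAMPLE_EXPORT).items():
        print(spn, "is held by:", ", ".join(dns))
```

Run it with duplicate_spns(open(r"c:\spn_out.txt", encoding="utf-16").read()) on the real export (ldifde writes Unicode by default when run with -u; otherwise read it as the system code page). Widen the ldifde -r filter to "(serviceprincipalname=*)" if you want the whole domain checked rather than one host.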

Kerberos Event Log messages


The Microsoft Event Viewer will log messages in the security log about
failed or successful login attempts. To get more information about
Kerberos messages enable Kerberos event logging by doing the
following on the server or client:


1. Start Registry Editor.
2. Navigate to
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters
NOTE
Create the Parameters subkey if it does not exist.
3. Click Edit > New > DWORD Value.
4. Add the following registry value:
Registry Value: LogLevel
Value Type: REG_DWORD
Value Data: 0x1
5. Quit Registry Editor, and then restart the computer.
NOTE
Remove this registry value when it is no longer needed so that performance is not
degraded on the computer. You can also remove this registry value to disable Kerberos
event logging on a specific computer.

You can find any Kerberos-related events in the system log. This is also
documented in Microsoft's knowledgebase article 262177. Some of the
logged errors are part of normal operation, for example
KDC_ERR_PREAUTH_REQUIRED; the ones that matter for this configuration
are KRB_AP_ERR_MODIFIED (the ticket could not be decrypted, usually a
wrong key in the keytab or a duplicate SPN) and
KDC_ERR_S_PRINCIPAL_UNKNOWN (no account holds the requested SPN).

Hard-coded password Keytab workaround

This workaround puts the service account password in the application
server's Java options, so anyone who can read the server's startup
configuration or list running processes with their command lines on
that machine can recover it. It is less secure than using a keytab
file. To enable it, add the following to the Java Options of your
application server:
-Dcom.wedgetail.idm.sso.password=<password>
You must also remove the following section from your web.xml:
<init-param>
<param-name>idm.keytab</param-name>
<param-value>PATH_TO_YOUR_KEYTAB</param-value>
</init-param>

Common Error Messages

This section explains common error messages and their resolutions.

Ticket Service Name and the GSS name do not match
In your stdout.log file with Kerberos logging enabled, you see that the
Ticket Service Name and the GSS name do not match: one is a Fully
Qualified Domain Name (FQDN) and the other is not. This is typically a
DNS issue, where your client machine has a ticket for the unqualified
machine name but the keytab uses the FQDN, so a match will not
occur. To resolve this do the following:


1. From the client machine, make sure you have reset the user's
password.
2. On the Tomcat machine, navigate to Network Connections > Local
Area Connection > (right-click) Properties > Internet Protocol
(TCP/IP) > Properties > Advanced.
3. Confirm Use this connection's DNS suffix in DNS registration is
selected.
4. Add the correct domain to the DNS suffix for this connection.
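The mismatch is easy to miss in a busy stdout.log, so the following is an added example (not code from the original document or from Vintela) that pulls each Ticket service name / GSS name pair out of the JCSI debug output and says how they differ. It assumes the "[DEBUG] <date> jcsi.kerberos: Ticket service name is: <principal>" and "... GSS name is: <principal>" line format shown in the JCSI debugging section; the log lines at the bottom are constructed.

```python
"""Classify Ticket service name versus GSS name pairs in JCSI debug output
(added example). The sample log lines are constructed."""
import re

LINE_RE = re.compile(r"jcsi\.kerberos: (Ticket service name is|GSS name is): (\S+)")


def split_principal(name):
    """'HTTP/host@REALM' -> ('HTTP', 'host', 'REALM'); missing parts are ''."""
    name, _, realm = name.partition("@")
    service, _, host = name.partition("/")
    return service, host, realm


def classify(ticket_name, gss_name):
    """Say how the name in the client's ticket differs from the keytab name."""
    if ticket_name == gss_name:
        return "match"
    if ticket_name.lower() == gss_name.lower():
        return "case only"
    ts, th, tr = (x.lower() for x in split_principal(ticket_name))
    gs, gh, gr = (x.lower() for x in split_principal(gss_name))
    if ts != gs:
        return "different service class"
    if tr != gr:
        return "different realm"
    # 'host' against 'host.domain.com': the client asked for the unqualified
    # name, which is the DNS suffix problem described in the text.
    if th.split(".")[0] == gh.split(".")[0] and ("." in th) != ("." in gh):
        return "unqualified host name (DNS suffix)"
    return "different host"


def scan_log(lines):
    """Pair each 'Ticket service name' with the next 'GSS name' and classify.
    Returns a list of (ticket_name, gss_name, verdict)."""
    results, pending = [], None
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue
        kind, value = m.groups()
        if kind.startswith("Ticket"):
            pending = value
        elif pending is not None:
            results.append((pending, value, classify(pending, value)))
            pending = None
    return results


# Constructed sample: the pair from the JCSI log in the text (case only),
# then a pair showing the unqualified-name failure this section describes.
SAMPLE_LOG = [
    "[DEBUG] Fri Apr 27 09:28:17 EDT 2007 jcsi.kerberos: GSS: Acceptor supports: KRB5",
    "[DEBUG] Fri Apr 27 09:28:17 EDT 2007 jcsi.kerberos: Ticket service name is: HTTP/hostname.domain.com@DOMAIN.COM",
    "[DEBUG] Fri Apr 27 09:28:17 EDT 2007 jcsi.kerberos: GSS name is: HTTP/HOSTNAME.DOMAIN.COM@DOMAIN.COM",
    "[DEBUG] Fri Apr 27 09:31:02 EDT 2007 jcsi.kerberos: Ticket service name is: HTTP/bobjweb@BOBJ.COM",
    "[DEBUG] Fri Apr 27 09:31:02 EDT 2007 jcsi.kerberos: GSS name is: HTTP/bobjweb.bobj.com@BOBJ.COM",
]

if __name__ == "__main__":
    for ticket, gss, verdict in scan_log(SAMPLE_LOG):
        print("%-40s %-40s %s" % (ticket, gss, verdict))
```

Feed it the real file with scan_log(open(path_to_stdout_log)). A "case only" result is informational: the document's own log shows JCSI going on to use the keytab entry after such a pair. "unqualified host name (DNS suffix)" is the condition this section describes and is fixed with steps 2 to 4 above; "different realm" or "different service class" point at the SPN or the krb5.ini rather than at DNS.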
CAUTION

DO NOT proceed to the next section until SSO to the Java InfoView has been configured
and properly tested to be in working condition.

Configuring Single-Sign-On to the Database


Now that Vintela single-sign-on to the Java InfoView is configured and
working, there are a few additional steps required to take this one step
further to enable SSO to the database back-end. End-to-end SSO is only
supported with Microsoft SQL Server 2000 or SQL Server 2005.

Configuring the Database server


In order for Kerberos SSO to work, the machine running the SQL Server
database must be trusted for delegation. How delegation is set up
depends on whether SQL Server runs under the LocalSystem account or
under a domain service account.

- If SQL Server is running under the LocalSystem account, no additional
configuration is required. SQL Server registers its SPN when it starts,
and the system un-registers the SPN for the LocalSystem account when
SQL Server shuts down.
- If SQL Server is running under a service account, you have to register
the SPN on that account and configure the account to be trusted for
delegation.

To configure a SQL Server service account for delegation:

1. Add an SPN for the service account of the SQL Server by running the
following command:
setspn -A MSSQLSvc/host:port mssqluser
Where host:port is the fully qualified name of the machine running SQL
Server and the TCP port it listens on (1433 for a default instance), and
mssqluser is the name of the SQL Server service account. Use the FQDN
here, because that is the name the SQL client builds the SPN from when
it requests a ticket.
2. Select Start > Programs > Administrative Tools > Active Directory
Users and Computers.
3. Right-click the domain account and select Properties.
4. On the Accounts tab, make sure the following options are selected:

- In Windows 2000, ensure that the Account is trusted for delegation
option has been selected for the account.
- In Windows 2003, ensure that Trust this user for delegation to any
service (Kerberos only) is selected on the Delegation tab. This is
unconstrained delegation; where the Windows 2003 functional level
allows it, Trust this user for delegation to specified services only,
limited to the SPNs the account actually needs to reach, is the less
privileged choice.

More information about this can be found in the Microsoft article
Understanding Kerberos and NTLM authentication in SQL Server
Connections.

Configuring the Java Application server

For the Java application server to be able to pass the user's credentials to
the database, the krb5.ini must have forwarding enabled:
1. Open the krb5.ini located in c:\winnt, or wherever the Java option
-Djava.security.krb5.conf points to. (The -Djava.security.auth.login.config
option points to bscLogin.conf, not to krb5.ini.)
2. Find the [libdefaults] section of this configuration file.
3. Enter the following in the [libdefaults] section immediately before
the [realms] section:
forwardable = true
4. Save this file and restart your application server.
Your [libdefaults] section should look like the following example:
[libdefaults]
default_realm = BOBJ.COM
dns_lookup_kdc = true
dns_lookup_realm = true
forwardable = true
[realms]

Configuring the BOEXIR2 Processing servers


The processing tier of BusinessObjects XI Release 2 services must be
configured to use Kerberos by running them as an account that has
delegation rights. The account that is configured to run the CMS can be
used since it is already configured for Kerberos delegation. Please note
that end-to-end SSO is only possible with On-Demand reporting. Here is
a list of services that should be configured to run under this domain
account:

- Crystal Reports Page Server
- Report Application Server (RAS)
- Web Intelligence Report Server
- Desktop Intelligence Report Server
- Connection Server


Server cache expiry


When the system is using AD and Kerberos SSO, it uses the cache expiry
for certain BusinessObjects Enterprise servers to determine whether a
logon ticket is still valid. This applies to the CMS, Page Server, RAS, and
Web Intelligence Report Server.
The CMS uses the cache expiry as follows:
- If the CMS cache expiry is greater than that of the ticket, the
system renews the ticket until the CMS cache expiry is reached.
- If the CMS cache expiry is less than that of the ticket, the ticket
expires when the CMS cache expiry is reached.
- If the CMS cache expiry is zero, the system uses the globally set
ticket expiry.
The other servers use either the cache expiry or the ticket expiry,
whichever is lower: regardless of whether the server's cache expiry is
greater or less than that of the ticket, the ticket expires when the
lower of the two values is reached. The system comes configured with a
default server cache expiry of 86400 seconds (24 hours).
To change the default cache expiry value:
1. Go to the Servers management area of the CMC.
2. Click the link for the server.
3. Click the Single Sign-On tab.
4. Type in a new cache expiry value.
5. Click Update.
Note: If you are running multiple instances of a particular server, you
can control the cache expiry for each instance individually.

Creating Connections
This next section explains how to create various connections.

Creating SYSTEM ODBC Data source connections
When creating ODBC or OLEDB data source connections, always use the
FQDN whenever possible. The following steps walk through creating an
ODBC data source connection for both the client and the server:


1. Login to the system as a domain user that has access to a database on
the database server. This is an important step since the ODBC DSN
will not be created if the connection test fails.
2. Click Start > Settings > Control Panel > Administrative tools >
Data Sources (ODBC).
3. Click System DSN tab > Add button > SQL Server > Finish button.
4. Type a name for the DSN and select the appropriate SQL Server
database to use.
5. Select With Windows NT authentication using the network login
ID for authentication.
Figure 4

6. Click Next > Next > Finish > Test Data Source button and you
should see TEST COMPLETED SUCCESSFULLY!
7. Click OK and click OK to save your DSN.
8. Verify that your ODBC connections are using KERBEROS instead of
NTLM. Steps on how to do this are in the section Testing ODBC
Data source connections.

NOTE

For Universe connections, once an ODBC DSN is created using Windows NT
authentication it can only be used with Kerberos SSO. To create a universe connection
with specific login credentials, an ODBC DSN with SQL server authentication must also
be created.

Creating Universe connections


For SSO to work with Desktop Intelligence or Web Intelligence do
the following:
1. Login to a system as a domain user that can connect to the database
server to successfully test the connection.

2. Log on to Designer as an AD user.


3. Click Tools > Connections > Add > Microsoft SQL Server 2000 or
Microsoft SQL Server 2005 ODBC Drivers
4. Confirm this connection is a Secured connection. Give your
connection a name and select the DSN that was created earlier.
5. Select Use Single Sign On when refreshing reports at view time.
6. Confirm no other options are selected and that the username and
password fields are blank.
7. Click Next and read the Information message. Click OK.
8. Test your connection. This connection can still be saved if this test
fails.

Creating Crystal Reports Connections


For SSO to work with Crystal Reports connections a few changes will
have to be made to the Crystal Reports connections themselves. Crystal
reports should be designed with their data sources set to Trusted
Connection for ODBC and Integrated Security for OLE DB. Once this
report is published to BusinessObjects XI R2, enable Use SSO Context
for database logon for this report in the CMC.
Figure 5

Testing Vintela SSO to the Database


By this point, we should now have verified that Vintela SSO to the
InfoView is working properly, made the extra configuration changes to
XIR2 and the Java Application server and created our data source
connections. Next we must test and make sure that SSO to the database
is working properly.

Testing ODBC Data source connections


When you test your connectivity to the database server, make sure that
the User ID being passed to the database is the correct User ID and not
Anonymous. Troubleshooting this can be difficult, so the following
section will allow us to identify which part of the process could be
failing. Here is how to validate what credentials are being passed to
your SQL server:
1. Logon to your client system using your domain user ID.
2. Click Start button > Settings > Control Panel > Administrative
tools > Data Sources (ODBC) and click the DSN you configured
earlier to test the connection.
3. Click Configure button > Next button > Next button > Next button
> Finish button > Test Data Source button and you should see
TESTS COMPLETED SUCCESSFULLY!.
4. At the same time, on the SQL server system, click Start > Settings >
Control Panel > Administrative tools > Event Viewer > Security to
monitor the Security event log for successful connections. Your user
ID should be displayed in the User column. The details of this
should also indicate Authentication Package: Kerberos
Figure 6

5. Optionally, on Microsoft SQL Server 2005 you can see which
authentication package each connection used. Log on with SQL Server
2005 Management Studio and run the following query:
select auth_scheme, client_net_address from
sys.dm_exec_connections
The result should show the ODBC client's IP address with KERBEROS in
the auth_scheme column. NTLM there means the client fell back to NTLM,
which cannot carry delegated credentials, so end-to-end SSO will not
work for that connection. Joining sys.dm_exec_sessions on session_id
adds the login_name column, which shows which user each connection was
authenticated as.


Testing Data source connections from Crystal Reports
1. Log on to the client system using a domain User ID.
2. Open Crystal Reports and create a new report using ODBC or OLE
DB. Confirm the option Trusted Connection for ODBC or
Integrated Security for OLE DB is selected.
3. Once you are logged into the data source, check the security log or
run the SQL query above to identify if the correct user ID was
passed.

Testing Data source connections from Designer for Universes
1. Login to the client system as a domain User ID.
2. Run the Designer application and login as your AD user ID.
3. Click Tools, click Connections and select the universe connection we
created previously.
4. Click the Test button and monitor the SQL servers security log or
run the query above to identify if the correct user ID was passed.

Testing Reports from Infoview


Please remember that end-to-end SSO technology is only available for
on-demand reporting. This means Crystal Reports, Desktop Intelligence
or Web Intelligence on-demand viewing. Ad-hoc reporting with Crystal
Reports and Web Intelligence are also supported. To test reports from
InfoView do the following:
1. Log on to the client system with a domain user ID.
2. Log on to the Java InfoView, it should recognize your user ID and
automatically log you on.
3. Find your published Crystal reports or create an ad-hoc query
against a published universe that has been created with an SSO
connection.
If any problems occur, note what user ID attempted to access the
database. Problems here usually indicate insufficient rights on a
service account, or the services have not been configured to run
under the appropriate service account.
DISCLAIMER

The third party products discussed in this white paper were not fully tested in conjunction
with BusinessObjects XI R2 prior to its release. Officially supported BusinessObjects XI
R2 platforms are listed on the supported platforms web site.
The information in this document is provided as a courtesy to assist our customers with
the configuration of our product in conjunction with these third party platforms.
In the event issues arise with an unsupported configuration, there is no escalation
support; however, they will be considered during the development of the next generation
of our product.


Finding More Information


For more information and resources, refer to the product documentation
below and visit the support area of the web site at:
http://support.businessobjects.com
BusinessObjects XI R2 Deployment and Configuration guide
BusinessObjects XI R2 AD Authentication using Java Application Servers
