
Configure Windows AD Authentication for Business Object Enterprise XI 3.1

Applies to:
SAP Business Object XI 3.1 SP3 FP 4, Data Federator 3.0 SP3. For more information, visit the Business
Objects homepage.

Summary
Part 1: Configure Web Intelligence for Windows AD-based authentication
Part 2: Configure for SSO against SAP data source using Crypto
Part 3: Configure Data Federator to use Windows AD authentication
Part 4: Configure Data Federator Universes for SSO using Crypto
Known Issues and Troubleshooting
Author: Hemant Kumar
Company: Self Employed/Contractor
Created on: 1 March 2011

Author Bio
Hemant Kumar is an SAP Basis Consultant. He is SAP Certified and has over seven years of experience in
implementing SAP products. As an SAP technical architect, he helps customers design, build and implement
SAP applications.

SAP COMMUNITY NETWORK


2011 SAP AG

SDN - sdn.sap.com | BPX - bpx.sap.com | BOC - boc.sap.com | UAC - uac.sap.com



Table of Contents
Introduction
    Product Version
Configure BusinessObjects XI (InfoView) for Windows AD-based Authentication
    Create the Configuration File
    Change the Local Security Policy
    Run BOE Application under Windows AD Service Account
    Configure CMC and Prepare for Windows AD Authentication
Related Content
Disclaimer and Liability Notice


Introduction
This document covers configuring InfoView for Windows Active Directory (AD) based authentication. It is
assumed that the reader requires this to allow users to log in to the Central Management Console (CMC)
and Web Intelligence InfoView.

Product Version
The following product versions were used for this demo and during the preparation of this document:

Business Object XI 3.1 SP3 FP 1 or higher
Data Federator 3.0 SP3
SAP Integration Kit 3.1 SP3 FP1 or higher (equivalent to BOE version)
OS Windows 2008 x64
DB - SQL Server 2005 Standard

For a more detailed list, please refer to supported platform documentation.


Configure BusinessObjects XI (InfoView) for Windows AD-based Authentication


Create the Configuration File
Under C:\, create a folder WINNT if one doesn't exist. Create two new files: Krb5.ini and bscLogin.conf.
Place these in C:\WINNT with the following content:
Krb5.ini
[libdefaults]
default_realm = DOMAIN.COM
dns_lookup_kdc = true
dns_lookup_realm = true
udp_preference_limit = 1
default_tgs_enctypes = rc4-hmac
default_tkt_enctypes = rc4-hmac
[realms]
DOMAIN.COM = {
    kdc = DOMAIN.COM
    kdc = DOMAINSERVERNAME1.DOMAIN.COM
    kdc = DOMAINSERVERNAME2.DOMAIN.COM
    kdc = DOMAINSERVERNAME3.DOMAIN.COM
    default_domain = DOMAIN.COM
}

bscLogin.conf
com.businessobjects.security.jgss.initiate {
com.sun.security.auth.module.Krb5LoginModule required debug=true;
};
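
The following Python check is an added example, not part of the original document or of SAP's tooling: it parses a Krb5.ini laid out like the one above and reports a default realm with no kdc entry and enctype lists restricted to algorithms that RFC 6649 and RFC 8429 deprecate, such as the rc4-hmac setting shown here. The function names, the WEAK set and the sample text are constructed for illustration.

```python
import re

# Enctypes deprecated for Kerberos by RFC 6649 (DES) and RFC 8429 (3DES, RC4).
WEAK = {"rc4-hmac", "arcfour-hmac", "arcfour-hmac-md5",
        "des-cbc-crc", "des-cbc-md5", "des3-cbc-sha1"}
# Constructed sample mirroring the Krb5.ini layout on this page.
SAMPLE = """\
[libdefaults]
default_realm = DOMAIN.COM
default_tgs_enctypes = rc4-hmac
default_tkt_enctypes = rc4-hmac
[realms]
DOMAIN.COM = {
kdc = DOMAINSERVERNAME1.DOMAIN.COM
kdc = DOMAINSERVERNAME2.DOMAIN.COM
}
"""

def parse_krb5(text):
    """Parse sections, key = value pairs and one level of { } blocks."""
    conf, section, block = {}, None, None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line[0] in "#;":
            continue  # blank line or comment
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            section, block = conf.setdefault(header.group(1), {}), None
        elif line == "}":
            block = None
        elif section is not None and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            if value == "{":
                block = section.setdefault(key, {})
            else:
                (section if block is None else block).setdefault(key, []).append(value)
    return conf

def audit(conf):
    """Return a list of findings; an empty list means nothing was flagged."""
    lib, findings = conf.get("libdefaults", {}), []
    realm = (lib.get("default_realm") or ["<unset>"])[0]
    entry = conf.get("realms", {}).get(realm)
    if not isinstance(entry, dict) or not entry.get("kdc"):
        findings.append("no kdc listed for default_realm " + realm)
    for key in ("default_tgs_enctypes", "default_tkt_enctypes"):
        types = set(" ".join(lib.get(key, [])).replace(",", " ").lower().split())
        if types and types <= WEAK:
            findings.append(key + " permits only deprecated enctypes: " + ", ".join(sorted(types)))
    return findings
```

Calling audit(parse_krb5(SAMPLE)) returns one finding per enctype setting; a file that lists an AES enctype alongside or instead of rc4-hmac produces none.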

Change the Local Security Policy


Open the local security policy and change the following settings as shown in the screenshot below.


Run BOE Application under Windows AD Service Account


Configure BOE services to run under a Windows AD service account. Get a Windows AD service account
(for example, svc-edw-winad). Avoid using personal IDs, as this can disrupt the application if the ID is locked or
the password has expired. Ensure that the AD group sets the ID with a password that never expires.
Set up the web server. In this example, set Tomcat and the BusinessObjects Enterprise application to run under
the newly created service account.
To stop the application, start the Central Configuration Manager.

Once SIA is stopped, right-click SIA. Then click Properties.


Configure CMC and Prepare for Windows AD Authentication


Log in to the CMC using an administrator account. Navigate to Authentication.

Enter the required details as shown on the following screenshots. Use unique and meaningful names.


Click Update on the above screen and close the window.


Now run the following command on the Windows domain controller.
setspn -a BOBJ/BOEHostName.domain.COM svc-edw-winad

The command sets the Service Principal name. In the above example, svc-edw-winad is used as a sample.
Replace it with the actual service account name. Replication between different domain controllers might take
15-30 minutes. After that, try to log in to BOE using Windows AD as the authentication method.
If it is taking longer, open a command prompt and run the set command. Find the server name under
LOGONSERVER. Work with the Windows AD administrator to have the SETSPN command run on this
server first.


Related Content
How to map SAP users and AD users in XI3.1 CMC
How to configure SNC in XI3.1 CMC
How to setup XI3.1 WebIntelligence SSO with SAP BW
For more information, visit the Business Objects homepage.


Disclaimer and Liability Notice


This document may discuss sample coding or other information that does not include SAP official interfaces and therefore is not
supported by SAP. Changes made based on this information are not supported and can be overwritten during an upgrade.
SAP will not be held liable for any damages caused by using or misusing the information, code or methods suggested in this document,
and anyone using these methods does so at his/her own risk.
SAP offers no guarantees and assumes no responsibility or liability of any type with respect to the content of this technical article or
code sample, including any liability resulting from incompatibility between the content within this document and the materials and
services offered by SAP. You agree that you will not hold, or seek to hold, SAP responsible or liable with respect to the content of this
document.
