Prerequisites

Before you configure manual Java authentication, you must follow the steps for Setting up the Windows AD plugin.

Workflow and additional information

  • Configure the Service Account for use with the Active Directory (AD) plug-in.
    a) Create Service Principal Names (SPNs) for the Service Account.
    b) Set delegation for the Service Account.
  • Configure the BI platform for use with the Service Account.
    a) Add the SPN to the CMC.
    b) Set the Server Intelligence Agent (SIA) to run as the service account.
    c) Verify that the service account and Windows AD login accounts are working.
  • Configure Manual AD authentication to the Java Application Servers.
    a) Create the bsclogin.conf file.
    b) Create the krb5.ini file.
  • Configure the BI Launch Pad for manual AD login.
    Set the Authentication menu in BI Launch Pad to be visible.
  • Point the Application Server at the bsclogin.conf and krb5.ini files.

    For more detailed information about this topic, see SAP Knowledge Base Article (KBA) 1631734 - Configuring Active Directory Manual Authentication and SSO for BI4.

To configure the Service Account for use with the AD plug-in

Before setting up Manual Java Authentication, a few steps must be completed in Windows AD to prepare for use with Kerberos.

Step 1: To create Service Principal Names (SPNs) for the Service Account
  1. Open the CMC, and set a general SPN that you will enter into the SPN field of the Active Directory page of the CMC:
    setspn -a BICMS/SVC_PATTERN.BI4PATTERN.COM SVC_PATTERN
  2. Set the following SPNs for SSO (if needed):
    setspn -a HTTP/vantgvmwinpb02 SVC_PATTERN
    setspn -a HTTP/vantgvmwinpb02.BI4PATTERN.COM SVC_PATTERN
    setspn -a HTTP/vantgvmwinpb02.dhcp.pgdev.sap.corp SVC_PATTERN
    setspn -a HTTP/vantgvmwinpb03 SVC_PATTERN
    setspn -a HTTP/vantgvmwinpb03.BI4PATTERN.COM SVC_PATTERN
    setspn -a HTTP/vantgvmwinpb03.dhcp.pgdev.sap.corp SVC_PATTERN

When the commands have completed, running setspn -l SVC_PATTERN will display the following:

Step 2: To set delegation for the Service Account
  1. Right-click the SVC_PATTERN service account, and click Properties.
  2. On the Delegation tab, click Trust this user for delegation to any service (Kerberos only).
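
A check for Steps 1 and 2, added here as an example and not part of the SAP procedure: it compares the SPNs listed above with what is registered on SVC_PATTERN, counts how many directory objects hold each SPN, and reads back the delegation flag. It assumes the RSAT ActiveDirectory PowerShell module and read access to the domain.

```powershell
# Added example. Assumes the ActiveDirectory module (RSAT) is installed.
Import-Module ActiveDirectory

$account  = 'SVC_PATTERN'
$expected = @(
    'BICMS/SVC_PATTERN.BI4PATTERN.COM',
    'HTTP/vantgvmwinpb02',
    'HTTP/vantgvmwinpb02.BI4PATTERN.COM',
    'HTTP/vantgvmwinpb02.dhcp.pgdev.sap.corp',
    'HTTP/vantgvmwinpb03',
    'HTTP/vantgvmwinpb03.BI4PATTERN.COM',
    'HTTP/vantgvmwinpb03.dhcp.pgdev.sap.corp'
)

$user       = Get-ADUser -Identity $account -Properties ServicePrincipalNames, TrustedForDelegation
$registered = @($user.ServicePrincipalNames)

$report = foreach ($spn in $expected) {
    # -contains compares case-insensitively, as AD does for SPNs
    $onAccount = $registered -contains $spn

    # An SPN registered on more than one object makes Kerberos ticket
    # requests for that service fail, so count every holder in the domain.
    $holders = @(Get-ADObject -Filter "servicePrincipalName -eq '$spn'")

    $status = 'OK'
    if (-not $onAccount)          { $status = 'MISSING' }
    elseif ($holders.Count -gt 1) { $status = 'DUPLICATE' }

    [pscustomobject]@{ SPN = $spn; Holders = $holders.Count; Status = $status }
}
$report | Format-Table -AutoSize

# SPNs on the account that this procedure does not call for
$registered | Where-Object { $expected -notcontains $_ } |
    ForEach-Object { Write-Output "Not in the procedure: $_" }

# Step 2 ("delegation to any service") sets this flag; it should read True
# for this account once the Delegation tab change has been applied.
Write-Output "TrustedForDelegation on ${account}: $($user.TrustedForDelegation)"
```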

To configure BI platform for use with the Service Account

Step 1: To add the SPN to the CMC
  1. In the CMC, under Authentication, go to the Windows AD plug-in section, and configure the Authentication options as shown here:
  2. To commit the changes, click Update.

Step 2: To set the Server Intelligence Agent (SIA) to run as the service account
  1. Add the service account to the local administrators group on any server where the SIA will be running as the service account.
  2. In the CMC, stop the SIA.
  3. When the SIA is stopped, access the properties of the SIA and change the System Account credentials in the Log On As area to the credentials for the Service Account.
  4. Click OK, and start the SIA.

Step 3: To verify that the service account and Windows AD login account are working

Follow these steps to check that you can log in through the client tools. They test an AD login using the Manage Servers tool of the Central Configuration Manager (CCM).

  1. Open the CCM, and click on the Manage Servers icon.
  2. Ensure the name in the System field is correct, and in the Authentication drop-down list select Windows AD.
  3. Log in with an AD user account that exists inside the CMC.
    AD users that do not reside in the default domain must log in to client tools as domain\username.
  4. Check that no error message appears.
    A white screen with no services indicates issues with permissions, which are not a concern at this point. Provided no error message appears, the service account and Windows AD login account are working.

To configure Manual AD authentication to Java Application Servers

Two files must be created when using the Java SDK: bsclogin.conf and krb5.ini. Create both as new files, and place them in the C:\windows folder on every Windows Application Server; Java looks in that path by default on a Windows server. Because Windows 2008 servers hide the extensions of known file types by default, make sure neither file ends up with a .txt or other additional extension.

Step 1: To create the bsclogin.conf file

bsclogin.conf is used to load the Java login module and trace login requests.

  1. On each of the web Application Servers, go to the C:\Windows folder, create a new text file, and save it as bsclogin.conf.
  2. Add the following lines to the file, and save it:

Step 2: To create the krb5.ini file

krb5.ini is used to configure the KDCs (Kerberos Key Distribution Centers, that is, the domain controllers) that will be used for the Java login requests.

  1. On each of the web Application Servers, go to the C:\Windows folder, create a new text file, and save it as krb5.ini.
  2. Add the following lines to the file, and save it:

If connecting to a Windows AD domain other than the one specified in this Pattern, the settings in this file will be different than shown here. The KBA at the start of this topic can be used for obtaining the correct information.

To configure the BI Launch Pad for manual AD login

The Authentication menu in the BI Launch Pad is needed for manual AD logins; however, the menu is hidden by default. These steps show how to make the Authentication menu visible.

Note that .properties files are used instead of .xml files in Business Intelligence Release 4. The .properties files are stored in a custom folder that is safe from being overwritten during patch installations.

  1. Go to C:\Program Files (x86)\SAP BusinessObjects\Tomcat6\webapps\BOE\WEB-INF\config\custom.
  2. Create a text file named BIlaunchpad.properties, add the following lines to the file, and save it:
    authentication.visible=true
    authentication.default=secWinAD
    cms.default=vantgvmwinpb04:6400
  3. Restart Tomcat to ensure the Authentication menu in BI Launch Pad is visible.

To set the Application Server to the bsclogin.conf and krb5.ini files

To have AD users log in to BI Launch Pad and the CMC, you must ensure your application server has access to bsclogin.conf and krb5.ini.

  1. Navigate to the Tomcat Configuration utility, and click the Java tab.
  2. Add the following lines to the Tomcat Java options:
    -Djava.security.auth.login.config=c:\windows\bsclogin.conf
    -Djava.security.krb5.conf=c:\windows\krb5.ini
  3. Restart Tomcat to load the files into memory.
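
A pre-restart check for the two Java options above, added here as an example and not part of the SAP procedure: for each option it confirms that the target file exists under exactly that name, is not empty, and has no look-alike sibling such as krb5.ini.txt left behind by hidden file extensions. The function name Test-KerberosConfigFile is hypothetical.

```powershell
# Added example. The option strings are the two lines from step 2 above.
$javaOptions = @(
    '-Djava.security.auth.login.config=c:\windows\bsclogin.conf',
    '-Djava.security.krb5.conf=c:\windows\krb5.ini'
)

function Test-KerberosConfigFile {
    param([Parameter(Mandatory)][string]$Option)

    # Split "-Dname=path" into the system property name and the file path
    $name, $path = $Option.Substring(2) -split '=', 2
    $dir  = Split-Path -Path $path -Parent
    $leaf = Split-Path -Path $path -Leaf

    $exists = Test-Path -LiteralPath $path -PathType Leaf
    $empty  = $exists -and ((Get-Item -LiteralPath $path).Length -eq 0)

    # With "hide extensions for known file types" on, a file saved from a
    # text editor can really be named <leaf>.txt; list any such siblings.
    $lookalikes = @(Get-ChildItem -LiteralPath $dir -Filter "$leaf.*" -File -ErrorAction SilentlyContinue |
                    Where-Object { $_.Name -ne $leaf } |
                    Select-Object -ExpandProperty Name)

    [pscustomobject]@{
        Property   = $name
        Path       = $path
        Exists     = $exists
        Empty      = $empty
        Lookalikes = ($lookalikes -join ', ')
    }
}

$javaOptions | ForEach-Object { Test-KerberosConfigFile -Option $_ } |
    Format-Table -AutoSize
```

A row with Exists = False and a non-empty Lookalikes column means the file was saved with an extra extension and Java will not find it.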