SCN Wiki upgrade to version 6.13 on Tuesday 19.11.2019 - beginning 07:30 am CET

During upgrade process new content will not be transported to new Wiki version

Registration

Dear SAP Community Member,
In order to fully benefit from what the SAP Community has to offer, please register at:
http://scn.sap.com
Thank you,
The SAP Community team.
Skip to end of metadata
Go to start of metadata

Configuration in the WINDOWS 2016 Domain Controller:

Step 1: Login to the Domain Controller Machine

Step 2: Open Active Directory Users and Computers.

Step 3: Create New User bo.service  for adding the SPN's to that User

Right Click → Users → New User  and select the option Password never expires.

Step 4: After creating the User go the properties of it and in the account tab provide the fully qualified name of the BOE server. And apply the save changes.

Step 5: In the command prompt add the following commands to create SPN's to bo.service user.

setspn -a BOEXI40SIAW2K16SRV/bo.service.W2K16.COM bo.service   //Fully Qualified name of the BOE Server

setspn -a W2K16SRV/bo.service.W2K16.COM bo.service  //BOE server Host Name

setspn -a W2K16SRV/bo.service bo.service

setspn -a http/W2K16SRV bo.service

setspn -a http/W2K16SRV.W2K16.COM bo.service

setspn -a http/192.168.2.100 bo.service  //Internal IP of the Domain Controller.

setspn -a http/192.168.2.107 bo.service  //Internal IP of the BOE server Machine.

setspn -a http/192.168.2.108 bo.service  //Internal IP of the Client Machine.

Step 6: After creating the SPN's right click the user Properties → Delegation Tab and select the option Trust the user to the delegation to any Kerberos service.

 

Step 7: For the Same user select the Account tab and select the AES 256 and AES 128 bit encryption.

 

 Sample bscLogin file:

com.businessobjects.security.jgss.initiate  {

com.sun.security.auth.module.Krb5LoginModule required debug=true;

};

Sample Krb5.ini

[domain_realm]

                .w2k16.com = <Domain Name>    //eg.W2K16.COM

                w2k16.com = <Domain Name>   //eg.W2K16.COM

[libdefaults]

    default_realm = <Domain Name>

    dns_lookup_kdc = true

    dns_lookup_realm = true

    forwardable = true 

    default_tkt_enctypes = AES256-CTS-HMAC-SHA1-96,AES128-CTS-HMAC-SHA1-96

    default_tgs_enctypes = AES256-CTS-HMAC-SHA1-96,AES128-CTS-HMAC-SHA1-96

 

[realms]

                <Domain Name> = {

                                admin_server = <Domain Controller Host name>

                                kdc = <Domain Controller Host fully Qualified Name>

                                default_domain = <Domain name>

                }

Create folder WINNT and save the krb5.ini and bscLogin file in the folder C:/WINNT

Create C:/WINNT folder in BOE server machine and also in the client Machine  and copy the same krb5.ini and bcsLogin file from the Domain controller to BOE server and the Client Machine.

Please Note: For AES encryption both 128 bit and 256 bit should  work with SHA-1 (Secure Hash Algorithm 1)

BOE Server Machine Configuration:

Step 1: Login to the BOE server Machine and Stop the SIA and right click properties and change the User to run on the bo.service account.
 

 

Step 2: Enter the password for the bo.service user and click on apply and start the SIA.

Step 3: Login to the CMC page and Go to the Authentication Tab

Step 4: Enter the AD Group which had been created in the Domain Controller Machine.

Step 5: Enter the Service principle name and select the option SSO Authentication.

Step 6: Select the Update the AD Group and Aliases now and  Update the Windows AD Authentication.

 

Tomcat Configuration

Step 1: Stop the Tomcat and open the Tomcat Configuration and in the Java tab append the following lines with the location of the krb5.ini and the bscLogin file.

-Djava.security.auth.login.config=C:\WINNT\bsclogin.conf

-Djava.security.krb5.conf=C:\WINNT\Krb5.ini

-Djcsi.kerberos.debug=true

Step 2: And Navigate to the following location and modify the BILaunchpad.Properties and Global.properties file

"C:\Program Files (x86)\SAP BusinessObjects\tomcat\webapps\BOE\WEB-INF\config\default"

Sample BILaunchpad.properties

Change the authentication default to secWinAD

# You can specify the default Authentication types here. secEnterprise, secLDAP, secWinAD, secSAPR3
authentication.default=secWinAD

# Choose whether to let the user change the authentication type. If it isn't shown the default authentication type from above will be used
authentication.visible=true

# You can specify the default CMS machine name here
cms.default=W4107SRV:6400

# Choose whether to let the user change the CMS name
cms.visible=true

Step 3: Edit the Service Principle name in the golbal.properties file

Sample global.properties

idm.realm=W2K16.COM
idm.princ=BOEXI40SIAW4107SRV/bo.service.W2K16.COM
idm.allowUnsecured=true
idm.allowNTLM=false
idm.logger.name=simple
idm.logger.props=error-log.properties

After this Configuration The Manual AD login will work.

Step 4: Restart the Tomcat and Check the SSO from client which logged in as the AD user.

Configuration for the AD SSO 

Step 1: Go to the Domain Controller Machine and Generate the Key tab file with respect to the AES Encryption and provide the Key tab file location in the Global.properties and restart the tomcat.

Step 2: Command to generate the key tab file.

ktpass -out C:\WINNT\W4107SRV.keytab -princ BOEXI40SIAW4107SRV/bo.service.W2K16.COM@W2K16.COM -mapuser bo.service@W2K16.COM -pass Password1 -ptype KRB5_NT_PRINCIPAL -crypto AES256-SHA1

Note: The Keytab file name C:\WINNT\W4107SRV.keytab should be the same name as the host name of the BOE server machine host.

Step 3 : Append the following line in the global.properties and restart the tomcat.

idm.keytab= C:/winnt/W4107SRV.keytab

 


 

 

 

 

  • No labels