
Configuration on the Windows 2016 Domain Controller:

Step 1: Log in to the Domain Controller machine.

Step 2: Open Active Directory Users and Computers.

Step 3: Create a new user, bo.service, to which the SPNs will be added.

Right-click → Users → New User, and select the option Password never expires.

Step 4: After creating the user, open its properties and, in the Account tab, provide the fully qualified name of the BOE server. Apply and save the changes.

Step 5: In the command prompt, run the following commands to create the SPNs for the bo.service user.

setspn -a BOEXI40SIAW2K16SRV/bo.service.W2K16.COM bo.service   //Fully Qualified name of the BOE Server

setspn -a W2K16SRV/bo.service.W2K16.COM bo.service  //BOE server Host Name

setspn -a W2K16SRV/bo.service bo.service

setspn -a http/W2K16SRV bo.service

setspn -a http/W2K16SRV.W2K16.COM bo.service

setspn -a http/ bo.service  //Internal IP of the Domain Controller.

setspn -a http/ bo.service  //Internal IP of the BOE server Machine.

setspn -a http/ bo.service  //Internal IP of the Client Machine.

Step 6: After creating the SPNs, right-click the user, open Properties → Delegation tab, and select the option to trust the user for delegation to any Kerberos service.


Step 7: For the same user, open the Account tab and select the AES 256-bit and AES 128-bit encryption options.


Sample bscLogin file:

{ required debug=true;


Sample Krb5.ini


       = <Domain Name>    //eg.W2K16.COM

       = <Domain Name>   //eg.W2K16.COM


    default_realm = <Domain Name>

    dns_lookup_kdc = true

    dns_lookup_realm = true

    forwardable = true 

    default_tkt_enctypes = AES256-CTS-HMAC-SHA1-96,AES128-CTS-HMAC-SHA1-96

    default_tgs_enctypes = AES256-CTS-HMAC-SHA1-96,AES128-CTS-HMAC-SHA1-96



                <Domain Name> = {

                                admin_server = <Domain Controller Host name>

                                kdc = <Domain Controller Host fully Qualified Name>

                                default_domain = <Domain name>


Create the folder C:/WINNT and save the krb5.ini and bscLogin files in it.

Create the C:/WINNT folder on the BOE server machine and on the client machine as well, and copy the same krb5.ini and bscLogin files from the Domain Controller to the BOE server and the client machine.

Please note: For AES encryption, both 128-bit and 256-bit should work with SHA-1 (Secure Hash Algorithm 1).

BOE Server Machine Configuration:

Step 1: Log in to the BOE server machine, stop the SIA, right-click it, open Properties, and change the user so that the SIA runs under the bo.service account.


Step 2: Enter the password for the bo.service user, click Apply, and start the SIA.

Step 3: Log in to the CMC page and go to the Authentication tab.

Step 4: Enter the AD group that was created on the Domain Controller machine.

Step 5: Enter the service principal name and select the option SSO Authentication.

Step 6: Select the option Update the AD Group and Aliases now, and update the Windows AD Authentication.


Tomcat Configuration

Step 1: Stop Tomcat, open the Tomcat Configuration, and in the Java tab append the following lines with the location of the krb5.ini and the bscLogin file.

\WINNT\bsclogin.conf

\WINNT\Krb5.ini


Step 2: Navigate to the following location and modify the BILaunchpad.Properties and file

"C:\Program Files (x86)\SAP BusinessObjects\tomcat\webapps\BOE\WEB-INF\config\default"


Change the authentication default to secWinAD

# You can specify the default Authentication types here. secEnterprise, secLDAP, secWinAD, secSAPR3

# Choose whether to let the user change the authentication type. If it isn't shown the default authentication type from above will be used

# You can specify the default CMS machine name here

# Choose whether to let the user change the CMS name

Step 3: Edit the service principal name in the file



After this configuration, manual AD login will work.

Step 4: Restart Tomcat and check SSO from a client that is logged in as the AD user.

Configuration for the AD SSO

Step 1: Go to the Domain Controller machine, generate the keytab file for AES encryption, provide the keytab file location in the and restart Tomcat.

Step 2: Command to generate the keytab file.

ktpass -out C:\WINNT\W4107SRV.keytab -princ BOEXI40SIAW4107SRV/bo.service.W2K16.COM@W2K16.COM -mapuser bo.service@W2K16.COM -pass Password1 -ptype KRB5_NT_PRINCIPAL -crypto AES256-SHA1

Note: The keytab file name (C:\WINNT\W4107SRV.keytab) should match the host name of the BOE server machine.

Step 3: Append the following line in the and restart Tomcat.

idm.keytab= C:/winnt/W4107SRV.keytab
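
This setup names an encryption type in three places: the account checkboxes in Step 7, the enctype lists in krb5.ini, and the ktpass -crypto value. If they disagree, Tomcat cannot decrypt the tickets it receives. The Python check below is an added example, not part of the original page or of SAP's tooling; the [libdefaults] header in the sample, the 0x18 account mask (the AES128 and AES256 bits of msDS-SupportedEncryptionTypes), the function names, and the rule that the KDC uses the strongest type enabled on the account are assumptions.

```python
import re

# Bits of the account's msDS-SupportedEncryptionTypes attribute (Step 7 checkboxes)
ENC_BITS = {0x01: "des-cbc-crc", 0x02: "des-cbc-md5", 0x04: "rc4-hmac",
            0x08: "aes128-cts-hmac-sha1-96", 0x10: "aes256-cts-hmac-sha1-96"}
# ktpass -crypto values and the enctype of the key each writes to the keytab
KTPASS = {"DES-CBC-CRC": "des-cbc-crc", "DES-CBC-MD5": "des-cbc-md5",
          "RC4-HMAC-NT": "rc4-hmac", "AES128-SHA1": "aes128-cts-hmac-sha1-96",
          "AES256-SHA1": "aes256-cts-hmac-sha1-96"}

def libdefaults(text):
    """Return the key/value pairs of the [libdefaults] section of a krb5.ini."""
    section, values = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            section = header.group(1)
        elif section == "libdefaults" and "=" in line and not line.startswith(("#", ";")):
            key, value = line.split("=", 1)
            values[key.strip()] = value.strip()
    return values

def check(krb5_text, account_mask, ktpass_crypto):
    """Cross-check the three places where this setup names an encryption type."""
    problems = []
    account = [name for bit, name in sorted(ENC_BITS.items()) if account_mask & bit]
    keytab = KTPASS[ktpass_crypto]
    # Assumption: the KDC encrypts the service ticket with the strongest account type.
    strongest = account[-1] if account else "none"
    if strongest != keytab:
        problems.append(f"keytab key is {keytab} but the account's strongest type is {strongest}")
    cfg = libdefaults(krb5_text)
    for option in ("default_tkt_enctypes", "default_tgs_enctypes"):
        listed = [t.lower() for t in re.split(r"[,\s]+", cfg.get(option, "")) if t]
        if not set(listed) & set(account):
            problems.append(f"{option} shares no type with the account")
        problems += [f"{option} allows non-AES type {t}" for t in listed if not t.startswith("aes")]
    return problems

# Constructed sample with the values this page configures (W2K16.COM is its example realm)
SAMPLE_KRB5 = """[libdefaults]
    default_realm = W2K16.COM
    default_tkt_enctypes = AES256-CTS-HMAC-SHA1-96,AES128-CTS-HMAC-SHA1-96
    default_tgs_enctypes = AES256-CTS-HMAC-SHA1-96,AES128-CTS-HMAC-SHA1-96
"""

if __name__ == "__main__":
    print(check(SAMPLE_KRB5, 0x18, "AES256-SHA1"))  # the page's settings
    print(check(SAMPLE_KRB5, 0x18, "AES128-SHA1"))  # keytab weaker than the account
```

An empty list means the account, krb5.ini and keytab agree; each string in a non-empty list names the setting to correct before restarting Tomcat.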





