
Configuring Business Objects Enterprise XI 3.1 Info View with Active Directory Single Sign-on Using Kerberos and .NET

Applies to: Business Objects Enterprise XI 3.1.

Summary
This document combines the key steps and troubleshooting needed to configure Business Objects Enterprise XI 3.1 InfoView with .NET and Active Directory authentication (including single sign-on using Kerberos in a Windows Server 2003 environment).

Author: Miles Escow

Company: Business Objects an SAP company

Created on: 12th November 2008

Author Bio

Miles is a senior engineer working in the European Technical Assurance Centre in Ealing, London for the Authentication team.

SAP COMMUNITY NETWORK SDN - sdn.sap.com | BPX - bpx.sap.com | BOC - boc.sap.com © 2008 SAP AG 1


Table of Contents
Key Terms
Troubleshooting Tools that may be needed
Related documentation
Planning your Service account Configuration
Section 1 - Setting up a service account
    Setting up a service account on a Windows 2003 or 2008 Domain
    Granting the service account rights
    Adding the Service Account to the servers’ Local Administrators group
    Configuring the servers to use the service account
Section 2 - Configuring the Authentication options in the Central Management Console (CMC)
Section 3 - To configure Kerberos for .NET InfoView and IIS
Section 4 – Configuring client machines’ browser
Section 5 - Configuring single sign-on for .NET InfoView
    To enable single sign-on in the CMC
    Modifying web.config for impersonation and Windows authentication
    Configure IIS for Integrated Windows Authentication
    Configure the IIS host to be trusted for delegation
    To configure IIS for AD domain access
    Configure the Internet Explorer browser
Copyright


Key Terms
Some terms or acronyms we will be referring to throughout this document:

• CMS – Central Management Service, a Business Objects service responsible for authorization among other tasks.
• CMC – Central Management Console, a web-based admin tool used to configure the CMS service and other parameters for Business Objects Enterprise.
• CCM – Windows utility found on Business Objects Enterprise servers that can be used to view Business Objects servers/services/processes.
• SSO – Single Sign-On: the ability to access an application without entering login credentials, also known as silent sign-on, automatic logon, etc.
• Service account – Refers to an Active Directory user with special permissions (such as a fixed non-changing password or SPN).
• SPN – Service Principal Name, an additional alias and attribute of an AD account. Various tools can be used to add an SPN to an AD account. It is much like a UPN or SAM account name, except that there can be multiple SPNs per account. The SPN is a primary access point for Kerberos applications.
• UPN – User Principal Name in AD (i.e. [email protected]).
• SAM Account Name – common logon name in AD (i.e. domain\user).
• JAS – Java application server.


Troubleshooting Tools that may be needed
• DelegConfig - A tool to help resolve Kerberos authentication and delegation issues: http://blogs.iis.net/bretb/archive/2008/03/27/How-to-Use-DelegConfig.aspx
• AD Explorer - Can be downloaded from Microsoft Sysinternals; used to search and verify AD account attributes: http://technet.microsoft.com/en-us/sysinternals/bb963907
• MMC - Microsoft Management Console, which can be accessed from any Windows 2000/2003 server.
• Packet Scanner – The built-in Microsoft Netmon, the free third-party Ethereal/Wireshark, or another utility that can trace and record network packets between various hosts:
  o http://www.microsoft.com/DOWNLOADS/details.aspx?FamilyID=f4db40af-1e08-4a21-a26b-ec2f4dc4190d&displaylang=en
  o http://www.wireshark.org/download.html
• Kerbtray – Microsoft utility used to display or purge Kerberos tickets on a client workstation: http://www.microsoft.com/downloads/details.aspx?FamilyID=4e3a58be-29f6-49f6-85be-e866af8e7a88&displaylang=en

Related documentation

• XIR2 Java AD: https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/e0edd98d-c43e-2b10-e09a-e0a89931cedc
• XIR2 Vintela: https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/3097fb98-c63e-2b10-e7b8-fb7253566373
• XI 3.1 Admin Guide: http://help.sap.com/businessobject/product_guides/boexir31/en/xi3-1_bip_admin_en.pdf

Planning your Service account Configuration
Prior to configuring SSO you must create at least 1 service account. There are 2 completely separate roles for a service account. These roles can be shared by 1 account or spread across many. A common naming convention can make troubleshooting easier and management simpler.

• Role 1 - CMC – Query AD - Used by the CMS to perform LDAP searches against AD's directory servers (requires no delegation, no SPN, only read/query of AD). A typical domain user in AD will usually work. This account does not actually run any services or require any local permission unless combined with the CMS service account.
• Role 2 – CMS/SIA service account - Used by the CMS to perform TGS requests against the KDC (requires the “act as part of the OS” right, local admin, membership of the local Administrators group on the BOE server, at least 1 SPN (CMC/Authentication/Windows AD/Service Principal Name), no delegation). Must be configured for every CMS that will be authorizing AD users via the Kerberos protocol.
  o If using SSO to the DB, this account will also require delegation to be enabled, and will need to be running the proper reporting server(s) as well as the CMS. If running the SIA, then all processes under that SIA are also run by this account.

You can have as many or as few service accounts as you would like. If SPNs are involved, the fewer service accounts there are, the lower the chance of duplicate SPNs (an issue where AD cannot respond to Kerberos requests because the same alias (SPN) has been created for multiple accounts). The per-role option is excellent as well and will make tracing a little easier if packet scanning is required. If you have any questions, please open a message with support prior to executing these steps, or post your questions on the SDN forums.

After planning your naming convention and service accounts, you are ready to create your service accounts. Service accounts will need to be created in Active Directory by a Domain Admin. Screenshots will be created with the newest version of Enterprise (there may be slight differences if using older versions). Note that this configuration is only possible with Business Objects XI 3.1 or later.

Note: Even though there will be screenshots with steps completed in Active Directory throughout the rest of this document, please refer to your company's local AD admins to complete these steps. The steps documented were tested in-house, but your local AD admin is the only one familiar with your company's AD and its policies. If any questions arise, please use the Business Objects user forums or open a message with support.


Section 1 - Setting up a service account
To configure BusinessObjects Enterprise for Kerberos and Windows AD authentication, you require a service account. You can either create a new domain account or use an existing domain account. The service account will be used to run the BusinessObjects Enterprise servers.

How you create this account varies slightly depending on what version of Active Directory Domain you are using:

Setting up a service account on a Windows 2003 or 2008 Domain
1. Create a new account on the domain controller or use an existing account. For detailed instructions, refer to http://msdn.microsoft.com/

Note: With a Windows 2003 or 2008 Domain, RC4 is the default encryption type and should be used. You will need Business Objects Enterprise to be running with JDK 1.5 or higher. (It ships with Business Objects Enterprise and is installed by default.) If you want to use a lower JDK, you must check "Use DES encryption".

2. Check the ‘User cannot change password’ and ‘Password never expires’ options.

3. Open a command prompt and enter this command:

   SETSPN.exe -A BOBJCentralMS/NAME serviceaccount

   • Replace NAME with the fully qualified domain name of your machine running the CMS service. For example: VEN-W3S-MESCO35.MILES.COM
     o (For clustered CMSs, use a generic name; do not use the host name of a CMS machine.)
   • Replace serviceaccount with the name of your service account that runs the CMS service. For example: SVC_XIr3
   • Verify that you receive a message similar to the one seen in the screenshot below:

4. TEST 1: To verify that the SPN (BOBJCentralMS/VEN-W3S-MESCO35.MILES.COM) was configured properly, run setspn -l on the service account.

5. Open the account properties, click the Delegation tab and select Trust this user for delegation to any service (Kerberos only).

Note: You will not see the Delegation tab until after you have entered the SETSPN command.

6. Click OK.
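A check for the duplicate-SPN problem described under "Planning your Service account Configuration" and for the account options set in steps 2 to 5 above. This PowerShell is an added example, not part of the original document: the function names, the second account SVC_OLD and the sample records are constructed, and the userAccountControl bit values are the documented Active Directory ones.

```powershell
# Added example (not from the original document).
# Audits account records for duplicate BOBJCentralMS SPNs and for the account
# options this section sets. Each input object needs three properties:
# sAMAccountName, servicePrincipalName (string[]) and userAccountControl (int).
# In a live domain the same fields can be read with an LDAP query for
# (servicePrincipalName=BOBJCentralMS/*); here the records are constructed.

# Documented userAccountControl bit values in Active Directory.
$UacFlag = @{
    DontExpirePassword   = 0x10000    # "Password never expires" (step 2)
    TrustedForDelegation = 0x80000    # "Trust this user for delegation to any service" (step 5)
    UseDesKeyOnly        = 0x200000   # "Use DES encryption types for this account"
}

function New-Finding {
    param([string] $Severity, [string] $Subject, [string] $Finding)
    [pscustomobject]@{ Severity = $Severity; Subject = $Subject; Finding = $Finding }
}

function Get-SpnAudit {
    param(
        [Parameter(Mandatory = $true)] [object[]] $Accounts,
        [string] $ServiceClass = 'BOBJCentralMS'
    )

    # 1. Map every matching SPN to the accounts that carry it.
    #    SPNs are compared case-insensitively here, so the key is lower-cased.
    $owners = @{}
    foreach ($account in $Accounts) {
        foreach ($spn in @($account.servicePrincipalName)) {
            if ($spn -notlike "$ServiceClass/*") { continue }
            $key = $spn.ToLowerInvariant()
            if (-not $owners.ContainsKey($key)) { $owners[$key] = @() }
            $owners[$key] += $account.sAMAccountName
        }
    }
    foreach ($key in $owners.Keys) {
        $names = @($owners[$key] | Sort-Object -Unique)
        if ($names.Count -gt 1) {
            New-Finding 'Error' $key ('Duplicate SPN, registered on: ' + ($names -join ', '))
        }
    }

    # 2. Report the account options of every account that holds such an SPN.
    foreach ($account in $Accounts) {
        $matching = @(@($account.servicePrincipalName) -like "$ServiceClass/*")
        if ($matching.Count -eq 0) { continue }

        $name = $account.sAMAccountName
        $uac  = [int] $account.userAccountControl

        if (-not ($uac -band $UacFlag.DontExpirePassword)) {
            New-Finding 'Warning' $name "'Password never expires' is not set (step 2)"
        }
        if ($uac -band $UacFlag.TrustedForDelegation) {
            New-Finding 'Info' $name ('Trusted for delegation to any service (step 5); ' +
                'the Role 2 description needs delegation only for SSO to the DB')
        }
        if ($uac -band $UacFlag.UseDesKeyOnly) {
            New-Finding 'Warning' $name 'DES-only keys; the note under step 1 says RC4 should be used'
        }
    }
}

# Constructed sample records. SVC_XIr3 and the SPN come from the examples in
# step 3; SVC_OLD is a hypothetical leftover account holding the same SPN.
$sample = @(
    [pscustomobject]@{
        sAMAccountName       = 'SVC_XIr3'
        servicePrincipalName = @('BOBJCentralMS/VEN-W3S-MESCO35.MILES.COM')
        userAccountControl   = 0x200 -bor 0x10000 -bor 0x80000
    },
    [pscustomobject]@{
        sAMAccountName       = 'SVC_OLD'
        servicePrincipalName = @('bobjcentralms/ven-w3s-mesco35.miles.com')
        userAccountControl   = 0x200 -bor 0x200000
    }
)

Get-SpnAudit -Accounts $sample | Format-Table -AutoSize -Wrap
```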

Granting the service account rights
In order to support AD and Kerberos, you must grant the service account the right to act as part of the operating system. This must be done on each machine running a Server Intelligence Agent (SIA) with the following servers:

• CMS
• Crystal Reports Processing Server (required only for SSO2DB)
• Report Application Server (required only for SSO2DB)
• Web Intelligence Processing Server (required only for SSO2DB)

7. On the Business Objects machine, click Start > Control Panel > Administrative Tools > Local Security Policy.
8. Expand Local Policies, then click User Rights Assignment.
9. Double-click Act as part of the operating system.
10. Click Add.
11. Enter the name of the service account you created, then click OK.
12. Repeat the above steps on each machine running a BusinessObjects Enterprise server.


Adding the Service Account to the servers’ Local Administrators group

In order to support Kerberos, the service account must be part of the local Administrators group for each server that has a SIA with one of the following services deployed: 

• CMS
• Crystal Reports Processing Server (required only for SSO2DB)
• Report Application Server (required only for SSO2DB)
• Web Intelligence Processing Server (required only for SSO2DB)

13. On the desired machine, right-click My Computer and click Manage.
14. Go to System Tools > Local Users and Groups > Groups.
15. Right-click Administrators, then click Add to Group.
16. Click Add and type the logon name of the service account.
17. Click Check Names to ensure that the account resolves.
18. Click OK, then click OK again.
19. Repeat these steps for each Business Objects server that has to be configured.

 

Configuring the servers to use the service account

To support Kerberos single sign‐on, you must configure the SIA that contains the following servers to log on as the service account: 

• CMS server
• Crystal Reports Processing Server (required only for SSO2DB)
• Report Application Server (required only for SSO2DB)
• Web Intelligence Processing Server (required only for SSO2DB)

20. In the Central Configuration Manager (CCM), stop the Server Intelligence Agent (SIA).

Note: When you stop the SIA, all services managed by the SIA are stopped.

21. Double-click the SIA to view its properties.
22. On the Properties tab, in the Log On As area, deselect the System Account check box.
23. Provide the user name and password for the service account you created earlier, click Apply, then click OK.
24. Restart the SIA.
25. If necessary, repeat steps 1 through 5 for each SIA that is running a service that has to be configured.


Section 2 - Configuring the Authentication options in the Central Management Console (CMC)

26. Go to the "Authentication" management area of the CMC.
27. Double-click Windows AD.
28. Ensure that the Enable Windows Active Directory (AD) box is selected.
29. In the Windows AD Configuration Summary area, click the link beside AD Administration Name.

Note: Before the Windows AD plug-in is configured, this link will appear as two double quotes. After the configuration has been saved, the link will be populated with the AD Administration names.

30. Enter the name and password of an enabled domain user account. BusinessObjects Enterprise will use this account to query information from AD. Administration credentials can use one of the following formats:
    • NT name (DomainName\UserName)
    • UPN (user@DNS_domain_name)
      o BusinessObjects Enterprise never modifies, adds or deletes content from AD. It only reads information, therefore only the appropriate rights are required.
      o Note: AD authentication will not continue if the AD account used to read the AD directory becomes invalid (for example, if the account's password is changed or expires or the account is disabled).

31. Complete the Default AD Domain field.

Note: Groups from the default domain can be mapped without specifying the domain name prefix.

    • If you enter the Default AD Domain name, users from the default domain do not have to specify the AD domain name when they log on to BusinessObjects Enterprise via AD authentication.

32. In the "Mapped AD Member Groups" area, enter the AD domain\group in the Add AD Group (Domain\Group) field. Groups can be mapped using one of the following formats:
    • Security Account Manager account name (SAM), also referred to as NT name (DomainName\GroupName)
    • DN (cn=GroupName, ......, dc=DomainName, dc=com)

Note: If you want to map a local group, you can use only the NT name format (\\ServerName\GroupName). Windows AD does not support local users. This means that local users who belong to a mapped local group will not be mapped to BusinessObjects Enterprise. Therefore, they will not be able to access BusinessObjects Enterprise.

33. Click Add. The group is added to the list.
34. Under Authentication Options, select Use Kerberos authentication.
35. In the Service principal name field, enter the service principal name of the service account that you created in step 2. Do not use the User Principal Name, display name or any other format.

    BOBJCentralMS/SERVER.DOMAIN.COM

    • This field is case sensitive if you are using DES encryption for the account; it must match what is set up in your Active Directory domain. However, RC4 encryption is not case sensitive in the same way, which is one of the many advantages of using RC4 encryption.


36. You can skip over the configuration of the "Authentication Options", "Synchronization of Credentials" and "SiteMinder Options". For specific information on how to configure these options, please refer to Chapter 6 of the Admin guide for XI 3.1.

37. TEST 2: Go to CMC/Groups, select the group you mapped in, and view the users for that group. This will generate a live query to AD (using the CMC query account) and display the current users in that group. It will also display any nested users in that group (users that belong to member AD groups). 


Section 3 - To configure Kerberos for .NET InfoView and IIS

38. Open the web.config file for .NET InfoView with Notepad. The file is by default installed in the following directory: <INSTALLDIR>\Business Objects\BusinessObjects Enterprise 12.0\Web Content\InfoViewApp\InfoViewApp.
39. Modify the web.config file settings. To set Windows AD as the default authentication option for InfoView, change the

    <add key="authentication.default" value="secEnterprise"/>

    section to

    <add key="authentication.default" value="secWinAD"/>

40. If you want the user to select an authentication option before logging on to InfoView, change the

    <add key="authentication.visible" value="false"/>

    section to

    <add key="authentication.visible" value="true"/>

41. Save and close the web.config file.
42. Restart IIS.

Section 4 – Configuring client machines’ browser
This procedure must be carried out on all client machines that should have access to InfoView.

43. Open Internet Explorer.
44. Select Tools from the menu, then select Internet Options.
45. Click the Security tab.
46. Select the Local Intranet icon, then click the Sites button.
47. Enter the hostname of the Business Objects Enterprise server that hosts IIS.
    • Depending on how well DNS has been configured, it may be necessary to add the fully qualified domain name (FQDN) of the server as well.
48. Click Add, then Close, and then OK.

Note: Close the browser and reopen it for the changes to take effect.

49. TEST 3: Users will now be able to use their AD usernames and passwords to log on to .NET InfoView via Kerberos authentication.

This is all that is required for manual AD authentication. If you wish to configure single sign‐on, please continue. 


Section 5 - Configuring single sign-on for .NET InfoView
This section describes the steps required to configure single sign-on and AD authentication using Kerberos for BusinessObjects Enterprise .NET InfoView. Before implementing these steps, make sure that manual authentication to .NET InfoView with Kerberos is working correctly: AD users must be able to provide their AD username and password to log on to .NET InfoView, and Kerberos must have been enabled in the CMC.

To enable single sign-on in the CMC
50. Go to the "Authentication" management area of the CMC.
51. Double-click Windows AD.
52. Select Enable Single Sign On for selected authentication mode in the "Authentication Options" area.
53. Click Update.

 


Modifying web.config for impersonation and Windows authentication

To enable impersonation and Windows authentication, you need to modify the web.config files for the two applications below:

• InfoViewApp: <INSTALLDIR>\Business Objects\BusinessObjects Enterprise 12.0\Web Content\InfoViewApp\InfoViewApp
• PlatformServices: <INSTALLDIR>\Business Objects\BusinessObjects Enterprise 12.0\Web Content\PlatformServices\

54. Open the Web.config file for InfoView.
55. Locate the following line under <system.web>:
    • <!--identity impersonate="true"/-->
56. Remove the comments on the line so that it looks like:
    • <identity impersonate="true"/>
57. Edit the strings as indicated below:
    • <add key="cmsDefault" value="" />
      o Enter the CMS machine name in the cmsDefault value field.
    • <add key="ssoEnabled" value="false" />
      o Change "false" to "true"
58. Save and close the Web.config file.
59. Open the Web.config file for PlatformServices.
60. Edit the lines under <system.web> as indicated below:
    • <authentication mode="None" />
      o Change "None" to "Windows"
    • <identity impersonate="true" />
      o Ensure this line is set to "true"
61. Save and close the Web.config file.
62. Restart IIS.
63. Windows Authentication.
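A way to confirm that both web.config files ended up with the values set in Section 3 (step 39) and in steps 55 to 60 above. This PowerShell is an added example, not part of the original document: the rule table, the function name and the two sample files are constructed, and placing the <add> keys under <appSettings> and assuming no default XML namespace are assumptions of the samples.

```powershell
# Added example (not from the original document).
# Checks a web.config against the values the procedure above sets.
# For a real file, load it with:  [xml](Get-Content '<path to web.config>')

# Expected values from steps 39 and 55-60. Want = $null means "any non-empty value".
# ASP.NET spells the element <authentication> in lower case, and XML names are
# case-sensitive, so the XPath uses the lower-case form.
$SsoRules = @{
    InfoViewApp = @(
        @{ XPath = "//add[@key='authentication.default']"; Attr = 'value';       Want = 'secWinAD' },
        @{ XPath = "//system.web/identity";                Attr = 'impersonate'; Want = 'true' },
        @{ XPath = "//add[@key='cmsDefault']";             Attr = 'value';       Want = $null },
        @{ XPath = "//add[@key='ssoEnabled']";             Attr = 'value';       Want = 'true' }
    )
    PlatformServices = @(
        @{ XPath = "//system.web/authentication"; Attr = 'mode';        Want = 'Windows' },
        @{ XPath = "//system.web/identity";       Attr = 'impersonate'; Want = 'true' }
    )
}

function Test-SsoWebConfig {
    param(
        [Parameter(Mandatory = $true)] [xml] $Config,
        [Parameter(Mandatory = $true)]
        [ValidateSet('InfoViewApp', 'PlatformServices')] [string] $App
    )
    foreach ($rule in $SsoRules[$App]) {
        $node   = $Config.SelectSingleNode($rule.XPath)
        $actual = $null
        if ($null -eq $node) {
            # A line that is still inside <!-- --> is a comment node, not an
            # element, so a commented-out <identity> is reported here too.
            $status = 'MISSING'
        } else {
            $actual = $node.GetAttribute($rule.Attr)
            if ($null -eq $rule.Want) {
                if ([string]::IsNullOrEmpty($actual)) { $status = 'EMPTY' } else { $status = 'OK' }
            } elseif ($actual -eq $rule.Want) {
                $status = 'OK'
            } else {
                $status = 'MISMATCH'
            }
        }
        [pscustomobject]@{
            App      = $App
            Setting  = $rule.XPath + '/@' + $rule.Attr
            Expected = $(if ($null -eq $rule.Want) { '(non-empty)' } else { $rule.Want })
            Actual   = $actual
            Status   = $status
        }
    }
}

# Constructed sample: identity still commented out, cmsDefault left empty, and
# a stray leading space in the ssoEnabled key, so the exact-match lookup fails.
[xml] $infoView = @'
<configuration>
  <appSettings>
    <add key="authentication.default" value="secWinAD"/>
    <add key="cmsDefault" value="" />
    <add key=" ssoEnabled" value="true" />
  </appSettings>
  <system.web>
    <!--identity impersonate="true"/-->
  </system.web>
</configuration>
'@

# Constructed sample: authentication mode not yet changed from "None".
[xml] $platformServices = @'
<configuration>
  <system.web>
    <authentication mode="None" />
    <identity impersonate="true" />
  </system.web>
</configuration>
'@

Test-SsoWebConfig -Config $infoView -App InfoViewApp | Format-Table -AutoSize
Test-SsoWebConfig -Config $platformServices -App PlatformServices | Format-Table -AutoSize
```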


Configure IIS for Integrated Windows Authentication 

To support single sign‐on you need to configure InfoView in IIS to use Integrated Windows Authentication. 

64. Open the Internet Information Services (IIS) Manager (go to: Start > Settings > Control Panel > Administrative Tools).
65. In the "Internet Information Services" window for IIS, expand the tree on the left and go to InfoViewApp under Default Web Site.
66. Right-click InfoViewApp and select Properties.
67. Click Edit in the "Directory Security" tab.
68. Unselect Anonymous Access if it is selected.
69. Select Integrated Windows Authentication and click OK.
70. Click OK to finish.
71. Repeat steps 64-70 for PlatformServices.
72. Restart IIS.


Configure the IIS host to be trusted for delegation

Either the machine hosting IIS or the account IIS is running under must be trusted for delegation. Implement the steps below to configure the machine hosting IIS for delegation. For instructions on how to set the account IIS is running under, please refer to your Windows AD documentation.

73. Open the "Active Directory Users and Computers" snap-in.
74. Expand the tree to the domain of the machine hosting IIS.
75. Double-click Computers.
76. Right-click the machine hosting IIS and select Properties.
77. Select the "Delegation" tab.
78. Select Trust this computer for delegation to any service (Kerberos only) and click OK.

Note: If you do not want to trust the computer for delegation, please read step 81.


To configure IIS for AD domain access

IIS 6 should be running by default under the Network Service account which has sufficient rights for AD domain access. 

79. In Internet Information Services (IIS) Manager, go to local computer > Application Pools.
80. Right-click DefaultAppPool and select Properties.
81. Select the "Identity" tab. Ensure that Network Services is selected and not any of the Local accounts.

Note: You can alternatively use "Configurable" and run the Application Pool under a domain account. This domain account should be trusted for delegation. To do this, steps 73-78 should be applied to the domain account and not the computer. This account could be the same account that is used to run the CMS service.

82. Click OK.

 


 83. Repeat steps 79 – 91 for the BOBJAppPool121 

 84. Restart IIS if you modified any of the Application Pool settings. 


Configure the Internet Explorer browser

You need to configure the Internet Explorer browser on a BusinessObjects Enterprise client machine to support end‐to‐end single sign‐on. This implementation includes the following tasks: 

• Configuring client machines for integrated Windows authentication
• Adding IIS to the local intranet sites (already covered in section 4)

85. On the client machine, open an Internet Explorer browser.
86. Go to Tools > Internet Options.
87. Select the "Advanced" tab.
88. Navigate to the "Security" settings.
89. Select Enable integrated windows authentication and click Apply.
90. Click OK twice to close the Internet Options dialog box.
91. Close the Internet Explorer browser, and then open it again for the changes to take effect.
92. Repeat steps 1-4 for every client machine.
93. Test 4: Open Internet Explorer on a configured client machine and test the InfoView URL: http://Servername/InfoViewApp
    • Replace Servername with the name of the server hosting IIS.


Copyright © 2008 SAP AG. All rights reserved.
