Home > Administrators, BI Platform > Real World Guide to Setting up Kerberos

Real World Guide to Setting up Kerberos

[UPDATED 10/1/2010 – See Below]

I was recently involved with the configuration of Kerberos with a customer and as I was reading about it in the documentation, I realized that there were a number of areas that lacked the clarity I needed to understand what information SAP BusinessObjects needed to know about my environment.

The Service Account

Permissions are one of the first areas that might trip you up.  In my case I used the same user for the service account that you use for configuring the SIA and that has read access to Active Directory.  It will simplify things for you.  You should also make the service account a local admin on the Business Objects Enterprise Servers.  The service should be a non-dialog user.

Step 1 – Create the SPN

As a Domain Admin, Create the SPN for all of your CMS Servers.  You will need to create an SPN for the fully qualified domain name, as well as the short name.  In my case I have two machines which are running a CMS on each.  I will refer to these machines as cms1 and cms2.

Example:

SETSPN.exe -A BOBJCentralMS/cms1 serviceaccountname
SETSPN.exe -A BOBJCentralMS/cms1.mydomain.local serviceaccountname
SETSPN.exe -A BOBJCentralMS/cms2 serviceaccountname
SETSPN.exe -A BOBJCentralMS/cms2.mydomain.local serviceaccountname

(In the above example:  host – cms1 and cms2, domain – mydomain.local, username  – serviceaccountname)

Step 2 – Confirm the SPN

In the Windows Server Support tools you will find lfifde.exe.  You can use this to application to confirm that the SPN has been correctly associated with the username.

Example:

ldifde -d "dc=mydomain,dc=local" -r "servicePrincipalName=BOBJCentralMS*" -p subtree -l "dn,servicePrincipalName" –f C:ldifdeoutput.txt

When you run the command, you should see something like:

Connecting to "adc1.mydomain.local"
Logging in as current user using SSPI
Exporting directory to file C:ldifdeoutput.txt
Searching for entries...
Writing out entries..
1 entries exported

When you open C:ldifdeoutput.txt, you should see something like:

dn: CN=mydomain, serviceaccountname,OU=Service Accounts,OU=Accounts, DC=mydomain,DC=local
changetype: add
servicePrincipalName: BOBJCentralMS/cms1.mydomain.local
servicePrincipalName: BOBJCentralMS/cms1
servicePrincipalName: BOBJCentralMS/cms2.mydomain.local
servicePrincipalName: BOBJCentralMS/cms2

Important Note: Keep track of the way that serviceaccountname is spelled within the first line of C:ldifdeoutput.txt.  You will need to use it later and it IS case sensitive.

Step 3 – Create Files for Kerberos

On your CMS Servers (cms1 & cms2 in this example) create two files for Kerberos.  The documentation indicates that you should be able to control the locations of the files using your java options.  I was unable to get Kerberos to work unless they were in the default location of C:WINNT, therefore I made a C:WINNT directory for the files.

File 1: krb5.ini

[libdefaults]
default_realm = MYDOMAIN.LOCAL
dns_lookup_kdc = true
dns_lookup_realm = true
[realms]
MYDOMAIN.LOCAL = {
default_domain = MYDOMAIN.LOCAL
kdc = MYDOMAIN.LOCAL
}

NOTE:  If you want to query a particular domain controller you should be able to specify it on the line kdc=, however if AD is set up correctly then your domain name should resolve to the nearest domain controller.  You may want to check the configuration by typing “nslookup mydomain.local” at a command prompt.

File 2: bscLogin.conf

com.businessobjects.security.jgss.initiate {
com.sun.security.auth.module.Krb5LoginModule required debug=true;
};

[UPDATE: 10/1/2010]
Notice that debug=true…this means that when you try to authenticate, you should get a message in the log.  If authentication is failing on you…look in the log to make sure that you are seeing an entry for the attempt.  If you do not see a login, then bscLogin.conf is not even getting loaded, and there is something misconfigured.  This is a great hint for troubleshooting later.
[END UPDATE]

Step 4 –Rights to the Service Account

Next we need to grant the Service Account rights to act as part of the operating system.  These 7 steps walk you through the process.

  1. Click Start > Control Panel > Administrative Tools > Local Security Policy.
  2. Expand Local Policies, then click User Rights Assignment.
  3. Double-click Act as part of the operating system.
  4. Click Add.
  5. Enter the name of the service account you created, then click OK.
  6. Ensure that the Local Policy Setting check box is selected, and click OK.
  7. Repeat the above steps on each machine running a BusinessObjects Enterprise.

[UPDATE: 10/1/2010]

Step 4b – Missing STEP

  1. Set your java options to look in your C:winnt folder.
  2. Go to start->Tomcat->Tomcat configuration
  3. Go to the java options tab and set the following java options:
    -Djava.security.auth.login.config=C:/winnt/bscLogin.conf
     -Djava.security.krb5.conf=C:/winnt/krb5.ini
  4. Hit OK and restart Tomcat

Thanks everyone for your feedback and pointing out this missing step.

[END UPDATE]

Step 5 – Testing Kerberos

We can now test Kerberos with the kinit.exe utility.   An example of this command for a service account called servact would be:

C:Program FilesBusiness Objectsjavasdkbinkinit.exe servact@TESTM03.COM Password

Syntax Example:

<InstallDirectory>Business Objectsjavasdkbinkinit.exe serviceaccountname@MYDOMAIN.LOCAL password

IMPORTANT NOTE: If you still have a problem, ensure that the case you entered for your domain and service principal name match exactly with what is set in Active Directory.  The easiest way to find the proper casing for the account is to look at the C:ldifdeoutput.txt file we created in Step 2 – Confirm the SPN.

Step 6 – Configuring Active Directory

We  can configure the Active Directory Plug-in within SAP BusinessObjects.

  1. Launch the CMC (http://yourserver:8080/CmcApp) and go to the Authentication section of the CMC (Central Management Console).
  2. Double-click on Windows AD
  3. Select “Enable” Windows AD
  4. Click the AD Administration Name.
    • For the user enter the NTLM name…for example: MYDOMAINserviceaccountname
    • For the password enter the password
    • For the Default AD Domain Enter the full domain name in all caps: MYDOMAIN.LOCAL
    • Click update.
  5. Add a Mapped AD Member Group by typing the group name in the box and clicking add…for example: MYDOMAINBOEUsers
  6. Under Authentication Options:
    1. Click Use Kerberos authentication and make sure the Cache Security Context is checked.
    2. For the Service Principal name enter the service account name with the casing exactly as it appears in the C:ldifdeoutput.txt created in step 2 followed by an @ sign followed by the domain in all caps.  EXAMPLE: serviceaccountname@MYDOMAIN.LOCAL
    3. Check the box that says Enable Single Sign on for selected authentication mode.
  7. Under AD Alias Options, configure the options here however are appropriate for your environment.
  8. Under Attribute Binding Options, we need to check both boxes
  9. Under AD Group Graph, configure as desired
  10. Under On-demand AD Update, configure as desired
  11. Click Update

Step 7 – Configuring Tomcat

Configure tomcat to use WinAD as the default Authentication mechanism for infoview:

  1. Open <Install Directory>Tomcat55webappsInfoViewAppWEB-INFweb.xml in your favorite text editor.
  2. Search for authentication.default and change the value to: secWinAD
  3. Use Central Configuration Manager (CCM) to restart Tomcat.

Conclusion

Please let me know if this guide was useful.  Setting up Kerberos with SAP BusinessObjects can be tricky and it’s only when I hear from you that I know whether or not these posts are hitting the mark.

«Good BI»

  1. Eric
    May 15th, 2009 at 15:03 | #1

    Hi David, I configured the BOXI 3.1 AD authentication exactly like you mentioned. However, I always get “Account Information Not Recognized (FWM 00005)” error when I log in InfoView with AD authentication. But I do can log in Web Intelligence and Desktop Intelligence with AD authentication.

    I really appreciate your answer.

    Thanks.

  2. May 18th, 2009 at 14:10 | #2

    Eric – let me look into this and see what I can find out. I hope I didn’t miss a step!

  3. Mike
    May 28th, 2009 at 15:31 | #3

    When entering the ‘Service principal name,’ you show the entry to be ‘serviceaccountname@MYDOMAIN.LOCAL.’ Isn’t this the account the service principal name is registered to and not the actual service principal name? In your example that could be BOBJCentralMS/cms1.

    I have several environments and have been able to get end-to-end SSO to work in only one of them by using the actual service principal name. Unfortunately, I’ve tried every combination for service principal name and have had no luck in the others.

  4. bastian
    July 14th, 2009 at 09:47 | #4

    Hi David,

    your “real world” explanation helped me a lot. But I still have trouble with the BOE – AD communication: KINIT works fine, but when I enter the AD user group in the CMC/Auth. section, I still get an error “secWinAD plugin cannot resolve the group domaingroupname.

    Do you have any helpful ideas?

    Thanks in advance & kind regards,

    Bastian

  5. Alexey
    July 16th, 2009 at 06:27 | #5

    David, thank a lot for your work. Your confirmation steps (#2,5) save me a day of work. The guide is very good. In step 2 you wrote “In the Windows Server Support tools you will find lfifde.exe” but you mean ldifde.exe, I think.
    I have saved the guide for future use ))

  6. Jason Brooks
    July 21st, 2009 at 12:45 | #6

    Thanks! This was a big help

    However, I had to use the Service Principal name: BOBJCentalMS/cms1@MYDOMAIN.LOCAL

    and users has to add @MYDOMAIN.LOCAL after their username to get the login to work. This is probaly configuration.

    Thanks again,
    -Jason

  7. Chee
    August 3rd, 2009 at 21:50 | #7

    I am trying to setup Kerberos via AD authentication for CMC WASC, and am running into issue logging into to CMC via AD authentication. In the Admin Guide it stated that use the command “SETSPN.exe –A / . Replace with any desired name. For example, BOBJCentralMS.”

    I replaced “BOBJCentralMS” with “bobjcms” in the entry e.g. bobjcms/

    Does “BOBJCentralMS” need to be exactly spell like that, and can i use a different name like bobjcms? Please help.

    • Jason Brooks
      August 20th, 2009 at 08:48 | #8

      Chee –
      You can name use the name “bobjcms” or any other name but the casing is important and you must reference the full domain name in the CMC. I just did this Kerberos setup 2 or 3 times and I think I hit every pain point. If you have more questions, send me an email and I can show you some screen shots from CMC.

      • Ba Posts
        September 24th, 2009 at 10:28 | #9

        Hi Jason, could you help me out can you send me your mail id to baposts@yahoo.com, I am running into issues, I think you might be able to help me.

  8. March 26th, 2010 at 05:17 | #10

    There are a few steps missing here. You wil find full instructions in the Business Objects Enterprise Administrator Guide. Chapter 4. You do need to do other stuff in AD GUI, the apps server Admin GUI and make a few changes to the Tomcat configuration panel.

  9. May 3rd, 2010 at 15:14 | #11

    There was a great webinar recently about setting up SSO called: Configuring Single Sign-On in BusinessObjects XI

    You need to be a member of ASUG to access the recording… here it is:
    http://jive.asug.com/servlet/JiveServlet/downloadBody/25055-102-1-31758/BO%20S&A%20Webcast%204.27.10-20100427%201502-1.arf

  10. February 7th, 2011 at 18:22 | #12

    I ran across another great SSO article that I thought I’d share from Josh Fletcher @josh_fletcher http://sboblog.infotrust.dk/index.php/2010/05/21/active-directory-sso-on-sap-businessobjects-xi-3-1/

  11. Arlene
    December 27th, 2012 at 17:38 | #13

    Hi David,

    I am working with Crystal Server 2008 V1. Your post was most helpful, but I still haven’t gotten this working yet. The AD users are showing up in the CMS, but I am not sure that the SPN was set up correctly. When I follow step 2, it says No Entries Found. This is very confusing. When I worked with Crystal Server XI R2 it was so simple to configure. I am not sure what I am doing wrong, so any help would be appreciated.

    Thanks,

    Arlene

  1. May 14th, 2009 at 12:40 | #1
  2. September 23rd, 2010 at 14:02 | #2
  3. February 18th, 2011 at 08:18 | #3