Real World Guide to Setting up Kerberos

[UPDATED 10/1/2010 – See Below]

I was recently involved with the configuration of Kerberos with a customer and as I was reading about it in the documentation, I realized that there were a number of areas that lacked the clarity I needed to understand what information SAP BusinessObjects needed to know about my environment.

The Service Account

Permissions are one of the first areas that might trip you up.  In my case I used the same user for the service account that you use for configuring the SIA and that has read access to Active Directory.  It will simplify things for you.  You should also make the service account a local admin on the Business Objects Enterprise Servers.  The service should be a non-dialog user.

Step 1 – Create the SPN

As a Domain Admin, Create the SPN for all of your CMS Servers.  You will need to create an SPN for the fully qualified domain name, as well as the short name.  In my case I have two machines which are running a CMS on each.  I will refer to these machines as cms1 and cms2.

Example:

SETSPN.exe -A BOBJCentralMS/cms1 serviceaccountname

SETSPN.exe -A BOBJCentralMS/cms1.mydomain.local serviceaccountname

SETSPN.exe -A BOBJCentralMS/cms2 serviceaccountname

SETSPN.exe -A BOBJCentralMS/cms2.mydomain.local serviceaccountname

(In the above example:  host – cms1 and cms2, domain – mydomain.local, username  – serviceaccountname)

Step 2 – Confirm the SPN

In the Windows Server Support tools you will find lfifde.exe.  You can use this to application to confirm that the SPN has been correctly associated with the username.

Example:

ldifde -d "dc=mydomain,dc=local" -r "servicePrincipalName=BOBJCentralMS*" -p subtree -l "dn,servicePrincipalName" –f C:ldifdeoutput.txt

When you run the command, you should see something like:

Connecting to "adc1.mydomain.local"
Logging in as current user using SSPI
Exporting directory to file C:ldifdeoutput.txt
Searching for entries...
Writing out entries..
1 entries exported

When you open C:ldifdeoutput.txt, you should see something like:

dn: CN=mydomain, serviceaccountname,OU=Service Accounts,OU=Accounts, DC=mydomain,DC=local
changetype: add
servicePrincipalName: BOBJCentralMS/cms1.mydomain.local
servicePrincipalName: BOBJCentralMS/cms1
servicePrincipalName: BOBJCentralMS/cms2.mydomain.local
servicePrincipalName: BOBJCentralMS/cms2

Important Note: Keep track of the way that serviceaccountname is spelled within the first line of C:ldifdeoutput.txt.  You will need to use it later and it IS case sensitive.

Step 3 – Create Files for Kerberos

On your CMS Servers (cms1 & cms2 in this example) create two files for Kerberos.  The documentation indicates that you should be able to control the locations of the files using your java options.  I was unable to get Kerberos to work unless they were in the default location of C:WINNT, therefore I made a C:WINNT directory for the files.

File 1: krb5.ini

[libdefaults]
default_realm = MYDOMAIN.LOCAL
dns_lookup_kdc = true
dns_lookup_realm = true
[realms]
MYDOMAIN.LOCAL = {
default_domain = MYDOMAIN.LOCAL
kdc = MYDOMAIN.LOCAL
}

NOTE:  If you want to query a particular domain controller you should be able to specify it on the line kdc=, however if AD is set up correctly then your domain name should resolve to the nearest domain controller.  You may want to check the configuration by typing “nslookup mydomain.local” at a command prompt.

File 2: bscLogin.conf

com.businessobjects.security.jgss.initiate {
com.sun.security.auth.module.Krb5LoginModule required debug=true;
};

[UPDATE: 10/1/2010]
Notice that debug=true…this means that when you try to authenticate, you should get a message in the log.  If authentication is failing on you…look in the log to make sure that you are seeing an entry for the attempt.  If you do not see a login, then bscLogin.conf is not even getting loaded, and there is something misconfigured.  This is a great hint for troubleshooting later.
[END UPDATE]

Step 4 –Rights to the Service Account

Next we need to grant the Service Account rights to act as part of the operating system.  These 7 steps walk you through the process.

1. Click Start > Control Panel > Administrative Tools > Local Security Policy.
2. Expand Local Policies, then click User Rights Assignment.
3. Double-click Act as part of the operating system.
4. Click Add.
5. Enter the name of the service account you created, then click OK.
6. Ensure that the Local Policy Setting check box is selected, and click OK.
7. Repeat the above steps on each machine running a BusinessObjects Enterprise.

[UPDATE: 10/1/2010]

Step 4b – Missing STEP

1. Set your java options to look in your C:winnt folder.
2. Go to start->Tomcat->Tomcat configuration
3. Go to the java options tab and set the following java options:

   -Djava.security.auth.login.config=C:/winnt/bscLogin.conf
    -Djava.security.krb5.conf=C:/winnt/krb5.ini

4. Hit OK and restart Tomcat

Thanks everyone for your feedback and pointing out this missing step.

[END UPDATE]

Step 5 – Testing Kerberos

We can now test Kerberos with the kinit.exe utility.   An example of this command for a service account called servact would be:

C:Program FilesBusiness Objectsjavasdkbinkinit.exe servact@TESTM03.COM Password

Syntax Example:

<InstallDirectory>Business Objectsjavasdkbinkinit.exe serviceaccountname@MYDOMAIN.LOCAL password

IMPORTANT NOTE: If you still have a problem, ensure that the case you entered for your domain and service principal name match exactly with what is set in Active Directory.  The easiest way to find the proper casing for the account is to look at the C:ldifdeoutput.txt file we created in Step 2 – Confirm the SPN.

Step 6 – Configuring Active Directory

We  can configure the Active Directory Plug-in within SAP BusinessObjects.

1. Launch the CMC (http://yourserver:8080/CmcApp) and go to the Authentication section of the CMC (Central Management Console).
2. Double-click on Windows AD
3. Select “Enable” Windows AD
4. Click the AD Administration Name.
   • For the user enter the NTLM name…for example: MYDOMAINserviceaccountname
   • For the password enter the password
   • For the Default AD Domain Enter the full domain name in all caps: MYDOMAIN.LOCAL
   • Click update.
5. Add a Mapped AD Member Group by typing the group name in the box and clicking add…for example: MYDOMAINBOEUsers
6. Under Authentication Options:
   1. Click Use Kerberos authentication and make sure the Cache Security Context is checked.
   2. For the Service Principal name enter the service account name with the casing exactly as it appears in the C:ldifdeoutput.txt created in step 2 followed by an @ sign followed by the domain in all caps.  EXAMPLE: serviceaccountname@MYDOMAIN.LOCAL
   3. Check the box that says Enable Single Sign on for selected authentication mode.
7. Under AD Alias Options, configure the options here however are appropriate for your environment.
8. Under Attribute Binding Options, we need to check both boxes
9. Under AD Group Graph, configure as desired
10. Under On-demand AD Update, configure as desired
11. Click Update

Step 7 – Configuring Tomcat

Configure tomcat to use WinAD as the default Authentication mechanism for infoview:

1. Open <Install Directory>Tomcat55webappsInfoViewAppWEB-INFweb.xml in your favorite text editor.
2. Search for authentication.default and change the value to: secWinAD
3. Use Central Configuration Manager (CCM) to restart Tomcat.

Conclusion

Please let me know if this guide was useful.  Setting up Kerberos with SAP BusinessObjects can be tricky and it’s only when I hear from you that I know whether or not these posts are hitting the mark.

«Good BI»