This week I want to test the integration of a BI Platform into my .NET program. So I want to install a test version of the BI Platform (BIP), but my virtual machine didn't have enough space. The first step was to extend the disk, which is very easy in VirtualBox:
- Open the Windows console
- Go to the path where you installed VirtualBox (default: C:\Program Files\Oracle\VirtualBox)
- Type VBoxManage.exe modifyhd "Path to the disk" --resize 100000 (the size is given in megabytes, so 100000 = 100 GB)
- Press Enter and the disk of your VirtualBox machine will be extended
After my VirtualBox machine was ready I could install the BIP. But the next issue came up very soon: I need a license key.
On the SAP support page you can find the Emergency License Keys. With these emergency license keys you can install a trial version of the BI platform. After the installation was done, we have to set up the Windows Active Directory authentication so that we can use single sign-on (SSO).
In this article I will walk step by step through setting up single sign-on with SAP BusinessObjects 4.2 SP3, in my case on a Windows Server 2012 R2. The Windows Server part is similar in other Windows Server versions. The following technical specifications were used to accomplish single sign-on in this guide:
- Domain Controller (DC): win2012.corp.reyemsaibot.com (Windows Server 2012 R2)
- SAP BusinessObjects BI Platform: srv2016.corp.reyemsaibot.com (BusinessObjects 4.2 SP3 on the same server as the DC)
- Domain: corp.reyemsaibot.com
- SAP BusinessObjects Web Application Server: Tomcat
- Service Account Name: bi_sso_service
- Service Account Password: Reyemsaibot.com
- Windows Active Directory Group: BI Platform Users
- Test Account Name: reyemsaibot (member of the group BI Platform Users)
- Test Account Password: HelloWorld!2016
Setting up Windows Active Directory sign-on
Step 1
First we need an Active Directory service account. You have to create it in the Server Manager on the Domain Controller server.
Open the Active Directory Users and Computers management tool.
Create the service account that will handle the sign-on requests. Right-click on the Users folder, select New and then User. Use this information to create the user:
- First Name: BI SSO
- Last Name: Service
- User Name: bi_sso_service
- Password: Reyemsaibot.com
When the user bi_sso_service has been created, the delegation properties must be edited. Right-click on the user bi_sso_service and select Properties. Select the Delegation tab and select the option Trust this user for delegation to any service (Kerberos only). Note that the Delegation tab only appears once at least one SPN is registered for the account, so register the SPNs from Step 2 first and then come back to this tab.
Step 2
Now we need three Service Principal Names (SPNs) for the service account bi_sso_service. This can be done either on the Domain Controller or on the BI platform server. Open the command prompt and type the following setspn commands so that Tomcat can authenticate against Active Directory. The option -a adds a new SPN (newer Windows versions also offer -s, which does the same but first checks that the SPN is not already registered to another account; a duplicate SPN breaks Kerberos authentication). The first SPN will be called BICMS.
setspn -a BICMS/bi_sso_service.corp.reyemsaibot.com bi_sso_service
If it was successful, it will display a message that it has registered the SPN and updated the object. Now we create the second SPN for Tomcat and link it to the same user account. The host name must be the server that runs Tomcat, which in this setup is srv2016.
setspn -a HTTP/srv2016 bi_sso_service
And finally, we also register the fully qualified server name.
setspn -a HTTP/srv2016.corp.reyemsaibot.com bi_sso_service
With the option -l we can verify that all SPNs have been registered.
setspn -l bi_sso_service
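As an added check (example code written for this post, not part of the original guide or of SAP's tooling), a small Python script that compares the output of setspn -l with the three SPNs this step registers. The setspn output below is constructed to match the format the command prints; the account, domain and host names are the ones from the specification list above.

```python
# Constructed sample of what "setspn -l bi_sso_service" prints: a header
# line followed by one indented SPN per line.
SETSPN_OUTPUT = """\
Registered ServicePrincipalNames for CN=BI SSO Service,CN=Users,DC=corp,DC=reyemsaibot,DC=com:
        HTTP/srv2016.corp.reyemsaibot.com
        HTTP/srv2016
        BICMS/bi_sso_service.corp.reyemsaibot.com
"""


def expected_spns(account, domain, tomcat_host):
    """The three SPNs this guide registers: CMS plus short and full HTTP names."""
    return {
        f"BICMS/{account}.{domain}",
        f"HTTP/{tomcat_host}",
        f"HTTP/{tomcat_host}.{domain}",
    }


def registered_spns(setspn_output):
    """Parse 'setspn -l' output: skip the header, keep the indented SPN lines."""
    return {
        line.strip()
        for line in setspn_output.splitlines()
        if line.startswith((" ", "\t")) and "/" in line
    }


def check_spns(setspn_output, account, domain, tomcat_host):
    """Return (missing, extra) SPNs; AD compares SPNs case-insensitively."""
    want = {s.lower() for s in expected_spns(account, domain, tomcat_host)}
    have = {s.lower() for s in registered_spns(setspn_output)}
    return sorted(want - have), sorted(have - want)


if __name__ == "__main__":
    missing, extra = check_spns(SETSPN_OUTPUT, "bi_sso_service",
                                "corp.reyemsaibot.com", "srv2016")
    print("missing:", missing, "extra:", extra)
```

Running the check with tomcat_host set to a different machine name (for example srv2008) reports both HTTP SPNs as missing, which is the kind of host-name mismatch that makes Tomcat's Kerberos authentication fail.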
Step 3
As the next step we create a user and a user group that we will use for the Windows Active Directory authentication. Create a new user on the Domain Controller:
- First Name: Tobias
- Last Name: Meyer
- User Name: reyemsaibot
- Password: HelloWorld!2016
Create a new user group called BI Platform Users. Right-click on the Users folder, select New and then Group.
Add the user we created before to the group by right-clicking on the group, selecting Properties and then adding it from the Members tab.
Step 4
Now we will set up the Windows Active Directory authentication on the BusinessObjects server. You have to log into the CMC with a user that has administrator privileges. Then go to the Authentication area.
Click on Windows AD to open the authentication options for Windows Active Directory.
Select the checkbox Enable Windows Active Directory (AD) to enable this option.
Click on the double quotes beside the AD Administration Name.
Enter the service account as well as the domain name. Note: the service account is bi_sso_service and the domain is corp.reyemsaibot.com.
Now define the group you want to map. In this case it is corp\BI Platform Users.
Under Authentication Options select Use Kerberos authentication and type as Service principal name BICMS/bi_sso_service.corp.reyemsaibot.com (this is the SPN from Step 2). Also select the option Enable Single Sign-On (SSO) for the selected authentication mode.
Under Alias Update Options select Create New Alias when the Alias Update occurs and under New User Options select New users are created as named users. When this is done, click the Update button at the bottom of the window.
Step 5
Now we verify that the group BI Platform Users and the test user reyemsaibot have been added to the BI platform. In the Central Management Console (CMC) go to Users and Groups and you will see that the user reyemsaibot has been added under User List and the group BI Platform Users has been added under Group List.
Step 6
Before we can log in with the Windows Active Directory user, we have to configure the BusinessObjects server appropriately. On the BusinessObjects server, we have to add the service account to the local Administrators group. Select Computer Management in the Server Manager.
Select Local Users and Groups and then Groups. Double-click on the Administrators group and then click Add.
Enter the service account name bi_sso_service.
Now you will see the service account in the local Administrators group. Click Apply and then OK.
Step 7
We need to edit the local policy for the service account on the BusinessObjects server, so open the Local Security Policy. Expand the Local Policies folder, click on the User Rights Assignment folder and open the policy Act as part of the operating system.
On the properties window, click on Add User or Group and enter the service account bi_sso_service.
The service account is now part of the local policy. Close the window with Apply and OK.
Step 8
Our next step is to modify the Central Configuration Manager (CCM) so that the service account bi_sso_service is used. Open the Central Configuration Manager (CCM) on the BusinessObjects server.
We need to stop the Server Intelligence Agent (SRV2016). Click on the Server Intelligence Agent (SRV2016) and click the Stop button.
The server has to run under the service account bi_sso_service. Under the Log On As section uncheck the box beside System Account and type the service account and its password. Click Apply and OK to save the changes.
Start the Server Intelligence Agent (SRV2016) again by pressing the Start button.
To check whether the Windows Active Directory user reyemsaibot works, click on Manage Servers. Log in with this user account and make sure Windows AD is selected as the Authentication type.
If you see an empty window, and as long as you don't get an error message, the Windows Active Directory login is working.
Step 9
The penultimate step is to create two files (krb5.ini and bscLogin.conf) and configure Tomcat to read them during start-up, so that the BI Launchpad and the Central Management Console recognize Windows Active Directory logins. On the BusinessObjects server, create a new file under C:\Windows called bscLogin.conf. Edit it and insert the following code:
com.businessobjects.security.jgss.initiate {
com.sun.security.auth.module.Krb5LoginModule required debug=true;
};
Create another file in C:\Windows with the name krb5.ini. Edit it and insert the following code into the file:
[libdefaults]
default_realm = MYDOMAIN.COM
dns_lookup_kdc = true
dns_lookup_realm = true
default_tgs_enctypes = rc4-hmac
default_tkt_enctypes = rc4-hmac
udp_preference_limit = 1
[realms]
MYDOMAIN.COM = {
kdc = DC.MYDOMAIN.COM
default_domain = MYDOMAIN.COM
}
In my case the file looks like the following lines:
[libdefaults]
default_realm = CORP.REYEMSAIBOT.COM
dns_lookup_kdc = true
dns_lookup_realm = true
default_tgs_enctypes = rc4-hmac
default_tkt_enctypes = rc4-hmac
udp_preference_limit = 1
[realms]
CORP.REYEMSAIBOT.COM = {
kdc = WIN2012.CORP.REYEMSAIBOT.COM
default_domain = CORP.REYEMSAIBOT.COM
}
After we have configured these two files, we must configure Tomcat. First you need to stop Tomcat.
Open the Tomcat Configuration.
Select the Java tab. Under the Java Options section, we have to add two additional lines:
-Djava.security.auth.login.config=C:\Windows\bscLogin.conf
-Djava.security.krb5.conf=C:\Windows\krb5.ini
Restart the Tomcat server.
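As an added example (not from the original post or SAP's documentation), a small Python parser and checker for the krb5.ini from this step: it confirms that the default realm is upper case and has a kdc entry in [realms], and it flags weak encryption types. The file content is embedded as a constructed copy of the file shown above.

```python
KRB5_INI = """\
[libdefaults]
default_realm = CORP.REYEMSAIBOT.COM
dns_lookup_kdc = true
dns_lookup_realm = true
default_tgs_enctypes = rc4-hmac
default_tkt_enctypes = rc4-hmac
udp_preference_limit = 1
[realms]
CORP.REYEMSAIBOT.COM = {
kdc = WIN2012.CORP.REYEMSAIBOT.COM
default_domain = CORP.REYEMSAIBOT.COM
}
"""  # constructed copy of the file shown in Step 9
WEAK_ENCTYPES = {"rc4-hmac", "arcfour-hmac", "des-cbc-crc", "des-cbc-md5"}  # RC4/DES


def parse_krb5(text):  # -> {section: {key: value}}, realm blocks nested
    conf, section, realm = {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        if line.startswith("["):                # [libdefaults], [realms]
            section, realm = line.strip("[]").lower(), None
            conf[section] = {}
        elif line == "}":                       # end of a REALM = { ... } block
            realm = None
        elif line.endswith("{"):                # start of a realm block
            realm = line[:-1].strip(" =")
            conf[section][realm] = {}
        else:
            key, _, value = line.partition("=")
            (conf[section][realm] if realm else conf[section])[key.strip()] = value.strip()
    return conf


def check_krb5(text):
    """Return a list of findings; an empty list means the file passed."""
    conf = parse_krb5(text)
    lib = conf.get("libdefaults", {})
    realm, findings = lib.get("default_realm", ""), []
    if not realm or realm != realm.upper():     # Kerberos realm names are upper case
        findings.append("default_realm missing or not upper case: " + repr(realm))
    if "kdc" not in conf.get("realms", {}).get(realm, {}):
        findings.append("no kdc defined for realm " + realm)
    for key in ("default_tgs_enctypes", "default_tkt_enctypes"):
        weak = set(lib.get(key, "").split()) & WEAK_ENCTYPES
        if weak:
            findings.append(f"{key} allows weak enctype(s): {sorted(weak)}")
    return findings
```

On the file above the checker reports only the two rc4-hmac lines: RC4 is a weak cipher that Microsoft is deprecating for Kerberos, so where the service account and domain support it, aes256-cts-hmac-sha1-96 is the stronger choice.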
Step 10
Enter the correct login credentials for the user and make sure that you have selected Windows AD as the authentication type. If you can log in successfully, your Windows Active Directory authentication has been set up correctly. In Part 2 we set up the single sign-on so that users don't have to log on manually every time.
Author
I am Tobias, I have been writing this blog since 2014; you can find me on Twitter and YouTube. If you want you can leave me a PayPal coffee donation. You can also contact me directly if you want.
Praveen (Thursday, 24 August 2017 17:31)
Hi Rey,
Thank you for writing up the blog. It is very clear to understand. Just wondering if you have started part 2 for SSO? If yes, can you please share the URL with me? Thanks in advance.
Tobias (Friday, 25 August 2017 10:23)
Hi,
yes, I want to write a second part, but at the moment I am too busy with my new project to build the environment and write the article. I hope I can write some more articles in the future.
Tobias
Nancy hess (Monday, 16 April 2018 23:16)
Thanks. This was very clear, but there is one thing I am confused about. In our Business Objects environment we are in the process of our initial installation. When the Business Objects group was created in Step 5, it appears it was defaulted to have the Administrators group User Security. We have it set up with the option to "Create new aliases only when a user logs in". When a new user gets created, they are automatically put into the group created in Step 5, which gives them administrative access. Is this really the desired state? Or was there a way to map to a different group, like Everyone? Thanks
Tobias (Friday, 20 April 2018 20:16)
Hi Nancy,
in Step 6 we only add the BI SSO Service to the administrator group and not the users. The normal user shouldn't have administrator rights. I don't see where you set the option "Create new aliases only when a user logs in" in Step 5. Can you be more specific? I have to reinstall my virtual machine to check this behaviour.
Best regards,
Tobias
Karthik (Wednesday, 19 February 2020 11:46)
Hi Tobias,
A great tutorial. Thanks a lot.
But I am unable to locate Part 2 of this, which should have the SSO info.
Could you please share the same?
Tobias (Thursday, 20 February 2020 13:14)
Hi Karthik,
thanks for the flowers :) I have the draft of part 2 but I haven't finished it yet. Maybe I will soon have time to write it.
Chad (Friday, 08 January 2021 23:08)
Hello Tobias, on step 9 I don't have the java tab under Apache properties there, should I skip that step?
Also, VERY informative walk through here, would love to get my hands on part2.
Tobias (Tuesday, 12 January 2021 10:14)
Hi Chad,
why is there not the java tab? Is java not installed on your machine?
KerrAvon (Monday, 26 July 2021 09:21)
Chad - after stopping Tomcat you need to go to Start > Tomcat > Tomcat Configuration. This launches the properties dialog with the Java tab.