Install BI Platform and setup Windows AD authentication

This week I want to test the integration of a BI Platform into my .NET program. So I want to install a test version of the BI Platform (BIP), but my virtual machine did not have enough space. The first step was to extend the virtual disk, which is very easy in VirtualBox.

  1. Open the Windows command prompt
  2. Go to the directory where you installed VirtualBox (default: C:\Program Files\Oracle\VirtualBox)
  3. Type VBoxManage.exe modifyhd "Path to the disk" --resize 100000 (the size is in MB, so 100000 is roughly 100 GB; modifyhd is the older name of modifymedium, the resize works only for dynamically allocated VDI/VHD images, it can only grow them, and the VM must be powered off)
  4. Press Enter and the virtual disk is extended. The partition inside the guest keeps its old size, so extend it afterwards with Disk Management inside the VM.
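The same disk extension with the checks around it, as an added example that is not part of the original post. It runs on the Windows host; the VirtualBox path is the default one, the disk path is made up for the example, and the image is assumed to be a dynamically allocated VDI or VHD of a powered-off VM.

```powershell
# Added example, not part of the original post: extend a VirtualBox disk from the
# Windows host and check the capacity before and after. Assumptions: default
# VirtualBox install path, a dynamically allocated VDI or VHD image (--resize does
# not work on fixed-size images), the VM powered off, and a disk path that is
# made up for this example.
$VBoxManage = Join-Path $env:ProgramFiles 'Oracle\VirtualBox\VBoxManage.exe'
$Disk       = 'C:\VMs\srv2016\srv2016.vdi'   # assumed path, adjust to your VM
$NewSizeMB  = 100000                          # --resize takes megabytes: 100000 MB is about 97.7 GiB

function Get-VBoxDiskCapacityMB {
    # Read the "Capacity:  40960 MBytes" line from 'VBoxManage showmediuminfo'.
    param([string]$Path)
    $info = & $VBoxManage showmediuminfo disk $Path
    if ($LASTEXITCODE -ne 0) { throw "VBoxManage could not open $Path" }
    $line = $info | Where-Object { $_ -like 'Capacity:*' } | Select-Object -First 1
    if ($line -match 'Capacity:\s+(\d+)\s+MBytes') { return [int]$Matches[1] }
    throw "Unexpected showmediuminfo output: $line"
}

$before = Get-VBoxDiskCapacityMB -Path $Disk
if ($before -ge $NewSizeMB) {
    throw "Disk already has $before MB; --resize can only grow an image, never shrink it"
}

# 'modifymedium' is the current verb; the post's 'modifyhd' is the deprecated alias.
& $VBoxManage modifymedium disk $Disk --resize $NewSizeMB
if ($LASTEXITCODE -ne 0) { throw "VBoxManage modifymedium failed with exit code $LASTEXITCODE" }

$after = Get-VBoxDiskCapacityMB -Path $Disk
"Capacity: $before MB -> $after MB"

# The guest still sees its old partition. Inside the Windows guest, as an
# administrator, grow the system volume into the new unallocated space:
#   $max = (Get-PartitionSupportedSize -DriveLetter C).SizeMax
#   Resize-Partition -DriveLetter C -Size $max
```

The capacity check after the resize is the part worth keeping: VBoxManage prints a progress bar and returns 0 for the common case, but reading the medium info back is what proves the image really grew.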

After the disk was extended I could install the BIP. But I ran into the next issue very soon: I needed a license key.

On the SAP support page you can find the Emergency License Keys. With such an emergency key you can install a trial version of the BI platform. After the installation is done, we have to set up Windows Active Directory authentication, the prerequisite for single sign-on (SSO).


In this article I walk step by step through the Windows Active Directory part of setting up single sign-on with SAP BusinessObjects 4.2 SP3, in my case on Windows Server 2012 R2. The Windows Server part is similar on other Windows Server versions. The technical specifications used in this guide:

  • Domain Controller (DC): win2012.corp.reyemsaibot.com (Windows Server 2012 R2)
  • SAP BusinessObjects BI Platform: srv2016.corp.reyemsaibot.com (BusinessObjects 4.2 SP3)
  • Domain: corp.reyemsaibot.com
  • SAP BusinessObjects Web Application Server: Tomcat
  • Service Account Name: bi_sso_service
  • Service Account Password: Reyemsaibot.com (lab value; in production use a long random password, because with the rc4-hmac encryption type used below every Kerberos ticket for the BI platform is only as strong as this password)
  • Windows Active Directory Group: BI Platform Users
  • Test Account Name: reyemsaibot (is a member of BI Platform Users)
  • Test Account Password: HelloWorld!2016 (lab value)

Setup Windows Active Directory sign on

Step 1

First we need an Active Directory service account. Create it with Server Manager on the Domain Controller.

Windows Server 2012 Open Server Manager

Open the Active directory Users and Computers management tool.

Windows Server Manager Active Directory Users and Computers

Create the service account that will handle the sign-on requests. Right-click the Users folder, select New and then User. Use this information to create the user:

  • First Name: BI SSO
  • Last Name: Service
  • User Name: bi_sso_service
  • Password: Reyemsaibot.com
Active Directory add new user

When the user bi_sso_service has been created, the delegation properties must be edited. Right-click the user bi_sso_service and select Properties. Select the Delegation tab and select the option Trust this user for delegation to any service (Kerberos only). The Delegation tab only appears once the account has at least one SPN, so register the SPNs from Step 2 first and then come back to this step. Be aware that this option is unconstrained delegation: the account can then impersonate any user who authenticates to it towards any service in the domain. For a production system prefer Trust this user for delegation to specified services only, restricted to the back-end services the BI platform actually has to reach.

User Properties Define Delegation

Step 2

Now we need three Service Principal Names (SPNs) for the service account bi_sso_service. This can be done either on the Domain Controller or on the BI platform server, as a domain user who may write to the account. Open the command prompt and type the following setspn commands; they tell the KDC which account holds the keys for the CMS and for Tomcat. The option -a adds a new SPN without any check; setspn -s does the same but refuses an SPN that is already registered on another object, which is the safer choice, because a duplicate SPN breaks Kerberos for both accounts without a useful error. The first SPN will be called BICMS.

setspn -a BICMS/bi_sso_service.corp.reyemsaibot.com bi_sso_service

If it was successful, it will display a message that it has registered the SPN and updated the object. Now we create the second SPN for Tomcat and link it to the new user account. The host part must be the name users type into the browser, here srv2016:

setspn -a HTTP/srv2016 bi_sso_service

And finally we add the fully qualified version of the same name, since the browser builds the SPN from whatever host name is in the URL:

setspn -a HTTP/srv2016.corp.reyemsaibot.com bi_sso_service

With the option -l we can verify that all SPNs were created; setspn -X additionally reports every SPN that is registered on more than one object in the domain, which is worth running once before going on.

setspn -l bi_sso_service

Command Prompt setspn

Step 3

As the next step we create a user and a group that we will use for the Windows Active Directory authentication. Create a new user on the Domain Controller:

  • First Name: Tobias
  • Last Name: Meyer
  • User Name: reyemsaibot
  • Password: HelloWorld!2016
Active Directory create user

Create a new group called BI Platform Users. Right-click the Users folder, select New and then Group.

Active Directory create group

Add the user that we created before to the group by right-clicking the group, selecting Properties and then adding it on the Members tab.

Active Directory add user to group
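Steps 1 to 3 as one script, added here as an example and not part of the original post. It runs on the domain controller with the ActiveDirectory PowerShell module, uses the names, passwords and SPNs from the post, creates the objects in the default Users container, and takes srv2016 from the specification list as the Tomcat host name. The duplicate-SPN check and the AES flag on the account are additions that the GUI steps do not include.

```powershell
# Added example, not part of the original post: Steps 1 to 3 as one script, run on
# the domain controller with the ActiveDirectory module. Names, passwords and SPNs
# are the values from the post; objects land in the default Users container, and
# the Tomcat host name is srv2016 from the specification list.
Import-Module ActiveDirectory

$Domain    = 'corp.reyemsaibot.com'
$BiHost    = 'srv2016'                       # the host name users type into the browser
$SvcName   = 'bi_sso_service'
$SvcPass   = ConvertTo-SecureString 'Reyemsaibot.com' -AsPlainText -Force    # lab value from the post
$UserName  = 'reyemsaibot'
$UserPass  = ConvertTo-SecureString 'HelloWorld!2016' -AsPlainText -Force   # lab value from the post
$GroupName = 'BI Platform Users'

# The three SPNs from Step 2: the CMS name entered in the CMC, plus the short and
# the fully qualified HTTP name, because the browser builds the SPN from whatever
# host name is in the URL.
$Spns = @("BICMS/$SvcName.$Domain", "HTTP/$BiHost", "HTTP/$BiHost.$Domain")

# Refuse to continue if any SPN is already held by another object. A duplicate
# SPN makes the KDC encrypt tickets with the wrong account's key, and Kerberos
# then fails for both accounts with no useful error.
foreach ($spn in $Spns) {
    $owner = Get-ADObject -LDAPFilter "(servicePrincipalName=$spn)" -Properties sAMAccountName
    if ($owner) { throw "SPN $spn is already registered on $($owner.sAMAccountName)" }
}

# Step 1: the service account. Registering the SPNs at creation time is what makes
# the Delegation tab appear in Active Directory Users and Computers.
New-ADUser -Name 'BI SSO Service' -GivenName 'BI SSO' -Surname 'Service' `
    -SamAccountName $SvcName -UserPrincipalName "$SvcName@$Domain" `
    -AccountPassword $SvcPass -Enabled $true -PasswordNeverExpires $true `
    -ServicePrincipalNames $Spns `
    -KerberosEncryptionType 'RC4,AES128,AES256'   # AES allowed now; drop RC4 once krb5.ini uses AES

# The post's setting: "Trust this user for delegation to any service (Kerberos only)",
# i.e. unconstrained delegation. For production use constrained delegation instead
# (msDS-AllowedToDelegateTo limited to the back-end SPNs the BI platform must reach).
Set-ADUser -Identity $SvcName -TrustedForDelegation $true

# Step 3: the test user and the group that Step 4 maps in the CMC.
New-ADUser -Name 'Tobias Meyer' -GivenName 'Tobias' -Surname 'Meyer' `
    -SamAccountName $UserName -UserPrincipalName "$UserName@$Domain" `
    -AccountPassword $UserPass -Enabled $true
New-ADGroup -Name $GroupName -GroupScope Global -GroupCategory Security
Add-ADGroupMember -Identity $GroupName -Members $UserName

# Verify: the same view the post gets from 'setspn -l', plus a domain-wide
# duplicate scan ('setspn -X' lists every SPN registered on more than one object).
Get-ADUser $SvcName -Properties ServicePrincipalNames, TrustedForDelegation, KerberosEncryptionType |
    Format-List SamAccountName, ServicePrincipalNames, TrustedForDelegation, KerberosEncryptionType
setspn -X
Get-ADGroupMember $GroupName | Select-Object SamAccountName
```

The script stops before creating anything if one of the three SPNs is already taken; that is the failure mode that is hardest to diagnose later, because both the old and the new owner of the SPN keep working for password logons and only Kerberos breaks.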

Step 4

Now we will set up the Windows Active Directory authentication on the BusinessObjects server. Log into the CMC with a user that has administrator privileges. Then go to the Authentication area.

Central Management Console

Click on Windows AD to open the authentication options for Windows Active Directory.

Central Management Console Authentication

Select the checkbox Enable Windows Active Directory (AD) to enable this option.

Central Management Console Authentication Windows Active Directory

Click the double-quote button beside AD Administration Name.

Enter the service account with its password as well as the Default AD Domain. Note: the service account is bi_sso_service and the domain is corp.reyemsaibot.com. The CMC uses this account to look up users and groups in Active Directory, so it only needs read access to the directory for this step.

Now define the group you want to map. In this case it is corp\BI Platform Users (the short NetBIOS domain name followed by the group name).

Under Authentication Options select Use Kerberos authentication and type as Service principal name BICMS/bi_sso_service.corp.reyemsaibot.com (the SPN from Step 2; it must match the registered SPN character for character). Also select the option Enable Single Sign-On (SSO) for the selected authentication mode.

Central Management Console Authentication Options

Under Alias Update Options select Create New Alias when the Alias Update occurs and under New User Options select New users are created as named users. When this is finished, click the Update button at the bottom of the window.

Central Management Console Authentication New User Options

Step 5

Now we verify that the group BI Platform Users and the test user reyemsaibot have been added to the BI platform. In the Central Management Console (CMC) go to Users and Groups; you will see that the user reyemsaibot has been added under User List and the group BI Platform Users under Group List.

Step 6

Before we can log in with the Windows Active Directory user, we have to configure the BusinessObjects server appropriately. On the BusinessObjects server we have to add the service account to the local Administrators group. This is more than the Server Intelligence Agent strictly needs: in a hardened environment grant the account only the user right from Step 7 plus Log on as a service and the permissions on the BI installation directory, and keep it out of Administrators. Select Computer Management in the Server Manager.

Server Manager open Computer Management

Select Local Users and Groups and then Groups. Double-click the Administrators group and then click Add.

Computer Management Administrator Group

Enter the service account name bi_sso_service.

Computer Management add service user

Now you will see the service account in the local Administrators group. Click Apply and then OK.

Computer Management Administrator Group

Step 7

We need to edit the local security policy for the service account on the BusinessObjects server. Open the Local Security Policy (secpol.msc). Expand the Local Policies folder, click the User Rights Assignment folder and open the policy Act as part of the operating system. On a domain-joined server a Group Policy Object that sets the same right overrides the local assignment at the next policy refresh, so if the setting disappears later, look for such a GPO.

Local Security Policy Act as part of the operating system

In the properties window, click Add User or Group and enter the service account bi_sso_service.

Local Security Policy add service user

The service account is now part of the local policy. Close the window with Apply and OK.

Local Security Policy
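The user-right assignment from Step 7 done with secedit instead of the GUI, as an added example that is not part of the original post. It runs elevated on the BI server, assumes the account CORP\bi_sso_service from the post, preserves whatever other principals already hold the right, and verifies the result from a fresh policy export rather than trusting the return code.

```powershell
# Added example, not part of the original post: grant "Act as part of the operating
# system" (SeTcbPrivilege) to the service account on the BI server with secedit and
# verify the effective local setting. Run elevated on srv2016. Assumes the account
# CORP\bi_sso_service from the post.
$Account   = 'CORP\bi_sso_service'
$Privilege = 'SeTcbPrivilege'      # "Act as part of the operating system"
$Work      = Join-Path $env:TEMP 'userrights'
New-Item -ItemType Directory -Path $Work -Force | Out-Null

# secedit works with SIDs, so resolve the account first; a typo fails here, not later.
$sid = (New-Object System.Security.Principal.NTAccount($Account)).Translate(
           [System.Security.Principal.SecurityIdentifier]).Value

function Get-PrivilegeAssignment {
    # Export the current local policy and return the list of SIDs holding one privilege.
    param([string]$Name)
    $cfg = Join-Path $Work 'export.inf'
    secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    $line = Get-Content $cfg | Where-Object { $_ -match "^$Name\s*=" } | Select-Object -First 1
    if (-not $line) { return @() }               # privilege assigned to nobody
    ($line -split '=', 2)[1].Trim() -split ',' | ForEach-Object { $_.Trim() }
}

$current = Get-PrivilegeAssignment -Name $Privilege
if ($current -contains "*$sid") {
    "$Account already holds $Privilege"
} else {
    # The inf line replaces the whole holder list, so the existing SIDs are kept.
    $value = (@($current) + "*$sid") -join ','
    $inf = Join-Path $Work 'grant.inf'
    @"
[Unicode]
Unicode=yes
[Version]
signature="`$CHICAGO`$"
Revision=1
[Privilege Rights]
$Privilege = $value
"@ | Set-Content -Path $inf -Encoding Unicode

    secedit /configure /db (Join-Path $Work 'grant.sdb') /cfg $inf /areas USER_RIGHTS | Out-Null
}

# Verify from a fresh export rather than trusting the secedit return code.
$after = Get-PrivilegeAssignment -Name $Privilege
if ($after -notcontains "*$sid") { throw "$Privilege was not granted to $Account" }
"$Privilege is now held by: $($after -join ', ')"

# On a domain-joined server a GPO can override this at the next refresh; the
# winning setting is visible in a resultant-set-of-policy report:
#   gpresult /h (Join-Path $env:TEMP 'rsop.html')
```

Step 6 (local Administrators membership) is deliberately not in the script; if you do need it, `net localgroup Administrators CORP\bi_sso_service /add` is the equivalent, but the privilege above plus Log on as a service is what the agent actually requires.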

Step 8

Our next step is to modify the Central Configuration Manager (CCM) so that the service account bi_sso_service is used. Open the Central Configuration Manager (CCM) on the BusinessObjects server.

Server Intelligence Agent Stop Server

We need to stop the Server Intelligence Agent (SRV2016). Click the Server Intelligence Agent (SRV2016) and click the Stop button.

The server has to run with the service account bi_sso_service. Under the Log On As section uncheck the box beside System Account and type the service account and password. Click Apply and OK to save the changes.

Server Intelligence Agent Log On As

Start the Server Intelligence Agent (SRV2016) again by pressing the Start button.

To check whether the Windows Active Directory user reyemsaibot works, click Manage Servers. Log in with this user account and make sure Windows AD is selected as the Authentication type.

Central Configuration Manager Log On Test

If you see an empty window, that is fine: as long as you don't get an error message, the Windows Active Directory login is working.

Central Configuration Manager Manage Servers

Step 9

The penultimate step is to create two files (krb5.ini and bscLogin.conf) and configure Tomcat to read them during startup so that the BI Launchpad and the Central Management Console recognize Windows Active Directory logins. On the BusinessObjects server, create a new file under C:\Windows called bscLogin.conf. Edit it and insert the following code:

com.businessobjects.security.jgss.initiate {
    com.sun.security.auth.module.Krb5LoginModule required debug=true;
};

The debug=true option writes every Kerberos step, including principal names and ticket details, to the Tomcat stdout log; it is useful while setting up, but remove it once SSO works. Create another file in C:\Windows with the name krb5.ini. Edit it and insert the following code into the file:

[libdefaults]
default_realm = MYDOMAIN.COM
dns_lookup_kdc = true
dns_lookup_realm = true
default_tgs_enctypes = rc4-hmac
default_tkt_enctypes = rc4-hmac
udp_preference_limit = 1

[realms]
MYDOMAIN.COM = {
    kdc = DC.MYDOMAIN.COM
    default_domain = MYDOMAIN.COM
}

Two remarks on this template: the realm names must be written in upper case, and udp_preference_limit = 1 forces TCP, which avoids truncated replies when a user's ticket is large because of many group memberships. rc4-hmac is chosen because it works with every JRE without extra policy files, but an RC4 Kerberos key is derived directly from the account's NT password hash, so on a production system use aes256-cts-hmac-sha1-96 (or aes128-cts-hmac-sha1-96) instead, allow AES on the service account in Active Directory, and make sure the JRE that runs Tomcat permits AES-256 (older JREs need the unlimited-strength JCE policy files for it). In my case the file looks like the following lines:

[libdefaults]
default_realm = CORP.REYEMSAIBOT.COM
dns_lookup_kdc = true
dns_lookup_realm = true
default_tgs_enctypes = rc4-hmac
default_tkt_enctypes = rc4-hmac
udp_preference_limit = 1

[realms]
CORP.REYEMSAIBOT.COM = {
    kdc = WIN2012.CORP.REYEMSAIBOT.COM
    default_domain = CORP.REYEMSAIBOT.COM
}

After we have configured these two files, we must configure Tomcat. First stop Tomcat.

Central Configuration Manager stop Tomcat server

Open the Tomcat Configuration.

Tomcat add Java options

Select the Java tab. Under the Java Options section add the following two lines, one option per line:

-Djava.security.auth.login.config=C:\Windows\bscLogin.conf
-Djava.security.krb5.conf=C:\Windows\krb5.ini

Restart the Tomcat server.
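Step 9 with the weak setting replaced, as an added example that is not part of the original post. The script writes the two files with AES encryption types instead of the rc4-hmac lines above, keeps the post's RC4 lines in a comment for comparison, and then asks the KDC for a service ticket for the BICMS SPN from the BI server before Tomcat is touched. It assumes it runs elevated on srv2016 as a domain user, that the service account allows AES (msDS-SupportedEncryptionTypes), and the realm, KDC and file paths from the post.

```powershell
# Added example, not part of the original post: write the two Kerberos files from
# Step 9 with AES instead of the RC4 enctypes the post uses, then check from the
# BI server that the KDC issues a ticket for the BICMS SPN before Tomcat is
# restarted. Run elevated on srv2016 as a domain user. Realm, KDC and paths are
# the post's values; the service account is assumed to allow AES in AD.
$Realm   = 'CORP.REYEMSAIBOT.COM'            # Kerberos realm names are upper case
$Kdc     = 'WIN2012.CORP.REYEMSAIBOT.COM'
$CmsSpn  = 'BICMS/bi_sso_service.corp.reyemsaibot.com'
$Krb5Ini = 'C:\Windows\krb5.ini'
$Login   = 'C:\Windows\bscLogin.conf'

# Weak setting from the post, kept only for comparison and not written:
#   default_tgs_enctypes = rc4-hmac
#   default_tkt_enctypes = rc4-hmac
# An RC4-HMAC key is the account's NT password hash, so the service account
# password alone protects every SSO ticket. AES needs the account to allow AES in
# AD and, on older JREs, the unlimited-strength JCE policy for aes256; aes128
# works without it.
$krb5 = @"
[libdefaults]
default_realm = $Realm
dns_lookup_kdc = true
dns_lookup_realm = true
default_tgs_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
default_tkt_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
udp_preference_limit = 1

[realms]
$Realm = {
    kdc = $Kdc
    default_domain = $Realm
}
"@

# debug=true prints every Kerberos step to Tomcat's stdout log, including
# principal names; switch it off once SSO works.
$bsc = @"
com.businessobjects.security.jgss.initiate {
    com.sun.security.auth.module.Krb5LoginModule required debug=true;
};
"@

Set-Content -Path $Krb5Ini -Value $krb5 -Encoding Ascii
Set-Content -Path $Login   -Value $bsc  -Encoding Ascii

# Check 1: the KDC name resolves and answers on TCP 88 (udp_preference_limit = 1
# makes Java use TCP, which large tickets with many group SIDs need anyway).
if (-not (Test-NetConnection -ComputerName $Kdc -Port 88 -InformationLevel Quiet)) {
    throw "KDC $Kdc is not reachable on TCP 88"
}

# Check 2: request a service ticket for the CMS SPN through the Windows Kerberos
# stack. This proves the SPN exists and maps to exactly one account; the enctype
# line shows whether the KDC picked AES or fell back to RC4 for that account.
# (It does not exercise krb5.ini itself; only the Java side reads that file.)
$ticket = klist get $CmsSpn
if (-not ($ticket -match 'Server:')) {
    throw "KDC refused a ticket for $CmsSpn (SPN missing or duplicated?):`n$($ticket -join "`n")"
}
$ticket | Where-Object { $_ -match 'Server:|KerbTicket Encryption Type' }

# The two Java options to add in the Tomcat configuration (Step 9):
"-Djava.security.auth.login.config=$Login"
"-Djava.security.krb5.conf=$Krb5Ini"
```

If the enctype line printed by klist reads RSADSI RC4-HMAC(NT) although krb5.ini asks for AES, the service account does not advertise AES in Active Directory and Java will fail with an "encryption type not supported" error; fix the account first, then restart Tomcat.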

Central Configuration Manager start Tomcat server

Step 10

Now you can log on to the BI platform manually with a Windows Active Directory account.
BI Platform Logon with Windows Active Directory Account

Enter the credentials of the user and make sure that you have selected Windows AD as the authentication type. If you can log in successfully, your Windows Active Directory authentication has been set up correctly. In Part 2 we will set up single sign-on so that users don't have to log on manually every time.
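The same logon test without a browser, as an added example that is not part of the original post, through the BI platform RESTful web service that a .NET integration would also use. It assumes the RESTful web services are enabled on the default port 6405 of srv2016 and the /biprws/logon/long and /biprws/logoff endpoints of BI 4.x; the user and the authentication type are the post's. Plain HTTP is used only because the post's lab does; anywhere else, put the service behind HTTPS, since the password travels in the request body.

```powershell
# Added example, not part of the original post: check the Windows AD logon through
# the BI platform RESTful web service instead of the BI Launchpad. Assumptions:
# RESTful web services on the default port 6405 on srv2016, the BI 4.x endpoints
# /biprws/logon/long and /biprws/logoff, and the test user from the post.
$Base = 'http://srv2016.corp.reyemsaibot.com:6405/biprws'   # use https outside a lab
$Cred = Get-Credential -UserName 'reyemsaibot' -Message 'Windows AD test user'

function Test-BipWinAdLogon {
    param([string]$BaseUrl, [pscredential]$Credential)
    # The body names the authentication plugin explicitly: secWinAD tests the
    # Windows AD setup, secEnterprise would test the built-in accounts instead.
    # With Default AD Domain set in the CMC the bare user name is enough;
    # otherwise use DOMAIN\user.
    $user = [System.Security.SecurityElement]::Escape($Credential.UserName)
    $pass = [System.Security.SecurityElement]::Escape($Credential.GetNetworkCredential().Password)
    $xml = @"
<attrs xmlns="http://www.sap.com/rws/bip">
  <attr name="userName" type="string">$user</attr>
  <attr name="password" type="string">$pass</attr>
  <attr name="auth" type="string">secWinAD</attr>
</attrs>
"@
    try {
        $resp = Invoke-WebRequest -Uri "$BaseUrl/logon/long" -Method Post -Body $xml `
                    -ContentType 'application/xml' -Headers @{ Accept = 'application/xml' } -UseBasicParsing
    } catch {
        # A 401 with a correct password usually means the AD plugin or the group
        # mapping from Step 4 is missing; check the CMC before looking at Tomcat.
        return [pscustomobject]@{ Success = $false; Detail = $_.Exception.Message }
    }
    $token = [string]$resp.Headers['X-SAP-LogonToken']
    if (-not $token) {
        return [pscustomobject]@{ Success = $false; Detail = 'logon answered without an X-SAP-LogonToken header' }
    }

    # Release the session again so the test does not leave a logon open until it
    # times out on the CMS.
    Invoke-WebRequest -Uri "$BaseUrl/logoff" -Method Post `
        -Headers @{ 'X-SAP-LogonToken' = $token; Accept = 'application/xml' } -UseBasicParsing | Out-Null
    [pscustomobject]@{ Success = $true; Detail = "token issued for $($Credential.UserName) and released" }
}

Test-BipWinAdLogon -BaseUrl $Base -Credential $Cred
```

A successful result means the CMS accepted the user through the Windows AD plugin exactly as the BI Launchpad would; it says nothing yet about Kerberos SSO in the browser, which is what Part 2 covers.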


Comments: 2
  • #1

    Praveen (Thursday, 24 August 2017 17:31)

    Hi Rey,
    Thank you for writing up the blog. It is very clear to understand. Just wondering if you have started part 2 for SSO? If yes, can you please share the URL with me? Thanks in advance.

  • #2

    Tobias (Friday, 25 August 2017 10:23)

    Hi,

    yes, I want to write a second part, but at the moment I am too busy with my new project to build the environment and write the article. I hope I can write some more articles in the future.

    Tobias