Boad Configuration


Upload: pavan540

Post on 30-Jan-2016



1.1. Single Sign ON (SSO) Using AD and Kerberos with Java Application Servers

The ABC configuration includes the Apache Tomcat application server and Active Directory. ABC desires Single Sign ON (SSO) for users accessing the Business Objects InfoView portal. This section outlines the steps required to enable SSO in the ABC environment.

Relevant Documentation

The following documents were used to implement SSO. The versions of these documents that were used were downloaded into the BO Downloads folder on the BO server (ABC-T).

xi3_bip_admin_en.pdf Chapter 4 (Using AD and Kerberos with Java Application Servers)

Setup and Verify Active Directory Authentication using Java Application Servers

1. Create a new user (Service Account). For ABC the name of this user is “svc-cb-bo-sso-t”. The user name and the service principal name created below are case sensitive.

2. From a command prompt on the domain controller, execute the following to create a service principal name (SPN) for use by Business Objects:

SETSPN.exe -A BOBJCentralMS/ABC1-T.corp.ABC.com svc-cb-bo-sso-t

The output of this command should look like this:

3. In Active Directory Users and Computers, select the svc-cb-bo-sso-t user.

The Service Account requires the following rights:

Account is trusted for Delegation
User cannot change the password
Password never expires

Note: You will not see the Delegation tab until after you have entered the SETSPN command.

Click Properties -> Delegation -> Trust this user for delegation to any service (Kerberos only) and click OK.

If you are using a Windows 2000 domain:

Click Properties -> Account -> Use DES encryption types for this account and click OK.

With a Windows 2003 domain, RC4 is the default encryption type (this is explained later).

1.2. Setting the Local Policies for the BO Service Account

The svc-cb-bo-sso-t account is to be granted the right to “Act as part of the operating system” within the Group Policy Object Editor on the BO XI primary server. This is required for the account to access local processes such as Tomcat. To grant this right follow these steps:

Open the Start menu on the BO XI server and select Run. Type the command “gpedit.msc” in the Run dialog. The Group Policy Object Editor window is launched.


Navigate to the following directory within the tree structure: Computer Configuration -> Windows Settings ->Security Settings ->Local Policies -> User Rights Assignment.

Right click “Act as part of the operating system” and select Properties. Add the user CORP\svc-cb-bo-sso-t to this right.

The right is added to the user.

Similarly, the following policies should also be granted to the BO Service Account:

Log on as a Batch Job
Log on as a Service
Replace a Process Level Token

1.3. Add svc-cb-bo-sso-t Account to Administrators Group

The svc-cb-bo-sso-t account must also be added to the Administrators Group. To accomplish this complete the following:

Right Click on the “My Computer” icon.

Choose the option to “Manage.”

This opens the Computer Management window.

Once open navigate the tree structure to the following directory: System Tools -> Local Users and Groups -> Groups.

Select Groups and a list of all available groups populates in the right pane of the window.


Right click on Administrators and select Properties.

Choose to “Add…” and add the CORP\svc-cb-bo-sso-t user.

Note: It is helpful to use the “Check Names” feature when adding your user to ensure that the name is spelled correctly.


1.4. Configuring BO XI to use the svc-cb-bo-sso-t Account

In order for the CMS to be able to pass Kerberos tickets to the domain controller, and as a means of best practice, all BO services should be configured to use the svc-cb-bo-sso-t account. By default, the CMS is running as Local System. To allow Enterprise XI R3.1 to use AD authentication through a Java application server, the CMS will have to be run under a domain account with the right to delegate. To set the server properties to “Log On As” complete the following steps:

1. Open the Central Configuration Manager and stop all servers. Do this by highlighting Server Intelligence Agent (SIA) and pressing the Stop button or right clicking and choosing to stop the servers.

Note: Ensure that nobody is actively using the BO XI Environment as the system will become unavailable when the servers are stopped and work may be lost or compromised.


2. Right click on Server Intelligence Agent (SIA) after it is stopped and add the svc-cb-bo-sso-t credentials in the “Log On As” fields.

Note: For login credentials contact your Business Objects Administrator.

3. Start the Server Intelligence Agent (SIA) when completed.

1.5. Configuring Business Objects Enterprise XI R3.1

1. Launch CMC and log in as Enterprise Administrator

2. Click on Authentication.

3. Click on the Windows AD.

4. In the Authentication Options dialog box, select “Use Kerberos authentication” as shown in the figure below.


5. Enter BOBJCentralMS/ABC-T.corp.ABC.com in the Service Principal Name box, using the same upper/lower case as defined by the SETSPN command (SETSPN.exe -A BOBJCentralMS/abc.corp.ABC.com svc-cb-bo-sso-t). At this time SSO is not enabled; leave the check box cleared for now. This will be enabled later. Click Update at the bottom of the page to save the changes.

6. Verify that AD Authentication is working. Logon to the InfoView as an AD user account.

7. The krb5.ini file must be created and placed in D:\WINNT on the BO server. This folder was created on ABCBRPT01-T. For ABC, the krb5.ini file is shown below. Examples of more complex files are included in the BO documentation.

Note: krb5.ini gives the Java executable information about your domain and location of the Kerberos Key Distribution Center.

Copy the following into Notepad and save it as krb5.ini:

[libdefaults]
    default_realm = CORP.ABC.COM
    dns_lookup_kdc = true
    dns_lookup_realm = true

[realms]
    CORP.ABC.COM = {
        default_domain = CORP.ABC.COM
        kdc = ABCBADC01.CORP.ABC.COM
    }

Note: The kdc entry in krb5.ini is the machine name of the domain controller, not the name of the CMS server.

8. The bscLogin.conf file must be created and placed in D:\WINNT on the BO server. For ABC the bscLogin file is shown below.

Note: bscLogin.conf is the JAAS logon configuration file. It consists of an entry specifying the underlying authentication technology to be used.

Copy the following into Notepad and save it as bscLogin.conf:

com.businessobjects.security.jgss.initiate {
    com.sun.security.auth.module.Krb5LoginModule required;
};

9. Configure Tomcat. Select Start -> Programs -> Tomcat -> Tomcat Configuration. Go to the Java tab and add the following Java Options, as shown in the screen below:

-Djava.security.auth.login.config=D:\WINNT\bscLogin.conf
-Djava.security.krb5.conf=D:\WINNT\krb5.ini

10. Restart Tomcat

1.6. Executing ktpass commands and modifying xml files for SSO

Chapter 4 in the xi3_bip_admin_en.pdf document has the procedure for enabling SSO with Kerberos and Java InfoView. This is the configuration used at ABC. Follow the steps in the procedure. The next two commands must be run by an Active Directory administrator.

1. Create the SPN using the following

ktpass -princ HTTP/[email protected] -mapuser [email protected]

2. Create svccbbossovision.keytab file by running the following command.

ktpass -out devvintelakey.keytab -princ HTTP/[email protected] -mapuser svc-cb-bo-sso-t -pass xxxx -kvno 255 -ptype KRB5_NT_PRINCIPAL -crypto RC4-HMAC-NT


3. Copy the file devvintelakey.keytab to D:\WINNT on the BO server.

4. In order for InfoView to recognize Vintela Single Sign On, configure the web.xml file located in D:\Program Files (x86)\Business Objects\Tomcat55\webapps\InfoViewApp\WEB-INF\ as described in xi3_bip_admin_en.pdf Chapter 4 (Using AD and Kerberos with Java Application Servers) on page 160.

Modify the following parameters:

authentication.default changed from secEnterprise to secWinAD
siteminder.enabled set to false
vintela.enabled set to true

<context-param>
    <param-name>authentication.default</param-name>
    <param-value>secWinAD</param-value>
</context-param>

<!-- Set to false to disable Siteminder single sign on. -->
<context-param>
    <param-name>siteminder.enabled</param-name>
    <param-value>false</param-value>
</context-param>

<!-- Set to true to enable Vintela single sign on. -->
<context-param>
    <param-name>vintela.enabled</param-name>
    <param-value>true</param-value>
</context-param>

Locate the following section in the web.xml file and uncomment the code for the tags below

<!-- For Vintela SSO the following filter needs to be uncommented. There is also a filter mapping which needs to be uncommented. Set idm.realm to the Active Directory realm where the server is in and idm.princ to the service principal name. -->

<filter>
    <filter-name>authFilter</filter-name>
    <filter-class>com.businessobjects.sdk.credential.WrappedResponseAuthFilter</filter-class>

Modify the following parameters:

idm.realm set to CORP.ABC.COM
idm.princ set to HTTP/ABCBRPT01-T.corp.ABC.com

    <init-param>
        <param-name>idm.realm</param-name>
        <param-value>CORP.ABC.COM</param-value>
    </init-param>

    <init-param>
        <param-name>idm.princ</param-name>
        <param-value>HTTP/ABCBRPT01-T.corp.ABC.com</param-value>
    </init-param>


Add the following after the idm.princ parameter:

    <init-param>
        <param-name>idm.keytab</param-name>
        <param-value>D:\WINNT\devvintelakey.keytab</param-value>
    </init-param>

and before the idm.allowUnsecured parameter:

    <init-param>
        <param-name>idm.allowUnsecured</param-name>
        <param-value>true</param-value>
    </init-param>

    <init-param>
        <param-name>idm.allowNTLM</param-name>
        <param-value>false</param-value>
    </init-param>

    <init-param>
        <param-name>idm.logger.name</param-name>
        <param-value>simple</param-value>
        <description>The unique name for this logger.</description>
    </init-param>

    <init-param>
        <param-name>idm.logger.props</param-name>
        <param-value>error-log.properties</param-value>
        <description>Configures logging from the specified file.</description>
    </init-param>

    <init-param>
        <param-name>error.page</param-name>
        <param-value>/jsp/logon/vintelaError.jsp</param-value>
        <description>The URL of the page to show if an error occurs during authentication.</description>
    </init-param>
</filter>

Locate the following section in the web.xml file and uncomment the code for the tags below

<!-- For Vintela SSO the following filter mapping needs to be uncommented. There is also a filter which needs to be uncommented. -->

<filter-mapping>
    <filter-name>authFilter</filter-name>
    <url-pattern>/logon/logonService.do</url-pattern>
</filter-mapping>


5. Configure the server.xml file located in D:\Program Files (x86)\Business Objects\Tomcat55\conf\ by increasing the size of maxHttpHeaderSize to 16384 (maxHttpHeaderSize="16384").

Note: Search for the <Connector…> tag that corresponds to port 8080 (“Connector on port 8080”) to find the maxHttpHeaderSize parameter.

6. Restart Tomcat

7. Do not change the Internet Explorer settings described in the “Configure Internet Explorer browser” for ABC’s setup.
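The names configured in sections 1.1, 1.5 and 1.6 (the SETSPN service account, the ktpass keytab principal, krb5.ini and the web.xml authFilter parameters) must agree exactly, and the document notes they are case sensitive. The checker below is an added example, not part of the original document or of the Business Objects product; it parses constructed copies of those artifacts (the full ktpass principal HTTP/ABCBRPT01-T.corp.ABC.com@CORP.ABC.COM is an assumption, since the page obscures it) and reports any mismatch.

```python
import re
import xml.etree.ElementTree as ET

# Constructed samples built from the document's values; the full ktpass principal is an assumption (the page obscures it).
KRB5_INI = """[libdefaults]
    default_realm = CORP.ABC.COM
[realms]
CORP.ABC.COM = {
    default_domain = CORP.ABC.COM
    kdc = ABCBADC01.CORP.ABC.COM
}
"""
WEB_XML = """<web-app><filter><filter-name>authFilter</filter-name>
<init-param><param-name>idm.realm</param-name><param-value>CORP.ABC.COM</param-value></init-param>
<init-param><param-name>idm.princ</param-name><param-value> HTTP/ABCBRPT01-T.corp.ABC.com </param-value></init-param>
<init-param><param-name>idm.keytab</param-name><param-value>D:\\WINNT\\devvintelakey.keytab</param-value></init-param>
</filter></web-app>"""
SETSPN_CMD = "SETSPN.exe -A BOBJCentralMS/ABC1-T.corp.ABC.com svc-cb-bo-sso-t"
KTPASS_CMD = "ktpass -out devvintelakey.keytab -princ HTTP/ABCBRPT01-T.corp.ABC.com@CORP.ABC.COM -mapuser svc-cb-bo-sso-t -pass xxxx -kvno 255 -ptype KRB5_NT_PRINCIPAL -crypto RC4-HMAC-NT"

def cli_flag(cmd, flag):
    """Value that follows `flag` in a space-separated command line."""
    toks = cmd.split()
    return toks[toks.index(flag) + 1]

def filter_params(web_xml):
    """init-param name -> value of the authFilter, surrounding whitespace stripped."""
    return {p.findtext("param-name").strip(): (p.findtext("param-value") or "").strip()
            for p in ET.fromstring(web_xml).iter("init-param")}

def check_sso_config(krb5_text, web_xml, setspn_cmd, ktpass_cmd):
    """Return a list of mismatches between the four artifacts; an empty list means they agree."""
    findings, params = [], filter_params(web_xml)
    m = re.search(r"^\s*default_realm\s*=\s*(\S+)", krb5_text, re.M)
    realm = m.group(1) if m else ""
    if realm != realm.upper() or not re.search(rf"^\s*{re.escape(realm)}\s*=\s*\{{", krb5_text, re.M):
        findings.append(f"krb5.ini: default_realm {realm!r} must be upper case and defined under [realms]")
    if params.get("idm.realm") != realm:
        findings.append(f"web.xml: idm.realm {params.get('idm.realm')!r} differs from default_realm {realm!r}")
    princ, _, princ_realm = cli_flag(ktpass_cmd, "-princ").partition("@")
    if princ_realm != realm:
        findings.append(f"ktpass: principal realm {princ_realm!r} differs from default_realm {realm!r}")
    if params.get("idm.princ") != princ:  # principal names are case sensitive (section 1.1)
        findings.append(f"web.xml: idm.princ {params.get('idm.princ')!r} differs from keytab principal {princ!r}")
    if params.get("idm.keytab", "").split("\\")[-1] != cli_flag(ktpass_cmd, "-out"):
        findings.append("web.xml: idm.keytab file name differs from the ktpass -out file name")
    if setspn_cmd.split()[-1] != cli_flag(ktpass_cmd, "-mapuser"):
        findings.append("SETSPN and ktpass -mapuser name different service accounts")
    return findings
```

Run check_sso_config(KRB5_INI, WEB_XML, SETSPN_CMD, KTPASS_CMD) against the real files before restarting Tomcat; a lower-cased host in one place is enough to break the SSO handshake and is the kind of mismatch this catches.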

1.7. Configuring AD authentication to enable SSO

1. Launch CMC and log in as Enterprise Administrator.

2. Click on Authentication.

3. Click on the Windows AD.

4. Scroll down to Authentication Options and check the Enable Single Sign On for selected authentication mode check box.

5. Click on Update