Channel: SCN : Discussion List - BI Platform

Kerberos(SSO): throw RC4 away, adopt AES !


Hello,

 

We can find on "SAP Community" site many nice tutorials explaining how to configure "Windows AD" authentication + SSO.

 

Some of them are quite old or are recent copies from parts of old ones.

 

In the Kerberos configuration file "krb5.ini", they all give the RC4 algorithm as the encryption type to be used. That was true with "Windows Server 2003"...

 

/!\ But be careful, in 2015 and soon 2016, RC4 is no longer considered a secure encryption algorithm /!\

 

Assuming nobody uses "Windows Server 2003" anymore, I would strongly suggest that you modify "krb5.ini" sample files like this:

 

Replace:

 

default_tgs_enctypes = rc4-hmac

default_tkt_enctypes = rc4-hmac

 

with:

 

default_tgs_enctypes = aes128-cts-hmac-sha1-96

default_tkt_enctypes = aes128-cts-hmac-sha1-96

 

or even better (requires Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files for Java 7 or 8)

 

default_tgs_enctypes = aes256-cts-hmac-sha1-96

default_tkt_enctypes = aes256-cts-hmac-sha1-96

 

 

In fact, it's Microsoft's recommendation for "Windows Server 2008 R2" and above.

 

I've tested SAP/BO BI4.1 SP7 + AES-128 and AES-256 for Kerberos on Windows 2008 R2 and 2012 R2: it works great !

 

In fact, it would be nice if the authors of tutorials could modify them and add this security update.

 

Don't joke with security ! ;o)

 

Regards,

 

Stephane.
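
An added example (not part of the original post): a small auditor that finds RC4 or single-DES encryption types in the [libdefaults] section of a krb5.ini and rewrites them as the post suggests. The sample file and the names audit, harden and WEAK are constructed for illustration; EXAMPLE.COM is a placeholder realm.

```python
import re

# Enctype names treated as weak here: RC4 (the post's subject) and single DES.
WEAK = {"rc4-hmac", "arcfour-hmac", "arcfour-hmac-md5", "des-cbc-crc", "des-cbc-md5"}
ENCTYPE_KEYS = ("default_tgs_enctypes", "default_tkt_enctypes", "permitted_enctypes")
SECTION = re.compile(r"^\s*\[([^\]]+)\]\s*$")
# Comment lines (starting with ';' or '#') never match this pattern.
SETTING = re.compile(r"^(\s*)([A-Za-z_0-9]+)(\s*=\s*)(.*?)\s*$")

# Constructed sample in the style of the krb5.ini files discussed above.
SAMPLE = """\
[libdefaults]
default_realm = EXAMPLE.COM
dns_lookup_kdc = true
; default_tgs_enctypes = des-cbc-crc
default_tgs_enctypes = rc4-hmac
default_tkt_enctypes = aes128-cts-hmac-sha1-96 rc4-hmac
udp_preference_limit = 1
"""


def _settings(lines):
    """Yield (index, match) for every enctype setting inside [libdefaults]."""
    section = None
    for i, line in enumerate(lines):
        sec = SECTION.match(line)
        if sec:
            section = sec.group(1).strip().lower()
            continue
        m = SETTING.match(line)
        if section == "libdefaults" and m and m.group(2).lower() in ENCTYPE_KEYS:
            yield i, m


def _split(value):
    """Split an enctype list on whitespace or commas."""
    return [e for e in re.split(r"[\s,]+", value.lower()) if e]


def audit(text):
    """Return (line_number, key, weak_enctypes) for each offending setting."""
    findings = []
    for i, m in _settings(text.splitlines()):
        weak = [e for e in _split(m.group(4)) if e in WEAK]
        if weak:
            findings.append((i + 1, m.group(2), weak))
    return findings


def harden(text, replacement="aes256-cts-hmac-sha1-96"):
    """Drop weak enctypes; if none remain on a line, use `replacement`.

    The default is the post's "even better" value, which per the post needs
    the JCE Unlimited Strength policy files on Java 7 or 8.
    """
    lines = text.splitlines()
    for i, m in _settings(lines):
        strong = [e for e in _split(m.group(4)) if e not in WEAK]
        lines[i] = m.group(1) + m.group(2) + m.group(3) + " ".join(strong or [replacement])
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    for line_no, key, weak in audit(SAMPLE):
        print(f"line {line_no}: {key} allows {', '.join(weak)}")
    print(harden(SAMPLE))
```
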


BO4 Windows AD Authentication in Parent - Child domains


I am setting up Windows AD authentication and SSO where there are multiple domains in a parent – child domain structure:

 

    PARENT_DOMAIN

          CHILD_DOMAIN1

          CHILD_DOMAIN2

           …

 

I have made the appropriate settings according to the documentation, and now users in the Parent domain can login through manual AD.

I can successfully run a test with a user in a Child domain using Kinit, but that user cannot login to BO using manual AD.

 

The BO server is in CHILD_DOMAIN1. The service account running BO is in PARENT_DOMAIN1. There are users in all parent and child domains.

 

In the CMS I have set:

          AD Administration Name:            PARENT_DOMAIN.COM\Service_Account

          Default AD Group:                           PARENT_DOMAIN.COM

          Service Principal Name:                BO_SERVERNAME/Service_Account.PARENT_DOMAIN.COM

          I have added AD Group:               PARENT_DOMAIN\Group1

          (This group does include the user in the child domain.)

 

For SPNs:

          SETSPN -a BO_SERVER/Service_Account.PARENT_DOMAIN.COM Service_Account

          SETSPN -a HTTP/BO_SERVER.PARENT_DOMAIN.COM Service_Account

 

In krb5.ini I have:

[libdefaults]

default_realm = PARENT_DOMAIN.COM

dns_lookup_kdc = true

dns_lookup_realm = true

default_tgs_enctypes = rc4-hmac

default_tkt_enctypes = rc4-hmac

udp_preference_limit = 1

 

[realms]

PARENT_DOMAIN.COM = {

kdc = Parent_KDC.PARENT_DOMAIN.COM

default_domain = PARENT_DOMAIN.COM

}

CHILD_DOMAIN1.PARENT_DOMAIN.COM

kdc = KDC1.CHILD_DOMAIN1.PARENT_DOMAIN.COM

default_domain = CHILD_DOMAIN1.PARENT_DOMAIN.COM

}

CHILD_DOMAIN1.PARENT_DOMAIN.COM

kdc = KDC2.CHILD_DOMAIN2.PARENT_DOMAIN.COM

default_domain = CHILD_DOMAIN2.PARENT_DOMAIN.COM

}

 

The Tomcat error log says (among other things):

jcsi.kerberos: Ticket service name is: HTTP/BO_SERVER.CHILD_DOMAIN1.PARENT_DOMAIN.COM@CHILD_DOMAIN1.PARENT_DOMAIN.COM

jcsi.kerberos: Using keytab entry for: Service_Account@PARENT_DOMAIN.COM

jcsi.kerberos: ** decrypting ticket .. ** with key Principal: Service_Account@PARENT_DOMAIN.COM

jcsi.kerberos: Could not decrypt service ticket with Key type 23, KVNO 2, Principal "HTTP/BO_SERVER.CHILD_DOMAIN1.PARENT_DOMAIN.COM@CHILD_DOMAIN1.PARENT_DOMAIN.COM"

Exception for this key was: com.dstc.security.kerberos.CryptoException: Integrity check failure

 

It seems to me that I have not set up the SPNs correctly. Is that right? What would the correct SPNs be, based upon the location of the BO server?

 

Any other indications of what is going wrong?

Thanks

Al.

BO xi3.1 AD authentication issues after a DC was decommissioned.


Hello,

 

We have recently had an issue with Windows AD authentication after several DCs were decommissioned at our company. We have two domains; for this thread we will call domain 1 Alpha and domain 2 Beta. Absolutely nothing was changed in the BO config. Everyone was working fine yesterday. Users from DC Alpha have no issues with AD authentication. However, users from domain Beta get:

  • Account Information Not Recognized: Active Directory Authentication failed to log you on. Please contact your system administrator to make sure you are a member of a valid mapped group and try again. If you are not a member of the default domain, enter your user name as UserName@DNS_DomainName, and then try again. (FWM 00006)

 

We are sure there is a reference to a decommissioned DC somewhere in the config but we cannot find it. Does anyone have a clue as to where these references are located? Or are we barking up the wrong tree since LDAP is not used? Thank you in advance for your input.

Having trouble in kinit command


Hi,

 

I'm implementing AD Authentication in our BO XI3.1 environment. I have done the below steps to test Kerberos.

1. Created krb5.ini file and located it in C:\Windows folder.

 

krb5.ini

 

[libdefaults]

default_realm = DOMAIN.NET

dns_lookup_kdc = true

dns_lookup_realm = true

default_tkt_enctypes = rc4-hmac

default_tgs_enctypes = rc4-hmac

udp_preference_limit = 1

[domain_realm]

.domain.net = DOMAIN.NET

domain.net = DOMAIN.NET

[realms]

DOMAIN.NET {

kdc = Host1.domain.net

kdc = Host2.domain.net

default_domain = DOMAIN.NET

}

 

2. I have changed the tomcat option in Start -> Tomcat -> Tomcat Configuration -> Java tab

 

Djava.security.krbr5.conf=C:\Windows\krb5.ini.

 

When I tried to execute the kinit command, I got the error 'Could not load configuration file c:\winnit\krb5.ini'. I wondered why Java is searching for the krb5.ini file in the c:\winit folder, when the winnt folder does not exist at all and I have clearly specified the path in the Tomcat Java option.

 

Then I created a folder 'winnt' on the C:\ drive and placed the krb5.ini folder in it. Then I tried to execute the kinit command and got the error 'cannot get kdc for realm DOMAIN.NET'.

 

Please help to resolve this issue.

 

My Queries:

1. Should I do anything on the Domain Controller (AD Server) to resolve the issue?

2. From which path should kinit be run, as I have the kinit executable in more than one folder in the Javasdk folder? One in Javasdk\bin\kinit, also one in javasdk\jre\bin\kinit and another one in javasdk\jre6\bin\kinit.

3. Is it fine to use either slash, '\' or '/', in the Tomcat Java option to specify the path of the krb5.ini and bscLogin.conf files?

 

Kindly help me get out of this issue, as I have been getting it for a long time.

 

Also, I have checked the spacing in the krb5.ini file and for firewall issues. Everything is correct. Still getting the error.

krb5.ini - Urgent Help


Hi,

 

We are having multiple domains. NA is default domain. NA, SA, EU, AP. NA is parent domain.

SSO is working but Non-SSO is not working, e.g. when I use username@AP.NET.TEST.COM in Launchpad, it does not work. (Same thing for any Non-NA domain.) As per the note, there is an issue with the krb5.ini file. (Note: 1406795)

 

Below is current krb5.ini file

---------------------------------------------

[libdefaults]

    default_realm = NA.NET.TEST.COM

    dns_lookup_kdc = true

    dns_lookup_realm = true

default_tgs_enctypes = rc4-hmac

default_tkt_enctypes = rc4-hmac

    udp_preference_limit = 1

[realms]

NA.NET.TEST.COM = {

    kdc = NAUSLBDC01.NA.NET.TEST.COM

    default_domain = NA.NET.TEST.COM

}

SA.NET.TEST.COM = {

    kdc = NAUSLBDC01.NA.NET.TEST.COM

    default_domain = SA.NET.TEST.COM

}

 

 

[capaths]

SA.NET.TEST.COM = {

NA.NET.TEST.COM = . }

---------------------------------------------

I am using only one domain for test. I will add rest.

 

But I am not sure how capaths need to be defined. Below is the example given in the note, but I am not sure how exactly these capaths are defined.

 

If someone can help me to define krb5.ini then it will be helpful.

 

Below is example

 

[realms]

PARENT1.COM = {

kdc = DC01.PARENT1.COM

default_domain = PARENT1.COM

}

DEFCH.PARENT1.COM = {

kdc = DC01.DEFCH.PARENT1.COM

default_domain = DEFCH.PARENT1.COM

}

 

 

[capaths]

REMCH.PARENT2.NET = {

PARENT1.COM = PARENT2.NET

PARENT2.NET = .

}

PARENT1.COM = {

REMCH.PARENT2.NET = PARENT2.NET

PARENT2.NET = .

}

PARENT2.NET = {

PARENT1.COM = .

REMCH.PARENT2.NET = .

}

DEFCH.PARENT1.COM = {

PARENT1.COM = .

PARENT2.NET = PARENT1.COM

REMCH.PARENT2.NET = PARENT2.NET

}

Crystal Report takes forever to run in PRODUCTION


Hi Everyone,

 

I have a Crystal Report scheduled to run every day in production, and lately it is taking a lot of time for this report to run. This report never took more than a couple of hours earlier; it now takes 10 hours or so to finish. To ensure it's not the data that is causing the delay, I tried pointing a copy of this report in QA to the same database as used in PROD (with no parameter selection); the report runs as normal and finishes just in time (2hrs). Knowing that it's not the data that is to be blamed in the production env., I need your inputs as to what else can cause the report to run almost endlessly.

 

I'll really appreciate your thoughts on this. Please feel free to ask should you have any questions.

 

Thanks

GB

SAML version on BI 4.1 SP 4


Does BI 4.1 SP 4 support SAML 2.0 ?

krb5.ini Multiple Domain


Hi,

I'm having difficulties using SSO on SAP BI4.

The server has these particularities:

- jvm.dll delivered by default in SAP installation binaries

- OS Win Server 2008 R2 standard SP1

- 4 CPU Xeon 5550 @ 2.67

- RAM: 6 GB

 

I've read almost all SAP Kbase docs and I'm stuck when I want to access CMC with an AD user.

I can access WebI RC and Enterprise Views Manager on the BI4 platform in the SBOPTEST.COM domain.

I can't access Java Webi.

 

<--- krb5.ini (in use)

[domain_realm]

; trust relationship: childtest4<->sboptest3<->sboptest<->sboptest2

[libdefaults]

default_realm = SBOPTEST.COM

[realms]

SBOPTEST.COM = {

kdc = VANPGVMBOBJ01.sboptest.com

}

SBOPTEST2.COM = {

kdc = VANPGVMBOBJ05.sboptest2.com

}

SBOPTEST3.COM = {

kdc = VANPGVMBOBJ07.sboptest3.com

}

CHILDTEST4.SBOPTEST3.COM = {

kdc = vanpgvmbobj08.childtest4.sboptest3.com

}

[capaths]

; for clients in sboptest3 to login sboptest2

SBOPTEST3.COM = {

SBOPTEST2.COM = SBOPTEST.COM

}

; for clients in childtest4 to login sboptest2

CHILDTEST4.SBOPTEST3.COM = {

SBOPTEST2.COM = SBOPTEST.COM

SBOPTEST2.COM = SBOPTEST3.COM

}

---->

 

<--- Tomcat stdout.log

Debug is  true storeKey false useTicketCache false useKeyTab false doNotPrompt false ticketCache is null isInitiator true KeyTab is null refreshKrb5Config is false principal is null tryFirstPass is false useFirstPass is false storePass is false clearPass is false

        [Krb5LoginModule] user entered username: myadminuser@domain.com

 

Acquire TGT using AS Exchange

principal is myadminuser@domain.com

EncryptionKey: keyType=23 keyBytes (hex dump)=0000: E1 9C CF 75 EE 54 E0 6B   06 A5 90 7A F1 3C EF 42  ...u.T.k...z.<.B

 

Commit Succeeded

---->

 

<--- krb5.ini used

 

Any ideas ?


Customizing Error Message in Log On Page (BI Launch Pad)


Wanted to customize error message on Log On Page at BI Launch Pad, error message as below, possible?

 

Account information not recognized: All of your system's xxx Concurrent Access Licenses are in use at this time or your system's license key has expired. Try again later or contact your administrator to obtain additional licenses. (FWB 00014)

How to separate Audit and CMS Database in BO 4.1 SP7 ? By Ms. Jyothi


Hi,

 

I installed BO 4.1 SP7 on Windows server. During installation I made a mistake and installed the auditing and CMS databases in the CMS database only, instead of installing them separately in audit and CMS databases.

 

How do I separate the tables of the audit database from the CMS database? Please provide me a list of audit database tables.


OR


Do I need to re-install BO 4.1 SP 7 on Windows server again?

 

Thank You,

 

Regards

Ms. Jyothi

Date format change platform-wide


Hello Experts,

 

I'll explain my problem and what's the solution we're trying to implement.

 

We have BIP 4.1 SP3 and are using both universes and BW. BW has been upgraded from 7.0.1 to 7.4 and all of the old WAD needed to be replaced. We chose to use Design Studio and the Generic analysis template.

 

We have encountered several problems during it, but the last and toughest one is the date format.

Before, with the WAD on BW, the SU01 parameters were taken into account and the date was displayed as YYYY/MM/DD. Now, with Design Studio on BIP, the CMC preference language and its associated ISO date format are taken into account.

 

Users are all using English US, which gives us the format m/D/YYYY, which is a no-go as it is a massive change for the massive population of BW. Unfortunately, none of the installed languages gives us both the correct language and date format.

 

We do not have any problem with WEBI or other BO software as, most of the time, formulas can be used to adjust the format.

 

Do you know if it is possible to alter the BI Platform date format associated with the different installed language packs? We want to change it platform-wide and make sure all of the users will have exactly the same.

 

I looked into the different configuration files on BIP without finding something useful ... Any other Idea ?

 

PS : we're using crosstabs on DS and nothing can be done to alter format ...

 

Thank you in advance.

Using UMT to promote from dev to qa in the same platform


Hi ALL

 

Can I use UMT to promote from dev - qa - prd in the same platform?

Please help with the coding if possible.

 

Having issue with promotional management

 

 

Thanks

Coupon

 


Universe comparison


Hi Everyone,

 

We have a requirement to compare the .UNV universe across environments. Is there any way we can do it, maybe using the SDK or something?

 

Current BI version is BI4.1, Sp3 Patch4.

 

Thanks,

Amit

SIA is missing after installing SAP BI 4.1 SP06


Hi guys,

 

Actually we are facing an issue with the SAP BI installation process. Right now this is our env:

 

1. OS = Windows Server 2012 SP1

2. CMS DB= SQL Server 2012 SP1

3. SAP BI 4.1 Sp6

 

The installation finishes with errors, and when we check the CCM, the SIA node is missing; just Tomcat and the BW publish service are available.

 

I attached the install log. We already made some tests like this:

 

1. Apply the steps of Snote=  1767633 - SIA node is not getting created during BI4 install

 

2. The database user is the db_owner and has the default CMS database with it.

 

3. The OS user is the domain and machine admin.

 

4. The SQL Server ODBC works fine.

 

5. The user for the CMS DB does not have a complex password, just lower and upper case. The same for the BI admin.

 

6. I already checked ports 6400 and 6410, but any app. are use the ports.

 

7. Re-installed the product 2 times and the same issue appears.

 

 

Please, any suggestion or workaround without reinstalling? I don't know what happened. By the way, when I check the DB tables, the installation process did create tables.

Windows AD Authentication - "Invalid group name, cannot find group"


Hi,

 

I have a customer with a test system which doesn't have Windows AD authentication set up (unlike their production system, which is authenticating correctly), but they would like it set up. Somehow they have managed to migrate some users across with Windows AD aliases, which I have deleted in order to try and get it working, but to no avail.

 

When I go into the Authentication section of the CMC, the Authentication Mode was disabled. If I enable it, and then enter the AD Administration credentials (in the form DOMAIN\serviceaccount) and Default AD Domain (fully qualified), it pauses for a while then tells me:

 

"Invalid group name, cannot find group (S-1-5-21-1891586110-854747954-926709054-9022)."

 

If I click cancel, the Authentication screen does now show the AD administration credentials, but if I click the Update button at the top of the page, it says

 

"The Active Directory plugin does require valid global administration credentials in order to access Active Directory. Please specify administration credentials and try again".

 

If I enter the name of the Windows AD group into "Mapped AD Member Groups" (in the form DOMAIN\business objects) then the group is added correctly in its expanded form in the list, and also added to the list of groups in that section of the CMC; however none of the users is created. This the group that some existing users were members of.

 

Furthermore, the SID of the "business objects" group above is different from the one it is complaining about.

I ran the following query in Query Builder; this simply shows 65 Enterprise groups and one AD group, the business objects one above, and had a different ID (the last four digits are different).

 

SELECT SI_ALIASES FROM CI_SYSTEMOBJECTS WHERE SI_KIND = 'UserGroup'

 

I have confirmation from the system administrator that there is no group or user with the ID ending 9022. I can't see it in the system database, and I can't delete it from the Authentication page as it's not there.

 

Can anyone advise how I can get this phantom group removed from the system?

 

Thanks

Darren


Not able to view dashboard in BI Launch pad


I am facing an issue: I am not able to view the dashboard. After opening, it shows up as a blank white page with a little crossed rectangle only.

 

 


Dashboard Object Type: Flash

Flash Player Version: 19

Browser: IE10 (Compatibility Mode)

 

Note that other users are able to view the dashboard.

SSO for Rich Client 4.1 in 3-tier mode ?


Hello SSO experts ! ;o)

 

 

Is it possible to get SSO for WebI Rich Client 4.1 in 3-tier mode ?

 

Env. : Windows Server 2012 R2, BO BI 4.1 SP7, Tomcat7, JRE 8, Windows AD, SQL Server 2014

 

I get SSO+WinAD for WebI RC in "2-tier" mode but not in "3-tier" mode.

SSO+WinAD is OK for BILP.

 

I start WebI RC from BILP but it seems that "...\Documents\My SAP BusinessObjects Documents\LocData\VM-BOBI41_cloud_xyz@6400_j2ee.extranet" file is not updated correctly (in bold) on client:

 

-----

connection.common.cluster_name=@VM-BOBI41:6400

connection.common.config_name=VM-BOBI41.cloud.xyz:6400

connection.common.last_authmode=secEnterprise

connection.common.last_user=

connection.common.mode=HTTP_MODE

connection.http.locale=fr_FR

connection.http.provider=WSTK_HTTP_Tunneling

connection.http.sso_provider=

connection.http.url=http://vm-bobi41:8080/BOE/portal/1512210115/AnalyticalReporting/jsp/shared/WSTKBridge.jsp

connection.http.urlbase=http://vm-bobi41:8080/BOE/portal/1512210115

connection.http.web_authmode=

-----

 

I've tried this:

 

----

connection.common.cluster_name=@VM-BOBI41:6400

connection.common.config_name=VM-BOBI41.cloud.xyz:6400

connection.common.last_authmode=secWinAD

connection.common.last_user=

connection.common.mode=HTTP_MODE

connection.http.locale=fr_FR

connection.http.provider=WSTK_HTTP_Tunneling

connection.http.sso_provider=vintella

connection.http.url=http://vm-bobi41:8080/BOE/portal/1512210115/AnalyticalReporting/jsp/shared/WSTKBridge.jsp

connection.http.urlbase=http://vm-bobi41:8080/BOE/portal/1512210115

connection.http.web_authmode=secWinAD

----

 

but without success.

 

 

Any idea/solution to make SSO work for WebI Rich Client 4.1 in 3-tier mode ?

 

 

Thanks in advance.

 

Regards,

 

 

Stephane

Promotion of everyone, administrators group and administrator user


Hi,

 

I have migrated BO content from 3.1 to 4.1. Now I have to promote the content from BO 4.1 development to BO 4.1 development. Now I am using promotion management live to live. So my approach is to promote (1) users and groups, (2) custom access levels, connections and universes, (3) public folders, publications, favourite folders etc.

 

During promotion of users and groups, do I have to promote the administrators group and everyone group?

Do I have to promote the administrator user?

Do I have to use override settings for changing the connection from BO 4.1 development to BO 4.1 test?

 

Thank You,

 

Regards

Ms. Jyothi

Issue in installing SAP BO Dashboard 4.1 on linux server


Hello,


I want to install SAP BO Dashboard 4.1 Linux version with Oracle database. The hosting servers are different for Oracle and SAP BO Dashboard. I am facing certain issues like:

 

Database access error. Reason Loading shared object failed. First tried to load library clntsh and failed because of error: [clntsh: cannot open shared object file: No such file or directory]. Second tried to load library libclntsh.so and failed because of error: [libclntsh.so: cannot open shared object file: No such file or directory]. (FWB 00090)

 

Can anybody help to identify which package is missing? We have Oracle DB 11g installed on a separate server.

Any work around or recommendations if hosting servers are different or do they need to be necessarily hosted on same server?

 

Best regards,

Harsh

How to replicate a BI 4.1 Environment in a New System


Hi Experts,

 

At present we have our BO environment  in BI 4.1 SP6 in 3 servers which needs to be replicated in new servers/systems.

This replication requires us to install the BI components in the NEW SERVERS and map all the reports from the old servers.

The Network team will import all the databases from the old database to the new database

     

    OLD SERVER    NEW SERVER
    APP           APP1
    WEB           WEB1
    BODB          BODB1

 

I have the following questions

 

  1. When we install BO in the new server, do we require a new License ? Can we use the existing License for our System Replication as the old one will be shut down once the new system becomes functional
  2. What is the best practice followed for BO Replication from an old server to a new server that requires BO installation from scratch?
  3. When we install the BO components in the new systems , how do we retrieve our existing reports\universes in the new BO environment ? Do the reports become automatically available  once we map the BO CMS & Audit DBs in the new servers ?
  4. The old servers have BI 4.1 SP2 and had patch updates over time until SP6. Can I directly install the latest BI 4.1 SP6 software and map the CMS & Audit databases?

 

 

Thanks & Regards,

Rakesh Sudhakar
