1869952 - Setting up kerberos SSO to the database requirements & troubleshooting | SAP Knowledge Base Article

SAP Knowledge Base Articles - preview

1869952 - Setting up kerberos SSO to the database requirements & troubleshooting


***Warning This configuration involves mostly 3rd party products outside the control of SAP. Troubleshooting and configuration of these products is not the responsibility of SAP support but should be directed toward your own internal resources or consulting*** Unless you have a specific problem with SAP product not loading the config files, support incidents will not qualify for very high support, and will be worked as best effort only.***

  • This is known as end to end SSO or SSO2DB, or kerberos SSO to the database
  • As of BI 4.0 this is supported for SQL, SSAS, Oracle, and HANA (if the database is properly integrated with AD and the kerberos information is configured correctly)
  • This KBA will serve as a master KBA with the links to all the kerberos supported documentation and troubleshooting information that we currently have available, and get updated regularly as more information is added to our knowledge base.

Important things to note before engaging in this complex process

  • Kerberos SSO is NOT possible for any scheduled reports at any time. If you will be scheduling reports to the same DB then those reports will require a separate universe and/or connection. See the see also section for other ideas
  • Kerberos SSO to the DB is not possible if you logged into BI with enterprise, LDAP, SAP, siteminder, trusted authentication, or anything other than AD/kerberos
  • Java configurations settings (4.x MSAS) are using the java SDK and java requires a krb5.ini/bsclogin.conf files to locate AD controllers not DNS, this may cause failover issues if the krb5.ini is not maintained properly see this for more krb5.ini information
  • SSO to the DB consists of BI configuration options (CMC, IDT, APS, other reporting servers), java configuration files (bsclogin.conf, krb5.ini, and encrypted keytab file), as well as extensive configuration in Microsoft Active Directory (service accounts, delegation, SPN's DNS, integrating IIS, SQL, Oracle, HANA with AD) and in many cases will require a large project and consultants to complete successfully.
  • SAP BI authentication engineers can verify if our CMC/CMS, reporting servers, and client tools have been configured properly but cannot verifythat all the external configurations have been completed successfully. This must be considered especially for go live dates and very high escalations that the SAP BI product components are a very small piece of this overall configuration



  • SAP BusinessObjects Business Intelligence Platform 4.x 4.0 4.1 4.2 etc
  • HANA database server
  • Microsoft SQL server
  • Microsoft SQL Server Analysis Server
  • Oracle database Server
  • Microsoft Active Directory kerberos


SAP BusinessObjects Business Intelligence platform 4.0 ; SAP BusinessObjects Business Intelligence platform 4.1


zie single sign on sign-on silent sign on end to end e2e 2 on-demand mkba htkba biauth bpkba , KBA , master kba , mkb , tskb , tskba , BI-BIP-AUT , Authentication, ActiveDirectory, LDAP, SSO, Vintela , BI-BIP-SL , Semantic Layer , How To

About this page

This is a preview of a SAP Knowledge Base Article. Click more to access the full version on SAP ONE Support launchpad (Login required).

Search for additional results

Visit SAP Support Portal's SAP Notes and KBA Search.