2629070 - How to Securely Integrate BI 4.x with Windows Active Directory and SSO in Distributed Environments - Master KBA and Best Practice | SAP Knowledge Base Article

SAP Knowledge Base Article - Preview

Symptom

  • How to configure BI 4.x for integration with Microsoft Active Directory, to allow manual Kerberos logon and Kerberos delegation (aka SSO, SPNEGO, or Negotiate)
  • This KBA is a prerequisite for setting up SSO to the DB via Kerberos (see KBA 1869952), web services client tools SSO (see KBA 1646920), and many other scenarios
  • In most cases this KBA will replace KBA 1631734 for all BI systems on 4.1 and above, although 1631734 can still be used (but does not contain as much updated info)
  • This new KBA allows for a more secure configuration between BI and AD by integrating constrained delegation, the ability to use only RC4, AES 128 or 256 encryption, and SSL/TLS on the web/app tier, and it contains all of the latest BI features that were added as of 4.2 SP5
  • SSO in IE 11 on Win 10 (browser issues described in KBA 2485300) and in Google Chrome (KB 1887193) should work out of the box without modifying Credential Guard or adding URLs to the registry
  • NOTE: All information and pictures were taken from a sample test system and do not represent actual data (any resemblance as such is purely coincidental)

Environment

  • SAP BusinessObjects Business Intelligence 4.2 SP5 was used as the sample system in creating this KBA
  • Any SP of 4.2 will work; this document should also be backward compatible with any version of 4.1
  • Microsoft Active Directory 2008 and above

Product

SAP BusinessObjects Business Intelligence platform 4.1 ; SAP BusinessObjects Business Intelligence platform 4.2

Keywords

directions documentation documents steps to follow vintela ventila vintella ventela set up setup vintela config configuration configuring AD Active Directory single sign on sign-on slient automatic opendocument intermittent error fail trouble troubleshoot shoot test java tomcat websphere weblogic oracle application server netweaver JDK java SDK development kit XI4 XI 4.0 XI 4.1 XI41 XIR4 XI 4.x BI4.0 BI zie MNHWW mkba htkba biauth

Common error messages and symptoms that could occur if any of the above steps are not configured properly:

  • Account Information Not Recognized: Active Directory Authentication failed to log you on. Please contact your system administrator to make sure that you are a member of a valid mapped group and try again. If you are not a member of the default domain, enter your user name as UserName@DNS_DomainName, and then try again. (FWM 00006)
  • HTTP 500 error or page cannot be displayed
  • HTTP 404 error
  • HTTP 400 bad request or bad tag (typical error of attempting SSO on the BI server)
  • jcsi.kerberos: Could not decrypt service ticket with Key type ##, KVNO ##, Principal "HTTP/XXX.YYY.ZZZ" using key:Principal username@REALM.COM
  • com.crystaldecisions.sdk.exception.SDKException$InvalidArg: The argument has an invalid value null (FWM 02024) - delegation error

KBA, BI-BIP-AUT, Authentication, ActiveDirectory, LDAP, SSO, Vintela, How To
