SAP Knowledge Base Article - Public

2210624 - How do I configure SAP Lumira for Kerberos Authentication?

Symptom

How do I configure SAP Lumira for Kerberos Authentication?

NOTE: This KBA has been written for Lumira Desktop 1.X - elements of the configuration might differ between 1.X and 2.X clients.

To configure and troubleshoot Lumira Discovery 2.0, refer to KBA 2538325 - How to configure and troubleshoot Windows AD authentication in Lumira Discovery 2.0

Environment

  • SAP Lumira Desktop 1.x

Resolution

Overview

SAP Lumira, desktop edition supports Kerberos authentication, which requires specific configuration steps.

The steps apply when authenticating against any server that uses Kerberos, including SAP BusinessObjects Business Intelligence Platform and SAP HANA.

Trace logs are extremely helpful for troubleshooting; instructions for enabling them are in the additional knowledge base articles listed below.

Steps

  1. Kerberos jgss configuration file
  2. Kerberos services configuration file
  3. SAP Lumira configuration file
  4. Allow Ticket Granting Ticket Session
  5. Run As Administrator 


1. Kerberos jgss configuration file

Create C:\Windows\bscLogin.conf with the following content:

com.sun.security.jgss.login {
com.sun.security.auth.module.Krb5LoginModule required doNotPrompt=true debug=true client=true useTicketCache=true;
};
com.sun.security.jgss.initiate {
com.sun.security.auth.module.Krb5LoginModule required doNotPrompt=true debug=true client=true useTicketCache=true;
};
com.sun.security.jgss.accept {
com.sun.security.auth.module.Krb5LoginModule required doNotPrompt=true debug=true client=true useTicketCache=true;
};
com.businessobjects.security.jgss.login {
com.sun.security.auth.module.Krb5LoginModule required doNotPrompt=true debug=true client=true useTicketCache=true;
};
com.businessobjects.security.jgss.initiate {
com.sun.security.auth.module.Krb5LoginModule required debug=true client=true;
};
com.businessobjects.security.jgss.accept {
com.sun.security.auth.module.Krb5LoginModule required doNotPrompt=true debug=true client=true useTicketCache=true;
};
sap.bo.dsws.client {
com.sun.security.auth.module.Krb5LoginModule required debug=true useTicketCache=true;
};
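The file above is a JAAS login configuration: each named entry lists a login module, a control flag and module options, with a semicolon after every statement and after every closing brace. A missing semicolon or an option without a value makes Java reject the whole file when SAP Lumira starts, which typically surfaces only as a failed Kerberos login. The following Python script is an added example (not SAP code) that parses such a file, checks that all seven entries the article defines are present and use Krb5LoginModule with the flag required, and lists which entries still have debug=true. The entry names are the ones given above; the function names are the example's own.

```python
"""Parse a JAAS login configuration (bscLogin.conf) and check the entries this
article expects. Added example: not SAP code."""
import re

# Constructed sample: the bscLogin.conf content given in the article.
SAMPLE_BSCLOGIN = """\
com.sun.security.jgss.login {
com.sun.security.auth.module.Krb5LoginModule required doNotPrompt=true debug=true client=true useTicketCache=true;
};
com.sun.security.jgss.initiate {
com.sun.security.auth.module.Krb5LoginModule required doNotPrompt=true debug=true client=true useTicketCache=true;
};
com.sun.security.jgss.accept {
com.sun.security.auth.module.Krb5LoginModule required doNotPrompt=true debug=true client=true useTicketCache=true;
};
com.businessobjects.security.jgss.login {
com.sun.security.auth.module.Krb5LoginModule required doNotPrompt=true debug=true client=true useTicketCache=true;
};
com.businessobjects.security.jgss.initiate {
com.sun.security.auth.module.Krb5LoginModule required debug=true client=true;
};
com.businessobjects.security.jgss.accept {
com.sun.security.auth.module.Krb5LoginModule required doNotPrompt=true debug=true client=true useTicketCache=true;
};
sap.bo.dsws.client {
com.sun.security.auth.module.Krb5LoginModule required debug=true useTicketCache=true;
};
"""
KRB5_MODULE = "com.sun.security.auth.module.Krb5LoginModule"
# The seven entry names the article's file defines; Lumira looks them up by name.
REQUIRED_ENTRIES = {
    "com.sun.security.jgss.login", "com.sun.security.jgss.initiate",
    "com.sun.security.jgss.accept", "com.businessobjects.security.jgss.login",
    "com.businessobjects.security.jgss.initiate",
    "com.businessobjects.security.jgss.accept", "sap.bo.dsws.client",
}
# One JAAS entry: Name { ModuleClass Flag option=value ...; ... };
ENTRY_RE = re.compile(r"([\w.]+)\s*\{([^{}]*)\}\s*;")


def parse_jaas(text):
    """Return {entry_name: [{'module', 'flag', 'options'}, ...]}. Raises ValueError
    on an incomplete entry (e.g. no ';' after '}') or an option that is not key=value."""
    entries = {}
    for m in ENTRY_RE.finditer(text):
        name, body = m.group(1), m.group(2)
        modules = []
        for stmt in body.split(";"):          # one "Module Flag option=value ..." per ';'
            tokens = stmt.split()
            if not tokens:
                continue
            if len(tokens) < 2:
                raise ValueError(f"{name}: statement {stmt.strip()!r} lacks a control flag")
            module, flag, *opts = tokens
            options = {}
            for opt in opts:
                key, sep, value = opt.partition("=")
                if not sep:
                    raise ValueError(f"{name}: option {opt!r} is not key=value")
                options[key] = value.strip('"')
            modules.append({"module": module, "flag": flag.lower(), "options": options})
        entries[name] = modules
    leftover = ENTRY_RE.sub("", text).strip()  # anything not consumed is a syntax error
    if leftover:
        raise ValueError(f"unparsed text (missing '}};'?): {leftover[:60]!r}")
    return entries


def check_bsclogin(entries):
    """Findings that would stop Lumira's Kerberos login; [] means the file matches the article."""
    findings = [f"missing entry {n}" for n in sorted(REQUIRED_ENTRIES - set(entries))]
    for name, modules in entries.items():
        if not any(m["module"] == KRB5_MODULE for m in modules):
            findings.append(f"{name}: does not use {KRB5_MODULE}")
        for m in modules:
            if m["module"] == KRB5_MODULE and m["flag"] != "required":
                findings.append(f"{name}: Krb5LoginModule flag is {m['flag']}, article expects required")
    return findings


def debug_entries(entries):
    """Entries whose Krb5LoginModule has debug=true. The article enables it for
    troubleshooting; it prints ticket details to stdout, so turn it off once login works."""
    return sorted(name for name, mods in entries.items()
                  if any(m["module"] == KRB5_MODULE and m["options"].get("debug") == "true"
                         for m in mods))


def validate_bsclogin(text):
    """Parse and check in one call; a syntax error becomes a single finding."""
    try:
        entries = parse_jaas(text)
    except ValueError as exc:
        return [str(exc)]
    return check_bsclogin(entries)


if __name__ == "__main__":
    for finding in validate_bsclogin(SAMPLE_BSCLOGIN) or ["bscLogin.conf: OK"]:
        print(finding)
    print("debug=true in:", ", ".join(debug_entries(parse_jaas(SAMPLE_BSCLOGIN))))
```

To check a deployed file, pass the contents of C:\Windows\bscLogin.conf to validate_bsclogin instead of the embedded sample. The parser deliberately stops at the first brace mismatch rather than guessing, because that is also what the Java runtime does.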

2. Kerberos services configuration file

Create C:\Windows\krb5.ini with the following content (example taken from the BI Platform Administrator Guide):

[libdefaults]
default_realm = DOMAIN.COM
dns_lookup_kdc = true
dns_lookup_realm = true
default_tkt_enctypes = rc4-hmac
default_tgs_enctypes = rc4-hmac

[domain_realm]
.domain.com = DOMAIN.COM
domain.com = DOMAIN.COM
.domain2.com = DOMAIN2.COM
domain2.com = DOMAIN2.COM

[realms]
DOMAIN.COM = {
default_domain = DOMAIN.COM
kdc = HOSTNAME.DOMAIN.COM
}
DOMAIN2.COM = {
default_domain = DOMAIN2.COM
kdc = HOSTNAME.DOMAIN2.COM
}

[capaths]
DOMAIN2.COM = {
DOMAIN.COM =
}

  • DOMAIN.COM: The DNS name of your domain, which must be entered in uppercase in FQDN format.
  • kdc: The host name of the Domain Controller.
  • [capaths]: Defines the trust between domains that are in another AD forest. In the example above, DOMAIN2.COM is a domain in an external forest and has a direct two-way transitive trust to DOMAIN.COM.
  • default_realm: In a multiple-domain configuration, the default_realm value under [libdefaults] may be any of the source domains. The best practice is to use the domain with the greatest number of users that will be authenticating with their AD accounts. If no UPN suffix is supplied at log on, it defaults to the value of default_realm. This value should be consistent with the default domain setting in the CMC. All domains must be specified in uppercase as shown in the example above.
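The rules above can be checked mechanically before the file is deployed. The following Python script is an added example (not SAP code and not the Kerberos library's own parser): it parses the krb5.ini shown above and reports realm names that are not uppercase FQDNs, a default_realm with no [realms] entry, [domain_realm] mappings or [capaths] trust paths that name an undefined realm, and realms without a kdc. Beyond what the article states, it also flags rc4-hmac (and DES) in default_tkt_enctypes and default_tgs_enctypes, which are deprecated Kerberos encryption types, so the article's own sample yields two such findings. The realm and host names are the article's placeholders; the function names are the example's own.

```python
"""Parse a krb5.ini and check it against the rules this article states.
Added example: not SAP code and not the Kerberos library's own parser."""
import re

# Constructed sample: the article's krb5.ini (placeholder realms and hosts).
SAMPLE_KRB5_INI = """\
[libdefaults]
default_realm = DOMAIN.COM
dns_lookup_kdc = true
dns_lookup_realm = true
default_tkt_enctypes = rc4-hmac
default_tgs_enctypes = rc4-hmac
[domain_realm]
.domain.com = DOMAIN.COM
domain.com = DOMAIN.COM
.domain2.com = DOMAIN2.COM
domain2.com = DOMAIN2.COM
[realms]
DOMAIN.COM = {
default_domain = DOMAIN.COM
kdc = HOSTNAME.DOMAIN.COM
}
DOMAIN2.COM = {
default_domain = DOMAIN2.COM
kdc = HOSTNAME.DOMAIN2.COM
}
[capaths]
DOMAIN2.COM = {
DOMAIN.COM =
}
"""
SECTION_RE = re.compile(r"\[([^\]]+)\]")
WEAK_PREFIXES = ("rc4", "arcfour", "des")  # enctypes deprecated by RFC 8429


def parse_krb5(text):
    """Return {section: {key: value}}; 'key = {' opens a nested dict, the one
    level of nesting [realms] and [capaths] use. A repeated key keeps the last value."""
    sections, section, block = {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # '#' starts a comment
        if not line:
            continue
        m = SECTION_RE.fullmatch(line)
        if m:
            section, block = sections.setdefault(m.group(1), {}), None
            continue
        if section is None:
            raise ValueError(f"key before any [section]: {line!r}")
        if line == "}":
            if block is None:
                raise ValueError("unmatched '}'")
            block = None
            continue
        key, _, value = (s.strip() for s in line.partition("="))
        if value == "{":
            block = section[key] = {}
        else:
            (section if block is None else block)[key] = value
    if block is not None:
        raise ValueError("block not closed with '}'")
    return sections


def check_krb5(conf):
    """Return findings; an empty list means the file follows the article's rules."""
    findings = []
    libdefaults, realms = conf.get("libdefaults", {}), conf.get("realms", {})
    domain_realm = conf.get("domain_realm", {})
    capaths = {c: t for c, t in conf.get("capaths", {}).items() if isinstance(t, dict)}
    default_realm = libdefaults.get("default_realm")
    if default_realm not in realms:
        findings.append(f"libdefaults: default_realm {default_realm!r} is not defined under [realms]")
    # Article's rule: every realm name is uppercase, in FQDN form.
    names = {default_realm, *realms, *domain_realm.values(), *capaths,
             *(n for trusted in capaths.values() for n in trusted)} - {None}
    for name in sorted(names):
        if name != name.upper() or "." not in name:
            findings.append(f"realm {name!r} must be an uppercase FQDN")
    # Each realm needs a KDC; mappings and trust paths must name realms defined under [realms].
    for name, body in realms.items():
        if not isinstance(body, dict) or not body.get("kdc"):
            findings.append(f"realms: {name} defines no kdc")
    for domain, realm in domain_realm.items():
        if realm not in realms:
            findings.append(f"domain_realm: {domain} maps to undefined realm {realm}")
    for client, trusted in capaths.items():
        for name in {client, *trusted}:
            if name not in realms:
                findings.append(f"capaths: {name} is not defined under [realms]")
    # Practitioner's check beyond the article: RC4 and DES ticket enctypes are
    # deprecated; move to AES once the KDC and service accounts support it.
    for key in ("default_tkt_enctypes", "default_tgs_enctypes"):
        weak = [t for t in libdefaults.get(key, "").split()
                if t.lower().startswith(WEAK_PREFIXES)]
        if weak:
            findings.append(f"libdefaults: {key} allows weak enctypes {' '.join(weak)}")
    return findings


if __name__ == "__main__":
    for finding in check_krb5(parse_krb5(SAMPLE_KRB5_INI)) or ["krb5.ini: OK"]:
        print(finding)
```

To check a deployed file, read C:\Windows\krb5.ini and pass its text to parse_krb5 before calling check_krb5. The enctype finding is advisory: the article's rc4-hmac setting still works against Active Directory, but the KDC must actually hold AES keys for the service account before the value is changed, or ticket requests will fail.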


3. SAP Lumira configuration file

Add the following lines to C:\Program Files\SAP Lumira\Desktop\SAPLumira.ini:

-Djava.security.auth.login.config=C:\Windows\bscLogin.conf
-Djava.security.krb5.conf=C:\Windows\krb5.ini

4. Allow Ticket Granting Ticket Session

A new registry value is required to instruct Windows to allow applications to read the session key of the Ticket Granting Ticket.

  • Registry path: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Kerberos\Parameters
  • Value Name: allowtgtsessionkey
  • Value Type: REG_DWORD
  • Value: 0x01

Details on editing the registry can be found in Knowledge Base Article 1323322 - Editing the Windows Registry - Warning


5. Run As Administrator

If the Windows user is an Administrator, SAP Lumira must be run As Administrator in order for Kerberos to work.


Additional Knowledge Base Articles

  • 1995864 - Cannot connect to Universe using Windows AD from Lumira desktop
  • 2065396 - Does SAP Lumira support connecting to a Universe using Single Sign On?
  • 2172746 - SAP Lumira - Connecting to a universe data source
  • 2181269 - Issue with Windows AD Connectivity from Lumira Desktop to SQL Server
  • 2206553 - High Level SAP Lumira Desktop Trace Log Files Using enabletracing.bat File
  • 2251461 - Getting HDB 05401 When Saving Lumira Documents to BI Platform
  • 2300144 - FAQ: Lumira Desktop and BI Platform Single sign-on

See Also

For information on SAP BusinessObjects Lumira 2.x, see KBA 2538325 - How to configure and troubleshoot Windows AD authentication in Lumira Discovery 2.0

Keywords

kerberos single sign on krb5 krb active directory authentication ad auth sso windows howto how-to how to , KBA , BI-LUM-DIS , Lumira Desktop/Discovery , BI-LUM-SRV-BIP , SAP Lumira Server for BI Platform , How To

Product

SAP Lumira, desktop edition 1.0