SAP Knowledge Base Article - Public

2777306 - How to configure the Import Connection to Business Intelligence Platform Universe using Windows Active Directory authentication in SAP Analytics Cloud (SAC)

Symptom

  • How to configure the Import / Acquired Connection to BIP Universe (UNX) using manual AD Kerberos authentication in SAP Analytics Cloud (SAC)?
  • The following error appears when configuring the Import Connection to BIP using AD authentication: Error occurred logging onto BOE

Environment

  • SAP Analytics Cloud 2019
  • SAP Business Objects Business Intelligence 4.1 SP5 or higher, or 4.2 SP4 or higher

Reproducing the Issue

  1. Log on to the SAP Analytics Cloud tenant.
  2. Choose the Connection menu, then click the + (plus) sign at the top right corner.
  3. Expand Acquired Data and choose SAP Universe.
  4. Fill in all required fields, and select Windows AD in the Authentication Type dropdown list.
  5. Click the Create button.

Resolution

For SAP Analytics Cloud to use an Import Connection to an on-premise backend BI system via Windows AD Kerberos authentication, the Java program that makes the connection, the SAP Analytics Cloud Agent (C4A_AGENT Java web application), must be configured for manual AD Kerberos logon.

  1. Modify the Java options for Kerberos on the Tomcat hosting the SAP Analytics Cloud Agent
    1. From the Start menu, select Programs > Tomcat > Tomcat Configuration
    2. Click the Java tab
    3. Add the following options:

-Djava.security.auth.login.config=C:\XXXX\bscLogin.conf
-Djava.security.krb5.conf=C:\XXXX\krb5.ini

Replace XXXX with the location where you stored the krb5.ini file and bscLogin.conf file.

  2. Tomcat needs to be restarted after any of these options is added, changed or removed for the change to take effect.
  3. The bscLogin.conf file tells Java to use the AD logon module. In most cases the file can be created with exactly the content below:

com.businessobjects.security.jgss.initiate {
com.sun.security.auth.module.Krb5LoginModule required debug=true;
};

  4. The krb5.ini file contains information that helps Java find domain controllers. The file below is only an example and must be changed to match your own environment. For a more detailed krb5.ini, refer to KBA 1245178.

[libdefaults]
default_realm = EXAMPLE.COM
default_tgs_enctypes = aes256-cts-hmac-sha1-96 RC4-HMAC
default_tkt_enctypes = aes256-cts-hmac-sha1-96 RC4-HMAC
udp_preference_limit = 1

[realms]
EXAMPLE.COM = {
kdc = EXAMPLE-DC.EXAMPLE.COM
default_domain = EXAMPLE.COM
}

  5. Domain name and KDC need to be in upper case. For example, if the domain name is PSAUTH08.COM and the KDC is VANPSATVMWIN001.PSAUTH08.COM, the krb5.ini looks like the following:

[libdefaults]
default_realm =  PSAUTH08.COM
default_tgs_enctypes = aes256-cts-hmac-sha1-96 RC4-HMAC
default_tkt_enctypes = aes256-cts-hmac-sha1-96 RC4-HMAC
udp_preference_limit = 1

[realms]
PSAUTH08.COM = {
kdc = VANPSATVMWIN001.PSAUTH08.COM
default_domain = PSAUTH08.COM
}

  6. Alternatively, you can copy bscLogin.conf and krb5.ini from your BIP server. They are usually located in the C:\Windows or C:\WINNT folder.

NOTE:

* When the SAP Analytics Cloud Agent is located in the DMZ or a separate network segment, ensure that the Tomcat server can connect to the KDC server without communication issues.

* Ensure the bscLogin.conf and krb5.ini files are saved without a default extension being added, for example krb5.ini.txt.
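
An added example, not part of the SAP article or SAP's own tooling: a Python preflight check that parses a krb5.ini in the layout shown above and reports the conditions this article names (realm or KDC not in upper case, a default_realm with no block under [realms], a file saved with an extra extension). The function names and the sample are constructed here, and the RC4-HMAC finding goes beyond the article, on the basis that RFC 8429 deprecates that encryption type.

```python
import re

# Constructed sample in the article's krb5.ini layout, with lower-case names.
SAMPLE = """[libdefaults]
default_realm = example.com
default_tkt_enctypes = aes256-cts-hmac-sha1-96 RC4-HMAC
[realms]
example.com = {
kdc = example-dc.example.com
}
"""

def parse_krb5(text):
    """Parse krb5.ini into {section: {key: [values]}}; realm blocks nest one level."""
    conf, section, block = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if m := re.fullmatch(r"\[(\w+)\]", line):
            section, block = conf.setdefault(m.group(1), {}), None
        elif line == "}":
            block = None
        elif section is not None and (m := re.fullmatch(r"(\S+)\s*=\s*(.*)", line)):
            key, value = m.groups()
            if value == "{":
                block = section.setdefault(key, {})
            else:
                (section if block is None else block).setdefault(key, []).append(value)
    return conf

def check(text, filenames=()):
    """Return findings for the conditions the article names, plus an RC4-HMAC flag."""
    conf = parse_krb5(text)
    lib, realms, out = conf.get("libdefaults", {}), conf.get("realms", {}), []
    default = (lib.get("default_realm") or [""])[0]
    if default not in realms:
        out.append(f"default_realm '{default}' has no block under [realms]")
    for realm, body in realms.items():
        kdcs = body.get("kdc", []) if isinstance(body, dict) else []
        out += [f"'{n}' is not upper case" for n in [realm, *kdcs] if n != n.upper()]
    # Not from the article: RC4-HMAC is deprecated (RFC 8429), so flag it for review.
    for key in ("default_tkt_enctypes", "default_tgs_enctypes"):
        if "RC4-HMAC" in " ".join(lib.get(key, [])).upper().split():
            out.append(f"{key} still offers RC4-HMAC")
    out += [f"'{f}' has an extra extension (expected .ini or .conf)"
            for f in filenames if not f.lower().endswith((".ini", ".conf"))]
    return out

print(*check(SAMPLE, ["krb5.ini.txt", "bscLogin.conf"]), sep="\n")
```

Run it against the contents of the krb5.ini that the -Djava.security.krb5.conf option points to before restarting Tomcat; an empty result means none of these conditions was found.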

Keywords

SAP Cloud for Planning, sc4p, c4p, cforp, cloudforplanning, EPM-ODS, Cloud for Analytics, Cloud4Analytics, CloudforAnalytics, Cloud 4 Planning, BOC, SAPBusinessObjectsCloud, BusinessObjectsCloud, BOBJcloud, BOCloud., SAC, SAP AC, Cloud-Analytics, CloudAnalytics, SAPCloudAnalytics, Kerberos, unx, acquired connection, KBA, LOD-ANA, SAP Analytics Cloud, LOD-ANA-BI, SAP Analytics Cloud - Business Intelligence (BOC), LOD-ANA-BR, SAP Analytics Cloud - Digital Boardroom, LOD-ANA-PL, SAP Analytics Cloud – Planning (BOC), LOD-ANA-PR, SAP Analytics Cloud – Predictive (BOC), Problem

Product

SAP Analytics Cloud 1.0