end to end sso ssas



Page 1: END TO END SSO SSAS

7/23/2019 END TO END SSO SSAS

http://slidepdf.com/reader/full/end-to-end-sso-ssas 1/3

SAP Knowledge Base Article 

Symptom 

- Please read KBA 1869952 - Requirements and troubleshooting steps when setting up kerberos SSO to the database prior to attempting to set up this configuration
- How to configure BI 4.0 Analysis Edition for OLAP with End-to-End SSO to MS SQL Server Analysis Services (MSAS)?
- This configuration may also be used to support multi-source unx universes via data federator
- These steps support JDBC connections to an AD integrated DB (currently SQL, Oracle, and hana)
- At this time SSO to SQL analysis will only work with unconstrained delegation (delegation to any service (kerberos only)). We are currently testing with constrained (delegation to specified services).
- IMPORTANT NOTE regarding VERY HIGH support for MSAS SSO. The SAP product is responsible to run under a service account and load the java config files (bsclogin.conf and krb5.ini); that is where SAP product support ends. If our product fails to do either then this WOULD qualify for very high support.
- If it does both of the above and doesn't work, then either your java config files (bsclogin.conf, krb5.ini, or keytab) are not configured properly, or your Microsoft components (IIS, MSAS, AD service account, or delegation) are not configured properly. None of these issues pertains to SAP products and therefore cannot qualify for very high troubleshooting. Please note before using this solution that you must be able to troubleshoot your own java config files and Microsoft products. Please see SAP notes 83020 and 1054121 for what is consulting and what is support. The engineer may elect to give you best effort support, but usually setting incident priority as HIGH.

Environment 

l SAP Business Objects Business Intelligence Platform 4.0 all SP's and 4.1

Cause 

- Adaptive Processing Server running the MDAS service requires an extended java configuration for Single-Sign-On to MSAS/SSAS
- APS running data federator for multi-source universes with 2 or more connections requires the same extended java configuration
- Other reporting servers connecting via JDBC will require the extended java configuration

This "extended java configuration" contains 3 files:

- bsclogin.conf, referencing the CMC SPN and the keytab file
- keytab file with kvno matching the CMS service account
- krb5.ini containing all the proper KDC information for the environment

NOTE: at this time multiple forests have not been tested using this configuration.

Resolution 

Prerequisites

- Active Directory Manual and Single-Sign-On is configured on BI4 according to KB 1631734 (if not already configured, please note that the ktpass setting for SSO2DB and the keytab section below should be done, except for testing the keytab kvno)
- HTTP access has been configured for the MSAS
  - IIS 6: Configuring HTTP Access to SQL Server 2005 Analysis Services on Microsoft Windows Server 2003
  - IIS 7: Configure HTTP Access to SQL Server Analysis Services on IIS 7
- SSO to MSAS works from MS Excel, KB 1689237

Generating the keytab

There are a few differences from the steps described in KB 1631734 for generating the keytab:

- The -mapuser parameter must be used
- The -kvno parameter cannot be used, or must be set to the value of the service account, which can be found as described in KBA 1853668

The keytab needs to be generated with the following command:

    ktpass -out bosso.keytab -princ service-account-spn@REALM.COM -mapuser [email protected] -pass service-account-password -ptype KRB5_NT_PRINCIPAL -crypto RC4-HMAC-NT

Sample:

    ktpass -out bosso.keytab -princ BICMS/[email protected] -mapuser [email protected] -pass password -ptype KRB5_NT_PRINCIPAL -crypto RC4-HMAC-NT

Testing

- Verify that the keytab princ value = the princ (principal) entered in ktpass above, as well as in the bsclogin.conf below, by running ktab as described in KBA 1713720
- The keytab kvno can also be verified as described in KBA 1853668, and it must match the key version number of the service account in AD. NOTE: SSO2DB will not work if the KVNO does not match the service account
- Finally, after verifying kvno and princ, test the keytab as described in KBA 1726417
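The princ and kvno checks above can be scripted instead of read by eye from ktab output. The following is an added example, not code from the KBA or from SAP: it parses the version-2 keytab format that ktpass writes (the same layout ktab reads), extracts the principal and kvno of each entry without exposing the key bytes, and compares them with the SPN, realm and AD kvno you expect. The SPN BICMS/bossosvcacct.example.com, realm EXAMPLE.COM, kvno 3 and the keytab bytes themselves are constructed sample values; point it at your own bosso.keytab in real use.

```python
import struct

# Constructed sample values (not from the KBA): the SPN given to ktpass -princ,
# the AD realm, and the kvno read from the service account in AD.
SAMPLE_SPN = "BICMS/bossosvcacct.example.com"
SAMPLE_REALM = "EXAMPLE.COM"
SAMPLE_KVNO = 3
ENCTYPE_RC4_HMAC = 23          # keytab enctype written for -crypto RC4-HMAC-NT
KRB5_NT_PRINCIPAL = 1          # name type written for -ptype KRB5_NT_PRINCIPAL


def build_keytab_entry(spn, realm, kvno, enctype, key, timestamp=0):
    """Serialize one keytab-v2 entry (size prefix + body); used to build the sample file."""
    comps = spn.split("/")
    body = struct.pack(">H", len(comps))
    body += struct.pack(">H", len(realm)) + realm.encode()
    for c in comps:
        body += struct.pack(">H", len(c)) + c.encode()
    body += struct.pack(">IIB", KRB5_NT_PRINCIPAL, timestamp, kvno & 0xFF)
    body += struct.pack(">HH", enctype, len(key)) + key
    body += struct.pack(">I", kvno)          # 32-bit kvno extension after the key
    return struct.pack(">i", len(body)) + body


def _counted(buf, pos):
    """Read a 16-bit big-endian length-prefixed byte string; return (bytes, new pos)."""
    (n,) = struct.unpack_from(">H", buf, pos)
    pos += 2
    return buf[pos:pos + n], pos + n


def parse_keytab(data):
    """Parse a version-2 (0x0502) keytab as written by ktpass; return a list of entries."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version: %r" % (data[:2],))
    pos, entries = 2, []
    while pos < len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size <= 0:                      # negative size marks a deleted slot; skip it
            pos += -size
            continue
        e = data[pos:pos + size]
        pos += size
        p = 0
        (ncomp,) = struct.unpack_from(">H", e, p); p += 2
        realm, p = _counted(e, p)
        comps = []
        for _ in range(ncomp):
            c, p = _counted(e, p)
            comps.append(c.decode())
        name_type, timestamp, vno8 = struct.unpack_from(">IIB", e, p); p += 9
        (enctype,) = struct.unpack_from(">H", e, p); p += 2
        key, p = _counted(e, p)
        kvno = vno8
        if size - p >= 4:                  # 32-bit kvno present: it overrides the 8-bit one
            (kvno,) = struct.unpack_from(">I", e, p)
        entries.append({
            "principal": "/".join(comps) + "@" + realm.decode(),
            "name_type": name_type,
            "kvno": kvno,
            "enctype": enctype,
            "key_len": len(key),           # report the length only, never the key itself
        })
    return entries


def check_keytab(data, expected_spn, expected_realm, expected_kvno):
    """Return a list of mismatches; an empty list means princ and kvno are as expected."""
    want = "%s@%s" % (expected_spn, expected_realm)
    entries = parse_keytab(data)
    if not entries:
        return ["keytab contains no entries"]
    problems = []
    for e in entries:
        if e["principal"] != want:
            problems.append("princ %s does not match %s" % (e["principal"], want))
        if e["kvno"] != expected_kvno:
            problems.append("kvno %d does not match AD kvno %d (SSO2DB will fail)"
                            % (e["kvno"], expected_kvno))
        if e["name_type"] != KRB5_NT_PRINCIPAL:
            problems.append("name type %d is not KRB5_NT_PRINCIPAL" % e["name_type"])
    return problems


# Constructed keytab bytes standing in for bosso.keytab; the 16-byte key is a dummy.
SAMPLE_KEYTAB = b"\x05\x02" + build_keytab_entry(
    SAMPLE_SPN, SAMPLE_REALM, SAMPLE_KVNO, ENCTYPE_RC4_HMAC, b"\x11" * 16)


if __name__ == "__main__":
    # Real use: data = open("C:/Windows/bosso.keytab", "rb").read()
    for entry in parse_keytab(SAMPLE_KEYTAB):
        print(entry)
    print(check_keytab(SAMPLE_KEYTAB, SAMPLE_SPN, SAMPLE_REALM, SAMPLE_KVNO))
```

A non-empty result from check_keytab is the same finding the KBA describes: a kvno that drifted after a password reset, or a princ that no longer matches the SPN, and SSO2DB will fail until the keytab is regenerated.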

1688079 - Configuring BI4 Analysis Edition for OLAP for End-to-End SSO to MS SQL Server Analysis Services
Version: 25
Validity: 29.08.2014 - active
Language: English


NOTE:

- Do not change/reset the password after creating the keytab, else it becomes obsolete and needs to be re-generated
- Do not change the service-account-spn name (e.g. BICMS/bossosvcacct.vtiauth08.com) in Active Directory after creating the keytab, else you get the "Client not found in Kerberos database (6)" error
- You can use the same keytab for the BI Launch Pad SSO as described in KB 1631734, but the following changes are required:
  - Change idm.princ= in the global.properties to include the service-account-spn (e.g. idm.princ=BICMS/bossosvcacct.vtiauth08.com)
  - You can also define different keytabs by specifying a different filename or path in the global.properties than in the bsclogin.conf if there are any issues trying to use the same one

Updating bscLogin.conf

The bscLogin.conf must contain both the client (com.businessobjects.security.jgss.initiate) and the server (com.businessobjects.security.jgss.accept) configurations:

1. The bscLogin.conf should already have the client configuration after following the steps in KB 1631734
2. Add the server configuration at the end:

    com.businessobjects.security.jgss.accept {
      com.sun.security.auth.module.Krb5LoginModule required
      storeKey=true
      useKeyTab=true
      keyTab="<path_to_keytab>"
      realm="REALM.COM"
      principal="<service_account_spn also found in CMC>"
      debug=true;
    };

NOTE: the keytab path should use forward slashes, i.e. c:/windows/mykeytab.keytab

In the example from KB 1631734 the bscLogin.conf should look as follows:

    com.businessobjects.security.jgss.initiate {
      com.sun.security.auth.module.Krb5LoginModule required debug=true;
    };

    com.businessobjects.security.jgss.accept {
      com.sun.security.auth.module.Krb5LoginModule required
      storeKey=true
      useKeyTab=true
      keyTab="<path_to_keytab>"
      realm="REALM.COM"
      principal="<service_account_spn also found in CMC>"
      debug=true;
    };

NOTE:

- More information about the class Krb5LoginModule can be found here or in KBA 1245178
- If the client configuration (com.businessobjects.security.jgss.initiate) is missing, the manual java AD authentication will fail
- If the server configuration (com.businessobjects.security.jgss.accept) is missing, the SSO to the back end server will fail
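Because a missing initiate or accept entry fails in two different places (manual AD login versus SSO to the back end), it is worth checking the file before restarting the APS. The following is an added example, not code from the KBA or from SAP: it parses the JAAS login entries in a bscLogin.conf, confirms both entries are present, and checks the accept entry for storeKey, useKeyTab, a forward-slash keyTab path, and a realm and principal that match what was given to ktpass. The embedded configuration text, the keytab path C:/Windows/bosso.keytab, the realm EXAMPLE.COM and the SPN BICMS/bossosvcacct.example.com are constructed sample values.

```python
import re
import shlex

CLIENT_ENTRY = "com.businessobjects.security.jgss.initiate"
SERVER_ENTRY = "com.businessobjects.security.jgss.accept"
KRB5_MODULE = "com.sun.security.auth.module.Krb5LoginModule"

# Constructed bscLogin.conf text in the KBA's layout; path, realm and SPN are samples.
SAMPLE_CONF = '''
com.businessobjects.security.jgss.initiate {
  com.sun.security.auth.module.Krb5LoginModule required debug=true;
};

com.businessobjects.security.jgss.accept {
  com.sun.security.auth.module.Krb5LoginModule required
  storeKey=true
  useKeyTab=true
  keyTab="C:/Windows/bosso.keytab"
  realm="EXAMPLE.COM"
  principal="BICMS/bossosvcacct.example.com"
  debug=true;
};
'''

# One JAAS entry: name { module flag option=value ... ; };
ENTRY_RE = re.compile(r"([\w.]+)\s*\{(.*?)\}\s*;", re.S)


def parse_jaas(text):
    """Return {entry name: {"module", "flag", "options"}} for every entry in the text."""
    entries = {}
    for name, body in ENTRY_RE.findall(text):
        # shlex honours the double quotes around values such as keyTab="..."
        tokens = shlex.split(body.strip().rstrip(";"))
        if len(tokens) < 2:
            raise ValueError("entry %s lacks a module and control flag" % name)
        options = {}
        for tok in tokens[2:]:
            key, sep, value = tok.partition("=")
            if not sep:
                raise ValueError("option %r in %s is not key=value" % (tok, name))
            options[key] = value
        entries[name] = {"module": tokens[0], "flag": tokens[1], "options": options}
    return entries


def check_bsclogin(text, expected_spn, expected_realm):
    """Return a list of problems; an empty list means both entries look complete."""
    problems = []
    entries = parse_jaas(text)
    if CLIENT_ENTRY not in entries:
        problems.append("missing %s: manual java AD authentication will fail" % CLIENT_ENTRY)
    server = entries.get(SERVER_ENTRY)
    if server is None:
        problems.append("missing %s: SSO to the back end server will fail" % SERVER_ENTRY)
        return problems
    if server["module"] != KRB5_MODULE:
        problems.append("%s does not use %s" % (SERVER_ENTRY, KRB5_MODULE))
    opts = server["options"]
    for flag in ("storeKey", "useKeyTab"):
        if opts.get(flag) != "true":
            problems.append("%s must be true in %s" % (flag, SERVER_ENTRY))
    keytab = opts.get("keyTab", "")
    if not keytab:
        problems.append("keyTab is not set in %s" % SERVER_ENTRY)
    elif "\\" in keytab:
        problems.append("keyTab path must use forward slashes: %s" % keytab)
    if opts.get("realm") != expected_realm:
        problems.append("realm %r does not match %s" % (opts.get("realm"), expected_realm))
    if opts.get("principal") != expected_spn:
        problems.append("principal %r does not match the ktpass -princ value %s"
                        % (opts.get("principal"), expected_spn))
    return problems


if __name__ == "__main__":
    # Real use: text = open("C:/Windows/bscLogin.conf").read()
    print(check_bsclogin(SAMPLE_CONF, "BICMS/bossosvcacct.example.com", "EXAMPLE.COM"))
```

The principal compared here should be the same SPN the keytab was generated with; the KBA's testing steps make the same comparison against the ktab output.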

Adaptive Processing Server command line arguments (java options)

The Adaptive Processing Server running the Multi Dimensional Analysis Service (MDAS) needs to be aware of the configuration files bscLogin.conf and krb5.ini. The path to bscLogin.conf always needs to be specified; krb5.ini is searched for in the C:\Windows folder by default. It is however always recommended to explicitly specify both locations, in case the default search location is changed by a third party. Add the following arguments to the command line of the Adaptive Processing Server(s) running the MDAS service:

    -Djava.security.auth.login.config=C:/Windows/bscLogin.conf -Djava.security.krb5.conf=C:/Windows/krb5.ini

NOTE:

- After modifying the command line, the server will parse and reorganize the arguments (see KB 1987799)

ALSO NOTE:

- If any other servers are using java to send requests to the AD integrated DB then they will require these java options as well (cs.cfg for Webi reporting, Crystal processing for CR4E, distributed APSs, explorer servers for BI Explorer, etc.). These options will also be used for IDT (informationdesigntool.ini) and WRC (environment variables). Currently the hana SSO documentation contains all the known java configurations, KBA 1811398

IMPORTANT INFO for BI 4.1 customers: it appears that IDT (Information Design Tool) can no longer be used to test the analysis connection for SQL 2012 after BI 4.1 SP2 patch 1 or later. The workaround is to test the connection in the CMC; no bug has been raised yet.


For additional testing, try creating a connection in the universe design tool (doesn't require delegation or java), then create a universe and test a report (this tests a direct connection to MSAS without the java files). This will help isolate the problem.

See Also 

- Also see KBA 1869952, which references most of the information regarding SSO to the DB using kerberos
- If you need to configure Information Design Tool for Active Directory in order to test connections, see KBA 1621106
- If the service account was running a SIA(s) prior to running ktpass with the map user option and SSO is still not working after verifying the keytab, see KBA 1871302
- If you want to allow Explorer to perform SSO via kerberos, see KBA 1877286
- Here is an SCN wiki page on setting this up with many screenshots
- Please see thread #D11172 on idea place to comment on adding an enhancement to simplify configuration and no longer have all the current restrictions
- See KBA 1965317 Troubleshooting APS MDAS logs for kerberos SSO attempts to see a successful APS log and key words to search for
- Currently constrained delegation is not supported in this scenario. See KBA 2110370 for more info

Keywords 

zie end-to-end, EtE, SSO, MSAS, SSAS, OLAP, AAO, AAOW, APS, MDAS 

Header Data

Released On: 17.12.2014 16:09:20
Release Status: Released to Customer
Component: BI-BIP-AUT Authentication, ActiveDirectory, LDAP, SSO, Vintela
Priority: Normal
Category: How To

Product / Product Version

SAP BusinessObjects Business Intelligence platform / SAP BusinessObjects Business Intelligence platform 4.0
SAP BusinessObjects Business Intelligence platform / SAP BusinessObjects Business Intelligence platform 4.0, feature
SAP BusinessObjects Business Intelligence platform / SAP BusinessObjects Business Intelligence platform 4.1

References

This document refers to:

SAP Knowledge Base Articles

1965317 Troubleshooting APS MDAS logs for kerberos SSO attempts
1871302 No TGS requests were sent from any server attempting to perform SSO to hana via kerberos
1869952 Requirements and troubleshooting steps when setting up kerberos SSO to the database
1853668 How to find the KVNO version for your keytab file
1811398 How to setup BI components to login to hana via AD kerberos SSO
1726417 How to test keytab file in BI 4.0
1713720 How to get the kvno and princ values from the keytab file
1689744 Error "Login failed. Invalid user or password." when creating an Analysis workspace from a MSAS SSO connection
1689237 Unable to connect to MS Analysis Services (MSAS) server from MS Excel via XMLA
1631734 Configuring Active Directory Manual Authentication and SSO for BI4
1621106 How to configure Information Design Tool (IDT) for manual AD Login to BI 4.0
1245178 krb5.ini rules of configuration with Business Objects java AD

SAP Community Network

Setting up OLAP Microsoft Analysis Service through an XMLA connection with SSO