7/23/2019 END TO END SSO SSAS
http://slidepdf.com/reader/full/end-to-end-sso-ssas 1/3
SAP Knowledge Base Article
Symptom
- Please read KBA 1869952 - Requirements and troubleshooting steps when setting up Kerberos SSO to the database - prior to attempting to set up this configuration.
- How to configure BI 4.0 Analysis Edition for OLAP with End-to-End SSO to MS SQL Server Analysis Services (MSAS)?
- This configuration may also be used to support multi-source UNX universes via Data Federator.
- These steps support JDBC connections to an AD-integrated DB (currently SQL, Oracle, and HANA).
- At this time SSO to SQL Analysis will only work with unconstrained delegation (delegation to any service (Kerberos only)). We are currently testing with constrained delegation (delegation to specified services).
- IMPORTANT NOTE regarding VERY HIGH support for MSAS SSO: the SAP product is responsible for running under a service account and loading the java config files (bsclogin.conf and krb5.ini); that is where SAP product support ends. If our product fails to do either, then this WOULD qualify for very high support.
- If it does both of the above and SSO still doesn't work, then either your java config files (bsclogin.conf, krb5.ini, or keytab) are not configured properly, or your Microsoft components (IIS, MSAS, AD service account, or delegation) are not configured properly. None of these issues pertains to SAP products and therefore cannot qualify for very high troubleshooting. Please note before using this solution that you must be able to troubleshoot your own java config files and Microsoft products. See SAP notes 83020 and 1054121 for what is consulting and what is support. The engineer may elect to give you best-effort support, but usually only with the incident priority set to HIGH.
Environment
- SAP BusinessObjects Business Intelligence Platform 4.0 (all SPs) and 4.1
Cause
- The Adaptive Processing Server running the MDAS service requires an extended java configuration for Single Sign-On to MSAS/SSAS.
- An APS running Data Federator for multi-source universes with 2 or more connections requires the same extended java configuration.
- Other reporting servers connecting via JDBC will require the extended java configuration as well.
This "extended java configuration" contains 3 files:
- bsclogin.conf, with a reference to the CMC SPN and the keytab file
- keytab file with a kvno matching the CMS service account
- krb5.ini containing all the proper KDC information for the environment. NOTE: at this time multi-forest environments have not been tested using this configuration.
Resolution
Prerequisites
- Active Directory manual authentication and Single Sign-On are configured on BI4 according to KB 1631734 (if not already configured, please note that the ktpass setting for SSO2DB and the keytab section below should be done, except for testing the keytab kvno).
- HTTP access has been configured for the MSAS:
  - IIS 6: Configuring HTTP Access to SQL Server 2005 Analysis Services on Microsoft Windows Server 2003
  - IIS 7: Configure HTTP Access to SQL Server Analysis Services on IIS 7
- SSO to MSAS works from MS Excel, KB 1689237
Generating the keytab
There are a few differences from the steps described in KB 1631734 for generating the keytab:
- The -mapuser parameter must be used.
- The -kvno parameter cannot be used, or must be set to the value of the service account, which can be found as described in KBA 1853668.
The keytab needs to be generated with the following command (values in angle brackets are placeholders for your own SPN, service account, realm and password):
ktpass -out bosso.keytab -princ <service-account-spn>@<REALM> -mapuser <service-account>@<REALM> -pass <service-account-password> -ptype KRB5_NT_PRINCIPAL -crypto RC4-HMAC-NT
Sample:
ktpass -out bosso.keytab -princ BICMS/bossosvcacct.vtiauth08.com@<REALM> -mapuser <service-account>@<REALM> -pass <password> -ptype KRB5_NT_PRINCIPAL -crypto RC4-HMAC-NT
Testing
- Verify that the keytab princ value equals the princ (principal) entered in ktpass above, as well as in the bsclogin.conf below, by running ktab as described in KBA 1713720.
- The keytab kvno can also be verified following KBA 1853668, and it must match the key version number of the service account in AD. NOTE: SSO2DB will not work if the KVNO does not match the service account.
- Finally, after verifying kvno and princ, test the keytab as described in KBA 1726417.
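Added example, not from the KBA or SAP: a small Python reader for the keytab file format that performs the two checks above (princ equals the ktpass -princ value, kvno equals the service account's key version number in AD) without ktab or klist. The keytab bytes are constructed inline with a dummy key, and the SPN, realm and kvno values are assumptions.

```python
import struct

def _counted(data, pos):
    # keytab "counted octet string": 16-bit big-endian length, then the bytes
    (n,) = struct.unpack_from(">H", data, pos)
    return data[pos + 2:pos + 2 + n].decode(), pos + 2 + n

def parse_keytab(data):
    """Parse a version 0x0502 keytab into [{principal, kvno, enctype}], as ktab/klist -k list it."""
    if data[:2] != b"\x05\x02": raise ValueError("unsupported keytab version")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos); pos += 4
        if size < 0: pos += -size; continue           # negative size marks a deleted slot
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos); pos += 2
        realm, pos = _counted(data, pos)
        comps = []
        for _ in range(ncomp): comp, pos = _counted(data, pos); comps.append(comp)
        pos += 8                                      # skip name_type (4) and timestamp (4)
        vno8 = data[pos]; pos += 1
        etype, klen = struct.unpack_from(">HH", data, pos); pos += 4 + klen
        # newer keytabs append a 32-bit vno after the key; fall back to the 8-bit field otherwise
        (vno,) = struct.unpack_from(">I", data, pos) if end - pos >= 4 else (vno8,)
        entries.append({"principal": "/".join(comps) + "@" + realm, "kvno": vno, "enctype": etype})
        pos = end
    return entries

def check_keytab(data, expected_principal, ad_kvno):
    """The KBA's two checks: princ equals the ktpass -princ value, kvno equals the AD service account's."""
    entries = parse_keytab(data)
    matching = [e for e in entries if e["principal"] == expected_principal]
    problems = []
    if not matching:
        problems.append("princ mismatch: keytab holds " + ", ".join(e["principal"] for e in entries))
    for e in matching:
        if e["kvno"] != ad_kvno:
            problems.append("kvno mismatch: keytab %d vs AD %d (SSO2DB will fail)" % (e["kvno"], ad_kvno))
    return not problems, problems

def build_sample_keytab(principal="BICMS/bossosvcacct.vtiauth08.com", realm="REALM.COM", kvno=3):
    """Constructed sample (not real ktpass output): one RC4-HMAC (etype 23) entry with a dummy key."""
    comps = principal.split("/")
    body = struct.pack(">HH", len(comps), len(realm)) + realm.encode()
    for c in comps:
        body += struct.pack(">H", len(c)) + c.encode()
    body += struct.pack(">IIB", 1, 0, kvno & 0xFF)                # KRB5_NT_PRINCIPAL, timestamp 0, vno8
    body += struct.pack(">HH", 23, 16) + bytes(range(16))          # enctype 23, 16-byte dummy key
    body += struct.pack(">I", kvno)                                # trailing 32-bit vno
    return b"\x05\x02" + struct.pack(">i", len(body)) + body
```

To check a real file, pass `open("bosso.keytab", "rb").read()` to check_keytab together with the princ given to ktpass and the kvno read from AD as in KBA 1853668.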
1688079 - Configuring BI4 Analysis Edition for OLAP for End-to-End SSO to MS SQL Server Analysis Services
Version 25 | Validity: 29.08.2014 - active | Language: English
NOTE:
- Do not change or reset the password after creating the keytab, else it becomes obsolete and needs to be re-generated.
- Do not change the service-account-spn name (e.g. BICMS/bossosvcacct.vtiauth08.com) in Active Directory after creating the keytab, else you get the "Client not found in Kerberos database (6)" error.
- You can use the same keytab for the BI Launch Pad SSO as described in KB 1631734, but the following changes are required:
  - Change the idm.princ= in the global.properties to include the service-account-spn (e.g. idm.princ=BICMS/bossosvcacct.vtiauth08.com)
  - You can also define different keytabs by specifying a different filename or path in the global.properties than in the bsclogin.conf, if there are any issues trying to use the same one.
Updating bscLogin.conf
The bscLogin.conf must contain both the client (com.businessobjects.security.jgss.initiate) and the server (com.businessobjects.security.jgss.accept) configurations:
1. The bscLogin.conf should already have the client configuration after following the steps in KB 1631734.
2. Add the server configuration at the end:
com.businessobjects.security.jgss.accept {
    com.sun.security.auth.module.Krb5LoginModule required
    storeKey=true
    useKeyTab=true
    keyTab="<path_to_keytab>"
    realm="REALM.COM"
    principal="<service_account_spn also found in CMC>"
    debug=true;
};
NOTE: the keyTab path should use forward slashes, e.g. c:/windows/mykeytab.keytab.
In the example from KB 1631734 the bscLogin.conf should then look as follows:
com.businessobjects.security.jgss.initiate {
    com.sun.security.auth.module.Krb5LoginModule required
    debug=true;
};
com.businessobjects.security.jgss.accept {
    com.sun.security.auth.module.Krb5LoginModule required
    storeKey=true
    useKeyTab=true
    keyTab="<path_to_keytab>"
    realm="REALM.COM"
    principal="<service_account_spn also found in CMC>"
    debug=true;
};
NOTE:
- More information about the class Krb5LoginModule can be found in its Java documentation or in KBA 1245178.
- If the client configuration (com.businessobjects.security.jgss.initiate) is missing, manual java AD authentication will fail.
- If the server configuration (com.businessobjects.security.jgss.accept) is missing, SSO to the back-end server will fail.
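Added example, not part of the KBA: a Python checker for bscLogin.conf that applies the rules from this section (both entries present, storeKey and useKeyTab set, forward-slash keyTab path, principal matching the keytab princ). The sample configuration is constructed in the layout of the example above; its path, realm and SPN values are assumptions.

```python
import re

# Minimal reader for the JAAS login-configuration syntax that bscLogin.conf uses:
#   entry.name { module.Class flag key=value key="value" ... ; };
_ENTRY = re.compile(r"([\w.]+)\s*\{(.*?)\};", re.S)
_MODULE = re.compile(r"([\w.]+)\s+(required|requisite|sufficient|optional)\s+(.*?);", re.S)

def parse_jaas(text):
    """Return {entry_name: {'module': class, 'flag': flag, 'options': {key: value}}}."""
    entries = {}
    for name, body in _ENTRY.findall(text):
        m = _MODULE.search(body)
        if m:
            opts = {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', m.group(3))}
            entries[name] = {"module": m.group(1), "flag": m.group(2), "options": opts}
    return entries

def check_bsclogin(text, keytab_principal=None):
    """Apply the KBA's rules for bscLogin.conf; returns findings (empty list = nothing missing)."""
    entries, findings = parse_jaas(text), []
    if "com.businessobjects.security.jgss.initiate" not in entries:
        findings.append("client entry (jgss.initiate) missing: manual java AD authentication will fail")
    accept = entries.get("com.businessobjects.security.jgss.accept")
    if accept is None:
        return findings + ["server entry (jgss.accept) missing: SSO to the back-end server will fail"]
    opts = accept["options"]
    for key in ("storeKey", "useKeyTab"):
        if opts.get(key) != "true":
            findings.append("accept entry needs %s=true" % key)
    keytab = opts.get("keyTab", "")
    if not keytab:
        findings.append("accept entry has no keyTab")
    elif "\\" in keytab:
        findings.append("keyTab path must use forward slashes: " + keytab)
    if keytab_principal and opts.get("principal") != keytab_principal:
        findings.append("principal %r differs from the keytab princ %r" % (opts.get("principal"), keytab_principal))
    return findings

# Constructed sample in the layout of the KBA's example, with made-up path and realm values.
SAMPLE = '''
com.businessobjects.security.jgss.initiate { com.sun.security.auth.module.Krb5LoginModule required debug=true;};
com.businessobjects.security.jgss.accept {com.sun.security.auth.module.Krb5LoginModule required
storeKey=true useKeyTab=true keyTab="c:/windows/bosso.keytab" realm="REALM.COM"
principal="BICMS/bossosvcacct.vtiauth08.com" debug=true;};
'''
```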
Adaptive Processing Server command line arguments (java options)
The Adaptive Processing Server running the Multi Dimensional Analysis Service (MDAS) needs to be aware of the configuration files bscLogin.conf and krb5.ini. The path to bscLogin.conf always needs to be specified; krb5.ini is searched for in the C:\Windows folder by default. It is however always recommended to explicitly specify both locations, in case the default search location is changed by a third party. Add the following arguments to the command line of the Adaptive Processing Server(s) running the MDAS service:
-Djava.security.auth.login.config=C:/Windows/bscLogin.conf -Djava.security.krb5.conf=C:/Windows/krb5.ini
NOTE:
- After modifying the command line, the server will parse and reorganize the arguments (KB 1987799).
ALSO NOTE:
- If any other servers use java to send requests to the AD-integrated DB, they will require these java options as well (cs.cfg for Webi reporting, Crystal processing for CR4E, distributed APSs, Explorer servers for BI Explorer, etc.). These options are also used for IDT (informationdesigntool.ini) and WRC (environment variables). Currently the HANA SSO documentation contains all the known java configurations: KBA 1811398.
IMPORTANT INFO for BI 4.1 customers: it appears that IDT (Information Design Tool) can no longer be used to test the analysis connection for SQL 2012 after BI 4.1 SP2 Patch 1 or later. The workaround is to test the connection in the CMC; no bug has been raised yet.
For additional testing, try creating a connection in Universe Design Tool (doesn't require delegation or java), then create a universe and test a report (this tests the direct connection to MSAS without the java files). This will help isolate the problem.
See Also
- Also see KBA 1869952, which references most of the information regarding SSO to the DB using Kerberos.
- If you need to configure Information Design Tool for Active Directory in order to test connections, see KBA 1621106.
- If the service account was running SIA(s) prior to running ktpass with the -mapuser option and SSO is still not working after verifying the keytab, see KBA 1871302.
- If you want to allow Explorer to perform SSO via Kerberos, see KBA 1877286.
- Here is an SCN wiki page on setting this up with many screenshots.
- Please see thread #D11172 on Idea Place to comment on adding an enhancement to simplify configuration and no longer have all the current restrictions.
- See KBA 1965317, Troubleshooting APS MDAS logs for Kerberos SSO attempts, to see a successful APS log and key words to search for.
- Currently constrained delegation is not supported in this scenario. See KBA 2110370 for more info.
Keywords
zie end-to-end, EtE, SSO, MSAS, SSAS, OLAP, AAO, AAOW, APS, MDAS
Header Data
Released On: 17.12.2014 16:09:20
Release Status: Released to Customer
Component: BI-BIP-AUT Authentication, ActiveDirectory, LDAP, SSO, Vintela
Priority: Normal
Category: How To
Product
Product | Product Version
SAP BusinessObjects Business Intelligence platform | SAP BusinessObjects Business Intelligence platform 4.0
SAP BusinessObjects Business Intelligence platform | SAP BusinessObjects Business Intelligence platform 4.0, feature
SAP BusinessObjects Business Intelligence platform | SAP BusinessObjects Business Intelligence platform 4.1
References
This document refers to:
SAP Knowledge Base Articles
- 1965317 Troubleshooting APS MDAS logs for kerberos SSO attempts
- 1871302 No TGS requests were sent from any server attempting to perform SSO to hana via kerberos
- 1869952 Requirements and troubleshooting steps when setting up kerberos SSO to the database
- 1853668 How to find the KVNO version for your keytab file
- 1811398 How to setup BI components to login to hana via AD kerberos SSO
- 1726417 How to test keytab file in BI 4.0
- 1713720 How to get the kvno and princ values from the keytab file
- 1689744 Error "Login failed. Invalid user or password." when creating an Analysis workspace from a MSAS SSO connection
- 1689237 Unable to connect to MS Analysis Services (MSAS) server from MS Excel via XMLA
- 1631734 Configuring Active Directory Manual Authentication and SSO for BI4
- 1621106 How to configure Information Design Tool (IDT) for manual AD Login to BI 4.0
- 1245178 krb5.ini rules of configuration with Business Objects java AD
SAP Community Network
- Setting up OLAP Microsoft Analysis Service through an XMLA connection with SSO