Windows AD authentication for Business Objects using Kerberos – Part II

This is our continuation of our SSO configuration from starting from SIA configuration.

4.     Configuring the Server Intelligence Agent to use the service account

In order to support Kerberos, Server Intelligence Agent must be configured in CCM to log on as the service account:

To configure a Server Intelligence Agent

1)  Start the CCM.

2)  Stop the Server Intelligence Agent.

3)  Double-click the Server Intelligence Agent and the Properties dialog box is displayed.

4)  On the Properties tab:

• In the Log On As area, deselect the System Account check box.
• Enter the user name and password for the service account.
• Click Apply, and click OK.

5)       Start the server again.

5.     Configure the AD plug-in

In order to support Kerberos, we have to configure the Windows AD security plug-in the CMC to use Kerberos authentication.

To configure the Windows AD security plug-in for Kerberos

• Go to the Authentication management area of the CMC and Click the Windows AD tab.

• Ensure that the Windows Active Directory Authentication is enabled check box is selected.
• In the Windows AD Configuration Summary area of the page, click the link beside AD Administration Name.
• Enter the credentials that have read access to Active Directory in the Name and Password fields.

Note:

Use the format Domain\Account in the Name field LIKE NA\ BOLab-Admin.

• Enter the default domain in the Default AD Domain field.

Note:

Use FQDN format and enter the domain in uppercase, here it is NA.HEXAWARE.COM

• In the Mapped AD Member Group area, enter the name of an AD group whose users require access to Business Objects Enterprise, and then click Add.

• In the Authentication Options area, select Use Kerberos authentication.
• In the Service Principal Name field, enter the account and domain of the service account or the SPN mapping to the service account which was created

In this case, BOBJCentralMS/TESTSERVER.NA.HEXAWARE.COM.

• Click Update

6.     Configure Tomcat web.xml file

Modify the web.config file to ensure Windows authentication is enabled.

To configure InfoView for AD authentication mode, configure the web.config file in the

\Tomcat55\webapps\InfoViewApp\WEB-INF directory.

Edit the web.xml. Then, change the authentication default value to secWinAD.

7.     Configure the Krb5AuthLoginModule and krb5.ini

Create a folder in C:\WINNT to store the following two files:

1. krb5.ini
2. bscLogin.conf

The contents of the krb5.ini and the bscLogin.conf were the following:

Note: 1. This should be done on all computers that run application servers.

2.  KDC is the Domain Controller(s) of the particular domain.

8.     Configure the Tomcat Java option

Launch the Tomcat Configuration program & add the following Java command in the Java Optionsof the Java tab.

-Djava.security.auth.login.config=C:\WINNT\bscLogin.conf

-Djava.security.krb5.conf= C:\WINNT \krb5.ini

Hope this will be useful for Kerberos based windows AD authentication. Feel free to get back to me in case of any issues. I am privileged to helping you all. Happy Blogging!