Business Objects XI

Implementing Active Directory Single Sign-On with Business

Objects XI

Overview
The purpose of this document is to demonstrate the steps to follow to
configure Business Objects XI for use with Active Directory SSO.

Authored by Ashish Gupta, Business Objects Customer Support

Contents
INTRODUCTION ............................................................................................ 2
CONFIGURE ACTIVE DIRECTORY ON WINDOWS 2003 SERVER AS PRIMARY
DOMAIN CONTROLLER................................................................................. 2
INSTALL AND CONFIGURE BUSINESS OBJECTS XI TO AUTHENTICATE AGAINST
ACTIVE DIRECTORY ..................................................................................... 5
FINDING MORE INFORMATION ..................................................................... 12

23-Feb-2006 1:59:00 PM Copyright © 2006 Business Objects. All rights reserved. Page 1
Introduction
Configuration of Business Objects XI with Active Directory is a two-step
process:

1) Configure Active Directory on a Windows 2003 Server and make it a

Primary Domain Controller.

2) Install and Configure Business Objects XI to authenticate against

Active Directory created in Step 1.

Configure Active Directory on Windows 2003 Server as

Primary Domain Controller
Launch the “Manage Your Server” option from the Start Menu.

23-Feb-2006 1:59:00 PM Copyright © 2006 Business Objects. All rights reserved. Page 2

AD-SSO_BOXI.pdf
 Click on “Add or remove a role.” The following screen appears:

23-Feb-2006 1:59:00 PM Copyright © 2006 Business Objects. All rights reserved. Page 3

AD-SSO_BOXI.pdf
 Click Next. This will bring up a list of roles available for this server:

The screen shot above is taken from a server where AD is already

installed. This would be set to “No” in an environment where AD is not
installed.

Highlight “Domain Controller (Active Directory)” and click Next.

This will initiate a wizard to install Active Directory on the server and
walk you through installing AD and making this server a Domain
Controller.

Since there is no DNS Server installed on this machine, the wizard will
prompt for installing a DNS Server. Select “Yes” to install and configure
the DNS Server.

23-Feb-2006 1:59:00 PM Copyright © 2006 Business Objects. All rights reserved. Page 4

AD-SSO_BOXI.pdf
 Once Active Directory is installed and configured, users and groups can
be added to Active Directory by going into Start >All Programs >
Administrative Tools > Active Directory Users and Computers.

The following dialog box allows you to add and modify users in Active
Directory.

Exercise: Add a group “Finance” to Active Directory and create a user

“Test” under this group. We will use this group later in the Central
Management Console of XI to connect to Active Directory.

Install and Configure Business Objects XI to Authenticate

Against Active Directory
This section of the exercise involves the following steps:

a) Configure IIS

b) Configure web.config file to point to Active Directory

c) Configure the Central Management Console (CMC)

d) Log into InfoView

23-Feb-2006 1:59:00 PM Copyright © 2006 Business Objects. All rights reserved. Page 5

AD-SSO_BOXI.pdf
 a) Configure IIS

IIS is not installed by Default in Windows 2003. In order to install IIS,

follow the following steps.

i) From the Start->Control Panel, goto Add/Remove

Programs.
ii) On the left hand side of the Dialog box is an option to
Add/Remove Windows Components. Click on the link
to open a Dialog box for Modifying the Windows
Components installed on the Server.

iii) Check the option to install Application Server and click

Next. The wizard guides you through the rest of the
install process.

23-Feb-2006 1:59:00 PM Copyright © 2006 Business Objects. All rights reserved. Page 6

AD-SSO_BOXI.pdf
 The next step is to Configure IIS for NTLM Authentication

i) Open the IIS Management Console from Start >

Administrative Tools > Internet Information Services
(IIS) Manager.
ii) Open the Folder Web Sites > Default Website and right-
click on the folder “businessobjects.” This step assumes
that you have a default install of the .NET InfoView
instance already configured on this server.
iii) Click Properties to bring up the property sheet of
“businessobjects” and switch to the Directory Security
tab.

23-Feb-2006 1:59:00 PM Copyright © 2006 Business Objects. All rights reserved. Page 7

AD-SSO_BOXI.pdf
 iv) Click Edit for the “Authentication and Access Control”
box.

v) Uncheck the box for “Enable Anonymous Access” and

check “Integrated Windows Authentication” only.

23-Feb-2006 1:59:00 PM Copyright © 2006 Business Objects. All rights reserved. Page 8

AD-SSO_BOXI.pdf
 b) Configure web.config file to point to Active Directory

i) Modify the web.config file that is located in the

following directory

\Program Files\Business Objects\BusinessObjects Enterprise 11\Web

Content\Enterprise11\InfoView

ii) Within the web.config file, users must add commands to

the WebDesktopSettings section

<WebDesktopSettings>
<add key="cmsDefault" value="CMSMachineName" />
<add key="ssoEnabled" value="true" />
<add key="authenticationDefault" value="secXXXXXXX" />
<!-- Default Authentication progID (secEnterprise, secLDAP, SecWindowsNT,
secWinAD) -->
</WebDesktopSettings>

iii) And add commands to the system.web section

<system.web>
<identity impersonate="true" />
<authentication mode="Windows" />
</system.web>

NOTE
Known Limitation:
The Central Management Console (CMC) is not supported by SSO. In
place of SSO, use a third-party tool, such as SiteMinder.

23-Feb-2006 1:59:00 PM Copyright © 2006 Business Objects. All rights reserved. Page 9

AD-SSO_BOXI.pdf
 c) Configure the Central Management Console (CMC).

i) Launch the Central Management Console of Business

Objects XI.
ii) Log in as the Administrator.
iii) Click on the link to get to the Authentication page.
iv) Go to the Windows Active Directory tab page.
v) Check the box “Windows Active Directory
Authentication.”
vi) Add credentials in the Authentication box to connect to
Active Directory.
vii) To enable Single Sign On, check the “Single Sign On”
box.
viii) In the “Mapped AD Member Groups,” add the groups
you want to map to Active Directory.

The final screen of Windows Active Directory Authentication page

should look similar to this:

Add the group ‘FINANCE’ created in the last step of configuring Active
Directory earlier in this document to the Mapped AD Member group.

23-Feb-2006 1:59:00 PM Copyright © 2006 Business Objects. All rights reserved. Page 10

AD-SSO_BOXI.pdf
 d) Log into InfoView

Launch InfoView. When prompted for a user ID and password, enter

“Test” as the user ID and the corresponding password. Once authorized
by Windows you should be taken to the InfoView home page.

23-Feb-2006 1:59:00 PM Copyright © 2006 Business Objects. All rights reserved. Page 11

AD-SSO_BOXI.pdf
Finding more information
For more information and resources, refer to the product documentation
and visit the support area of the web site at:
http://www.businessobjects.com/

www.businessobjects.com

No part of the computer software or this document may be reproduced or transmitted in any form or by any means,
electronic or mechanical, including photocopying, recording, or by any information storage and retrieval system,
without permission in writing from Business Objects.

The information in this document is subject to change without notice. Business Objects does not warrant that this
document is error free.

This software and documentation is commercial computer software under Federal Acquisition regulations, and is
provided only under the Restricted Rights of the Federal Acquisition Regulations applicable to commercial computer
software provided at private expense. The use, duplication, or disclosure by the U.S. Government is subject to
restrictions set forth in subdivision (c) (1) (ii) of the Rights in Technical Data and Computer Software clause at
252.227-7013.

The Business Objects product and technology are protected by US patent numbers 5,555,403; 6,247,008;
6,578,027; 6,490,593; and 6,289,352. The Business Objects logo, the Business Objects tagline,
BusinessObjects, BusinessObjects Broadcast Agent, BusinessQuery, Crystal Analysis, Crystal Analysis
Holos, Crystal Applications, Crystal Enterprise, Crystal Info, Crystal Reports, Rapid Mart, and
WebIntelligence are trademarks or registered trademarks of Business Objects SA in the United States
and/or other countries. Various product and service names referenced herein may be trademarks of
Business Objects SA. All other company, product, or brand names mentioned herein, may be the
trademarks of their respective owners. Specifications subject to change without notice. Not responsible for
errors or omissions.

Copyright © 2006 Business Objects SA. All rights reserved.

23-Feb-2006 1:59:00 PM Copyright © 2006 Business Objects. All rights reserved. Page 12

AD-SSO_BOXI.pdf