BusinessObjects Enterprise XI Release 2

Configuring Kerberos End-to-End Single Sign-On using IIS

Overview
This document provides information and instructions for setting up Kerberos end-to-end Single Sign-On (SSO) using IIS to the database level for BusinessObjects Enterprise XI and XI Release 2. This feature allows you to log on to InfoView without being prompted for a username and password. Furthermore, the users credentials are passed on to the database for authentication, allowing the database administrator to set restrictions based on the users credentials.

Contents
INTRODUCTION ............................................................................................ 1 CONFIGURING ACTIVE DIRECTORY ............................................................... 1 Determining the AD domain functional level ......................................1 Creating the Service Account .................................................................1 Windows 2000 domain functional level ................................................1 Windows 2003 domain functional level ................................................2 Registering the Service Principle Name (SPN) ...................................3 CONFIGURING THE BUSINESSOBJECTS ENTERPRISE SERVER........................ 5 Configuring local security policies .........................................................5 Configuring BusinessObjects Enterprise services ...............................5 CONFIGURING INTERNET INFORMATION SERVICE (IIS)................................... 7 Enabling Windows Authentication .......................................................7 Configuring the IIS application pool......................................................7 Modifying the web.config file ..................................................................8 CONFIGURING THE ACTIVE DIRECTOR PLUG-IN IN THE CMC ......................... 9 CONFIGURING THE INTERNET EXPLORER BROWSER ON THE CLIENT ............. 10 TROUBLESHOOTING .................................................................................. 11 Looping logon ............................................................................................11 Service unavailable error message .........................................................11 Reports with LOV prompts fail .................................................................12 RAS service does not start .........................................................................12 FINDING MORE INFORMATION ..................................................................... 12

6/26/2007 9:13 AM

Copyright 2007 Business Objects. All rights reserved.

BusinessObjects Enterprise XI Release 2

Configuring Kerberos End-to-End Single Sign-On (SSO) using IIS

Introduction
End-to-end SSO refers to a configuration where users have both SSO access using IIS in this case to BusinessObjects Enterprise and the backend databases. Thus, users need to provide their logon credentials only once when they log on to the operating system, to access BusinessObjects Enterprise and the databases. In BusinessObjects Enterprise, end-to-end SSO is supported through Windows Active Directory (AD) and Kerberos using IIS. There are some prerequisites that you need before you begin: Administrative rights to the AD domain controller. Administrative rights to the BusinessObjects Enterprise system. SQL Server Trusted Connection ODBC System DSN using Windows NT authentication using the Network Login ID option. See your database administrator regarding that.

Configuring Active Directory

A separate service account is required to run BusinessObjects Enterprise services. This service account will need to have the rights to delegate on the domain. Depending on your AD controllers domain functional level this can be accomplished in several different ways.

Determining the AD domain functional level

Click Start > Programs > Administrative Tools > Active Directory users and computers. Right-click your domain name at the top of the hierarchy, click Properties, and this will indicate what domain mode or functional level your domain is operating.
NOTE
You cannot determine the Domain Functional Level by the Operating system running on the domain controller. It is possible for a domain controller with Windows 2003 installed to be running a Windows 2000 domain functional level.

Creating the Service Account

By default, the BusinessObjects Enterprise services run under the local system account. To configure BusinessObjects Enterprise for SSO, certain services must run under a domain account with the right to delegate. The following sections will discuss how to create this account on the different domain functional levels.

Windows 2000 domain functional level

To configure the domain account with the right to delegate, do the following: 1. Click Start > Programs > Administrative Tools > Active Directory Users and Computers.

6/26/2007 9:13 AM

Copyright 2007 Business Objects. All rights reserved.

Page 1

boe_xi_r2_end_to_end_sso.pdf

BusinessObjects Enterprise XI Release 2

Configuring Kerberos End-to-End Single Sign-On (SSO) using IIS

2. Navigate to the Users container and click the Create a new user in the current container button on the toolbar. 3. Click Properties > Account > Account is trusted for delegation > Password never expires. See figure 1. Figure 1:

4. Clear the option User must change password at next logon and click OK.

Windows 2003 domain functional level

To configure the domain account with the right to delegate, do the following: 1. Click Start > Programs > Administrative Tools > Active Directory Users and Computers. 2. Navigate to the Users container and click the Create a new user in the current container button on the toolbar.
6/26/2007 9:13 AM
Copyright 2007 Business Objects. All rights reserved.

Page 2

boe_xi_r2_end_to_end_sso.pdf

BusinessObjects Enterprise XI Release 2

Configuring Kerberos End-to-End Single Sign-On (SSO) using IIS

3. For the newly created user click Properties > Delegation > Trust this user for delegation to any service (Kerberos only) > OK. See Figure 2. Figure 2:

Registering the Service Principle Name (SPN)

To register the SPN do the following: 1. Download and install the SETSPN utility from Microsoft to a Domain Controller. a. For Windows 2000 download it from the link below or search for setspn download at http://www.microsoft.com:

http://www.microsoft.com/downloads/details.aspx?familyid=5fd8 31fd-ab77-46a3-9cfe-ff01d29e5c46 b. For Windows 2003 download it from the link below or search for setspn download at http://www.microsoft.com:

6/26/2007 9:13 AM

Copyright 2007 Business Objects. All rights reserved.

Page 3

boe_xi_r2_end_to_end_sso.pdf

BusinessObjects Enterprise XI Release 2

Configuring Kerberos End-to-End Single Sign-On (SSO) using IIS

http://www.microsoft.com/downloads/details.aspx?FamilyId=6E C50B78-8BE1-4E81-B3BE-4E7AC4F0912D. 2. Click Start > Programs > Accessories > Command Prompt and run SETSPN using the following syntax: SETSPN.exe A BOBJCentralMS/HOSTNAME.DOMAIN.COM ServiceCMS
NOTE
Replace ServiceCMS with the actual account name that is trusted for delegation and replace HOSTNAME with the name of your machine running the CMS service. The output of the file is as follows: Registering ServicePrincipalNames for CN=ServiceCMS,CN=Users,DC=DOMAIN,DC=COM BOBJCentralMS/HOSTNAME.DOMAIN.COM Updated object

1. Run SETSPN to register the hostname of the Business Objects server without using the fully qualified name as follows: SETSPN.exe A BOBJCentralMS/HOSTNAME ServiceCMS 2. Run SETSPN to register HTTP using the following command: SETSPN.exe A HTTP/HOSTNAME.DOMAIN.COM ServiceCMS

NOTES

For information on why you must register HTTP as an SPN, search for Microsoft knowledge base article 871179 at the link below: http://www.microsoft.com/

Type SETSPN.exe L ServiceCMS to get a listing of what is currently registered for the ServiceCMS account. Remember to replace ServiceCMS with the actual account name that is trusted for delegation.

Your SPN listing should look similar to Figure 3: Figure 3:

6/26/2007 9:13 AM

Copyright 2007 Business Objects. All rights reserved.

Page 4

boe_xi_r2_end_to_end_sso.pdf

BusinessObjects Enterprise XI Release 2

Configuring Kerberos End-to-End Single Sign-On (SSO) using IIS

Configuring the BusinessObjects Enterprise server

To use Kerberos authentication the BusinessObject Enterprise services must run under the account that is trusted for delegation. This requires configuration of the following: Local security policies BusinessObjects Enterprise services

Configuring local security policies

In order to support end-to-end SSO, you must grant certain rights to the service account on each machine running the following servers: Central Management Server (CMS) Crystal Reports Page Server Report Application Server (RAS) Web Intelligence Report Server Connection Server (Enterprise XI Release 2 only) Desktop Intelligence Report Server (Enterprise XI Release 2 only)

To configure local security policies do the following: 1. Click Start > Administrative Tools > Local Security Policy > Local Policies > User Rights Assignment. 2. Double-click Act as part of the operating system. 3. Click Add, add the user account thats been trusted for delegation, and click OK. 4. Repeat the steps 1-3 for the Logon as service right.

Configuring BusinessObjects Enterprise services

For SSO configuration the following BusinessObject Enterprise services must run under the domain account that is trusted for delegation: CMS Crystal Reports Page Server Web Intelligence Report Server RAS Connection Server (Enterprise XI Release 2 only) Desktop Intelligence Report Server (Enterprise XI Release 2 only)

To configure any of these services to run under the domain account, follow these steps:

6/26/2007 9:13 AM

Copyright 2007 Business Objects. All rights reserved.

Page 5

boe_xi_r2_end_to_end_sso.pdf

BusinessObjects Enterprise XI Release 2

Configuring Kerberos End-to-End Single Sign-On (SSO) using IIS

1. On the BusinessObjects Enterprise server click Start > Programs > Business Objects XI > BusinessObjects Enterprise > Central Configuration Manager. 2. In the Central Configuration Manager, stop the CMS, right-click the service, click Properties, and under Log On As clear the System Account check box. See Figure 4. 3. Type the username and password for the account that is trusted for delegation. For example, DOMAIN\ServiceCMS. See Figure 4. Figure 4:

4. Click OK and start the service. 5. Repeat the process for the Crystal Reports Page Server, Web Intelligence Report Server, RAS, Connection Server (Enterprise XI Release 2 only) and Desktop Intelligence Report Server (Enterprise XI Release 2 only) services.
NOTE
The RAS server may fail to start under this new service account. If you experience this issue, follow the steps outlined in the following kbase: http://support.businessobjects.com/library/kbase/articles/c2018785.asp

6/26/2007 9:13 AM

Copyright 2007 Business Objects. All rights reserved.

Page 6

boe_xi_r2_end_to_end_sso.pdf

BusinessObjects Enterprise XI Release 2

Configuring Kerberos End-to-End Single Sign-On (SSO) using IIS

Configuring Internet Information Service (IIS)

To configure the IIS web server for end-to-end SSO you need to perform the following steps: 1. Enable Integrated Windows Authentication. 2. Configure the IIS application pool. 3. Modify the web.config file.

Enabling Windows Authentication

To configure the clients for Windows authentication do the following: 1. Go to Start > Programs > Administrative tools > Internet Services Manager, and expand the tree on the left. 2. Under the Default Web Site right-click businessobjects and under Anonymous access and authentication control click Properties > Directory Security > Edit. 3. Clear the Anonymous access and Basic authentication check boxes. 4. Click Integrated Windows Authentication > OK > OK. 5. Repeat steps 1-4 for the crystalreportviewers115 virtual directory.

Configuring the IIS application pool

In order for IIS to properly delegate a users credentials, the identity of the application pool must be changed to run under the account that is trusted for delegation by doing the following: 1. In the Internet Service Manager, expand the machine name. 2. Expand Application Pools, right-click the application pool under which the InfoView application is running. 3. Click Properties > Identity > Configurable and specify the account that is trusted for delegation. See figure 5 on the next page.

6/26/2007 9:13 AM

Copyright 2007 Business Objects. All rights reserved.

Page 7

boe_xi_r2_end_to_end_sso.pdf

BusinessObjects Enterprise XI Release 2

Configuring Kerberos End-to-End Single Sign-On (SSO) using IIS

Figure 5:

NOTE

You may receive the error message Service unavailable when launching InfoView after changing the identity of the application pool to the new service account. If this is the case, you will have to add this service account to the IIS_WPG group on the IIS server.

Modifying the web.config file

To configure InfoView for SSO, configure the web.config file in the InfoView directory: 1. Add the following line to the <system.web> section in the C:\Program Files\Business Objects\BusinessObjects\Enterprise 11.5\Web Content\ Enterprise115\InfoView\Web.config file: <identity impersonate="true" /> 2. Modify the following line in the <system.web> section the same as below: <Authentication mode="Windows" /> 3. Modify the following lines in the <WebDesktopSettings> section the same as below: <add key="cmsDefault" value="CMSMachineName" /> <add key="ssoEnabled" value="true" /> <add key="authenticationDefault" value="secWinAD" />

6/26/2007 9:13 AM

Copyright 2007 Business Objects. All rights reserved.

Page 8

boe_xi_r2_end_to_end_sso.pdf

BusinessObjects Enterprise XI Release 2

Configuring Kerberos End-to-End Single Sign-On (SSO) using IIS

NOTE

Replace CMSMachineName with the name of your CMS. You may have to change the value of the authenticationDefault to match the authentication type you are using.

4. Restart IIS.

Configuring the Active Director Plug-in in the CMC

You have to configure the Windows AD security plug-in in the Central Management Console (CMC) to use Kerberos authentication. To configure the Windows AD security plug-in do the following: 1. In the CMC, click Authentication, and click Windows AD. 2. Verify that the Windows Active Directory Authentication is enabled is selected. See figure 6 on the next page. 3. Select the Enable Single Sign On for selected authentication mode check box. See figure 6. 4. Click the username next to the AD Administrator Name text box, enter the name, password, and default AD Domain for the account, and click Update. See figure 6. 5. In the Mapped AD Member Group area, map the AD group for the AD users who require access to BusinessObjects Enterprise using AD authentication and SSO. See figure 6. 6. Under Authentication Options select Use Kerberos authentication and click Cache Security context (required for SSO to database). 7. In the Service Principal Name box, type the SPN of the service account. See figure 6. 8. Ensure Enable Single Sign On for selected authentication mode is selected, click Update, and log out of the CMC.
NOTE
The format for the AD Administrator Name field is Domain\User. The AD Administrator account requires read access to AD only; it does not require any other rights.

6/26/2007 9:13 AM

Copyright 2007 Business Objects. All rights reserved.

Page 9

boe_xi_r2_end_to_end_sso.pdf

BusinessObjects Enterprise XI Release 2

Configuring Kerberos End-to-End Single Sign-On (SSO) using IIS

Figure 6:

Configuring the Internet Explorer browser on the client

To configure Internet Explorer on the BusinessObjects Enterprise client do the following: 1. On the client machine, open Internet Explorer, click Tools > Internet Options > Advanced tab > Enable integrated windows authentication > Apply. 2. Modify the trusted sites. Click Tools > Internet Options > Security > Sites > Advanced. 3. Add the web server site to your Local Intranet sites. You can enter the full domain name of the site. Click OK > OK > OK.

6/26/2007 9:13 AM

Copyright 2007 Business Objects. All rights reserved.

Page 10

boe_xi_r2_end_to_end_sso.pdf

BusinessObjects Enterprise XI Release 2

Configuring Kerberos End-to-End Single Sign-On (SSO) using IIS

4. Close and reopen Internet Explorer for the changes to take effect. 5. Repeat steps 1-3 on each BusinessObjects Enterprise client machine.
NOTE
After following these steps, the next time you access the InfoView URL, you should see Local Internet displayed in the bottom right hand corner of the browser.

Configuring report properties in the CMC

In order to make use of end-to-end SSO, the published reports properties must be changed by performing the following steps: 1. Launch the CMC and log on using an administrator account. 2. Click on Objects and locate the report that you would like to setup SSO to the database. 3. Click the report > Process > Database, confirm Use SSO context for database logon is selected, and click Update.
NOTE
The above option only applies to a Crystal Report. For Web Intelligence and Desktop Intelligence reports, the universe connection must use the option Use Business Object user name and password. Refer to the universe design documentation for further information on configuring universe connections.

Troubleshooting
Looping logon
After setting up Kerberos SSO, you are prompted to enter AD credentials. No matter what you specify in the dialog box, you are repeatedly prompted to logon. This could happening for two reasons: The InfoView URL has not been added as a trusted site on the client machines browser. Refer to the Configuring the Internet Explorer browser on the client section on the previous page for further information. Service principle Name (SPN) has not been registered for HTTP. Refer to Register Service Principle Name (SPN) for information on how to do this.

Service unavailable error message

You receive a Service unavailable error message when accessing InfoView. This error may appear after changing the identity of the application pool to run under an account thats been trusted for delegation. Add this domain account to IIS_WPG group on the server running IIS.

6/26/2007 9:13 AM

Copyright 2007 Business Objects. All rights reserved.

Page 11

boe_xi_r2_end_to_end_sso.pdf

BusinessObjects Enterprise XI Release 2

Configuring Kerberos End-to-End Single Sign-On (SSO) using IIS

Reports with LOV prompts fail

After setting up Kerberos, you are successfully able to run Crystal Reports without List of Values (LOV) prompts. The reports with LOV prompts fail. LOVs are handled by RAS. Ensure that the RAS server is running under the domain account that has been trusted for delegation.

RAS service does not start

RAS does not start under the service account that is trusted for delegation. Follow the steps outlined in the following knowledge base to resolve this issue:
http://support.businessobjects.com/library/kbase/articles/c2018785.asp

Finding more information

For more information and resources, refer to the product documentation and visit the support area of the web site at: http://www.businessobjects.com/

6/26/2007 9:13 AM

Copyright 2007 Business Objects. All rights reserved.

Page 12

boe_xi_r2_end_to_end_sso.pdf