BusinessObjects Enterprise and client side SNC Part 2 of 2
Ingo Hilgefort SAP Employee
Company: Business Objects, an SAP company
Posted on Jul. 03, 2009 09:15 AM in Analytics, Business Intelligence (BI), Business Objects, Crystal Reports, SAP NetWeaver Platform, Security

This is the second part of the configuration steps to leverage SNC for client side authentication in combination with your BusinessObjects Enterprise system.

Here you can find Part 1

 

BusinessObjects Enterprise - SNC Options in the Central Management Console

Before you can configure the SNC options in the Central Management Console, you need to configure the SAP user that you will use to set up the SAP entitlement system for SNC.

1. Start transaction SU01 on your SAP system.
2. Enter the username of the SAP account that you are going to use to set up the SAP entitlement system.
3. Select the menu USERS • CHANGE.
4. Select the tab SNC.
5. Enter the SNC account that you used to start the BusinessObjects services with the prefix “p:” into the field SNC NAME. Keep in mind that this account needs to be a domain account.
6. Save your changes.

With these steps, the SAP account is able to use the configured SNC account and in that way authenticate against the SAP system. Now you need to navigate to the SNC options of your SAP entitlement system in the Central Management Console to finish the SNC configuration.

1. Log on to the Central Management Console of your BusinessObjects Enterprise system.
2. Navigate to the area AUTHENTICATION and select the SAP Authentication.
3. Navigate to the SNC OPTIONS tab and ensure that your SAP system is the one selected as LOGICAL SYSTEM NAME.
4. Set the option ENABLE SECURE NETWORK COMMUNICATION (SNC).
5. Select AUTHENTICATION as QUALITY OF PROTECTION.
6. Enter the full path including the filename to the SNC library in the field SNC LIBRARY PATH.
7. Enter the Distinguished Name of your SAP system in the field MUTUAL AUTHENTICATION SETTINGS. In this case you need to add the prefix “p:”.
8. Navigate to the tab ENTITLEMENT SYSTEMS.
9. Enter the SNC account name in the field SNC NAME without any password. All other values should already be filled with the values you entered during the initial configuration.


Mapping Windows AD users to SAP users


Now that you have configured the SNC options for your SAP entitlement system, you need to map the SAP credentials to your Windows AD credentials. The Windows AD user will become the primary account and the SAP account will act as the secondary account.

1. Log on to the Central Management Console of your BusinessObjects Enterprise system.
2. Navigate to the area USERS AND GROUPS.
3. Click on USER LIST.
4. Click on the Windows AD user that will be configured with an SAP alias account.
5. Select the menu MANAGE • PROPERTIES.
6. Click on the button ASSIGN ALIAS.
7. Select the SAP user from your entitlement system and add the user as alias to the Windows AD credentials.
8. Click OK.
9. Click SAVE & CLOSE.

With the XI 3.1 release, the registry contains a setting that allows you to use a simplified user name (without a prefix from the SAP system). With this setting, if your Windows AD user names and SAP user names are identical, the mapping will happen automatically.
The registry value can be found in the branch
HKEY_LOCAL_MACHINE\SOFTWARE\Business Objects\Suite 12.0\SAP\Authentication and is called SimpleUsernameFormat. It is a Yes / No setting.
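
A read-only check of this registry value on the BusinessObjects Enterprise host, as an added example (not part of the original post and not SAP tooling). It assumes the value is stored as the text Yes or No, and it also looks in the 32-bit registry view on the assumption that a 32-bit installation on 64-bit Windows is redirected there; the function name Get-SimpleUsernameFormat is hypothetical.

```powershell
# Added example, not from the original post. Read-only: nothing is modified.
# Assumption: SimpleUsernameFormat holds the text "Yes" or "No".
$SubKey    = 'SOFTWARE\Business Objects\Suite 12.0\SAP\Authentication'
$ValueName = 'SimpleUsernameFormat'

function Get-SimpleUsernameFormat {   # hypothetical helper name
    param([string]$SubKey, [string]$ValueName)

    # Check both registry views: a 32-bit install on 64-bit Windows is
    # redirected to the 32-bit view (assumption about the deployment).
    foreach ($view in 'Registry64', 'Registry32') {
        $base = [Microsoft.Win32.RegistryKey]::OpenBaseKey(
            [Microsoft.Win32.RegistryHive]::LocalMachine,
            [Microsoft.Win32.RegistryView]$view)
        try {
            $key = $base.OpenSubKey($SubKey)      # opens the key read-only
            if ($null -eq $key) {
                $raw = $null; $state = 'KeyMissing'
            } else {
                $raw = $key.GetValue($ValueName, $null)
                $key.Close()
                if ($null -eq $raw)        { $state = 'ValueMissing' }
                elseif ("$raw" -ieq 'Yes') { $state = 'Enabled' }
                elseif ("$raw" -ieq 'No')  { $state = 'Disabled' }
                else                       { $state = 'Unexpected' }
            }
        } finally {
            $base.Close()
        }
        [pscustomobject]@{ View = $view; State = $state; RawValue = $raw }
    }
}

$results = @(Get-SimpleUsernameFormat -SubKey $SubKey -ValueName $ValueName)
$results | Format-Table -AutoSize

# With the setting on, identical AD and SAP user names are mapped automatically,
# so name matches between the two directories deserve a review.
if ($results.State -contains 'Enabled') {
    Write-Warning ('SimpleUsernameFormat is Yes: identical Windows AD and SAP ' +
        'user names are mapped automatically. Review both directories for ' +
        'unintended name matches.')
}
```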

You can add multiple SAP users as an Alias to the Windows AD account and in that way achieve Single Sign-on to multiple SAP systems with a single account.

Now you should be able to log on with these Windows AD credentials to your BusinessObjects Enterprise system and still achieve Single Sign-On for content objects in your system.

Please remember that these steps cover the client-side authentication part; they are not to be confused with the Server Side Trust configuration that is used to create a publication with SAP security on your BusinessObjects Enterprise system.

Ingo Hilgefort is a Group Product Manager with SAP BusinessObjects focusing on the topic of Embedded Analytics for the BusinessSuite. He is also the author of the SAP Press book Integrating BusinessObjects XI 3.0 BI Tools with SAP NetWeaver and is also reachable on his personal blog.



  • Server side SNC
    2009-08-03 17:10:07 Raghavendra Barekere

    For Webi report SSO also it requires server side SNC and it is not just for publication?
    • Server side SNC
      2009-08-03 20:22:03 Ingo Hilgefort SAP Employee

      Hi,
      it is required for scheduling with SSO - yes.
      for just viewing a WebI report with SSO it is not required


      ingo

      • Server side SNC
        2009-08-07 09:42:50 Raghavendra Barekere

        What if you have configured server side SNC and in the SAP connection for universe you are making use of connectivity through SSO. Then view & refresh will also use SSO.


        I am not talking about View, it should be View & refresh (View on Demand).

        • Server side SNC
          2009-08-07 09:55:59 Ingo Hilgefort SAP Employee

          Hi,
          you need the SAP authentication to be configured on your BusinessObjects server and you need the Universe connection configured to leverage SSO.


          Ingo

          • Server side SNC
            2009-08-14 02:17:35 Witold Drozdzynski

            Ingo,


            I have followed your blogs, but I am still unable to get a connection to SAP when I log in to BO with AD credentials.


            When I refresh my BO report I get an error message: "Unable to connect SAP BW. Incomplete logon data. (WIS 10901)"
            There's also an error on the SAP side:


            Name or runtime error: CALL_FUNCTION_SIGNON_INCOMPL
            Short text: "Incomplete logon data."


            User and Transaction:


            Client.............. 000
            User................ "SAPSYS"
            Language Key........ "E"
            Transaction......... " "
            Transactions ID..... "75A188DE799DF15FA3690007E9066E44"


            Program............. "SAPMSSY1"
            Screen.............. "SAPMSSY1 3004"
            Screen Line......... 2


            Information on caller of Remote Function Call (RFC):
            System.............. "########"
            Database Release.... 640
            Kernel Release...... 640
            Connection Type..... "E" (2=R/2, 3=ABAP System, E=Ext., R=Reg. Ext.)
            Call Type........... "synchron and non-transactional (emode 0, imode 0)"
            Inbound TID.........." "
            Inbound Queue Name..." "
            Outbound TID........." "
            Outbound Queue Name.." "


            Client.............. "###"
            User................ "############"
            Transaction......... " "
            Call Program........."wireportserver"
            Function Module..... "RFCPING"
            Call Destination.... "<unknown>"
            Source Server....... "hacom"
            Source IP Address... "15.98.88.55"


            Additional information on RFC logon:
            Trusted Relationship " "
            Logon Return Code... 0
            Trusted Return Code. 0


            Note: For releases < 4.0, information on the RFC caller are often
            only partially available.



            Client and user seem to be empty.


            In the BO SNC setting, the "SNC library settings" points to sapcrypto.dll.
            In the R3 in a profile (RZ10) properties sec/libsapsecu, ssf/ssfapi_lib and snc/gssapi_lib point to gi64krb5.dll.
            Might that be the cause of the problems?


            I'd be very grateful for any hints.


            Best regards,


            Witold

            • Server side SNC
              2009-08-14 07:12:30 Ingo Hilgefort SAP Employee

              Hi,


              I would suggest you create an entry in the forum to follow up on this. This here is not the right place to solve issues.


              ingo

