This is the second part of the configuration steps to leverage SNC for client side authentication in combination with your BusinessObjects Enterprise system.

Here you can find Part 1

BusinessObjects Enterprise - SNC Options in the Central Management Console

Before you can configure the SNC option in the Central Management Console you need to configure the user that you will use to setup the SAP entitlement system for SNC.

1. Start transaction SU01 on your SAP system.
2. Enter the username of the SAP account that you are going to use to setup the SAP Entitlement system .
3. Select the menu USERS • CHANGE.
4. Select the tab SNC.
5. Enter the SNC account that you used to start the BusinessObjects services with the prefix “p:” into the field SNC NAME. Keep in mind that this account needs to be a domain account.
6. Save your changes.

With this configuration you configured the SAP account to be able to leverage the configured SNC account and in that way to authenticate against the SAP system. Now you need to navigate to the SNC options of your SAP Entitlement system in the Central Management console to finish the SNC configuration.

1. Logon to the Central Management Console of your BusinessObjects Enterprise system.
2. Navigate to the area AUTHENTICATION and select the SAP Authentication.
3. Navigate to the SNC OPTIONS tab and ensure your SAP system is the one that is selected as LOGICAL SYSTEM NAME.







4. Set the option ENABLE SECURE NETWORK COMMUNICATION (SNC).
5. Select AUTHENTICATION as QUALITY OF PROTECTION.
6. Enter the full path including the filename to the SNC library in the field SNC LIBRARY PATH.
7. Enter the Distinguished Name of your SAP system in the field MUTUAL AUTHENTICATION SETTINGS. In this case you need to add the prefix “p:”.
8. Navigate to the tab ENTITLEMENT SYSTEMS.
9. Enter the SNC account name in the field SNC NAME without any password. All other values should already be filled with the values you entered during the initial configuration.


Mapping Windows AD users to SAP users


Now that you configured the SNC options for your SAP Entitlement system you need to map the SAP credentials to your Windows AD credentials. The Windows AD user will become the primary account and the SAP account will act as secondary account.

1. Logon to the Central Management Console of your BusinessObjects Enterprise system.
2. Navigate to the area USERS AND GROUPS.
3. Click on USER LIST.
4. Click on the Windows AD user that will be configured with an SAP alias account.
5. Select the menu MANAGE • PROPERTIES







6. Click on the button ASSIGN ALIAS.
7. Select the SAP user from your entitlement system and add the user as alias to the Windows AD credentials.
8. Click OK.
9. Click SAVE & CLOSE.

With the XI 3.1 release in the registry you can find a setting which allows you to use a simplified user name (without a prefix from the SAP system) and in that way in case your Windows AD user and SAP users are identical the mapping will happen automatically.
The registry value can be found in the branch:
HKEY_LOCAL_MACHINE\SOFTWARE\Business Objects\Suite 12.0\SAP\Authentication and is called SimpleUsernameFormat. It is a Yes / No value setting.

You can add multiple SAP users as an Alias to the Windows AD account and in that way achieve Single Sign-on to multiple SAP systems with a single account.

Now you should be able to logon with these Windows AD credentials to your BusinessObjects Enterprise system and still achieve Single Sign-On for content objects in your system.

Please remember that these steps are for the client side authentication part - not to confuse with the Server Side Trust configuration that is being used to create a publication with SAP security on your BusinessObjects Enterprise system.