SSO to database

We have Business Objects 3.1 SP2 FP2.3 running on Windows 2003 R2 SP2 64bits.
CMS database on SQL 2005 x64
Environment runs on Apache Tomcat
Single Sign-On with kerberos on Active Directory is working fine.
We have developers who want to use their Crystal Reports with SSO also and not use SQL authentication like they used to do in previous BO versions.
In Windows AD Authentication of the CMC, I checked the option Cache security context (required for SSO database)
In the Database Configuration of the Crystal Report we're testing, in the section "When viewing report", we selected Use SSO context for database logon
Is there any other necessary configuration to be done in any config file?
Not sure whether this should be added but in the krb5.ini file, I added the following value under libdefaults (just before the realms section): forwardable = true
When I try to view the report, I get the following error message in InfoView:
Error in File "testreport": Unable to connect: incorrect log on parameters: Details: [Database Vendor Code: 18456]
For the same kind of report but with the option: "Use same database logon as when report is run", with SQL authentication parameters, everything is OK.
DEV Environment: one InfoView FrontEnd server and one BO CMS server
PROD Environment: one InfoView FrontEnd server and 2 BO clustered servers
Regards
Jay

I think this thread should get you going: SSO2DB / Use Database Credentials; about halfway down I wrote a response with links to set up the DB for Kerberos.
Regards,
Tim
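
The krb5.ini placement described in the question (forwardable = true under libdefaults, before the realms section) can be checked mechanically. This is an added example, not part of the original thread or of Business Objects; the sample files, realm names, function names, the accepted "on" spellings and the rule that only a top-level libdefaults entry counts are assumptions.

```python
import re

# Constructed sample: the setting was pasted after the [realms] header,
# so it is read as a realms entry rather than a libdefaults value.
MISPLACED = """\
[libdefaults]
default_realm = EXAMPLE.COM
dns_lookup_kdc = true

[realms]
forwardable = true
EXAMPLE.COM = {
    kdc = dc01.example.com
    default_domain = example.com
}
"""

# Constructed sample: the layout described in the post.
CORRECT = """\
[libdefaults]
default_realm = EXAMPLE.COM
forwardable = true
[realms]
EXAMPLE.COM = {
    kdc = dc01.example.com
}
"""

SECTION_RE = re.compile(r"^\[([^\]]+)\]\s*$")
SETTING_RE = re.compile(r"^([A-Za-z0-9_.\-]+)\s*=\s*(.*)$")
TRUE_VALUES = {"true", "yes"}  # assumption: spellings treated as "on"


def find_setting(text, key):
    """Return (section, brace_depth, value, line_no) for each occurrence of key."""
    hits = []
    section, depth = None, 0
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line[0] in "#;":      # blank line or comment
            continue
        m = SECTION_RE.match(line)
        if m and depth == 0:                 # [libdefaults], [realms], ...
            section = m.group(1).strip().lower()
            continue
        if line.startswith("}"):             # end of a nested { } block
            depth = max(depth - 1, 0)
            continue
        m = SETTING_RE.match(line)
        if not m:
            continue
        name, value = m.group(1), m.group(2).strip()
        if name.lower() == key:
            hits.append((section, depth, value, line_no))
        if value.endswith("{"):              # e.g. "EXAMPLE.COM = {"
            depth += 1
    return hits


def check_forwardable(text):
    """Classify a krb5.ini as 'ok', 'missing', 'misplaced' or 'disabled'."""
    hits = find_setting(text, "forwardable")
    if not hits:
        return "missing"
    # Only a top-level entry in [libdefaults] counts (assumption, see lead-in).
    top = [h for h in hits if h[0] == "libdefaults" and h[1] == 0]
    if not top:
        return "misplaced"
    if all(h[2].lower() in TRUE_VALUES for h in top):
        return "ok"
    return "disabled"


if __name__ == "__main__":
    for label, sample in (("correct", CORRECT), ("misplaced", MISPLACED)):
        print(label, "->", check_forwardable(sample), find_setting(sample, "forwardable"))
```
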

Similar Messages

  • LDAP SSO to database in XI3.1

    Hi  All,
    We are using XI3.1 and trying to find a solution for configuring LDAP single sign on to database and have not been able to find any material on that matter.
    Is it possible to configure LDAP SSO to database (Oracle 11) natively? Or is there a third party tool like siteminder that can make that configuration work? Please let me know.
    Thanks,
    V

    It should work natively.
    In the CMC > Authentication > LDAP there is an option to propagate credentials at logon time. This option will cause LDAP users to have their username/pw cached in their user account (in fields called DBuser/DBpass). Then you must configure your reports to use these fields. If using reports based off universes you need to set the universe connection to use DB credentials; if Crystal, then it's a bit more complicated and you may need to log a case to get the instructions.
    If using SSO on the front end with SiteMinder or trusted auth then the LDAP propagate option will not work (it requires users to key in their user/pw).
    Regards,
    Tim

  • Apex Configuration with SSO on Database 11g

    Hi All,
    I am trying to configure Application Express with SSO on 11g and I have followed all the steps mentioned in http://www.oracle.com/technology/products/database/application_express/howtos/sso_partner_app.html
    My partner app configuration is
    Site ID: 0F32F8E1
    Site Token: JC54XU4Q0F32F8E1
    Encryption Key: 61443A93398DC472
    Single Sign-On URL: https://login-stage.oracle.com/pls/orasso/orasso.wwsso_app_admin.ls_login
    Single Sign-Off URL: https://login-stage.oracle.com/pls/orasso/orasso.wwsso_app_admin.ls_logout
    Application Name: Insight Knowledge Manager on New Server
    Application Home URL: http://orclinsight.oraclecorp.com
    Application Success URL: http://orclinsight.oraclecorp.com/pls/apex/wwv_flow_custom_auth_sso.process_success
    Application Logout URL: http://orclinsight.oraclecorp.com
    After running the @custom_auth_sso.sql and @custom_auth_sso.plb and doing grant execute on wwv_flow_custom_auth_sso to public; I have also created an authentication scheme in APEX based on the pre-configured scheme on Apex as partner app
    this is the URL of the app.... http://orclinsight.oraclecorp.com/pls/apex/f?p=100:1
    if I type this URL, I get redirected to the SSO authentication page...however once I have filled the credentials.. it shows me the following error message
    *"The requested URL /pls/apex/wwv_flow_custom_auth_sso.process_success was not found on this server."*
    The result of this query select lsnr_token||':'||site_token||':'||site_id||':'||urlcookie_version||':'||encryption_key||':'||url_cookie_ip_check||':'||ls_login_url from wwsec_enabler_config_info$
    is
    'HTML_DB:orclinsight.oraclecorp.com:80:JC54XU4Q0F32F8E1:0F32F8E1:v1.2:61443A93398DC472:Y:https://login-stage.oracle.com/pls/orasso/orasso.wwsso_app_admin.ls_login'
    and the result of begin owa_util.print_cgi_env; end; query in APEX - SQL Workshop is
    PLSQL_GATEWAY = WebDb
    GATEWAY_IVERSION = 2
    SERVER_SOFTWARE = Oracle-Application-Server-10g/10.1.3.5.0 Oracle-HTTP-Server
    GATEWAY_INTERFACE = CGI/1.1
    SERVER_PORT = 80
    SERVER_NAME = orclinsight.oraclecorp.com
    REQUEST_METHOD = POST
    PATH_INFO = /wwv_flow.show
    SCRIPT_NAME = /pls/apex
    REMOTE_ADDR = 141.144.152.146
    SERVER_PROTOCOL = HTTP/1.1
    REQUEST_PROTOCOL = HTTP
    REMOTE_USER = APEX_PUBLIC_USER
    HTTP_CONTENT_LENGTH = 291
    HTTP_CONTENT_TYPE = application/x-www-form-urlencoded; charset=UTF-8
    HTTP_USER_AGENT = Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5 (.NET CLR 3.5.30729)
    HTTP_HOST = orclinsight.oraclecorp.com
    HTTP_ACCEPT = text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    HTTP_ACCEPT_ENCODING = gzip,deflate
    HTTP_ACCEPT_LANGUAGE = en-us,en;q=0.5
    HTTP_ACCEPT_CHARSET = ISO-8859-1,utf-8;q=0.7,*;q=0.7
    HTTP_REFERER = http://orclinsight.oraclecorp.com/pls/apex/f?p=4500:1003:1510257042232818::NO:::
    HTTP_ORACLE_ECID = 1258784987:64.181.227.33:7900:4328:22,0
    WEB_AUTHENT_PREFIX =
    DAD_NAME = apex
    DOC_ACCESS_PATH = docs
    DOCUMENT_TABLE = wwv_flow_file_objects$
    PATH_ALIAS =
    REQUEST_CHARSET = AL32UTF8
    REQUEST_IANA_CHARSET = UTF-8
    SCRIPT_PREFIX = /pls
    HTTP_COOKIE = [email protected]:insight_workspace; ORA_WWV_USER=BE50DD5881201806; IdcLocale=English-US; IntradocAuth=Internet; oracle.uix=0^^GMT+5:30^p; IntradocLoginState=1; IdcTimeZone=America/Chicago
    Please advise what should I do next or where I may be going wrong?
    Warm Regards,
    Anand


  • End to End SSO to Database

    Hi All,
    We are using Business Objects XI R2 SP2 and were using Vintela End to End SSO with SQL Server 2005 Database.
    Yesterday we created a new service account for SQL Server and ran the SetSpn with this account.
    We are able to SSO to Infoview but when we are running crystal report on demand we are getting error "The database logon information for this report is either incomplete or incorrect"
    If we schedule the report and give database logon credentials it works fine.
    Are there any other changes that need to be done.
    Please assist.
    Thanks in advance for your help.
    V.

    Since you didn't change your bo config the problem is probably with Microsoft. Open a case with them if you have to. You can try opening a case with us as well to make sure there are no options on the BO side.
    Try putting this http://support.microsoft.com/?id=262177 BO server and SQL server
    Regards,
    Tim

  • How to Identify database sessions used by forms sso user sessions?

    Hi:
    When using forms with SSO, all database sessions are opened by the same OSUSER (usually oracle), from the same machine (usually the forms server) and by the same program (usually [email protected] [TNS V1-V3]).
    I need a way to identify the database session (v$session) that is being used by a specific SSO user. By using SSO, we say implicitly that all users using that SSO resource will be connected to the database by a specific database user.
    So, what can I do to identify the database session that a specific forms user is using ?
    Thanks
    Joao Oliveira

    You could try something like the following in a when new form instance trigger:
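    declare
      authenticated_username varchar2(30);
    begin
      -- Read the SSO user name that Forms received at logon
      authenticated_username := get_application_property('sso_userid');
      -- Tag this database session so it shows up in v$session.client_info
      DBMS_APPLICATION_INFO.SET_CLIENT_INFO(authenticated_username);
    end;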
    This will store the sso userid in the client_info field of v$session.
    I hope this works for you.
    Randy McGregor

  • Using SSO to connect to database from J2EE

    I have an SSO enabled J2EE application and an SSO enabled database and I can connect to both of these applications using the single sign-on account.
    What I want to know is
    How do you get a J2EE application to connect to the database with the already connected SSO credentials?
    I am using Oracle 10g for both the app server and database
    Any help will be gratefully received.

    Hello,
    Also we have a simple how-to about database proxy authentication in the OC4J 10.1.3 How-tos page (see How-To Configure and Use Proxy-authentication with Data Sources ).
    Regards
    Tugdual Grall

  • HTMLDB -SSO- Partner application

    Hi,
    I have installed a database 10g/HTMLDB 1.5 and iAS 10g on two different boxes.
    Referred to & successfully completed the steps from
    http://www.oracle.com/technology/products/database/htmldb/howtos/sso_partner_app.html
    to Configure an HTML DB Application as a Partner Application in Oracle AS Single Sign-On
    (TWICE From the Scratch)
    But, Getting error like
    "Error Error in portal_sso_redirect: missing application registration information:
    p_partner_app_name:g_listener_token:HTML_DB:indl097ba.idc.oracle.com:7777
    Please register this application as described in the installation guide."
    Please let me know what would be wrong in doing this.
    Feel free to ask for any further specific details or parameter values.
    As its @ customer's site, need to know the resolution very urgently.
    Thanks in advance.
    Regards,
    Nagadeep.

    Hi Scott,
    I am doing it from scratch now.
    Details are like this:
    C:\SSO_SDK\ssosdk307_032101\packages\oracle\security\sso>path
    PATH=D:\oracle\product\10.1.0\Db_1\BIN;D:\OraHomeOWB\bin;D:\OraHomeOWB\jre\1.4.2
    \bin\client;D:\OraHomeOWB\jre\1.4.2\bin;D:\oracle\product\10.1.0\Htmldb\bin;D:\o
    racle\product\10.1.0\Htmldb\jre\1.1.8\bin;D:\oracle\product\10.1.0\Htmldb\jre\1.
    4.2\bin\client;D:\oracle\product\10.1.0\Htmldb\jre\1.4.2\bin;D:\oracle\product\1
    0.1.0\Db_1\bin;D:\oracle\product\10.1.0\Db_1\jre\1.4.2\bin\client;D:\oracle\prod
    uct\10.1.0\Db_1\jre\1.4.2\bin;C:\WINNT\system32;C:\WINNT;C:\WINNT\System32\Wbem;
    C:\Program Files\Symantec\pcAnywhere\
    C:\SSO_SDK\ssosdk307_032101\packages\oracle\security\sso>loadjava -user FLOWS_01
    0500/welcome1@orcl SSOHash.class
    C:\SSO_SDK\ssosdk307_032101\packages\oracle\security\sso>
    @ the Database Schema:
    SQL*Plus: Release 10.1.0.2.0 - Production on Wed May 18 20:49:33 2005
    Copyright (c) 1982, 2004, Oracle. All rights reserved.
    Connected to:
    Oracle Database 10g Enterprise Edition Release 10.1.0.2.0 - Production
    With the Partitioning, OLAP and Data Mining options
    SQL> conn flows_010500/welcome1
    Connected.
    SQL> @C:\SSO_SDK\ssosdk307_032101\packages\loadsdk.sql
    Package created.
    No errors.
    Package body created.
    No errors.
    Type created.
    Table created.
    Sequence created.
    Sequence created.
    Table created.
    No errors.
    Procedure created.
    No errors.
    Package created.
    No errors.
    Package body created.
    No errors.
    Package created.
    No errors.
    Package created.
    No errors.
    Package body created.
    No errors.
    Package body created.
    No errors.
    Package created.
    No errors.
    Package body created.
    No errors.
    SQL>
    Now, at the iAS10g registering HTMLDB application as a partner application.
    Let me know whether I have to create any DAD to specify in HOME URL?
    Regards,
    Nagadeep.

  • Voyager SSAS 2005 SSO connection

    Hi,
    We are using BO XI 3.1 and we have SSO configured for InfoView. Now we are trying to configure SSO through to the database for Voyager (SSAS 2005), and we received the error message. We made a change in the krb5.ini file with an entry of "forwardable = true", and on the SSAS server we made changes for the service account, like the SPN entry and delegation for the service account, but still no luck.
    Here are a couple of things we observed:
    1) When I gave a Windows username and password in the CMC for the cube and created a Voyager report, it works fine.
    2) When i use SSO then it failed with error saying " An Error has occured while attempting to connect to the OLAP Server. Failed to Intialize (The component for microsoft OLE DB Provider for analysis service 2008. returned the server error (an error has encounter in transport layer; The peer prematuarly closed the connection)
    3) I logged in to SQL Profiler to see the credentials it passes, but when I try to create a Voyager report with SSO it doesn't pass the Windows credentials; instead it passes the "anonymous" login.
    I opened a tech support ticket but I am not getting much help from them.
    Thanks for the help in advance.

    Hello,
    Sorry for my English.
    Can you send the SETSPN commands you ran?
    The Voyager connections, the server name you have put in capital letters and the domain name in full format?
    Sorry.

  • BO 4.0 - Database error: Unable to connect to SAP BW Incomplete logon data

    Hello Experts,
    I have enabled a 'SSO to database' between SAP BW and Business objects by referencing to the documents related to below link.
    [http://wiki.sdn.sap.com/wiki/display/BOBJ/HowtosetupSSOagainstSAPBWinSBOBI4.0forLDAPusers]
    I have created a universe connection with option 'use single sign on when refreshing reports at view time' and have created a universe on top of my BEx query by log-in to the universe designer tools using my LDAP account.
    Now when I run the report with either SAP account or LDAP - I am able to run a adhoc webi report on this universe and get data either through the webi rich client or via BO 4.0 Info-view/Launch Pad.
    But the issue is that when other users are trying to run webi queries on this universe either through Info-view/launch pad or rich client by log-in via LDAP Authentication - they get the below error: I have given SAP_ALL to this user for time being and also have done the necessary configuration for 'simple user format' in CMC so these user has 1 account with 3 alias definitions: Enterprise, SAP, R/3.
    Database error: Unable to connect to SAP BW server Incomplete logon data -
    If the user logs on into the BO 4.0 Info-view/launch pad or webi rich client using his SAP authentication then he is able to run and retrieve data.
    I also get a dump in the SAP BW system - I analyzed the dump in SAP BW using st22 tcode and it gives the error short text as - Incomplete logon data and run-time error -  CALL_FUNCTION_SIGNON_INCOMPL
    Desired outcome:
    I want the users to log-in to webi rich client or BO 4.0 Launch pad/Info-view using their 'LDAP'  authentication and run reports against the universe on SAP BW/BEx query without any errors or additional username/password requirements.
    Can someone please tell me if I am missing any steps/configuration and guide me to achieve the above mentioned desired result ?
    Any help in this matter would be greatly appreciated.
    Thanks & regards,
    CD.

    Hi Simone,
    Thank you for the reply.
    Here are the things done by me.
    1. Generated the keystore file and imported it in BI 4.0 CMC on  SAP Authentication Option tab
        ([http://wiki.sdn.sap.com/wiki/display/BOBJ/GeneratekeystoreandcertificateforSAPBO+BI4.0])
        ([http://wiki.sdn.sap.com/wiki/display/BOBJ/SetupofSAPSSOServiceinSAPBOBI4.0+CMC])
    2. Generate the certificate file cert.der and this cert is imported in SAP BW with STRUSTSSO2 transaction.
        ([http://wiki.sdn.sap.com/wiki/display/BOBJ/ImportSAPBOBI4.0certificateintoSAP+BW])
    3. BW Roles/Users have been imported into CMC.
    4. SAP Users and LDAP users are mapped/aliased with each other using the registry key method
        ([http://wiki.sdn.sap.com/wiki/display/BOBJ/HowtomapSAPusersandLDAPusersinSBOBI4.0+CMC])
    I haven't explicitly configured STS (Security token service) as STS is a part of Adaptive processing server (APS) and I have verified that by going to servers in CMC and then to analysis services.
    I have searched for SAP OSS notes related to my issue but couldn't find any note related to SAP BW SSO with Business objects 4.0. Most of the notes are relevant for BO XI 3.1 environments.
    Thanks & regards,
    CD.

  • BO 4.0: Database error:Unable to connect to SAP BW server Incomplete logon

    Hello Experts,
    I have enabled a 'SSO to database' between SAP BW and Business objects by referencing to the documents related to below link.
    http://wiki.sdn.sap.com/wiki/display/BOBJ/HowtosetupSSOagainstSAPBWinSBOBI4.0forLDAPusers
    I have created a universe connection with option 'use single sign on when refreshing reports at view time' and have created a universe on top of my BEx query by log-in to the universe designer tools using my LDAP account.
    Now when I run the report with either SAP account or LDAP - I am able to run a adhoc webi report on this universe and get data either through the webi rich client or via BO 4.0 Info-view/Launch Pad.
    But the issue is that when other users are trying to run webi queries on this universe either through Info-view/launch pad or rich client by log-in via LDAP Authentication - they get the below error: I have given SAP_ALL to this user for time being and also have done the necessary configuration for 'simple user format' in CMC so these user has 1 account with 3 alias definitions: Enterprise, SAP, R/3.
    Database error: Unable to connect to SAP BW server Incomplete logon data -
    If the user logs on into the BO 4.0 Info-view/launch pad or webi rich client using his SAP authentication then he is able to run and retrieve data.
    I also get a dump in the SAP BW system - I analyzed the dump in SAP BW using st22 tcode and it gives the error short text as - Incomplete logon data and run-time error - CALL_FUNCTION_SIGNON_INCOMPL
    Desired outcome:
    I want the users to log-in to webi rich client or BO 4.0 Launch pad/Info-view using their 'LDAP' authentication and run reports against the universe on SAP BW/BEx query without any errors or additional username/password requirements.
    Can someone please tell me if I am missing any steps/configuration and guide me to achieve the above mentioned desired result ?
    Any help in this matter would be greatly appreciated.
    Thanks & regards,
    CD.

    Whether your problem is solved?
    We have the same problem in BO Mobile.
    Two users from one BW-role, BO-groups; one user report is executed, another user - error incomplete logon data. In Web Intelligence both users reports succeeds.

  • SSO with AD to DB

    Hi Tim,
    I have question regarding SSO to database (MSSQL).
    I read most of posts here but no solution found. I configure SSO to infoview from your white paper and this works with no problem.
    To enable SSO to database:
    - in CMC  => "Cache security context (required for SSO to database)" is enabled
    - in krb5.ini  => "forwardable = true" is entered
    - we created SPN => MSSQLSvc/MSCompName.domain.com:1434 BOXISSO (boxisso is "kerberos user")
    - in Designer => "use SSO when refreshing reports at view time"
    In InfoView I get an error "Login failed to for user NT AUTHORITY/ANONYMOUS LOGON..."
    On database are users authenticated with user boxisso or with their ad names? (what are privileges on mssql side needed?)
    Thank you for reply!
    Regards,
    Gregor

    Is the SIA running under a delegated service account (delegation to any service enabled)? Is the SQL DB integrated with AD? and enabled for kerberos? You should verify the latter with Microsoft.
    Also try enabling this on the servers (reporting and SQL) http://support.microsoft.com/kb/262177
    Regards,
    Tim

  • Changing Portal Role after the status change of user status at the CRM end.

    Hi,
    I have Portal with Java database as the default and CRM is connected to it using SSO. The database in both cases is separate. The users that are created in Portal will have a BP status in the CRM system.
    Now my requirement is that if the status of the BP gets changed at the backend, simultaneously its Portal role should also get changed. How shall I facilitate this procedure of changing the Portal Role?
    Is there any RFC ,BAPi or Webservices required for this?
    Regards,
    Amarys
    Edited by: amarys on Sep 13, 2011 11:20 AM

    Hello,
    Since the status has no number it will appear under statuses W/O number bottom right in status overview window.
    These statuses will appear as additional text beside the current user status. For example, if the user status is BUG and the status without number is DFL, which sets when the deletion flag is set and gets deleted when it is revoked, then the user status will appear as
    BUG DFL -
    Deletion flag set.
    BUG -
    When deletion flag revoked.
    You have to live with it. I don't think there is a way out for that.
    Thanks
    Saikishore Ganga.

  • BO XI Release 2 - NTLM versus Kerberos Authentication

    Hello,
    I have a problem with Authentication. At first I set up only Kerberos Authentication in the CMS, but now I would like to change it to NTLM. But if I clear Use Kerberos authentication, mark Use NTLM authentication and click Update, it doesn't work.
    Authentication Options
    Use NTLM authentication 
    Use Kerberos authentication
             Cache security context (required for SSO to database) 
           Service principal name:  
    Thank you very much for your answer,
    unhappy:( Marika

    You can set up Kerberos for both; it's required for Java. .NET will support both Kerberos and NTLM, although unless you are trying to delegate credentials all the way to your DB, then it usually isn't desired in .NET because the configuration is far more complex.
    You can simply look at your logon URL to figure out if you are hitting IIS (URLs end in aspx and no port #) or Tomcat (URLs end in .do and port 8080).
    Regards,
    Tim

  • Questions on SETSPN syntax and what is required for MANUAL AD auth

    I'll preface this by stating that I don't need to do all the extra stuff for Vintela SSO, SSO to database, etc.  I just need to know precisely what is necessary to do to get AD authentication working.  I managed to get it working in XIr2 previously but it's been so long and I'm not 100% sure that everything I wound up doing was absolutely necessary that I wanted to sort it out for good as we look at going to XI 3.1 SP3.
    In the XI 3.1 SP3 admin guide, page 503, the SETSPN command which is
    used as part of the setup process to establish a service account to
    enable AD authentication is outlined as follows:
    SETSPN.exe -A <ServiceClass>/<DomainName> <Serviceaccount>
    The guide suggests that the <ServiceClass> can be anything you want to
    arbitrarily assign. If I choose something other than the
    suggested "BOBJCentralMS" value, is there anywhere else I have to
    specify this value to allow the service account to function properly?
    The guide suggests that the <DomainName> should be the domain name on
    which the service account exists however I've seen many posts online which seem to
    indicate this <DomainName> should actually be the FQDN of the server
    running the CMS service instead of the general domain name.
    Clarification there would be very helpful if anyone has some insight.

    The CMS account can have an SPN of spaghetti/meatballs, there are no requirements (cept 2 characters on each side of the / I believe). The SPN created should be the value entered in the CMC > Authentication > Windows AD
    The account must run the SIA and it therefore must have AD permissions. Now if you are using IIS or client tools you don't even need an SPN. The SPN is for Kerberos only, which is required for Java app servers.
    The Vintela SSO white paper in this forum's sticky post explains the roles of a service account.
    Regards,
    Tim

  • Authorization object for BW access from BOBJ

    Hi gurus,
    I have the following error
    I log in to BOBJ using BW ID (Single Sign On enabled) and execute a WebI report. This return error WIS 10901. This error eliminated once i add SAP_ALL to the user
    Can anyone advice what are object that the user should be granted in the BW side in order to execute the report
    Thank you
    BR

    Hi
    I have created a variable (user exit)  for object 0COMP_CODE which will return the list of company code that the user have authorization to using the following codes for the variable
    CALL FUNCTION 'RSEC_GET_AUTH_FOR_USER'
      EXPORTING
        I_IOBJNM     = '0COMP_CODE'
        I_UNAME      = 'BOBJ1'
      IMPORTING
        E_T_RANGESID = lt_RANGE.
    " Copy each authorized range into the variable's result table
    LOOP AT lt_RANGE INTO ls_RANGE.
      MOVE ls_RANGE-low TO wa_range-low.
      MOVE ls_RANGE-high TO wa_range-high.
      wa_range-sign = ls_RANGE-sign.
      wa_range-opt  = ls_RANGE-opt.
      APPEND wa_range TO e_t_range.
    ENDLOOP.
    When I execute the query using analyzer, I have the query result returns without any errors but in BOBJ WebI report I'm getting the following error
    Query 1 - GLConsol - SSO
    "A database error occured. The database error text is: Error in MDDataSetBW.GetCellData.  You do not have sufficient authorization. (WIS 10901)"
    When I change the list of company code that this user have access to * (all company code using the tcode rsecadmin) this error disappear and I'm able to run the WebI report perfectly with all company code listed
    Please advice what am I missing
    Thanking you in advance
