Trusted Authentication - Preferences

Similar Messages

• Open document SSO using trusted authentication.

  Hi ,
  I have a issue,
  We configured trusted authentication with SSO and it is working fine.
  Now we want to configure open document SSO for trusted authentication.
  We are using Remote _ user method for trusted authentication.
  Any one please help me on this.
  Thanks for your help advance.
  Thanks & Regards,
  Collin.

  The same settings in the infoviewapp web.xml must be applied on the opendocument web.xml. Also you must be on XI 3.1 FP1 or higher. There is currently an Edge issue being investigated.
  Regards,
  Tim

• XI 3.1 SP2 QaaWS Trusted Authentication with WSDL

  Hi, there,
  QaaWS comes with a client tool to build query as a web service and provide corresponding WSDL to consume these services. We are not using Xcelsius, but using Apache Axis to access the query web service via WSDL.
  There's a [note from SMP KB|https://websmp230.sap-ag.de/sap(bD1lbiZjPTAwMQ==)/bc/bsp/sno/ui_entry/entry.htm?param=69765F6D6F64653D3030312669765F7361706E6F7465735F6E756D6265723D3134313434303726] that denoted the support for XI 3.1 SP2 and XI R2 SP5, but without further details:
  "XI 3.1 SP2 and XI R2 SP5 has the enhancement supporting Trusted Authentication but it's for Web Services (dswsbobje), isn't for LiveOffice."
  Our Java code generated from QaaWS WSDL works fine with correct user name and password.  I then setup the system so that trusted authentication works fine with InfoView, but the generate Java code failed to authenticate without providing a correct password.
  There're a few parameters in the dsws.properties file:
  trustedAuthentication.enabled = false
  #qaaws.principal.username=QaaWSServletPrincipal
  #qaaws.principal.password=
  Can someone explain how these parameters (and perhaps settings in the web.xml file for dswsbobje) need to be configured to get Trusted Authentication to work with Web Serivice Java SDK?
  Thanks in advance!
  Dafang Zhang

  I've used LoadRunner for this purpose before.  There is a tutorial that comes with the product.  My suggestion is to go through that and from there you should be able to get it working with enterprise.  I feel that's the best way to get up and running quickly.

• Cluster and trusted authentication

  I am using trusted authentication to log into BO server. Everything is set up correctly and working fine even with BO cluster.
  Recently, we created another cluster with separate set of servers. When try to connect to this cluster (using the cluster name) very weird thing is happening.
  When I try to log in using token - first attempt succeeds, second attempt fails, third succeeds, fourth fails..and so on.
  My doubt is that somehow two servers on the cluster are not communicating properly. So, if a token was generated for one server, it doesn't connect to another server. Has anyone seen anything like this before?  Where should I start looking in the cluster setup?

  Tokens aren't cluster member specific.
  You've mentioned Trusted Authentication and tokens, but token generation is separate from authentication, so what's the exact workflow going from Trusted Auth to token generation to token use?
  Sincerely,
  Ted Ueda

• Trusted Authentication using QUERY_STRING

  Hi All,
  We are trying to configure the Trusted Authentication using Query_String in XIR3.1
  We have customer portal ,where in login to custom web page and click on the link which routes to Infoview.We are configuring sso to bypass the credentials from webportal to Infoview home page.
  We have created a paramerter to pass the user information.We have made all the required changes for configuring trusted authentication,like:
  1) Enable Trusted Authentication in cmc.Enter shared secret in cmc
  2) Make changes to the web.xml file
  3) Create TrustedPrincipal.conf file
  In web.xml file we gave "trusted.auth.user.retrieval" as "QUERY_STRING" & "trusted.auth.user.param" as the parameter value we are using to pass the user information.
  If the parameter we are using is "MyUser" to pass the user information ,After configuring, we noticed that ,when we launch the url, "http://host:8080/InfoViewApp/logon/logon.do?MyUser=<username>"  we can directly login to Infoview without giving any credentials.We are not sure if we are moving in right direction? Is this how the QUERY_STRING work?
  We also noticed that,instead of giving any username if we give any other value the infoview home page opens up with Guest account?
  Thank you,
  Bill

  You should disable guest when using any method of SSO. Then anything placed in the URL other than a proper user would fail. And yes this is exactly how query string works (the username must be supplied in the URL). If looking for a more dynamic/secure method you will need to combine with a front end authenticator such as IIS, siteminder, etc and use one of our other methods such as remote_user, http_header, etc
  Regards,
  Tim

• XI 3.0 Trusted Authentication

  When setting up for Trusted Authentication, the TrustedPrincipal.conf file needs to be added to the BO install.  The documentation (Admin Guide) says that it needs to go to <drive>:\Program Files\Files\Business Objects\
  BusinessObjects Enterprise
  12.0\win32_x86\plugins\auth\secEnterprise. However, this folder no longer exists.  I've tried creating the folder and putting the file there.  I've also tried putting the file in just win32_x86.
  Where is this file supposed to go with the new version?
  Thanks!
  -Dell

  It should go in the <install>\BusinessObjects Enterprise 12.0\win32_x86 if on Windows.
  You can set the Java System property 'bobj.trustedauth.home' to specify a different folder.
  A good tool to determine where the Java Web App process is looking for the file is [Filemon|http://technet.microsoft.com/en-us/sysinternals/bb896642.aspx].
  Sincerely,
  Ted Ueda

• Trusted Authentication possible with Wed Sevices SDK? BOE - 3.1

  Hi,
  We are planning to upgrade to BOE 3.x. We have integrated our application with BOE using Wed Services SDK. I'd like to know if we can implement the trusted authentication using the web services APIs in BOE 3.x.
  Apparently the question was posted here before but no answers -
  Re: trusted authentication.
  Thanks
  Manas

  XI 3.1 Service Pack 2.
  Configure Trusted Authentication on the CMC.   Ensure TrustedPrincipal.conf file with the shared secret is in the <INSTALL>/BusinessObjects Enterprise 12.0/win32_x86 folder.
  If you look in dswsbobje/WEB-INF/classes/dsws.properties, you'll see a property trustedAuthentication.enabled set to false.
  Set it to true, then restart the dswsbobje Java Web Application Server.
  Then you only need to pass in domain (CMS name) and username to the Session Web Services for logon.
  Note that if you do the above, it'll use Trusted Authentication for all requests coming into dswsbobje - i.e., no longer need to pass in passwords.
  So you really need to put something in front of dswsbobje, to authenticate any requests going in.
  Sincerely,
  Ted Ueda

• Trusted Authentication

  Is it possible to open session with BO server using Trusted Authentication?
  Regards,
  Aleksejs

  Yes, you can.  (I only have the java code summary - but it should give you an idea for what to do in .NET)
  SYNOPSIS:
  How to use Trusted Authentication with SSO to InfoView using Enterprise Session?
  There may be a situation where only the enterprise username is known in the custom application. Trusted Authentication can come pretty handy.
  SOLUTION:
  Setup the Trusted Authentication first:
  I. Enable Trusted Authentication in BOE.
  1. Logon to Central Management Console with Administrator
  2. Click on "Authentication"
  3. Check the "Trusted Authentication is enabled"
  4. Enter the "Shared secret"
  5. Click Update
  II. Create/edit TrustedPrincipal.conf
  1. Create or open C:\Program Files\Business Objects\BusinessObjects Enterprise 11.5\win32_x86\plugins\auth\secEnterpise\TrustedPrincipal.conf
  2. Type in u201CSharedSecret=<shared secret value>u201D (without double quotes)
  3. Save the file.
  III. Deploy custom JSP
  1. Create a JSP in <webapps>/businessobjects/enterprise115/desktoplaunch/InfoView/logon.
  2. Cody and paste in the following code:
  <%@ page import = "com.crystaldecisions.sdk.framework.CrystalEnterprise"%>
  <%@ page import = "com.crystaldecisions.sdk.framework.ISessionMgr"%>
  <%@ page import = "com.crystaldecisions.sdk.framework.IEnterpriseSession"%>
  <%@ page import = "com.crystaldecisions.sdk.occa.security.ILogonTokenMgr"%>
  <%@ page import = "com.crystaldecisions.sdk.framework.ITrustedPrincipal" %>
  <%
  // Logon to CMS using without password
  ISessionMgr sessionMgr = CrystalEnterprise.getSessionMgr();
  ITrustedPrincipal trustedPrincipal = sessionMgr.createTrustedPrincipal("<username>", "<CMS>");
  IEnterpriseSession enterpriseSession = sessionMgr.logon(trustedPrincipal);
  // Store Enterprise session in HttpSession     
  session.setAttribute("MyEnterpriseSession", enterpriseSession);
  // Construct URL and redirect to InfoView start page.
  // ivsEntSessionVar is the reference to the HttpSession variable.
  String url = "http://<server name>:<port>/businessobjects/enterprise115/desktoplaunch/InfoView/start.do?ivsEntSessionVar=MyEnterpriseSession";
  response.sendRedirect(url);
  %>
  3. Go to the URL http://<servername>:<port>/businessobjects/enterprise115/desktoplaunch/InfoView/logon/<JSP file>.jsp
  Note: JSP does not have to be in /desktoplaunch/InfoView/logon folder but JSP should be in >/businessobjects context.
  Extra Note -
  A new API method has been introduced with BEXI R2 MHF1 for Trusted Authentication that removes the need for the TrustedPrincipal.conf file.  You can now specify the shared secret using the following method:
  ISessionMgr.createTrustedPrincipal(java.lang.String userName, java.lang.String cmsName, java.lang.String sharedSecret)
  So, you can eliminate Part II from the steps above and use this method call:
  ITrustedPrincipal trustedPrincipal = sessionMgr.createTrustedPrincipal("<username>", "<CMS>", u201Csharedsecretu201D);
  instead of the old method:
  ITrustedPrincipal trustedPrincipal = sessionMgr.createTrustedPrincipal("<username>", "<CMS>");

• Trusted authentication from two systems to BOXI

  Hi,
  We have a system that currently uses trusted authentication to direct users to infoView.  Is it an option for us to use trusted authentication from SharePoint to BOXI at the same time? BOXI 3.1 SP5.
  Thanks,
  Sam

  Hi Sam,
  Looks like this is possible. Please refer
  http://help.sap.com/businessobject/product_guides/boexir31SP4/en/xi31_sp4_ivforsp_admin_en.pdf
  I can see tags related to trusted authentication in the guide.
  Hope it helps.
  Regards
  Chinmaya

• How do we use SSO for both Windows AD and Trusted authentication?

  We want to have the majority of our users access the BO 4 BI Launchpad using SSO with Windows AD authentication.  We have set this up and it's working ok.  We also have a subset of external users and need to configure SSO with Trusted authentication for their Enterprise accounts.  Support says we can only have SSO for one authentication type.  I'm assuming we can work around this by installing a 2nd Tomcat instance on our Linux server.  Has anyone done this type of config successfully?  Any other ideas would be greatly appreciated.  Thanks!

  Hi Collins,
  BOE's CMS can be accessed from multiple application servers.
  Please have a look on this new article [here|http://www.sdn.sap.com/irj/scn/index?rid=/library/uuid/00240702-8343-2f10-ed9a-85ece14c93db] .
  You may use this method for other application servers(not only NW) but just dont add the file "web-j2ee-engine.xml" as its not  needed.
  regarding sections 4.2.4 on the document, On one application server just set "authentication.default" property under the file BIlaunchpad.properties, to "secWinAD"(for win AD). and on the other set it to "secEnterprise".
  please report any problems you may encounter,
  thanks,
  Idan

• Windows AD and Trusted Authentication

  Do you have to use IIS as the webserver when installing on a Windows platform and trying to implement SSO?  Unfortunately, using standard AD and Kerberos is NOT an option.  Without having to implement extra coding out of the box, can you implement SSO with trusted authentication using Windows AD accounts to be passed to the CMS and using Apache/Tomcat as the Web and app server?

  OK.  IF I can use Tomcat as web and app server in the WIndows Server environment, What retrieval method would you recommend (ie. Remote_user, Query_String, etc).  I have successfully tested query string, however, that would require a way to capture the AD account of every user.  This is where I have not found documentation or examples without IIS being utilized.

• Trusted Authentication with Web Services SDK

  Hi,
  I have just configured my BO server to use Trusted Authentication (REMOTE_USER) and It works with Infoview so I don't need the logon page to enter user and password.
  I also have an .NET application that uses Web Services SDK and I would like to use Trusted Authentication on it.
  Is there any code to access to BO using Web Services SDK?
  Before the configuration, I was using this code:
  string m_strURL="http://server:8080/dswsbobje/services/Session";
  BusinessObjects.DSWS.Connection oConnection = new BusinessObjects.DSWS.Connection(m_strURL);
  BusinessObjects.DSWS.Session m_wiSession = new Session(oConnection);
  BusinessObjects.DSWS.Session.EnterpriseCredential oEC = new EnterpriseCredential();
  oEC.Login = strLogin;
  oEC.Password = strPassword;
  oEC.AuthType = "secLDAP";
  SessionInfo oSI = m_wiSession.Login(oEC);
  Now, I want to use Trusted Authentication in my .NET application so I wouldn't have to enter user and password.
  I have looking for some code, but I haven't found it yet. I hope you could help me.
  Thanks,
  Sandra

  Hi, Ted,
  I'm trying to use Trusted Authentication to access QaaWS (via WSDL/Axis, NOT Xcelsius).  I enabled it from CMC, put the shared secret in a correct location (win32_x86 directory) and made the change to dsws.properties file, then I restarted tomcat.  However, the system failed to login.  Below is the trace log.  Is Trusted Authentication supported for QaaWS?  Thanks!
  <br/>
  =======
  <br/>
  2010-02-18 14:09:20,781 [http-8080-Processor25] ERROR com.businessobjects.qaaws.internal.transport.QaaWSServlet () 297906 - invoke()
  java.lang.Exception: com.crystaldecisions.sdk.exception.SDKServerException: Enterprise authentication could not log you on. Please make sure your logon information is correct. (FWB 00008)
  cause:com.crystaldecisions.enterprise.ocaframework.idl.OCA.oca_abuse: IDL:img.seagatesoftware.com/OCA/oca_abuse:3.2
  detail:Enterprise authentication could not log you on. Please make sure your logon information is correct. (FWB 00008)
  The server supplied the following details: OCA_Abuse exception 10498 at [.\secpluginent.cpp : 832]  42040 {}
       ...Invalid password
       at com.businessobjects.qaaws.internal.webi.WISessionMgr.makeSession(Unknown Source)
       at com.businessobjects.qaaws.internal.transport.QaaWSServlet.invoke(Unknown Source)
       at com.businessobjects.qaaws.internal.transport.QaaWSServlet.doPost(Unknown Source)
       at javax.servlet.http.HttpServlet.service(HttpServlet.java:647)
       at javax.servlet.http.HttpServlet.service(HttpServlet.java:729)
       at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:269)
       at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:188)
       at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:213)
       at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:172)
       at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
       at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:117)
       at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:108)
       at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:174)
       at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:873)
       at org.apache.coyote.http11.Http11BaseProtocol$Http11ConnectionHandler.processConnection(Http11BaseProtocol.java:665)
       at org.apache.tomcat.util.net.PoolTcpEndpoint.processSocket(PoolTcpEndpoint.java:528)
       at org.apache.tomcat.util.net.LeaderFollowerWorkerThread.runIt(LeaderFollowerWorkerThread.java:81)
       at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:689)
       at java.lang.Thread.run(Thread.java:595)
  Caused by: com.crystaldecisions.sdk.exception.SDKServerException: Enterprise authentication could not log you on. Please make sure your logon information is correct. (FWB 00008)
  cause:com.crystaldecisions.enterprise.ocaframework.idl.OCA.oca_abuse: IDL:img.seagatesoftware.com/OCA/oca_abuse:3.2
  detail:Enterprise authentication could not log you on. Please make sure your logon information is correct. (FWB 00008)
  The server supplied the following details: OCA_Abuse exception 10498 at [.\secpluginent.cpp : 832]  42040 {}
       ...Invalid password
       at com.crystaldecisions.sdk.exception.SDKServerException.map(SDKServerException.java:107)
       at com.crystaldecisions.sdk.exception.SDKException.map(SDKException.java:196)
       at com.crystaldecisions.sdk.occa.security.internal.LogonService.doUserLogon(LogonService.java:710)
       at com.crystaldecisions.sdk.occa.security.internal.LogonService.userLogon(LogonService.java:295)
       at com.crystaldecisions.sdk.occa.security.internal.SecurityMgr.userLogon(SecurityMgr.java:162)
       at com.crystaldecisions.sdk.framework.internal.SessionMgr.logon(SessionMgr.java:425)
       ... 19 more
  Caused by: com.crystaldecisions.enterprise.ocaframework.idl.OCA.oca_abuse: IDL:img.seagatesoftware.com/OCA/oca_abuse:3.2
       at com.crystaldecisions.enterprise.ocaframework.idl.OCA.oca_abuseHelper.read(oca_abuseHelper.java:106)
       at com.crystaldecisions.enterprise.ocaframework.idl.OCA.OCAs._LogonEx4Stub.UserLogonEx4(_LogonEx4Stub.java:80)
       at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
       at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
       at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
       at java.lang.reflect.Method.invoke(Method.java:585)
       at com.crystaldecisions.enterprise.ocaframework.ManagedService.invoke(ManagedService.java:424)
       at com.crystaldecisions.sdk.occa.security.internal._LogonEx4Proxy.UserLogonEx4(_LogonEx4Proxy.java:222)
       at com.crystaldecisions.sdk.occa.security.internal.LogonService.doLogon(LogonService.java:347)
       at com.crystaldecisions.sdk.occa.security.internal.LogonService.doUserLogon(LogonService.java:684)
       ... 22 more
  org.apache.axis2.AxisFault: org.apache.axis2.databinding.ADBException: Unexpected subelement table
       at org.apache.axis2.AxisFault.makeFault(AxisFault.java:430)
       at service.wsdl.heartFailure.HFReliabilityScoreStub.fromOM(HFReliabilityScoreStub.java:4131)
       at service.wsdl.heartFailure.HFReliabilityScoreStub.runQueryAsAService(HFReliabilityScoreStub.java:201)
       at org.apache.jsp.AuthTest_jsp._jspService(AuthTest_jsp.java:78)
       at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:98)
       at javax.servlet.http.HttpServlet.service(HttpServlet.java:729)
       at org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:331)
       at org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:329)
       at org.apache.jasper.servlet.JspServlet.service(JspServlet.java:265)
       at javax.servlet.http.HttpServlet.service(HttpServlet.java:729)
       at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:269)
       at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:188)
       at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:213)
       at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:172)
       at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
       at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:117)
       at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:108)
       at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:174)
       at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:873)
       at org.apache.coyote.http11.Http11BaseProtocol$Http11ConnectionHandler.processConnection(Http11BaseProtocol.java:665)
       at org.apache.tomcat.util.net.PoolTcpEndpoint.processSocket(PoolTcpEndpoint.java:528)
       at org.apache.tomcat.util.net.LeaderFollowerWorkerThread.runIt(LeaderFollowerWorkerThread.java:81)
       at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:689)
       at java.lang.Thread.run(Thread.java:595)

• SSO in Clustered Environment using Trusted Authentication

  Hi All,
  We have setup a clustered BOE 3.1. Our setup is clustered CMS's and remaining servers clustered on 2 separate machines. A cluster of 2 Weblogic managed servers as the web tier. We are using Novel Access Manger to load the balance between to Weblogic managed servers.
  Now how to setup Single Sign-on in this environment. Can we simply do the trusted authentication. For this do we just have to enable the trusted authentication and give the shared secret in CMS1. And change the web.xml at <DeployedLocation>\Business Objects\BusinessObjects Enterprise 12.0\warfiles\WebApps\InfoViewApp\WEB-INF at CMS1.
  Please advice.
  Thanks,
  Rakesh

  Trusted auth will not work without a shared secret. You specify it once in the CMC > authentication, Enterprise and on each web/app in a TrustedPrincipal.conf file. This is only half the battle as you have to select the method you are supplying the username and then provide the username via 3rd party (these steps are not documented except for remote_user and query_string)
  Regards,
  Tim

• Invalid Login Using Trusted Authentication

  My productive database server always report "Invalid Login Using Trusted Authentication" in udump. Could you tell me what is mean? would it influent oracle running?

  Can we test a single connection using SQL authentication and If still persist, you have to double check that credential
  if it is still trying to connect SQ Server and identify if it is hitting the
  same DB on the same server or other DBs  since I do think this errors is related to other DBs
  Kindly work out  it and please let know me your feedback                                               
  Shehap (DB Consultant/DB Architect) Think More deeply of DB Stress Stabilities

• MOBI SSO with trusted authentication and form based authentication

  Dear All,
  I am trying to configure Trusted authentication based SSO FOR MOBI, here are the details:
  - SAP BI 4.1 SP04
  - Trusted authentication with HTTP header configurred for BI Launchpad and working fine.
  Now to have SSO from Mobile, I plan to leverage the existing configuration of BI Launchpad and at Mobile level, I want to use authentication type as TRUSTED_AUTH_FORM, instead of TRUSTED_AUTH_BASIC, with the approach: Trusted authentication with HTTP header.
  And
  Provide our app users their X502 certs.
  1. Will the above approach work ??
  2. As per SAP NOTE: 2038165 - SSO using form based trusted auth gives with the SAP BI app for iOS gives error MOB00920 this does not work and is still under investigation from July last year ? So for any community member, has this been found working ??
  I would appreciate your valuable inputs.
  Regards,
  Sarvjot Singh

  Hi,
  According to your post, my understanding is that you want to know the difference of the SharePoint three type user authentications.
  Windows claims-based authentication uses your existing Windows authentication provider (Active Directory Domain Services [AD DS]) to validate the credentials of connecting clients. Use this authentication to allow AD DS-based accounts access to SharePoint
  resources. Authentication methods include NTLM, Kerberos, and Basic.
  Forms-based authentication can be used against credentials that are stored in an authentication provider that is available through the ASP.NET interface
  SAML token-based authentication in SharePoint 2013 requires coordination with administrators of a claims-based environment, whether it is your own internal environment or a partner environment.
  There is a good article contains all the SharePoint Authentications, including how they work and how to configure.
  http://sp77.blogspot.com/2014/02/authentication-in-sharepoint-2013_5.html#.VFcyQ_mUfkJ
  Thanks & Regards,
  Jason
  Jason Guo
  TechNet Community Support