SSO configuration for BOBJ BI launchpad 4.3 (Ldap Authentication)


In this blog I will go through the steps to configure Single Sign-On (SSO) in a BOBJ system for BI Launchpad. This blog applies to BOBJ running on Windows or Linux.

Process Overview

The following tasks need to be done to enable Single Sign-On in BOBJ:

- Create an AD service account and set SPN values
- LDAP configuration and map AD groups
- Setup QUERY_STRING Trusted authentication
- Setup part of Vintela SSO for the application server
- Setup the client browser and test SSO
- Limitation
- SAP Notes

1. Create an AD service account and Set SPN Values

Ask the Active Directory admin to create a service account (in this blog we will call it SAPServiceUser).

At a command prompt, set the SPNs on the service account.

setspn -s HTTP/myappserver SAPServiceUser
setspn -s HTTP/myappserverhostname.com SAPServiceUser

Validate that the SPNs are set up correctly using the command:

setspn -L sapserviceuser

2. LDAP configuration and map AD groups

Map an AD group to the LDAP plugin page in the CMC and verify users are imported.

- Log on to CMC with Administrator rights. Link for CMC – http://myappserverhostname.com:8080/BOE/CMC/
- Navigate to CMC | Authentication | LDAP
- Begin the LDAP Wizard

     a. Add the following info then press Next: LDAP host and port

     b. Select Microsoft Active Directory

     c. Change Default User Search Attribute to sAMAccountName and change Username to sAMAccountName, then press Next

     d. Enter the credentials of the AD user. You need to enter the AD service user distinguished name and password:

     CN=SAPServiceUser,OU=SAP Service Accounts,OU=Batch,DC=<Example>,DC=<com>

     e. Click Next and select Basic (no SSL)

     f. Click Next and select Basic (no SSO)

     g. Select the following entries and press Next

     h. Press Finish to complete the Wizard

     i. Add the LDAP groups

3. Setup QUERY_STRING Trusted authentication

3.1 Steps to be done in CMC

- Navigate to CMC > Authentication > Enterprise
- Scroll down to the bottom and check the box for Trusted Authentication is enabled
- Click the button for New Shared Secret
- Click the button for Download Shared Secret (save as TrustedPrincipal.conf file)
- Load the TrustedPrincipal.conf onto the server (refer to 3.2)
- Click the button Update

3.2 Steps to be done in Server

3.2.1 Steps to be done in Windows Server

Save the TrustedPrincipal.conf downloaded in step 3.1 to the following locations on your application server:

INSTALLDIR:\Program Files (x86)\SAP BusinessObjects\SAP BusinessObjects Enterprise XI 4.0\win32_x86

INSTALLDIR:\Program Files (x86)\SAP BusinessObjects\SAP BusinessObjects Enterprise XI 4.0\win64_x64

- Click Update to save the settings in CMC.
- Navigate to Start | Programs | Tomcat | Tomcat Configuration
- Click on the Java tab
- Add the following to the bottom of the Java Options

-Dbobj.trustedauth.home=INSTALLDIR:\Program Files (x86)\SAP BusinessObjects\SAP BusinessObjects Enterprise XI 4.0\win64_x64
-Dbobj.trustedauth.home=INSTALLDIR:\Program Files (x86)\SAP BusinessObjects\SAP BusinessObjects Enterprise XI 4.0\win32_x86

- Navigate to INSTALLDIR:\Program Files (x86)\SAP BusinessObjects\tomcat\webapps\BOE\WEB-INF\config\custom
- Create a file named global.properties and add the following information: (Warning: Copy/paste may add a space at the end of the following lines that will break TA SSO)

sso.enabled=true
trusted.auth.user.param=user
trusted.auth.user.retrieval=QUERY_STRING

- Create a file named FioriBI.properties and add the following information.

sso.supported.types=vintela, trustedIIS, trustedHeader, trustedParameter, trustedCookie, trustedSession, trustedUserPrincipal, trustedVintela, trustedX509, sapSSO, siteminder

- Wait until Tomcat Server is up
- In a browser, navigate to your BI launchpad URL with the user parameter added to the end, e.g. http://myappserverhostname.com/BOE/BI?user=ADuser

3.2.2 Steps to be done in Linux Server

Save the TrustedPrincipal.conf downloaded in step 3.1 to the following locations on your application server:

Linux: /usr/sap/SID/SBO/sap_bobj/enterprise_xi40/linux_x64 and /usr/sap/SID/SBO/sap_bobj/enterprise_xi40/linux_x86

- Click Update to save the settings.
- Navigate to /usr/sap/SID/SBO/sap_bobj/tomcat/webapps/BOE/WEB-INF/config/custom
- Create a file named global.properties and add the following information: (Warning: Copy/paste may add a space at the end of the following lines that will break TA SSO)

sso.enabled=true
trusted.auth.user.param=user
trusted.auth.user.retrieval=QUERY_STRING

- Restart Tomcat
- Navigate to /usr/sap/SID/SBO/sap_bobj/tomcat/logs/stderr.log and wait until you see INFO: Server startup in ###### ms
- In a browser, navigate to your BI launchpad URL with the user parameter added to the end, e.g. http://myappserverhostname.com/BOE/BI?user=x_userid

4. Setup part of Vintela SSO for the application server

4.1. Enable low level vintela tracing in Tomcat’s Java Options

4.1.1 Enable low level vintela tracing in Tomcat’s Java Options in Windows

- Navigate to Start | Programs | Tomcat | Tomcat Configuration
- Click on the Java tab
- Add the following to the bottom of the Java Options. We will also be adding the tracing parameter -Djcsi.kerberos.debug=true, which can be removed later.

4.1.2 Enable low level vintela tracing in Tomcat’s Java Options in Linux

- Back up and edit the env.sh located in /bo_install_dir/bobje/setup with your preferred text editor (NOTE: path & syntax can vary depending on the Tomcat version)
- Make the additions inside the single quotes, on the same line (there may be terminal wrap-around; just ensure you are not adding a carriage return (Enter) on this line).
- We will also be adding the tracing parameter -Djcsi.kerberos.debug=true, which can be removed later.

From:

# set the JAVA_OPTS for tomcat
JAVA_OPTS="-d$OBJECT_MODEL -Dbobj.enterprise.home=${BOBJEDIR}enterprise120 -Djava.awt.headless=true -Djava.net.preferIPv4Stack=false"

To:

# set the JAVA_OPTS for tomcat
JAVA_OPTS="-d$OBJECT_MODEL -Dbobj.enterprise.home=${BOBJEDIR}enterprise120 -Djava.awt.headless=true -Djava.net.preferIPv4Stack=false -Djcsi.kerberos.debug=true"

4.2 Add trustedvintela line to the FioriBi properties (Windows and Linux)

- Back up and edit your fioribi.properties file.
- Ensure the following lines are present:

sso.types.and.order=trustedVintela
authentication.default=secLDAP
authentication.visible=true
logon.authentication.visibleList=secEnterprise,secLDAP,secWinAD,secSAPR3,secOraApps,secPSE1,secpsenterprise,secSiebel7
cms.default=<System Alias>
cms.visible=true
sso.types.and.order=trustedVintela
sso.supported.types=vintela, trustedIIS, trustedHeader, trustedParameter, trustedCookie, trustedSession, trustedUserPrincipal, trustedVintela, trustedX509, sapSSO, siteminder

NOTE: When sso.types.and.order= is used (above) then the settings in the global.properties for sso.enabled, vintela.enabled, and trusted.auth.user.retrieval are no longer needed below (and have been removed)

4.3 Add Vintela lines to the global.properties file (Windows and Linux)

- Back up and edit your global.properties file.
- Navigate to INSTALLDIR:\Program Files (x86)\SAP BusinessObjects\tomcat\webapps\BOE\WEB-INF\config\custom in case of Windows and /usr/sap/SID/SBO/sap_bobj/tomcat/webapps/BOE/WEB-INF/config/custom in case of Linux
- Add the following lines:

siteminder.enabled=false
sso.enabled=true
vintela.enabled=true
idm.realm=<DOMAIN NAME>.COM
idm.princ=SAPServiceUser
idm.allowS4U=true
idm.password=<Password of SAPServiceUser>
idm.allowUnsecured=true
idm.allowNTLM=false
idm.logger.name=simple
idm.logger.props=error-log.properties

4.4 Remove legacy settings in global.properties from testing query_string

- While you have the global.properties file open, remove the line trusted.auth.user.param=user
- Remove the line trusted.auth.user.retrieval=QUERY_STRING (this is all handled by the sso.types.and.order)

Note:

- Copy the contents of your custom folder (<INSTALLDIR>\tomcat\webapps\BOE\WEB-INF\config\custom) to <INSTALLDIR>\SAP BusinessObjects Enterprise XI 4.0\warfiles\webapps\BOE\WEB-INF\config\custom in case of Windows
- Copy the contents of your custom folder (/usr/sap/SID/SBO/sap_bobj/tomcat/webapps/BOE/WEB-INF/config/custom) to /usr/sap/SID/SBO/sap_bobj/warfiles/webapps/BOE/WEB-INF/config/custom in case of Linux OS
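The following check is an added example, not code from this blog or from SAP: a small Python linter for the finished global.properties that flags the trailing-space problem warned about in section 3.2, the QUERY_STRING test keys that section 4.4 removes, a real value in idm.password, idm.allowUnsecured=true, and repeated keys. The sample file content, realm and password are constructed, and the function and finding names are this example's own.

```python
from collections import Counter

# Keys the page uses only for the QUERY_STRING test and removes in section 4.4.
LEGACY_TEST_KEYS = {"trusted.auth.user.param", "trusted.auth.user.retrieval"}

# Constructed sample: the section 4.3 settings with a made-up realm and
# password, a leftover test line ending in a space, and a repeated key.
SAMPLE_GLOBAL_PROPERTIES = (
    "siteminder.enabled=false\n"
    "sso.enabled=true\n"
    "vintela.enabled=true\n"
    "idm.realm=EXAMPLE.COM\n"
    "idm.princ=SAPServiceUser\n"
    "idm.allowS4U=true\n"
    "idm.password=Constructed-Passw0rd\n"
    "idm.allowUnsecured=true\n"
    "idm.allowNTLM=false\n"
    "trusted.auth.user.retrieval=QUERY_STRING \n"
    "sso.enabled=true\n"
)


def parse_properties(text):
    """Yield (line_no, key, raw_value) for each key=value line.

    Only the key=value form used on this page is handled. The value keeps
    its trailing whitespace, as java.util.Properties does on load, which is
    why a pasted trailing space changes the setting.
    """
    for line_no, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped[0] in "#!":
            continue  # blank line or comment
        key, sep, raw_value = line.partition("=")
        if sep:
            yield line_no, key.strip(), raw_value.lstrip()


def audit_properties(text):
    """Return a sorted list of (line_no, finding, key) tuples."""
    seen = Counter()
    findings = []
    for line_no, key, raw_value in parse_properties(text):
        value = raw_value.rstrip()
        seen[key] += 1
        if seen[key] > 1:
            findings.append((line_no, "DUPLICATE_KEY", key))
        if raw_value != value:
            findings.append((line_no, "TRAILING_WHITESPACE", key))
        if key in LEGACY_TEST_KEYS:
            # With QUERY_STRING retrieval the user name comes from the URL.
            findings.append((line_no, "QUERY_STRING_TEST_SETTING_LEFT", key))
        if key == "idm.password" and value and not value.startswith("<"):
            # Service account password readable by anyone who can read the file.
            findings.append((line_no, "CLEARTEXT_SERVICE_PASSWORD", key))
        if key == "idm.allowUnsecured" and value.lower() == "true":
            findings.append((line_no, "ALLOW_UNSECURED_TRUE", key))
    return sorted(findings)


if __name__ == "__main__":
    for line_no, finding, key in audit_properties(SAMPLE_GLOBAL_PROPERTIES):
        print(f"line {line_no}: {finding} ({key})")
```

Run it against both copies of the custom folder (the tomcat one and the warfiles one), since the Note above has you keep them in sync.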

4.5 Increase Tomcat’s maxHttpHeaderSize

For Tomcat servers it is necessary to increase the default HTTP header size in server.xml. Kerberos login requests contain, among other things, group information. The more AD groups a user is a member of, the larger the HTTP header must be to accommodate the size of the Kerberos packet. 16384 is usually large enough, but if your mapped users are members of many groups (50 or more AD groups) you may need to increase this size to 32768, 65536 or more (multiples of 16384).

NOTE: Make a backup copy of the server.xml file prior to editing.

The line should look like this after adding the maxHttpHeaderSize attribute and a single space before it:

<Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443" compression="on" URIEncoding="UTF-8" compressionMinSize="2048" noCompressionUserAgents="gozilla, traviata" compressableMimeType="text/html,text/xml,text/plain,text/css,text/javascript,text/json,application/json" maxHttpHeaderSize="65536"/>

NOTE: Do not copy/paste. Also, this file is case sensitive.

4.6 Restart Tomcat and check to make sure the Vintela filter has loaded

Check for the messages "Message sent sucessfully to KDC" and "credentials obtained" in stderr.log:

[DEBUG] Tue Sep 27 10:31:23 EDT 2011 jcsi.kerberos: Message sent sucessfully to KDC: /10.167.255.113:88
[DEBUG] Tue Sep 27 10:31:23 EDT 2011 jcsi.kerberos: ** credentials obtained .. **

5. Setup the client browser and test SSO

- Go to Internet Explorer
- Click menu > Internet Options > Advanced menu > Enable Windows Integrated Authentication
- Ensure Internet Options > Security > Local Intranet > Custom Level > Automatic logon in Intranet zone is selected.
- If the URL for BI Launch Pad is not a plain hostname (for example, it is the FQDN or contains a "."), it must be added to the client's local intranet sites
- Ensure you are logged onto a workstation with the domain credentials of a user who can manually log into BI Launch Pad, and attempt SSO
- Navigate to http://server:port/BOE/BI and ensure SSO occurs
- On a separate browser, log in to the CMC as the Administrator, click Sessions and note that the AD user's session exists as an Enterprise session

6. Limitation

- Multi forest (or even tree root trusts) in AD are NOT supported due to limitations of the LDAP Plug-In
- Multiple AD domains in the same tree (parent child) are supported on a limited basis; see KBA 1245218
- Kerberos SSO to the database is NOT supported for any database, as it requires users to log in with the AD Plug-In
- SSO via BI client tools is NOT supported, either through the tool or web services (web services SSO requires logon via AD Plug-In)

7. SAP Notes

The notes below are useful for implementing SSO in BI launchpad:

1965433 – Setting up AD SSO when CMS is on Unix or Linux in BI4.x ***BEST PRACTICE***

1245218 – How to connect the LDAP plugin to Active Directory

1593628 – Setting up Trusted Authentication for the BOE web applications using the QUERY_STRING method

1549258 – BI 4.x: Authentication drop down option is missing from "BI launch pad" login page

1615492 – How to preserve custom settings for SAP BusinessObjects Tomcat WebApps in Business Intelligence Platform 4.x

2629070 – How to Securely Integrate BI 4.2 or 4.3 with Windows Active Directory and SSO in Distributed Environments – Best Practices

2041379 – Explaining the sso.types.and.order parameter in BI 4.1 & 4.2

2781286 – How To: Configure Security Token Service (STS) communication on BI 4.2, BI 4.3 and above

3239174 – Quick setup of STS for Cloud (such as HEC) customers

2524775 – Certificates generation using Java Keytool when configuring STS in BI 4.2 SP04 (Patch 4) onwards instead of PKCS12 tool

1653890 – Your security profile does not include permission to create documents. (Error: ERR_WIS_30263) error given in Webi Rich Client

Conclusion

The above steps complete the SSO configuration in BOBJ BI Launchpad. Please refer to the KBA below for the entire solution:

1965433 – Setting up AD SSO when CMS is on Unix or Linux in BI4.x ***BEST PRACTICE***