Symptom
How do I configure SAP Lumira for Kerberos Authentication?
NOTE: This KBA has been written for Lumira Desktop 1.X - elements of the configuration might differ between 1.X and 2.X clients.
To configure and troubleshoot Lumira Discovery 2.0, refer to KBA 2538325 - How to configure and troubleshoot Windows AD authentication in Lumira Discovery 2.0
Environment
- SAP Lumira Desktop 1.x
Resolution
Overview
SAP Lumira, desktop edition supports Kerberos authentication and requires specific steps to configure it.
These steps apply when authenticating against any server that uses Kerberos, including SAP BusinessObjects Business Intelligence Platform and SAP HANA.
Trace logs are extremely helpful for troubleshooting; instructions for enabling them are in the additional knowledge base articles listed at the end of this KBA.
Steps
- Kerberos jgss configuration file
- Kerberos services configuration file
- SAP Lumira configuration file
- Allow Ticket Granting Ticket Session
- Run As Administrator
1. Kerberos jgss configuration file
Create C:\Windows\bscLogin.conf with the following content:
com.sun.security.jgss.login {
com.sun.security.auth.module.Krb5LoginModule required doNotPrompt=true debug=true client=true useTicketCache=true;
};
com.sun.security.jgss.initiate {
com.sun.security.auth.module.Krb5LoginModule required doNotPrompt=true debug=true client=true useTicketCache=true;
};
com.sun.security.jgss.accept {
com.sun.security.auth.module.Krb5LoginModule required doNotPrompt=true debug=true client=true useTicketCache=true;
};
com.businessobjects.security.jgss.login {
com.sun.security.auth.module.Krb5LoginModule required doNotPrompt=true debug=true client=true useTicketCache=true;
};
com.businessobjects.security.jgss.initiate {
com.sun.security.auth.module.Krb5LoginModule required debug=true client=true;
};
com.businessobjects.security.jgss.accept {
com.sun.security.auth.module.Krb5LoginModule required doNotPrompt=true debug=true client=true useTicketCache=true;
};
sap.bo.dsws.client {
com.sun.security.auth.module.Krb5LoginModule required debug=true useTicketCache=true;
};
2. Kerberos services configuration file
Create C:\Windows\krb5.ini with the following content (example taken from the BI Platform Administrator Guide):
[libdefaults]
default_realm = DOMAIN.COM
dns_lookup_kdc = true
dns_lookup_realm = true
default_tkt_enctypes = rc4-hmac
default_tgs_enctypes = rc4-hmac
[domain_realm]
.domain.com = DOMAIN.COM
domain.com = DOMAIN.COM
.domain2.com = DOMAIN2.COM
domain2.com = DOMAIN2.COM
[realms]
DOMAIN.COM = {
default_domain = DOMAIN.COM
kdc = HOSTNAME.DOMAIN.COM
}
DOMAIN2.COM = {
default_domain = DOMAIN2.COM
kdc = HOSTNAME.DOMAIN2.COM
}
[capaths]
DOMAIN2.COM = {
DOMAIN.COM =
}
Setting | Description |
DOMAIN.COM | The DNS name of your domain, which must be entered in uppercase in FQDN format |
kdc | The host name of the Domain Controller |
[capaths] | Defines the trust between domains that are in another AD forest. In the example above DOMAIN2.COM is a domain in an external forest and has a direct two-way transitive trust to DOMAIN.COM. |
default_realm | In a multiple domain configuration, the default_realm value under [libdefaults] may be any of the source domains. The best practice is to use the domain with the greatest number of users that will be authenticating with their AD accounts. If no UPN suffix is supplied at log on, it defaults to the value of default_realm. This value should be consistent with the default domain setting in the CMC. All domains must be specified in uppercase as shown in the example above. |
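As an added example (not part of the KBA), a small Python checker that parses a krb5.ini and applies the rules from the table above: the default realm must be defined under [realms], realm names must be uppercase, and every [domain_realm] mapping must point to a defined realm. It also flags RC4 and DES ticket encryption types as weak, since the example above uses rc4-hmac and AES types are preferred where the domain supports them. The sample file is constructed.

```python
# Added example (not from the KBA): checks a krb5.ini against the rules above. Constructed
# sample with one deliberate mistake: a [domain_realm] entry maps to a realm [realms] never defines.
SAMPLE_KRB5_INI = """\
[libdefaults]
default_realm = DOMAIN.COM
default_tkt_enctypes = rc4-hmac
[domain_realm]
.domain.com = DOMAIN.COM
.domain2.com = domain2.com
[realms]
DOMAIN.COM = {
kdc = HOSTNAME.DOMAIN.COM
}
"""
WEAK_ENCTYPES = {"rc4-hmac", "arcfour-hmac", "des-cbc-crc", "des-cbc-md5"}

def parse_krb5(text):
    # Minimal parser: {section: {key: value}}; a "NAME = { ... }" block becomes a nested dict.
    conf, section, block = {}, None, None
    for line in filter(None, (l.strip() for l in text.splitlines())):
        if line[0] == "[":
            section, block = line.strip("[]").lower(), None
            conf[section] = {}
        elif line == "}":
            block = None
        elif line.endswith("{"):
            block = line[:-1].strip(" =")
            conf[section][block] = {}
        else:
            key, _, val = line.partition("=")
            (conf[section][block] if block else conf[section])[key.strip()] = val.strip()
    return conf

def check_krb5(text):
    # Returns the problems found; an empty list means the file passes every check.
    conf = parse_krb5(text)
    lib, realms = conf.get("libdefaults", {}), conf.get("realms", {})
    problems = []
    if lib.get("default_realm") not in realms:
        problems.append(f"default_realm {lib.get('default_realm')!r} has no [realms] entry")
    for name in realms:
        if name != name.upper():
            problems.append(f"realm {name} must be uppercase")
    for host, realm in conf.get("domain_realm", {}).items():
        if realm not in realms:
            problems.append(f"[domain_realm] maps {host} to undefined realm {realm!r}")
    for key in ("default_tkt_enctypes", "default_tgs_enctypes"):
        weak = WEAK_ENCTYPES & set(lib.get(key, "").split())
        if weak:
            problems.append(f"{key} allows weak enctype(s): {' '.join(sorted(weak))}")
    return problems
```

Run it against the real C:\Windows\krb5.ini by passing the file contents to check_krb5; the sample as written reports the bad mapping and the weak enctype.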
3. SAP Lumira configuration file
Add the following lines to C:\Program Files\SAP Lumira\Desktop\SAPLumira.ini:
-Djava.security.auth.login.config=C:\Windows\bscLogin.conf
-Djava.security.krb5.conf=C:\Windows\krb5.ini
4. Allow Ticket Granting Ticket Session
A registry value is required to instruct Windows to expose the ticket granting ticket (TGT) session key to applications; the Java Kerberos login module needs it when it reads the Windows ticket cache.
Option | Description |
Registry path | HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Kerberos\Parameters |
Value Name | allowtgtsessionkey |
Value Type | REG_DWORD |
Value | 0x01 |
Details on editing the registry can be found in Knowledge Base Article 1323322 - Editing the Windows Registry - Warning
5. Run As Administrator
If the Windows user is an Administrator, SAP Lumira must be started with "Run as administrator" in order for Kerberos to work.
Additional Knowledge Base Articles
- 1995864 - Cannot connect to Universe using Windows AD from Lumira desktop
- 2065396 - Does SAP Lumira support connecting to a Universe using Single Sign On?
- 2172746 - SAP Lumira - Connecting to a universe data source
- 2181269 - Issue with Windows AD Connectivity from Lumira Desktop to SQL Server
- 2206553 - High Level SAP Lumira Desktop Trace Log Files Using enabletracing.bat File
- 2251461 - Getting HDB 05401 When Saving Lumira Documents to BI Platform
- 2300144 - FAQ: Lumira Desktop and BI Platform Single sign-on
See Also
For information on SAP BusinessObjects Lumira 2.x, see KBA 2538325 - How to configure and troubleshoot Windows AD authentication in Lumira Discovery 2.0
Keywords
kerberos single sign on krb5 krb active directory authentication ad auth sso windows howto how-to how to , KBA , BI-LUM-DIS , Lumira Desktop/Discovery , BI-LUM-SRV-BIP , SAP Lumira Server for BI Platform , How To