SAP Knowledge Base Article - Preview

2629070 - How to Securely Integrate BI 4.2, 4.3 or BI 2025 with Windows Active Directory and SSO in Distributed Environments - Best Practices

Symptom

  • How to configure BI 4.2, 4.3 or BI 2025 for integration with Microsoft Active Directory, to allow manual Kerberos logon and Kerberos delegation (aka SSO, SPNEGO, or Negotiate).
  • This KBA requires constrained delegation and at least one supported Microsoft encryption type (AES 256 or AES 128), and will work with HTTPS (TLS/SSL) or insecure HTTP.
  • If your BI servers (the CMSs) are installed on Unix or Linux, then the AD plugin is not available; see the alternative SSO configuration in KBA 1965433.
  • IMPORTANT INFORMATION
    • SSO (aka SPNEGO) for SAP/BI is a 100% Microsoft configuration. This document shows the settings in Microsoft that are proven to work with BI.
    • SAP engineers are not experts in Microsoft settings, and if this document is not followed exactly, SAP/BI will not be able to assist.
    • If there are issues with the configuration, additional assistance from Microsoft Support may be required.
    • RC4 encryption has been disabled by Microsoft; please refer to the documents:
      How to manage Kerberos KDC usage of RC4 Microsoft Support Article – Kerberos KDC RC4 Changes
      3388483 - Windows AD authentication fails after AD KDC update, BI update to 4.3 SP03 Patch 500+, fresh configuration or swapping from RC4 to AES256

  • NOTE: All information and pictures were taken from a sample test system and do not represent actual data (any resemblance as such is purely coincidental).


Environment

  • SAP BusinessObjects Business Intelligence Platform 4.x
  • SAP BusinessObjects Business Intelligence Platform 2025
  • Microsoft Active Directory

Product

SAP BusinessObjects Business Intelligence platform 2025; SAP BusinessObjects Business Intelligence platform 4.1; SAP BusinessObjects Business Intelligence platform 4.2; SAP BusinessObjects Business Intelligence platform 4.3

Keywords

bip bi 4.x 4.* 4.0 4.1 4.2 4.3 bi4.x bi4.x bi4.* bi4.0 bi4.1 bi4.2 bi4.3 directions documentation documents steps to follow vintela ventila vintella ventela set up setup vintela config configuration configuring AD Active Directory single sign on sign-on silent automatic opendocument intermittent error fail trouble troubleshoot shoot test java tomcat websphere weblogic oracle application server netweaver JDK java SDK development kit BI zie MNHWW mkba htkba biauth Common error messages and symptoms that could occur if any of the above steps are not configured properly Account Information Not Recognized: Active Directory Authentication failed to log you on. Please contact your system administrator to make sure that you are a member of a valid mapped group and try again. If you are not a member of the default domain, enter your user name as UserName@DNS_DomainName, and then try again. (FWM 00006) HTTP 500 error or page cannot be displayed HTTP 404 error HTTP 400 bad request or bad tag (typical error of attempting SSO on the BI server) jcsi.kerberos: Could not decrypt service ticket with Key type ##, KVNO ##, Principal "HTTP/XXX.YYY.ZZZ" using key:Principal username@REALM.COM com.crystaldecisions.sdk.exception.SDKException$InvalidArg: The argument has an invalid value null (FWM 02024) - delegation error secwinad winad launch pad pass through pass-through passthrough end to end-to-end e2e db auth, How to configure Windows AD , KBA , BI-BIP-AUT , Authentication, ActiveDirectory, LDAP, SSO, Vintela , How To

About this page

This is a preview of an SAP Knowledge Base Article. The full version is available on SAP for Me (login required).
