SAP Knowledge Base Article - Preview

2629070 - How to Securely Integrate BI 4.x with Windows Active Directory and SSO in Distributed Environments - Best Practice


  • How to configure BI 4.x for integration with Microsoft Active Directory, to allow manual Kerberos logon and Kerberos delegation (aka SSO, SPNEGO, or Negotiate)
  • This KBA is a prerequisite for setting up SSO to the database via Kerberos (see KBA 1869952), web services client tools SSO (see KBA 1646920), and many other scenarios
  • In most cases this KBA will replace KBA 1631734 for all BI systems on 4.1 and above, although 1631734 can still be used (but does not contain as much updated info) 
  • This new KBA allows for a more secure configuration between BI and AD by integrating constrained delegation, the ability to use only RC4, AES 128 or AES 256 encryption, as well as SSL/TLS on the web/app, and it contains all of the latest BI features that were added as of 4.2 SP5
  • SSO browser issues found in IE 11 (on Win 10; see KBA 2485300), Edge, and Google Chrome (KB 1887193) should work out of the box without modifying Credential Guard or adding URLs to the registry
  • If your BI servers (the CMSs) are installed on Unix or Linux, then the AD plugin is not available; see the alternative SSO configuration in KBA 1965433
  • NEW! If you prefer to watch the video version, click on this link KBA 2640238
  • NOTE: All information and pictures were taken from a sample test system and do not represent actual data (any resemblance as such is purely coincidental)



  • SAP BusinessObjects Business Intelligence Platform 4.x
  • Microsoft Active Directory 2008 and above


SAP BusinessObjects Business Intelligence platform 4.1 ; SAP BusinessObjects Business Intelligence platform 4.2 ; SAP BusinessObjects Business Intelligence platform 4.3


bip bi 4.x 4.* 4.0 4.1 4.2 4.3 bi4.x bi4.x bi4.* bi4.0 bi4.1 bi4.2 bi4.3 directions documentation documents steps to follow vintela ventila vintella ventela set up setup vintela config configuration configuring AD Active Directory single sign on sign-on slient automatic opendocument intermittent error fail trouble troubleshoot shoot test java tomcat websphere weblogic oracle application server netweaver JDK java SDK development kit BI zie MNHWW mkba htkba biauth

Common error messages and symptoms that could occur if any of the above steps are not configured properly:

  • Account Information Not Recognized: Active Directory Authentication failed to log you on. Please contact your system administrator to make sure that you are a member of a valid mapped group and try again. If you are not a member of the default domain, enter your user name as UserName@DNS_DomainName, and then try again. (FWM 00006)
  • HTTP 500 error or page cannot be displayed
  • HTTP 404 error
  • HTTP 400 bad request or bad tag (typical error of attempting SSO on the BI server)
  • jcsi.kerberos: Could not decrypt service ticket with Key type ##, KVNO ##, Principal "HTTP/XXX.YYY.ZZZ" using key:Principal username@REALM.COM
  • com.crystaldecisions.sdk.exception.SDKException$InvalidArg: The argument has an invalid value null (FWM 02024) - delegation error

secwinad winad launch pad pass through pass-through passthrough end to end-to-end e2e db auth, How to configure Windows AD , KBA , BI-BIP-AUT , Authentication, ActiveDirectory, LDAP, SSO, Vintela , How To
