SAP Knowledge Base Article - Preview

2629070 - How to Securely Integrate BI 4.2 or 4.3 with Windows Active Directory and SSO in Distributed Environments - Best Practices


  • How to configure BI 4.2 or 4.3 for integration with Microsoft Active Directory to allow manual Kerberos logon and Kerberos delegation (aka SSO, SPNEGO, or Negotiate). This KBA requires constrained delegation and at least one supported Microsoft encryption type (AES 256, AES 128, or RC4), and will work with HTTPS (TLS/SSL) or insecure HTTP.
  • If your BI servers (the CMSs) are installed on Unix or Linux, then the AD plugin is not available; see the alternative SSO configuration in KBA 1965433.
  • NEW! If you prefer to watch the video version, see KBA 2640238.
  • IMPORTANT INFORMATION about using Microsoft SSO, this KBA and SAP/BI (SSO, aka SPNEGO, is a 100% Microsoft configuration). This document shows the settings in Microsoft that are proven to work with BI. There have been many issues lately where customers have decided to implement their own configuration (which isn't working) and then come to SAP for help. There is nothing wrong with using your own Microsoft configuration; in fact, we would encourage it when it works and fits your company's security policies.
    What is important to note is that SAP engineers are not experts in Microsoft settings, and if this document is not followed exactly, SAP/BI will not be able to assist (especially as a very high) unless a representative from Microsoft (the company) is pointing out that something is incorrect. Everything else is an "experimental configuration" that has not been proven to work with BI.
  • In some rare cases, due to customer environmental issues, SAP may guide the customer to make changes to this configuration. This is the only time that such changes would be supported or suggested by SAP.

  • NOTE: All information and pictures were taken from a sample test system and do not represent actual data (any resemblance as such is purely coincidental).



  • SAP BusinessObjects Business Intelligence Platform 4.x
  • Microsoft Active Directory 2008 and above


SAP BusinessObjects Business Intelligence platform 4.1 ; SAP BusinessObjects Business Intelligence platform 4.2 ; SAP BusinessObjects Business Intelligence platform 4.3


bip bi 4.x 4.* 4.0 4.1 4.2 4.3 bi4.x bi4.* bi4.0 bi4.1 bi4.2 bi4.3 directions documentation documents steps to follow vintela ventila vintella ventela set up setup vintela config configuration configuring AD Active Directory single sign on sign-on silent automatic opendocument intermittent error fail trouble troubleshoot shoot test java tomcat websphere weblogic oracle application server netweaver JDK java SDK development kit BI zie MNHWW mkba htkba biauth

Common error messages and symptoms that could occur if any of the above steps are not configured properly:

  • Account Information Not Recognized: Active Directory Authentication failed to log you on. Please contact your system administrator to make sure that you are a member of a valid mapped group and try again. If you are not a member of the default domain, enter your user name as UserName@DNS_DomainName, and then try again. (FWM 00006)
  • HTTP 500 error or page cannot be displayed
  • HTTP 404 error
  • HTTP 400 bad request or bad tag (typical error of attempting SSO on the BI server)
  • jcsi.kerberos: Could not decrypt service ticket with Key type ##, KVNO ##, Principal "HTTP/XXX.YYY.ZZZ" using key:Principal username@REALM.COM
  • com.crystaldecisions.sdk.exception.SDKException$InvalidArg: The argument has an invalid value null (FWM 02024) - delegation error

secwinad winad launch pad pass through pass-through passthrough end to end-to-end e2e db auth, How to configure Windows AD, KBA, BI-BIP-AUT, Authentication, ActiveDirectory, LDAP, SSO, Vintela, How To
