2777306 - How to configure the Import Connection to Business Intelligence Platform Universe using Windows Active Directory authentication in SAP Analytics Cloud (SAC)

Symptom

How to configure the Import / Acquired Connection to BIP Universe (UNX) using the manual AD Kerberos authentication in in SAP Analytics Cloud (SAC)?
Get the error when configuring the Import Connection to BIP using AD authentication: Error occurred logging onto BOE

Environment

SAP Analytics Cloud 2019
SAP Business Objects Business Intellgience 4.1 SP5 or higher, or 4.2 SP4 or higher

Reproducing the Issue

Log on SAP Analytics Cloud tenant
Choose menu Connection > click + plus sign at the top right corner
Expand Acquired Data > choose SAP Universe
Fill in all required fields, and select Windows AD in the Authentication Type dropdown list.
Click Create button

Resolution

For SAP Analytics Cloud to use Import Connection to on-premise backend BI system via Windows AD Kerberos authentication, there are steps required to configure Java program, which is SAP Analytics Cloud Agent (C4A_AGENT Java Web Application) , for manual AD Kerberos logon.

Modify the Java options for Kerberos on Tomcat hosting SAP Analytics Cloud Agent

Start menu, select Programs > Tomcat > Tomcat Configuration
Click Java tab
Add the following options:

-Djava.security.auth.login.config=C:\XXXX\bscLogin.conf
-Djava.security.krb5.conf=C:\XXXX\krb5.ini

Replace XXXX with the location where you stored the krb5.ini file and bscLogin.conf file.

Tomcat needs to be restarted after any of options is added, changed or removed to take effect
bsclogin.conf file tells Java to use the AD logon module. In most case the file can be created with the exact info below

com.businessobjects.security.jgss.initiate {
com.sun.security.auth.module.Krb5LoginModule required debug=true;
};

krb5.ini file contains information to assist Java with finding domain controllers. The file below is just an example only and must be changed with information from your own environment. For more detailed krb5.ini refer to KBA 1245178

[libdefaults]
default_realm = EXAMPLE.COM
default_tgs_enctypes = aes256-cts-hmac-sha1-96 RC4-HMAC
default_tkt_enctypes = aes256-cts-hmac-sha1-96 RC4-HMAC
udp_preference_limit = 1

[realms]
EXAMPLE.COM = {
kdc = EXAMPLE-DC.EXAMPLE.COM
default_domain = EXAMPLE.COM
}

Domain name and KDC need to be in upper case. For example, the domain name is PSAUTH08.COM, and KDC is VANPSATVMWIN001.PSAUTH08.COM, the krb5.ini looks like following:

[libdefaults]
default_realm = PSAUTH08.COM
default_tgs_enctypes = aes256-cts-hmac-sha1-96 RC4-HMAC
default_tkt_enctypes = aes256-cts-hmac-sha1-96 RC4-HMAC
udp_preference_limit = 1

[realms]
PSAUTH08.COM = {
kdc = VANPSATVMWIN001.PSAUTH08.COM
default_domain = PSAUTH08.COM
}

Alternatively, you can copy bscLogin.conf and krb5.ini from your BIP server. They are usually located in C:\Windows or C:\WINNT folder.

NOTE:

* When the SAP Analytics Cloud Agent is located in the DMZ or a separate nework segment, ensure there is no communication issue to connect to KDC server from Tomcat server.

* Ensure bscLogin.conf and krb5.ini files are saved without adding a default extenstion, ie. krb5.ini.txt

Keywords

SAP Cloud for Planning, sc4p, c4p, cforp, cloudforplanning, EPM-ODS, Cloud for Analytics, Cloud4Analytics, CloudforAnalytics, Cloud 4 Planning, BOC, SAPBusinessObjectsCloud, BusinessObjectsCloud, BOBJcloud, BOCloud., SAC, SAP AC, Cloud-Analytics, CloudAnalytics, SAPCloudAnalytics, Kerberos , unx ,acquired connection, , KBA , LOD-ANA , SAP Analytics Cloud (SAC) , LOD-ANA-BI , Business Intelligence Functionality, Analytic Models , LOD-ANA-PL , Planning , LOD-ANA-BR , SAC Boardroom , LOD-ANA-PR , SAC Predictive , Problem

Product

SAP Analytics Cloud 1.0