Channel: SCN : Popular Discussions - SAP BusinessObjects Analysis, edition for OLAP

SSO configuration in multi-domain environment


Good morning,

 

We have a BusinessObjects BI 4.0 installation, SP4 Patch 6. Our requirement is to define Analysis OLAP views on an SSAS 2008 OLAP connection with the SSO authentication mode.

 

Users can belong to different domains, all in a single forest (example: the main domain is MAINDOM.COM, and there are IT.MAINDOM.COM, FR.MAINDOM.COM, GER.MAINDOM.COM, etc.).

 

We configured Active Directory SSO following these SAP notes:

  • 1631734 - Configuring Active Directory Manual Authentication and SSO for BI4
  • 1688079 - Configuring BI4 Analysis Edition for OLAP for End-to-End SSO to MS SQL Server Analysis Services

 

We ran the following tests, all with positive results:

  • AD users imported into the BO environment using the AD plugin and visible in the corresponding groups in the CMC;
  • AD manual login using thick clients (IDT and Web Intelligence Rich Client);
  • KINIT test for users belonging to different domains (MAINDOM.COM, IT.MAINDOM.COM, FR.MAINDOM.COM);
  • bsclogin.conf test (setting debug=true and checking the Tomcat log);
  • Credentials obtained during start of the Tomcat service ("jcsi.kerberos: ** Credentials obtained");
  • SSO (the user enters BI Launch Pad without typing a username/password) using a client connected to MAINDOM.COM and to IT.MAINDOM.COM;
  • Access to the OLAP application published via IIS (http:\\servername\OLAP\msmdpump.dll) using Excel or Microsoft SQL Server Management Studio;
  • An Analysis OLAP view on an OLAP connection with the "prompt" authentication mode works correctly (the user enters username and password when opening a view).

 

If we try to use an OLAP connection with SSO, it is not possible to access the SSAS cubes. After launching the Analysis OLAP application and selecting the connection, the system goes into a loop. We found the following logs produced by the MDAS server:

 

httpclient.wire.header||<< "WWW-Authenticate: Negotiate[\r][\n]"
httpclient.wire.header||<< "WWW-Authenticate: NTLM[\r][\n]"
httpclient.wire.header||<< "WWW-Authenticate: Basic realm="DOM.COM"[\r][\n]"
httpclient.wire.content||<< "  <h2>401 - Unauthorized: Access is denied due to invalid credentials.</h2>[\r][\n]"
httpclient.wire.content||<< "  <h3>You do not have permission to view this directory or page using the credentials that you supplied.</h3>[\r][\n]"
...
org.apache.commons.httpclient.auth.AuthenticationException: Error establishing Kerberos security context (ODA10067)
...
Caused by: GSSException: No valid credentials provided (Mechanism level: Fail to create credential. (63) - No service creds)
...
Caused by: KrbException: Fail to create credential. (63) - No service creds

 

A few considerations follow:

  • The service account used to launch the SIA and Tomcat belongs to the DOM.COM domain. The "BusinessObjects Platform" server and the "MS SSAS2008" server belong to a subdomain (IT.DOM.COM). I don't know if something would change by defining the service account in the same domain as the BOBJ server.
  • I think that the authentication type should be "Negotiate Kerberos" and not NTLM. It seems that a wrong authentication mode is used;
  • The "Unauthorized" error should not occur, because the same user can log in using Excel or via SQL Server Management Studio (accessing the msmdpump.dll driver).

 

Could someone give me a hint about this situation? Could we do some other tests to verify the correctness of the configuration?

 

Any help would be really appreciated!

 

L
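As an added example (not part of the original post, nor of SAP's notes), here is an offline check for the two things a practitioner would look at first given the log above: which realm the Java HTTP client will ask for the HTTP/<host> service ticket from, under the [domain_realm] mapping of krb5.ini, and whether IIS offered Negotiate at all in its 401. The hostnames (ssas01.it.dom.com, dc01.dom.com), the krb5.ini content and the wire-log lines are constructed to mirror the post. The code assumes that a client with no matching [domain_realm] entry falls back to default_realm and does not follow KDC referrals, which is how a plain krb5-style Java configuration behaves; the post does not say how the jcsi.kerberos library used by the MDAS handles that case, so treat the output as a check to run, not as the answer.

```python
import re
from typing import Dict, List
from urllib.parse import urlsplit

# Constructed krb5.ini for one forest with a child domain. Realm names follow
# the post (DOM.COM / IT.DOM.COM); KDC hostnames are assumed for illustration.
SAMPLE_KRB5_INI = """\
[libdefaults]
    default_realm = DOM.COM
    dns_lookup_kdc = true
    forwardable = true

[realms]
    DOM.COM = {
        kdc = dc01.dom.com
    }
    IT.DOM.COM = {
        kdc = dc01.it.dom.com
    }

[domain_realm]
    .dom.com = DOM.COM
    dom.com = DOM.COM
    .it.dom.com = IT.DOM.COM
    it.dom.com = IT.DOM.COM
"""

# Constructed wire-log lines in the same shape as the MDAS log quoted in the post.
SAMPLE_WIRE_LOG = [
    'httpclient.wire.header||<< "WWW-Authenticate: Negotiate[\\r][\\n]"',
    'httpclient.wire.header||<< "WWW-Authenticate: NTLM[\\r][\\n]"',
    'httpclient.wire.header||<< "WWW-Authenticate: Basic realm="DOM.COM"[\\r][\\n]"',
]


def parse_krb5_ini(text: str) -> Dict[str, Dict[str, str]]:
    """Parse the flat key = value sections of krb5.ini. Brace-delimited
    sub-blocks (the per-realm kdc entries) are skipped; only [libdefaults]
    and [domain_realm] are needed to resolve a service host to a realm."""
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    depth = 0
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith(";"):
            continue
        if depth == 0 and line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            sections.setdefault(current, {})
        elif line.endswith("{"):
            depth += 1
        elif line == "}":
            depth -= 1
        elif depth == 0 and current is not None and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            sections[current][key.lower()] = value
    return sections


def realm_for_host(host: str, conf: Dict[str, Dict[str, str]]):
    """Longest-suffix lookup in [domain_realm], as krb5 does: exact host first,
    then each parent domain with a leading dot. None when nothing matches."""
    mapping = {k.lower(): v for k, v in conf.get("domain_realm", {}).items()}
    host = host.lower().rstrip(".")
    if host in mapping:
        return mapping[host]
    labels = host.split(".")
    for i in range(1, len(labels)):
        parent = "." + ".".join(labels[i:])
        if parent in mapping:
            return mapping[parent]
    return None


def service_principal(url: str, conf: Dict[str, Dict[str, str]]) -> Dict[str, str]:
    """SPN and realm the HTTP client asks a ticket for when calling msmdpump.dll
    at url. With no [domain_realm] match the realm falls back to default_realm
    (assumed client behaviour; a referral-following client may differ)."""
    host = urlsplit(url).hostname.lower()
    realm = realm_for_host(host, conf)
    source = "domain_realm"
    if realm is None:
        realm = conf.get("libdefaults", {}).get("default_realm", "")
        source = "default_realm"
    return {"host": host, "spn": f"HTTP/{host}", "realm": realm, "source": source}


SCHEME_RE = re.compile(r"WWW-Authenticate: ([A-Za-z]+)")


def offered_schemes(log_lines) -> List[str]:
    """Authentication schemes IIS offered in the 401, in the order they appeared."""
    seen: List[str] = []
    for line in log_lines:
        m = SCHEME_RE.search(line)
        if m and m.group(1) not in seen:
            seen.append(m.group(1))
    return seen


def findings(url: str, conf, spn_realm: str, log_lines) -> List[str]:
    """Mismatches between what the client will request and where the SPN lives
    (spn_realm = domain of the account that carries HTTP/<host>)."""
    out: List[str] = []
    p = service_principal(url, conf)
    if p["source"] == "default_realm":
        out.append(f"no [domain_realm] entry covers {p['host']}; "
                   f"ticket request falls back to default_realm {p['realm']}")
    if p["realm"] != spn_realm.upper():
        out.append(f"client asks {p['realm']} for {p['spn']}, "
                   f"but the SPN is registered in {spn_realm.upper()}")
    if "Negotiate" not in offered_schemes(log_lines):
        out.append("IIS did not offer Negotiate, so Kerberos cannot be used for this URL")
    return out


if __name__ == "__main__":
    cfg = parse_krb5_ini(SAMPLE_KRB5_INI)
    # Service account in DOM.COM, SSAS/IIS host in IT.DOM.COM, as in the post.
    for f in findings("http://ssas01.it.dom.com/OLAP/msmdpump.dll", cfg, "DOM.COM", SAMPLE_WIRE_LOG):
        print("finding:", f)
```

Run it against the real krb5.ini from the Tomcat and MDAS hosts, with the URL of the msmdpump.dll endpoint and the domain of the account that actually holds the HTTP/ SPN (setspn -Q HTTP/<host> shows it). A host in a child domain that is only covered by the parent's `.dom.com` entry resolves to the parent realm, which is the kind of silent mismatch the constructed sample exposes; the Negotiate check confirms that the 401 in the post was IIS offering Kerberos and the client failing to obtain a service ticket, not IIS refusing the scheme.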

