Bo Share Point Integration


SAP COMMUNITY NETWORK SDN - sdn.sap.com | BPX - bpx.sap.com | BOC - boc.sap.com | UAC - uac.sap.com

© 2010 SAP AG

Single Sign-On and Active Directory-SSO with Integration Option for Microsoft SharePoint XI 3.1

Applies to:

BusinessObjects Enterprise XI 3.1, Integration Option for Microsoft Office SharePoint Software XI 3.1. For more information, visit the Business Objects homepage.

Summary

This document helps users configure Integration Option for Microsoft SharePoint Software 1.0 for Windows Active Directory (AD) authentication and End-to-End Single Sign-On.

Author: Amit Nagar

Company: SAP

Created on: 5 August 2010

Author Bio

Amit Nagar is a Program Manager for SAP BusinessObjects and Microsoft SharePoint Integration products. In previous roles, he has managed testing projects in BusinessObjects, i2 technologies, and WebMD.


Table of Contents

Introduction

BOE with AD Configuration

Steps for Configuring Windows AD NTLM Authentication

Configuring AD NTLM and single sign-on for Integration Option for Microsoft SharePoint Software 1.0

Modifying web.config for impersonation and Windows authentication

Steps for Configuring Windows AD Kerberos Authentication

Configuring AD Kerberos Authentication for SharePoint server

Configuring AD Kerberos and Single Sign-on for Integration Option for Microsoft SharePoint Software 1.0

Modifying web.config for impersonation and Windows authentication

Troubleshooting Tips

Finding More Information

Related Content

Copyright


Introduction

This document helps users configure Integration Option for Microsoft SharePoint Software 1.0 for Windows AD authentication and End-to-End Single Sign-On.

The Domain used in the article is DANIEL.COM.

This article refers to two machines:

XI30RTM - This is a BusinessObjects server installed with Windows 2003 server. The version is XI 3.1 SP2 and Integration Option for Microsoft SharePoint Software 1.0 SP2.

W2K3-EN-DANIEL - Active Directory server installed with Windows 2003 server. Its Domain Functional Level is 2003.

This article refers to the SPN account for BusinessObjects with AD.

This article refers to the BusinessObjects group in AD. The users in this group will be mapped to BOE as BO users.

BOE with AD Configuration

1. Install AD on the AD server: W2K3-EN-DANIEL. Make sure the DEP (Data Execution Prevention) setting is as shown.

NOTE: If DEP is not turned off, the error “The service did not start due to a logon failure” appears when you enter CMC > Authentication > Windows AD after using the SPN to start CMS.


2. Run the “dcpromo” command.


3. Create a new DC (Domain Controller).

4. Create a new forest.

5. Enter the domain name as “DANIEL.COM”.

6. Choose the second radio button.


7. Configure a static IP address for the AD server.

8. Restart the computer with the AD server after finishing the AD installation.

9. Raise the Domain Functional Level to 2003.


10. Change the IP address and DNS server address as shown below.

NOTE: The Preferred DNS server is the IP address of the AD server. Machine that completes this action: BO server.

11. Join the BO server XI30RTM to the “DANIEL.COM” domain.


12. Restart the computer with the BO server.


Steps for Configuring Windows AD NTLM Authentication

1. Log on to the CMC. Configure Active Directory authentication using NTLM from the CMC Authentication tab.


NOTE:

By default, the CMC Administrator account is: Administrator/(no password).

The Default Microsoft Active Directory domain must be the Fully Qualified Domain Name of the domain. In addition, the AD user names and IDs are case-sensitive.

Regarding New User Options, depending on the license, you should select named users.

Configuring AD NTLM and single sign-on for Integration Option for Microsoft SharePoint Software 1.0

The following assumes a user is created on the SharePoint site and is able to log on to the Integration Option for Microsoft SharePoint Software 1.0 with an enterprise user.

1. Ensure Windows AD authentication is visible on the Integration Option for Microsoft SharePoint Software 1.0 login page. From inetmgr, browse to the site where Integration Option for Microsoft SharePoint Software 1.0 is installed.

2. Open the web.config for InfoViewApp and set authentication.visible to true.

<add key="authentication.visible" value="true"/>

The user is now able to see Windows AD authentication on the Integration Option for Microsoft SharePoint Software 1.0 login page and to log in with a Windows AD user.


3. Add the AD user to the SharePoint 2007 users list. Perform this activity with the SharePoint admin user.

4. Add aduser. Make sure that user is identified.


5. Log on to SharePoint with AD user.

6. Log on to Integration Option for Microsoft SharePoint Software 1.0 with the AD user. This confirms that the AD user can log on to SharePoint as well as to Integration Option for Microsoft SharePoint Software 1.0.

7. Enable SSO for Integration Option for Microsoft SharePoint Software 1.0.

Modifying web.config for impersonation and Windows authentication

To enable impersonation and Windows authentication, modify the web.config files for the two applications listed below.

Use the following steps to edit the web.config files for impersonation and Windows authentication.

1. Open the web.config file for Integration Option for Microsoft SharePoint Software 1.0.

2. Locate the following line under <system.web>:

<authentication mode="None" />

3. Modify the line as shown below:

<authentication mode="Windows" />

4. Locate the following line under <system.web> and modify it as shown:

<identity impersonate="true" />

5. Edit the strings as indicated:

<add key="cmsDefault" value="XI30RTM" />

<add key="ssoEnabled" value="true" />

<add key="authenticationDefault" value="secWinAD" />

6. Save and close the web.config file.

7. Open the web.config file for PlatformServices. Edit the following lines under <system.web>:

<authentication mode="Windows" />

<identity impersonate="true" />

8. Save and close the web.config file. Restart IIS.

9. Access the Integration Option for Microsoft SharePoint Software 1.0 login page.


10. Click the Log On button from content explorer.

The user logs on to Integration Option for Microsoft SharePoint Software 1.0 automatically.

Use the following configuration if the user wants to perform End-to-End SSO from a client system:

Machine A -- BOE + Integration Option for Microsoft SharePoint Software 1.0 is installed, added to the Windows AD domain, and AD users are mapped.

Machine B (Client System):

1. Add to Windows AD domain. User logs on to system with AD user.

2. From the browser settings, set Automatic logon with current user name and password.

3. Access the Integration Option for Microsoft SharePoint Software 1.0 URL from the new browser session.

4. Click Integration Option for Microsoft SharePoint Software 1.0 Log On button.

NOTE: Clear browser cookies if there are any issues with Single Sign-On.


Steps for Configuring Windows AD Kerberos Authentication

1. Create a new user named “spn” on the AD server. It will be used as the SPN account. Give “spn” the following rights:

Password never expires.

Use DES encryption types for this account.

Machine that completes this action: AD server.

2. Add spn as a member of the BO server’s Administrator group. Computer that completes this action: BO server.

3. Go to Local Security Settings and add “spn” to:

Act as part of the operating system.

Log on as a batch job.

Log on as a service.

Computer that completes this action: BO server.


4. Start SIA with Domain Account “spn”. Computer that completes this action: BO server.

5. Install Windows Support Tools.

Either the AD server or BO server completes this action.

6. Set up SPN in BO server:

On the BO server or AD server, go to the folder C:\Program Files\Support Tools using the DOS prompt. Set a HOST Service Principal Name (also known as SPN) for this user using the following commands:

C:\Program Files\Support Tools>setspn -R spn

C:\Program Files\Support Tools>setspn -A BOBJCentralMS/XI30RTM.DANIEL.COM spn

C:\Program Files\Support Tools>setspn -L XI30RTM

C:\Program Files\Support Tools>setspn -L spn

7. After “setspn”, the “Delegation” tab will appear in the “spn Properties” on the AD server. Choose the second radio button.

The AD server completes this action.


8. Log on to the CMC. Configure Active Directory authentication using Kerberos as shown below. The BO server completes this action.


IMPORTANT: The service name should be: BOBJCentralMS/XI30RTM.DANIEL.COM (the service name specified with setspn).

NOTE:

By default, the CMC Administrator account is: Administrator/(no password).

The Default Microsoft Active Directory domain must be the Fully Qualified Domain Name of the domain. In addition, the Service Principal Name and Kerberos are case-sensitive.

Regarding the last option, New User Options, depending on the license, you should select named users.

Configuring AD Kerberos Authentication for SharePoint server

Please refer to the Microsoft knowledge base article How to configure SharePoint Server 2007 and Excel Services for Kerberos authentication for more information on configuring SharePoint server for AD Kerberos authentication.


Configuring AD Kerberos and Single Sign-on for Integration Option for Microsoft SharePoint Software 1.0

This assumes the user is created on the SharePoint site and is able to log on to Integration Option for Microsoft SharePoint Software 1.0 with an enterprise user.

1. Ensure Windows AD authentication is visible on the Integration Option for Microsoft SharePoint Software 1.0 login page. From inetmgr, browse to the site where Integration Option for Microsoft SharePoint Software 1.0 is installed.

2. Open the web.config for InfoViewApp and set authentication.visible to true.

<add key="authentication.visible" value="true"/>

3. The user is able to see Windows AD authentication on the Integration Option for Microsoft SharePoint Software 1.0 login page and to log in with a Windows AD user.

4. Add the AD user to the SharePoint 2007 users list. Perform this activity with the SharePoint admin user.


5. Add aduser and make sure that user is identified.

6. Log on to SharePoint with AD user.


7. Log on to Integration Option for Microsoft SharePoint Software 1.0 with the AD user. This confirms that the AD user can log on to SharePoint as well as to Integration Option for Microsoft SharePoint Software 1.0.

8. Enable SSO for Integration Option for Microsoft SharePoint Software 1.0.

Modifying web.config for impersonation and Windows authentication

To enable impersonation and Windows authentication, modify the web.config files for the two applications listed below.

1. Open the web.config file for Integration Option for Microsoft SharePoint Software 1.0.

2. Locate the following line under <system.web>:

<authentication mode="None" />

3. Modify the line as shown below:

<authentication mode="Windows" />

4. Locate the following line under <system.web> and modify it as shown:

<identity impersonate="true" />

5. Edit the following strings:

<add key="cmsDefault" value="XI30RTM" />

<add key="ssoEnabled" value="true" />

<add key="authenticationDefault" value="secWinAD" />

6. Save and close the web.config file.

7. Open the web.config file for PlatformServices.

8. Edit the lines under <system.web> as indicated:

<authentication mode="Windows" />

<identity impersonate="true" />

9. Save and close the web.config file. Restart IIS.


10. Access the Integration Option for Microsoft SharePoint Software 1.0 login page. Click the Log On button from content explorer.

The user logs on to Integration Option for Microsoft SharePoint Software 1.0 automatically.

If the user wants to perform End-to-End SSO from a client system, use the following configuration:

Machine A -- BOE + Integration Option for Microsoft SharePoint Software 1.0 is installed, added to the Windows AD domain, and AD users are mapped.

Machine B (Client System)

1. Add user to Windows AD domain to log on to the system with AD user.

2. From the browser settings set Automatic logon with current user name and password.

3. Access the Integration Option for Microsoft SharePoint Software 1.0 URL from the new browser session.

4. Click Integration Option for Microsoft SharePoint Software 1.0 Log On button.
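
The web.config edits in the NTLM and Kerberos sections above are easy to get wrong when copied from a formatted document: a capitalised element name, or a stray space inside a key or value. The PowerShell below is an added example, not part of the original document or the product; the function name Test-SsoWebConfig, the sample XML, and the assumption that the three keys are <add key="..." /> entries somewhere in the file are illustrative.

```powershell
# Added example: audit a web.config for the SSO settings described in this document.
# Test-SsoWebConfig is a hypothetical helper name, not part of the product.
function Test-SsoWebConfig {
    param(
        [Parameter(Mandatory)] [xml] $Config,
        [string] $CmsName,
        [switch] $CheckAppSettings   # use for the Integration Option file only
    )
    $findings = New-Object 'System.Collections.Generic.List[string]'

    # Child elements of <system.web>; local-name() ignores any default namespace.
    $sysWeb   = $Config.SelectSingleNode("//*[local-name()='system.web']")
    $elements = @()
    if ($sysWeb) { $elements = @($sysWeb.SelectNodes('*')) }

    $required = @{ authentication = @('mode', 'Windows'); identity = @('impersonate', 'true') }
    foreach ($name in 'authentication', 'identity') {
        $attr, $want = $required[$name]
        # Configuration element names are case-sensitive, so match with -ceq.
        $node = $elements | Where-Object { $_.LocalName -ceq $name } | Select-Object -First 1
        if (-not $node) {
            $near = $elements | Where-Object { $_.LocalName -ieq $name } | Select-Object -First 1
            if ($near) { $findings.Add("<$($near.LocalName)> must be written as <$name>") }
            else       { $findings.Add("<$name $attr='$want' /> is missing under <system.web>") }
        }
        elseif ($node.GetAttribute($attr) -cne $want) {
            $findings.Add("<$name> has $attr='$($node.GetAttribute($attr))', expected '$want'")
        }
    }

    if ($CheckAppSettings) {
        # Assumption: the keys are <add key="..." value="..." /> entries anywhere in the file.
        $expected = [ordered]@{ cmsDefault = $CmsName; ssoEnabled = 'true'; authenticationDefault = 'secWinAD' }
        $adds = @($Config.SelectNodes("//*[local-name()='add'][@key]"))
        foreach ($key in $expected.Keys) {
            $hit = $adds | Where-Object { $_.GetAttribute('key') -ceq $key } | Select-Object -First 1
            if (-not $hit) {
                # Look for the same key with padding or different case.
                $near = $adds | Where-Object { $_.GetAttribute('key').Trim() -ieq $key } | Select-Object -First 1
                if ($near) { $findings.Add("key '$($near.GetAttribute('key'))' does not match '$key' exactly") }
                else       { $findings.Add("key '$key' is missing") }
                continue
            }
            $value = $hit.GetAttribute('value')
            if ($value -cne $expected[$key]) {
                $findings.Add("$key is '$value', expected '$($expected[$key])'")
            }
        }
    }
    $findings
}

# Constructed sample (not a real product file) containing three copy-and-paste defects:
# a padded value, a padded key, and a capitalised element name.
$sample = [xml]@'
<configuration>
  <appSettings>
    <add key="cmsDefault" value="XI30RTM " />
    <add key=" ssoEnabled" value="true" />
    <add key="authenticationDefault" value="secWinAD" />
  </appSettings>
  <system.web>
    <Authentication mode="Windows" />
    <identity impersonate="true" />
  </system.web>
</configuration>
'@
Test-SsoWebConfig -Config $sample -CmsName 'XI30RTM' -CheckAppSettings
```

For the PlatformServices file, omit -CheckAppSettings so that only the two <system.web> lines are checked; to audit a file on disk, pass ([xml](Get-Content <path to web.config> -Raw)) as -Config.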

Troubleshooting Tips

Clear browser cookies if you face issues with Single Sign On for IOMS.

If the user gets an “account information not recognized” internal error while logging in to IOMS using SSO, apply the following workaround:

1. Open IIS admin service using inetmgr from the command prompt.

2. Browse to the web site where IOMS is deployed.

3. Select InfoViewApp folder under _layouts.

4. Right-click and select Properties.

5. Select Directory & Security tab.

6. Click Edit under Authentication & Access control tab.

7. Uncheck Anonymous access.

8. Repeat the above steps for the PlatformServices and IOMS websites.

9. Ensure only integrated Windows authentication is checked for the PlatformServices, InfoViewApp and SharePoint site virtual directories.

10. Restart IIS.

Finding More Information

For more information and resources, refer to the product documentation and visit the support area of the web site at: http://help.sap.com.


Related Content

Introduction to Integration Option for Microsoft SharePoint software

Product Screen Shots: Integration Option for Microsoft SharePoint software 1.0

For more information, visit the Business Objects homepage.


Copyright

© Copyright 2010 SAP AG. All rights reserved.

No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice.

Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors.

Microsoft, Windows, Excel, Outlook, and PowerPoint are registered trademarks of Microsoft Corporation.

IBM, DB2, DB2 Universal Database, System i, System i5, System p, System p5, System x, System z, System z10, System z9, z10, z9, iSeries, pSeries, xSeries, zSeries, eServer, z/VM, z/OS, i5/OS, S/390, OS/390, OS/400, AS/400, S/390 Parallel Enterprise Server, PowerVM, Power Architecture, POWER6+, POWER6, POWER5+, POWER5, POWER, OpenPower, PowerPC, BatchPipes, BladeCenter, System Storage, GPFS, HACMP, RETAIN, DB2 Connect, RACF, Redbooks, OS/2, Parallel Sysplex, MVS/ESA, AIX, Intelligent Miner, WebSphere, Netfinity, Tivoli and Informix are trademarks or registered trademarks of IBM Corporation.

Linux is the registered trademark of Linus Torvalds in the U.S. and other countries.

Adobe, the Adobe logo, Acrobat, PostScript, and Reader are either trademarks or registered trademarks of Adobe Systems Incorporated in the United States and/or other countries.

Oracle is a registered trademark of Oracle Corporation.

UNIX, X/Open, OSF/1, and Motif are registered trademarks of the Open Group.

Citrix, ICA, Program Neighborhood, MetaFrame, WinFrame, VideoFrame, and MultiWin are trademarks or registered trademarks of Citrix Systems, Inc.

HTML, XML, XHTML and W3C are trademarks or registered trademarks of W3C®, World Wide Web Consortium, Massachusetts Institute of Technology.

Java is a registered trademark of Sun Microsystems, Inc.

JavaScript is a registered trademark of Sun Microsystems, Inc., used under license for technology invented and implemented by Netscape.

SAP, R/3, SAP NetWeaver, Duet, PartnerEdge, ByDesign, SAP Business ByDesign, and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and other countries.

Business Objects and the Business Objects logo, BusinessObjects, Crystal Reports, Crystal Decisions, Web Intelligence, Xcelsius, and other Business Objects products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of Business Objects S.A. in the United States and in other countries. Business Objects is an SAP company.

All other product and service names mentioned are the trademarks of their respective companies. Data contained in this document serves informational purposes only. National product specifications may vary.

These materials are subject to change without notice. These materials are provided by SAP AG and its affiliated companies ("SAP Group") for informational purposes only, without representation or warranty of any kind, and SAP Group shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP Group products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty.