Monday, 16 May 2011

Windows AD authentication for Business Objects using Kerberos

Hi All,
Hope you continue to read our series of blogs. In this blog, let me discuss Single Sign-on implementation in Business Objects.
Configuring Windows Active Directory SSO with SAP BusinessObjects XI 3.1 is one of the challenges for a Business Objects administrator. If you go with a Java-based BO deployment, take the utmost care, as Java is case sensitive.

What is Single sign-on?

Single sign-on (SSO) is a user authentication process that permits a user to enter one name and password to access multiple applications. This authenticates the user for all the applications they have been given rights to and eliminates further prompts.

Role of Kerberos in SSO

Kerberos is a network authentication protocol designed to provide strong authentication for client/server applications by using secret-key cryptography. A user authenticates to an authentication server, which creates a ticket. This ticket is sent to the application, which recognizes the ticket and grants the user access.

This blog refers to the following:

TESTSERVER - BusinessObjects server installed with Windows 2008 server. The version is XI 3.1 SP3
ADSERVER – Active Directory server installed with Windows 2003 server. Its Domain Functional Level is 2003.
BOLAB-ADMIN – Service Account used to run Business Objects Service.

Steps for configuring Windows AD authentication

Below is a general overview of the steps required to configure Business Objects Windows authentication using Kerberos.
  • Setting up a service account
  • Configure the service account rights
  • Register Service Principal Name (SPN)
  • Configuring the Server Intelligence Agent to use the service account
  • Configure the AD plug-in
  • Configure Tomcat web.xml file
  • Configure the Krb5AuthLoginModule and krb5.ini
  • Configure the Tomcat Java option

Setting up a service account

To configure Business Objects Enterprise using Kerberos and Windows AD authentication, we require a service account which should be a domain account that has been trusted for delegation. We can either use an existing domain account or create a new domain account. The service account will be used to run the Business Objects Enterprise servers.

Setting up a service account with delegation on a Windows 2003 Domain

  • Create an account on the domain controller or use an existing account.
  • Right-click the user account, then select Properties.
  • Click the Delegation tab.
  • Select Trust this user for delegation to any service (Kerberos only).

1. Configure the service account rights

In order to support the Active Directory authentication, you must grant the service account the right to act as part of the operating system and log on as a service. This must be done on each machine running the Server Intelligence Agent Service.
To configure this:
1. Click Start -> Administrative Tools -> Local Security Policy.
2. Expand Local Policies and then click User Rights Assignment.
3. Double-click Act as part of the operating system and click the Add User or Group button.
4. Add the user account that has been trusted for delegation and click OK.
5. Double-click Log on as a service and click the Add User or Group button.
6. Add the user account that has been trusted for delegation and click OK.
In order to support Kerberos, we must grant the service account the right to act as part of the operating system. This must be done on each machine running the servers below:
  • CMS
  • Page Server
  • Report Application Server
  • Web Intelligence Report Server

Adding the Service account to the Administrators Group

  • On the desired machine, right-click My Computer and then click Manage.
  • Go to Configuration > Local Users and Groups > Groups.
  • Right-click Administrators and then click Add to Group.
  • Click Add… and enter the logon name of the service account.
  • Click Check Names to ensure the account resolves.
  • Click OK and then click OK again.
  • Repeat these steps for each Business Objects server that has to be configured.

2. Register Service Principal Name (SPN)

If you are deploying Business Objects Services in a network that uses the Kerberos protocol for mutual authentication, you must create a Service Principal Name (SPN) for the Business Objects services if you configure it to run as a domain user account. The SETSPN utility is a program that allows managing the Service Principal Name (SPN) for service accounts in Active Directory.
  • Open a command prompt and enter this command:

SETSPN.exe -A BOBJCentralMS/HOSTNAME serviceaccount

Replace HOSTNAME with the fully qualified domain name of the machine running the CMS service, for example Testserver.NA.HEXAWARE.COM. Replace serviceaccount with the name of the service account that runs the CMS service. In this case it is BOLab-Admin.

SETSPN.exe -A BOBJCentralMS/TESTSERVER.NA.HEXAWARE.COM BOLab-Admin

  • Once run, we should receive a message similar to the one below:

Registering ServicePrincipalNames for CN=ServiceCMS, CN=Users, DC=DOMAIN, DC=COM
BOBJCentralMS/HOSTNAME.DOMAIN.COM
Updated object

  • To get a listing of what is currently registered for the account:

SETSPN.exe -L BOLab-Admin
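
A check to run after registration, added here as an example (not code from the original post): it parses `setspn -L` listings and reports when the CMS SPN is missing from the service account, is also held by another account, or uses a short host name instead of the fully qualified name the step above calls for. The listing layout, the `EXAMPLE.COM` DNs and the `OldSvc` account are assumptions constructed for the example, and names are compared case-insensitively.

```python
import re

# Constructed sample: `setspn -L` listings for two accounts, concatenated.
# The DNs and the second account (OldSvc) are invented for this example.
SAMPLE_LISTING = (
    "Registered ServicePrincipalNames for CN=BOLab-Admin,CN=Users,DC=EXAMPLE,DC=COM:\n"
    "\tBOBJCentralMS/TESTSERVER.NA.HEXAWARE.COM\n"
    "Registered ServicePrincipalNames for CN=OldSvc,CN=Users,DC=EXAMPLE,DC=COM:\n"
    "\tbobjcentralms/testserver.na.hexaware.com\n"
    "\tBOBJCentralMS/TESTSERVER\n"
)

HEADER = re.compile(r"^Registered ServicePrincipalNames for (?P<dn>.+?):\s*$")


def parse_setspn_listing(text):
    """Return {account DN: [SPN, ...]} from one or more `setspn -L` listings."""
    owners, current = {}, None
    for line in text.splitlines():
        match = HEADER.match(line)
        if match:
            current = match.group("dn")
            owners.setdefault(current, [])
        elif line.strip() and current is not None:
            owners[current].append(line.strip())
    return owners


def audit_spn(owners, service_class, fqdn, account_cn):
    """Check that service_class/fqdn sits on account_cn and nowhere else."""
    expected = f"{service_class}/{fqdn}".lower()
    cn_prefix = f"cn={account_cn.lower()},"
    findings = []
    # Every account that currently holds the expected SPN (any letter case).
    holders = [dn for dn, spns in owners.items()
               if expected in (s.lower() for s in spns)]
    if not any(dn.lower().startswith(cn_prefix) for dn in holders):
        findings.append(f"MISSING: {expected} is not registered on {account_cn}")
    for dn in holders:
        if not dn.lower().startswith(cn_prefix):
            findings.append(f"DUPLICATE: {expected} is also registered on {dn}")
    # SPNs of the same service class whose host part is not fully qualified.
    for dn, spns in owners.items():
        for spn in spns:
            cls, _, host = spn.partition("/")
            if cls.lower() == service_class.lower() and "." not in host:
                findings.append(f"SHORTNAME: {spn} on {dn} has no domain suffix")
    return findings


if __name__ == "__main__":
    for finding in audit_spn(parse_setspn_listing(SAMPLE_LISTING),
                             "BOBJCentralMS", "TESTSERVER.NA.HEXAWARE.COM",
                             "BOLab-Admin"):
        print(finding)
```

An SPN held by more than one account makes Kerberos service-ticket requests for it fail, so a DUPLICATE finding should be cleared before testing SSO.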
I will discuss more about the subsequent steps in the upcoming blog.

Wednesday, 6 April 2011

Business Objects File Repository Servers

Functions of File Repository server (FRS)

The BusinessObjects File Repository Servers (FRS) are responsible for listing files on the server, adding files to the repository, and removing files from the repository. The FRS is also responsible for the creation of file system objects such as exported reports and imported files in non-native formats.

Default FRS location in BOE Installation?

FRS can be found on your disk at \Program Files\Business Objects\BusinessObjects Enterprise 12\FileStore (for XI 3.x) in default installation. The two main directories under this location are Input and Output. The Input directory stores the report templates and thumbnail images, while the Output directory stores the results from running those templates. Thus, the Output directory is normally many times larger than the Input directory. Each of these directories is managed by its own BO XI File Repository server.
In every BusinessObjects Enterprise implementation there is an Input and an Output File Repository Server. Both manage their respective directories and handle all aspects of file management.

Input FRS

The Input File Repository Server manages all of the report objects and program objects that have been published to the repository. It can store .RPT, .CAR, .EXE, .BAT, .JS, .XLS, .DOC, .PPT, .RTF, .TXT, .PDF, .WID files. In the case of .RPT files, they are stored as report definition files only which do not contain any data.
The Report Properties page of the CMC shows you the location of the Input report files. The RPT report template can be found at frs://Input/a_084/004/000/1108/ca067d4f1710cbc.rpt
Browsing to this location shows two files: the RPT file with the name indicated on the report properties page of the CMC and a JPEG file, which serves as the thumbnail image.

Output FRS

The Output File Repository Server manages all of the report instances (saved data copy of the report) generated by the Report Job Server or the Web Intelligence Report Server, and the program instances generated by the Program Job Server. It also manages instances generated by the Web Intelligence Report Server and the LOV Job Server. It can store the following files: .RPT, .CSV, .XLS, .DOC, .RTF, .TXT, .PDF, .WID. .RPT and .WID files are stored as reports/documents with saved data.
Since the Output FRS stores the report instances, deleting instances removes only the instances, not the actual reports. The report structure remains stored in the Input FRS.
Using Query Builder we can find the location of the Output File Repository files. The following query may be handy if you already know the report name.
SELECT SI_NAME, SI_KIND, SI_FILES, SI_INSTANCE from CI_INFOOBJECTS
Where SI_NAME = 'xxxx'
If the SI_INSTANCE value is false, the InfoObject is the actual report and SI_PATH will be in the Input FRS. If SI_INSTANCE is true, the InfoObject is an instance and SI_PATH will be in the Output FRS.
Browsing to this location shows the actual instance file containing the report data, in the export format set by the scheduling parameters.

Diagnosing File Repository Servers

Repository Diagnostic Tool (RDT) is a command-line tool that scans, diagnoses, and repairs inconsistencies between your Central Management Server (CMS) system database and the File Repository Servers (FRS) filestore, or inconsistencies that can occur in the metadata of InfoObjects stored in the CMS database. These inconsistencies may occur during unexpected events such as disaster recovery, back-up restoration, or network outages. During these events, the CMS system database may be interrupted while performing a task. This can cause inconsistencies with objects in the CMS system database.
The inconsistencies that could potentially occur in the repository and that RDT can identify are:

| Inconsistency | Description | Repair Actions |
| --- | --- | --- |
| InfoObject exists, but no file | It is possible that an InfoObject exists in the CMS, but there is no file in the FRS | Delete the InfoObject, unless otherwise told |
| File exists but no InfoObject | It is possible the file exists but there is no corresponding InfoObject | User is notified to republish the object |
| Invalid Parent ID | An InfoObject can potentially have an invalid parent reference | The object and its children will be moved into a folder called 'Repair'. |
| Last Successful Instance | The reference to the last successful scheduled instance could be invalid | Remove the ID and let the CMS automatically recalculate it |
| Invalid Target ID | A shortcut could be pointing to an invalid object | The shortcut object will be deleted, unless told otherwise. |
| File size is wrong | There can be information discrepancies between the InfoObject and actual file | Update the InfoObject |
| Empty folders in the system | There may be empty folders due to old objects | Remove the empty directories, unless otherwise told. |
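
Three of the inconsistencies listed above (InfoObject without a file, file without an InfoObject, wrong file size) can be illustrated with a short reconciliation pass. This is an added example, not RDT and not code from the original post: it assumes InfoObject file records are available as (frs:// URI, size) pairs and that frs://Input/... maps to the Input directory under the FileStore root; the record names and sizes are constructed.

```python
import tempfile
from pathlib import Path, PurePosixPath


def frs_to_path(filestore, frs_uri):
    """Map frs://Input/... or frs://Output/... to a path under the FileStore root."""
    if not frs_uri.startswith("frs://") or "\\" in frs_uri:
        raise ValueError(f"not an FRS URI: {frs_uri!r}")
    parts = PurePosixPath(frs_uri[len("frs://"):]).parts
    # Refuse anything that would resolve outside the two managed trees.
    if not parts or parts[0] not in ("Input", "Output") or ".." in parts:
        raise ValueError(f"URI leaves the Input/Output trees: {frs_uri!r}")
    return Path(filestore).joinpath(*parts)


def reconcile(filestore, infoobjects):
    """Compare InfoObject file records with the filestore; return (finding, uri) pairs."""
    filestore = Path(filestore)
    findings, referenced = [], set()
    for obj in infoobjects:
        for uri, size in obj["files"]:
            path = frs_to_path(filestore, uri)
            referenced.add(path)
            if not path.is_file():
                findings.append(("InfoObject exists, but no file", uri))
            elif path.stat().st_size != size:
                findings.append(("File size is wrong", uri))
    # Second pass: files on disk that no InfoObject record points at.
    for tree in ("Input", "Output"):
        root = filestore / tree
        if not root.is_dir():
            continue
        for path in sorted(root.rglob("*")):
            if path.is_file() and path not in referenced:
                uri = "frs://" + path.relative_to(filestore).as_posix()
                findings.append(("File exists but no InfoObject", uri))
    return findings


def demo():
    """Build a constructed filestore in a temp directory and reconcile it."""
    report = "frs://Input/a_084/004/000/1108/ca067d4f1710cbc.rpt"
    with tempfile.TemporaryDirectory() as tmp:
        folder = Path(tmp, "Input", "a_084", "004", "000", "1108")
        folder.mkdir(parents=True)
        (folder / "ca067d4f1710cbc.rpt").write_bytes(b"x" * 10)  # 10 bytes on disk
        (folder / "orphan.jpeg").write_bytes(b"y")               # no InfoObject
        infoobjects = [  # constructed records, as a CMS query might return them
            {"name": "Report A", "files": [(report, 12)]},       # CMS says 12 bytes
            {"name": "Report B", "files": [("frs://Output/a_001/missing.pdf", 5)]},
        ]
        return reconcile(tmp, infoobjects)


if __name__ == "__main__":
    for finding, uri in demo():
        print(f"{finding}: {uri}")
```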

Limitations for File Repository Servers

  • The Input and Output File Repository Servers cannot share the same directories. This is because one of the File Repository Servers could then delete files and directories belonging to the other.
  • In larger deployments, there may be multiple Input and Output File Repository Servers, for redundancy. In this case, all Input File Repository Servers must share the same directory. Likewise, all Output File Repository Servers must share a directory.          

Monday, 28 February 2011

Xcelsius Dashboards – using QAAWS and Live Office

Hi All,
Hope you did not encounter any issues in integrating Xcelsius with SQL Server Reporting Services and SharePoint data. In this blog, I would like to explain how to integrate an Xcelsius dashboard with Query As A Web Service (abbreviated QAAWS) and Live Office.
Introduction
  • QAAWS is an Xcelsius provided web service that gets data from a Business Objects Universe using queries and exposes the URL that can be used to fetch data at run-time from the database using the universe metadata.
  • Live Office integrates with Microsoft Office, embedding up-to-the-minute corporate data in Microsoft PowerPoint, Excel, and Word documents.
  • The server component of QAAWS is installed automatically with BusinessObjects Enterprise XI Release 2 Service Pack 2 with Web Intelligence.
  • The server component of Live Office is installed automatically with BusinessObjects Premium while keys need to be purchased for Professional edition.
  • Client tool for QAAWS needs to be purchased as a separate license.
  • Client components of both Live Office and QAAWS are available in the collaterals CD in the Adds-on folder.
Xcelsius Connector to be used
  • Using Query as a Web Service client tool installed in the user’s machine, login and connect to the universe from where data needs to be fetched for the dashboard
  • Generate a WSDL (Web Service Definition Language) similar to creating a query using a desktop intelligence report query.  Result objects and Filter objects will be defined in the WSDL.
  • Prompts can be specified in case parameters need to be passed between the queries.
  • In the Xcelsius dashboard, the Query as a Web Service component should be used to fetch data using the URL created through the client tool as described above.
  • Live Office client once installed on a machine appears as another Tool Bar option in Office tools.
  • Using the menu, data from Web Intelligence reports and Crystal reports can be fetched into Excel that can be a source of information for the dashboard.
  • Similar to QAAWS, the Web Intelligence and Crystal Report queries can have prompts to pass parameters between queries at run-time.
  • In the Xcelsius dashboard, the Live Office component can be used to fetch data from Web Intelligence reports and Crystal reports.
Dashboard Features
  • For a dashboard shown as sample that depicts the Service Requests (SRs) handled for a client, there are three queries to fetch the data.
    • SRs raised, opened and closed
    • High and Critical SRs open more than 3 days
    • High and Critical SRs opened today
  • For the first two queries, Live Office is used to fetch data; for the third query, QAAWS is used to fetch data.
  • Live Office queries are used when data needs to be fetched in the form of cross-tabs which is not possible through QAAWS.
  • Using both QAAWS and Live Office, it is possible to fetch data from more than one data source.
  • On clicking a specific month, details of the SRs would be displayed in a new window.  The details are typically a drill down in business intelligence terminology.
  • Drill downs
    • Drill down can be provided from the main dashboard to another Xcelsius dashboard with more details or a Web intelligence / Crystal report
    • Even PDF documents that have been generated from other tools can be viewed in the Xcelsius dashboards
    • Flash variables can be used to pass data from the main dashboard to the drill down dashboard
    • opendocument URL can be used to call drill down reports and pass parameters from the dashboard to the drill down reports
  • Security
    • Xcelsius dashboards can handle the security similar to web intelligence documents.  The dimension level security specified in the universe, applies to the dashboards too.
    • In the specific sample shown, if the SRs are from different applications, it is possible for managers to view only the applications for which they are responsible.
We have provided ways of integrating Xcelsius dashboards with live data using QAAWS, Live Office, Reporting Services and SharePoint Consumer, Provider and Param components.
Let me know if you would like to know more on other dashboard topics. Get back to me in case of any specific queries. I would be happy to assist you. Happy reading!

Business Objects Query Builder – Part II


OM CI_INFOOBJECTS WHERE SI_KIND='Webi' AND SI_NAME LIKE 'Annual%' AND SI_RUNNABLE_OBJECT=1
3. To extract a list of Web Intelligence documents that are scheduled in a specified period of time
SELECT SI_NAME FROM CI_INFOOBJECTS WHERE SI_KIND='Webi' and SI_RUNNABLE_OBJECT=1 and
SI_NEXTRUNTIME between '2010.07.08.09' and '2010.07.08.11'
4. To return all report folders containing a string
SELECT * FROM CI_INFOOBJECTS WHERE SI_NAME LIKE '%Service%' AND SI_KIND='Folder'
5. To return all Universe folders containing a string
SELECT * FROM CI_APPOBJECTS WHERE SI_NAME LIKE '%Sales%' AND SI_KIND='Folder'
6. To see what type of rights you have for your BO software
SELECT SI_NAME from CI_SYSTEMOBJECTS where SI_NAMEDUSER=0 AND SI_KIND='User'
7. To find all crystal and webi reports – not instances
Select si_id, si_name from ci_infoobjects where (si_kind = 'CrystalReport' or si_kind = 'Webi') and si_instance = 0 and si_children = 0
  • To find all crystal reports – not instances or shortcuts
select si_id, SI_NAME, si_owner, SI_PARENT_FOLDER, si_children, SI_PROCESSINFO.SI_FILES, SI_PROCESSINFO.SI_LOGON_INFO, SI_PROCESSINFO.SI_RECORD_FORMULA from CI_INFOOBJECTS where (si_kind = 'CrystalReport') and si_instance = 0 and not si_name like 'Shortcut to%'
  • To find all the failed instances
select SI_NAME, SI_OWNER, SI_AUTHOR, SI_STATUSINFO from CI_INFOOBJECTS where SI_SCHEDULEINFO.SI_OUTCOME>=2 and SI_SCHEDULEINFO.SI_STARTTIME>='2011.01.01'
  • To find successful instances
select SI_NAME, SI_OWNER, SI_AUTHOR, SI_STATUSINFO, SI_SCHEDULEINFO from CI_INFOOBJECTS where SI_SCHEDULEINFO.SI_OUTCOME<2 and SI_SCHEDULEINFO.SI_STARTTIME>='2011.01.01'
  • To find successful instances of a particular report after a specific date
select SI_NAME, SI_OWNER, SI_AUTHOR, SI_STATUSINFO, SI_SCHEDULEINFO from CI_INFOOBJECTS where SI_SCHEDULEINFO.SI_OUTCOME<2 and SI_SCHEDULEINFO.SI_STARTTIME>='2011.01.01' and SI_NAME = 'Test.rpt'
  • To find scheduled instances for a specific time range
select SI_NAME, SI_SCHEDULEINFO.SI_submitter, SI_SCHEDULEINFO.SI_STARTTIME from CI_INFOOBJECTS where SI_SCHEDULEINFO.SI_STARTTIME>='2011.01.01.16.00.00' and SI_SCHEDULEINFO.SI_STARTTIME<'2011.01.02.13.00.00' order by SI_SCHEDULEINFO.SI_STARTTIME
  • To find successfully scheduled reports (not instances) scheduled after a certain date
select si_id, SI_NAME, si_owner, SI_PARENT_FOLDER, si_children, SI_PROCESSINFO.SI_FILES, SI_PROCESSINFO.SI_LOGON_INFO, SI_PROCESSINFO.SI_RECORD_FORMULA, SI_SCHEDULEINFO.SI_STARTTIME, SI_SCHEDULEINFO.SI_SUBMITTER, SI_SCHEDULEINFO.SI_DESTINATION, SI_SCHEDULEINFO.SI_UISTATUS from CI_INFOOBJECTS where SI_SCHEDULEINFO.SI_OUTCOME = 1 and si_instance = 0 and SI_SCHEDULEINFO.SI_STARTTIME>='2008.11.01'
  • To find recurring instances
select si_id, SI_NAME, si_owner, SI_PARENT_FOLDER, si_children, si_recurring, SI_PROCESSINFO.SI_FILES, SI_PROCESSINFO.SI_LOGON_INFO, SI_PROCESSINFO.SI_RECORD_FORMULA, SI_SCHEDULEINFO.SI_STARTTIME, SI_SCHEDULEINFO.SI_SUBMITTER, SI_SCHEDULEINFO.SI_DESTINATION, SI_SCHEDULEINFO.SI_UISTATUS from CI_INFOOBJECTS where not si_name like 'Shortcut to%' and si_recurring=1 and SI_SCHEDULEINFO.SI_STARTTIME>='2008.11.01'
  • To find users who have logged in since a specified date or whose userid was created after a specified date, but may not have logged in
select si_name, SI_CREATION_TIME, si_lastlogontime from ci_systemobjects where si_kind = 'user' and (si_lastlogontime > '2008.11.01.04.59.59' or SI_CREATION_TIME > '2009.04.01.04.59.59')
  • To find reports that have not been scheduled
select SI_NAME, SI_OWNER, SI_AUTHOR, SI_SCHEDULEINFO, SI_PARENT_FOLDER from CI_INFOOBJECTS where (si_kind = 'CrystalReport' or si_kind = 'Webi') and si_instance = 0 and si_children = 0 and SI_SCHEDULEINFO.SI_SCHED_NOW = 0
  • To find all users logged in to Business Objects at a given point in time
SELECT TOP 1000 * FROM CI_SystemObjects WHERE si_kind = 'Connection' AND si_parent_folder = 41 AND si_authen_method != 'server-token' ORDER BY si_name
  • To get a list of Crystal reports by data connection from BO Enterprise
SELECT SI_NAME FROM CI_APPOBJECTS WHERE SI_KIND='MetaData.DataConnection'
  • To find the universe used by the report
SELECT SI_ID, SI_NAME, SI_WEBI, SI_OWNER
FROM CI_INFOOBJECTS, CI_SYSTEMOBJECTS, CI_APPOBJECTS
Where PARENTS("SI_NAME='Webi-Universe'","SI_NAME ='Your Universe Name'")
  • To get all recurring reports from a specific folder
SELECT * FROM CI_INFOOBJECTS WHERE si_parent_folder = '3711' and
SI_recurring = 1
  • To get all recurring reports from a specific folder that are NOT paused
SELECT * FROM CI_INFOOBJECTS WHERE si_parent_folder = '3711' and
SI_recurring = 1 and SI_SCHEDULEINFO.SI_SCHEDULE_FLAGS = '0'
  • To get all recurring reports from a specific folder that are PAUSED
SELECT * FROM CI_INFOOBJECTS WHERE si_parent_folder = '3711' and
SI_recurring = 1 and SI_SCHEDULEINFO.SI_SCHEDULE_FLAGS = '1'
  • To get a list of users who are logged in to your Business Objects XI at a given point in time
SELECT TOP 3000 * FROM CI_SystemObjects WHERE si_kind = 'Connection' AND si_parent_folder = 41 AND si_authen_method != 'server-token'
ORDER BY si_name
  • To get all Webi reports from the repository
Select SI_ID, SI_NAME From CI_INFOOBJECTS Where SI_PROGID='CrystalEnterprise.Webi' And SI_INSTANCE=0
  • To get Full Client Reports from the repository
SELECT SI_ID, SI_NAME, SI_FILES FROM CI_INFOOBJECTS WHERE SI_KIND in ('webi', 'FullClient')
  • To get all reports from the repository
Select SI_ID, SI_NAME From CI_INFOOBJECTS Where SI_PROGID='CrystalEnterprise.Report' And SI_INSTANCE=0
  • To get all universes from the repository
Select SI_ID, SI_NAME, SI_WEBI, SI_KIND From CI_APPOBJECTS where SI_KIND ='Universe'
  • To get all users from the repository
SELECT SI_ID, SI_NAME FROM CI_SYSTEMOBJECTS WHERE SI_PROGID='CrystalEnterprise.USER'
  • To get all groups from the repository
Select * from CI_SYSTEMOBJECTS Where SI_KIND='UserGroup'
  • To get all folders from the repository
Select SI_ID, SI_NAME From CI_INFOOBJECTS Where SI_PROGID='CrystalEnterprise.Folder'
  • To get all categories from the repository
Select SI_ID, SI_NAME From CI_INFOOBJECTS Where SI_KIND='Category'
  • To get all personal categories from the repository
Select SI_ID, SI_NAME From CI_INFOOBJECTS Where SI_KIND='PersonalCategory'
Hope all of these come in handy for you. In the forthcoming post, I will discuss Business Objects File Repository Servers in detail.