Business Objects XIr2 Windows NT Authentication Single Sign-on 18 August 2006

Business Objects XIr2
Windows NT Authentication
Single Sign-on
18 August 2006
The Key to Single Sign-On
Objectives
Upon completion of this presentation, you will:
• Understand how Windows NT Authentication works in Business Objects XIr2
• Use Single Sign-on in Business Objects XIr2
• Be able to use Windows NT Authentication in your Business Objects XIr2 installation
Prerequisites
1. Business Objects XIr2
2. Business Objects XIr2 License Key
3. Administrator NT Id for Business Objects Server
4. Windows 2003 Server Operating System
5. IIS 6
What is Single Sign-On?
Single Sign-on (SSO)
Any user authentication system permitting users to access multiple data sources
through a single point of entry. Part of an integrated access management framework.
Authentication
(Greek: αυθεντικός = real or genuine, from 'authentes' = author) is the act of
establishing or confirming something (or someone) as authentic, that is, that claims
made by or about the thing are true.
In computer security, authentication is the process of attempting to verify the digital
identity of the sender of a communication such as a request to log in. The sender
being authenticated may be a person using a computer, a computer itself or a
computer program.
Why you should use Single Sign-On
• Account lockouts from too many failed logon attempts are enforced by the domain, so there are no Business Objects-only locked or disabled accounts to reset
• Authentication managed for all applications in the same tool
• Users do not need to remember multiple passwords
• Password change policy is set company wide and applies to all applications
• When a user leaves the company, their access to all applications is removed at the same time
• When a user joins the company, their access to all appropriate applications can be quickly set up
• Single Sign-On security can be passed through to the database to provide complete end-to-end single sign-on
Why you should NOT use Single Sign-On
• If a user forgets their password or is locked out, they cannot access any applications
• It is difficult to log on as another user. For most companies this is not a problem, since it is prohibited
• Limited to applications and technologies that use Single Sign-On
• Single Sign-On can be difficult to set up in some applications
• Some LDAP-based applications may still require the user to log on with their ID and password
• The authentication server becomes a major single point of failure
• Only one authentication type (Windows NT, Windows AD or LDAP) will work for Single Sign-On; pick one for all users
How to enable Single Sign-On
Multi-step process
1. Modify web.config file on server
2. Enable IIS authentication
3. Change Central Management Server service to logon as a user with authority
to read security groups
4. Enable Single Sign-On in Central Management Console
5. Disable the Guest Account
6. Test Single Sign-On in InfoView
Step 1 – enable Single Sign-on in web.config
{Drive}:\Program Files\Business Objects\BusinessObjects Enterprise 11.5\Web Content\Enterprise115\InfoView\Web.config
XML file
<WebDesktopSettings> section
Add or modify the following lines. Authentication types are
secEnterprise, secLDAP, secWindowsNT and secWinAD; Windows NT SSO needs secWindowsNT.
<add key="authenticationDefault" value="secWindowsNT" />
<add key="ssoEnabled" value="true" />
<system.web> section
Add or modify the following lines. ssoEnabled only works when ASP.NET itself uses
Windows authentication and impersonates the browser's Windows identity, which is what
these two elements do; without them InfoView has no Windows identity to pass to the
CMS and the user still gets the logon screen.
<identity impersonate="true" />
<authentication mode="Windows" />
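A check for this step, added here as an example that is not part of the original presentation or of Business Objects' own tooling: it parses an InfoView web.config and reports which of the four settings above are missing or wrong, and also flags the half-done state (ssoEnabled true while ASP.NET is not using Windows authentication). The three sample documents inside it are constructed for the demo; the section name is matched case-insensitively because the slide writes WebDesktopSettings while the file uses webDesktopSettings.

```python
"""Audit an XIr2 InfoView web.config for the Windows NT single sign-on settings.

Added example, not part of the presentation or of Business Objects' own tooling.
It checks the four settings the slides call for:
  webDesktopSettings: authenticationDefault == secWindowsNT, ssoEnabled == true
  system.web:         <identity impersonate="true"/>, <authentication mode="Windows"/>
and flags the half-done state (ssoEnabled without Windows authentication), in
which InfoView has no Windows identity to hand to the CMS.
BEFORE, HALF_DONE and AFTER are constructed sample files, not real ones.
"""
import xml.etree.ElementTree as ET

AUTH_TYPES = {"secEnterprise", "secLDAP", "secWindowsNT", "secWinAD"}

BEFORE = """
<configuration>
  <webDesktopSettings>
    <add key="authenticationDefault" value="secEnterprise" />
    <add key="ssoEnabled" value="false" />
  </webDesktopSettings>
  <system.web>
    <authentication mode="None" />
  </system.web>
</configuration>
"""

HALF_DONE = """
<configuration>
  <webDesktopSettings>
    <add key="authenticationDefault" value="secWindowsNT" />
    <add key="ssoEnabled" value="true" />
  </webDesktopSettings>
  <system.web>
    <authentication mode="None" />
  </system.web>
</configuration>
"""

AFTER = """
<configuration>
  <webDesktopSettings>
    <add key="authenticationDefault" value="secWindowsNT" />
    <add key="ssoEnabled" value="true" />
  </webDesktopSettings>
  <system.web>
    <identity impersonate="true" />
    <authentication mode="Windows" />
  </system.web>
</configuration>
"""


def _section(root, name):
    """Direct child element called `name`, matched case-insensitively."""
    for child in root:
        if child.tag.lower() == name.lower():
            return child
    return None


def _attr(section, tag, attr):
    """Attribute `attr` of child `tag` inside `section`, or None if absent."""
    if section is None:
        return None
    elem = section.find(tag)
    return None if elem is None else elem.get(attr)


def audit_web_config(xml_text):
    """Return the list of findings; an empty list means step 1 is complete."""
    root = ET.fromstring(xml_text.strip())
    findings = []

    wds = _section(root, "webDesktopSettings")
    keys = {} if wds is None else {a.get("key"): a.get("value") for a in wds.findall("add")}
    auth_default = keys.get("authenticationDefault")
    if auth_default not in AUTH_TYPES:
        findings.append("authenticationDefault missing or not one of %s" % sorted(AUTH_TYPES))
    elif auth_default != "secWindowsNT":
        findings.append("authenticationDefault is %s; Windows NT SSO needs secWindowsNT" % auth_default)
    sso = (keys.get("ssoEnabled") or "").lower() == "true"
    if not sso:
        findings.append("ssoEnabled is not true")

    sw = _section(root, "system.web")
    impersonate = (_attr(sw, "identity", "impersonate") or "").lower() == "true"
    mode = _attr(sw, "authentication", "mode")
    if not impersonate:
        findings.append('system.web is missing <identity impersonate="true" />')
    if mode != "Windows":
        findings.append('system.web authentication mode is %r; expected "Windows"' % mode)
    if sso and mode != "Windows":
        findings.append("ssoEnabled is true but ASP.NET is not using Windows authentication, "
                        "so there is no Windows identity to pass to the CMS")
    return findings


if __name__ == "__main__":
    for label, doc in (("before", BEFORE), ("half-done", HALF_DONE), ("after", AFTER)):
        print(label, audit_web_config(doc) or ["OK"])
```

Run it against the real file by reading Web.config into a string and passing it to audit_web_config; the findings list is empty only when all four settings are present with the values the slide gives.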
Step 2 – enable IIS Windows Authentication
Internet Information Services (IIS) Manager
Find the Business Objects website in IIS
Go to Enterprise115 – InfoView under it and view Properties
Directory Security tab
• Edit the Authentication and Access control
• Ensure the only box checked is the Integrated Windows Authentication box. In particular, clear Enable anonymous access: while anonymous access is on, IIS serves the page without ever challenging the browser, so no Windows identity reaches InfoView and the logon screen still appears
• Click OK on the Authentication Methods window
• Click OK on the InfoView Properties window
• Close the Internet Information Services (IIS) Manager
Step 3 – Central Management Server
Central Management Server Service – Set service to be able to access
your NT Security groups or Active Directory
Administrative Tools – Services – Central Management Server
• Select Properties
• Select Log On tab
• Enter an Account and Password that can access your NT Security groups or Active Directory. A dedicated domain user account is enough: it needs the Log on as a service right and the ability to read group membership, not domain administrator rights
• Restart your Business Objects server and ensure that all services start correctly
Step 4 – enable Single Sign-on in CMC
Central Management Console
Authentication Section Windows NT tab
• Check the NT Authentication is Enabled box
• Check the Single Sign On is enabled box
• Fill in the Default NT Domain with the domain for your network
• Select Assign each added NT alias to an account with the same name
• Select New aliases will be added and new users will be created
• Select New users are created as named or concurrent – {whatever your license type is}
• Enter your NT Groups (or Active Directory Groups) in the format [Server name]\[group name] or [NT Domain]\[group name]. Click Add
• Click Update
Step 5 – disable the Guest Account
Central Management Console
Disable the Guest account to prevent Business Objects log-on for
users logged into the domain who do not have their user-id in a
mapped NT or Active Directory security group
Users Section
Guest Account
• Properties tab
• Select the Account is disabled box
• Click Update
Step 6 – test Single Sign-On
Log into your domain
• Ensure your User Id is in a mapped Active Directory or NT security group
• Go to your InfoView URL
• You should automatically bypass the InfoView logon screen and go directly into InfoView
• If you log out of InfoView, you should see the logon screen
• You should be able to log in again without entering anything in the User Name and Password fields; if Authentication is set to Windows NT, just click the Log On button
• Single Sign-On may not work in the Central Management Console or desktop tools. You can select Windows NT authentication and enter your Windows NT User Id and Password to log in
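When this test fails, the first thing to look at is the reply IIS gives to an unauthenticated request for the InfoView directory, which is what step 2 controls and what a browser network trace or `curl -I` shows before any logon page. The following added example (not from the presentation or from Business Objects) classifies such a reply; the three responses inside it are constructed samples modelled on IIS 6, not captures from a real server.

```python
"""Classify what IIS is doing for the InfoView virtual directory from the raw
response to an unauthenticated GET.

Added example, not part of the presentation.  With anonymous access cleared and
Integrated Windows Authentication on (step 2), the first reply must be 401 with
`WWW-Authenticate: Negotiate` and/or `NTLM`; the browser then answers with a
Kerberos or NTLM token and the user never sees the logon page.  A 200 means
anonymous access is still enabled, so IIS never asks for a Windows identity and
SSO cannot work.  A 401 offering only `Basic` would, after prompting the user,
send the domain password base64-encoded on every request.  All responses below
are constructed samples.
"""

ANONYMOUS_200 = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Microsoft-IIS/6.0\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html>logon page</html>"
)
IWA_401 = (
    "HTTP/1.1 401 Unauthorized\r\n"
    "Server: Microsoft-IIS/6.0\r\n"
    "WWW-Authenticate: Negotiate\r\n"
    "WWW-Authenticate: NTLM\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)
BASIC_401 = (
    "HTTP/1.1 401 Unauthorized\r\n"
    "Server: Microsoft-IIS/6.0\r\n"
    'WWW-Authenticate: Basic realm="crystal01"\r\n'
    "\r\n"
)


def parse_response(raw):
    """Split a raw HTTP response into (status code, {header-name-lower: [values]}).
    Repeated headers are kept: IIS sends one WWW-Authenticate per scheme."""
    head = raw.split("\r\n\r\n", 1)[0]
    status_line, *header_lines = head.split("\r\n")
    status = int(status_line.split(" ", 2)[1])
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return status, headers


def offered_schemes(headers):
    """Set of lower-cased auth schemes named in WWW-Authenticate headers."""
    return {v.split(" ", 1)[0].lower() for v in headers.get("www-authenticate", [])}


def classify_iwa(raw):
    """Return one of: anonymous-allowed, iwa-enforced, iwa-with-basic-fallback,
    basic-only, no-challenge, unexpected-<status>."""
    status, headers = parse_response(raw)
    if status == 200:
        return "anonymous-allowed"          # step 2 not done: anonymous access still on
    if status != 401:
        return "unexpected-%d" % status
    schemes = offered_schemes(headers)
    if schemes & {"negotiate", "ntlm"}:
        return "iwa-with-basic-fallback" if "basic" in schemes else "iwa-enforced"
    if "basic" in schemes:
        return "basic-only"                 # password would travel base64-encoded
    return "no-challenge"                   # 401 but nothing for the browser to answer


if __name__ == "__main__":
    for name, sample in (("anonymous", ANONYMOUS_200), ("iwa", IWA_401), ("basic", BASIC_401)):
        print(name, "->", classify_iwa(sample))
```

Only "iwa-enforced" matches the configuration in step 2; "anonymous-allowed" means the Enable anonymous access box is still checked, and either Basic result means a method other than Integrated Windows Authentication was left enabled.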
What if I don’t have IIS?
If you do not use IIS
• You can use Netegrity SiteMinder to provide Single Sign-on for LDAP and Active Directory authentication
• You can use the authentication built into the Java version of Business Objects using Kerberos. There is a guide available on the Business Objects support website to help you with this called AD Authentication on Java App servers
• You can set the Java version of Business Objects to use LDAP or Active Directory and use a Windows IIS front end to create a login token and then redirect to the JSP version of Business Objects with the Login Token specified
Custom code is needed
http://{servername}:8080/businessobjects/enterprise115/desktoplaunch/InfoView/logon/logon.do?token=CRYSTAL01.NOMACO.COM@55112JklitWNk3A9wh6Fk55110J2vYnaBe1eBIrwD6
The token in that URL is a bearer credential: anyone who obtains it can log on as that user until it expires, and it will be written to web server logs, proxy logs, browser history and Referer headers. Serve the redirect only over HTTPS and create the token with the shortest validity period and the smallest number of logons the front end can work with.
Summary
Having completed this presentation, you have:
• Learned how Windows NT Authentication works in Business Objects XIr2
• Learned how to use Single Sign-on in Business Objects XIr2
• Learned how to use Windows NT Authentication in your Business Objects XIr2 installation
• For additional Business Objects XIr2 Authentication help please refer to the Business Objects Administrators Guide
Questions?
Please contact:
Steve Rademacher
Consultant
Business Solutions
1751 W. Diehl Road
Suite 160
Naperville, IL 60563
Office: (630) 305-4630 x407
Cell: (630) 247-3896
[email protected]
Thank You for Attending!!