BusinessObjects Enterprise Administrator's Guide

Configuring the Windows AD plug-in for Kerberos authentication

In order to support Kerberos single sign-on, you have to configure the Windows AD security plug-in in the CMC to use Kerberos authentication. This includes:

• Ensuring Windows AD authentication is enabled.
• Setting up an AD Administrator account. This account requires read access to Active Directory only; it does not require any other rights.
• Enabling Kerberos single sign-on and setting the service principal name (SPN) to use a service account.

To configure the Windows AD security plug-in

1. Go to the Authentication management area of the CMC.
2. Click the Windows AD tab.
3. Ensure that the Windows Active Directory Authentication is enabled check box is selected.
4. Select the Single sign-on is enabled check box.

Note:    For related information about configuring the Windows AD plug-in, see Managing AD accounts.

5. Set up the AD administrator account:
1. Click AD Administrator Name.
2. Enter the name and password for the account and the default AD Domain.

Note:    The AD Administrator account requires read access to Active Directory only; it does not require any other rights.

3. Click Update.
6. In the "Mapped AD Member Group" area, map the AD group for the AD users who require access to BusinessObjects Enterprise via AD authentication and single sign-on. See Mapping AD accounts.
7. Under Authentication Options select the following:
• Select the Use Kerberos authentication check box.
• Select the Cache Security context (required for SSO to database) check box.
• In the Service Principal Name box, enter the service principal name of the service account.

  Note:    This must be the same account that you use to run the BusinessObjects Enterprise servers. See Setting up a service account.

8. Click Update.