BusinessObjects Enterprise Administrator's Guide

Configuring IIS6 for Kerberos end-to-end single sign-on

To support Kerberos for end-to-end single sign-on, you must configure IIS, specifically the w3wp.exe worker process, to run as an account that has been trusted for delegation.

You can run IIS either under the machine domain account or under a user domain account. Each approach has advantages and disadvantages:

Which approach you use depends on how you want to manage your system security.

For complete information about security risks associated with system or user domain accounts, refer to the Microsoft web site: http://www.microsoft.com.

Refer to either of the following procedures, depending on whether you want to use a machine or user domain account:

To run the IIS6 worker process under the machine domain account
  1. On the domain controller, set the account of the IIS machine to be trusted for delegation.

     Note:    Changing this property can take several minutes to propagate.

     If you don't want to use end-to-end single sign-on but want to provide single sign-on to the database, skip step 1. See also Configuring IIS for single sign-on to databases only.

  2. Configure the account for the w3wp.exe worker process:
    1. In the Internet Service Manager window, right-click the machine name and select Application Pool > New.
    2. Type in a name for the application pool.
    3. In the tree panel on the left, expand to Default Web Site > businessobjects > EnterpriseX (where X equals your version number).
    4. Right-click InfoView and select Properties.
    5. On the Directory tab, select the new application pool name from the list, and then click Apply.
    6. Right-click the application pool you created, and select Properties.
    7. On the Identity tab, select LocalSystem from the list, and then click Apply.

       Note:    Configuring the w3wp.exe account to run as a LocalSystem account will cause all ASP.NET web applications on the web server to run as privileged system accounts.

       Note:    For security reasons, make sure that the account which the IIS worker processes run under does not belong to a mapped group.

  3. If the machine name for the web server is different from the name that is used to access it, add an SPN for HTTP access on the web server machine:

       setspn -A HTTP/serverhost.domainname.com serverhost

     For example, if access is via www.domainname.com but the machine name is web.domainname.com.
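The following PowerShell script is an added example for checking the machine-domain-account procedure above; it is not part of the BusinessObjects guide. It assumes names that the guide does not give: the web server's computer account is "web" in domainname.com (in the default CN=Computers container), users reach the site as www.domainname.com, the application pool created for InfoView is called "BOEPool", setspn.exe from the Windows Support Tools is on the PATH, and the script runs on the web server under a domain account that can read Active Directory and the local IIS metabase. It confirms the trusted-for-delegation flag on the computer object (useful while the change propagates), reads the pool identity type from the IIS 6 metabase, and registers the HTTP SPN for the access name only when it is missing.

```powershell
# Added example, not from the BusinessObjects guide. All names below are assumptions.
param(
    [string]$MachineName = 'web',                  # computer account of the web server (assumed)
    [string]$AccessName  = 'www.domainname.com',   # name users type in the browser (assumed)
    [string]$DomainDn    = 'DC=domainname,DC=com', # domain DN (assumed)
    [string]$PoolName    = 'BOEPool'               # application pool created in step 2 (assumed)
)

$ErrorActionPreference = 'Stop'

# Step 1 check: the computer object must carry the TRUSTED_FOR_DELEGATION flag,
# which is bit 0x80000 of userAccountControl. The change made on the domain
# controller can take minutes to propagate, so re-run until this reports True.
$computer = [ADSI]"LDAP://CN=$MachineName,CN=Computers,$DomainDn"
$uac      = [int]$computer.Properties['userAccountControl'].Value
$trusted  = ($uac -band 0x80000) -ne 0
"Computer $MachineName trusted for delegation: $trusted"

# Step 2 check: the pool serving InfoView must run as LocalSystem.
# IIS 6 metabase AppPoolIdentityType: 0 = LocalSystem, 1 = LocalService,
# 2 = NetworkService, 3 = specific user.
$pool         = [ADSI]"IIS://localhost/W3SVC/AppPools/$PoolName"
$identityType = [int]$pool.Properties['AppPoolIdentityType'].Value
"Application pool $PoolName identity type: $identityType (0 = LocalSystem)"

# Step 3: register HTTP/<access name> on the machine account, but only when the
# access name differs from the machine FQDN and the SPN is not already present.
$machineFqdn = "$MachineName." + ($DomainDn -replace 'DC=', '' -replace ',', '.')
$spn = "HTTP/$AccessName"
if ($AccessName -ieq $machineFqdn) {
    "Access name equals the machine FQDN; no extra SPN is needed."
} else {
    $registered = & setspn -L $MachineName
    if ($registered -match [regex]::Escape($spn)) {
        "$spn is already registered on $MachineName"
    } else {
        & setspn -A $spn $MachineName
    }
    # Print the final list so the result can be recorded with the change.
    & setspn -L $MachineName
}
```

Save the script as a .ps1 file and run it with the real names as parameters; the SPN list it prints at the end is the record to keep with the change so that a later duplicate-SPN problem can be traced back to this registration.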

To run the IIS6 worker process under a user domain account
  1. Set w3wp.exe to run as a user domain account that has been trusted for delegation. To do this, change the following parameters in the <processModel> block in the \WINDOWS\Microsoft.NET\Framework\version\CONFIG\machine.config file:

  2. Add the domain account to the IIS_WPG local group, and give it the relevant rights to access the needed files. For more information, see http://msdn.Microsoft.com.

  3. If the machine name for the web server is different from the name that is used to access it, add an SPN for HTTP access on the web server machine:

       setspn -A HTTP/serverhost.domainname.com serverhost

     For example, if access is via www.domainname.com but the machine name is web.domainname.com.
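The following PowerShell script is an added example for the user-domain-account procedure above; it is not part of the BusinessObjects guide. The guide does not name the <processModel> parameters to change, so this script assumes the ASP.NET 1.x attribute names userName and password; it also assumes the service account is DOMAINNAME\svc_boe, the framework directory is v1.1.4322, and the script runs on the web server as a local administrator. It edits machine.config, adds the account to IIS_WPG (step 2), and then confirms in Active Directory that the account really is trusted for delegation, since step 1 depends on that flag. The SPN registration in step 3 is the same setspn command the guide shows and is not repeated here.

```powershell
# Added example, not from the BusinessObjects guide. Account, version and the
# processModel attribute names (userName, password) are assumptions.
param(
    [string]$Account  = 'DOMAINNAME\svc_boe',                      # delegated service account (assumed)
    [string]$Password = $(Read-Host 'Password for the service account'),
    [string]$Version  = 'v1.1.4322'                                # .NET Framework directory (assumed)
)

$ErrorActionPreference = 'Stop'

# Step 1: point <processModel> at the delegated account.
$cfgPath = Join-Path $env:windir "Microsoft.NET\Framework\$Version\CONFIG\machine.config"
Copy-Item $cfgPath "$cfgPath.bak"                # keep a copy to roll back to
[xml]$cfg = Get-Content $cfgPath
$pm = $cfg.configuration.'system.web'.processModel
if ($pm -eq $null) { throw "No <processModel> element found in $cfgPath" }
$pm.SetAttribute('userName', $Account)
$pm.SetAttribute('password', $Password)          # stored in clear text, as the guide's method implies
$cfg.Save($cfgPath)
"Updated $cfgPath (backup at $cfgPath.bak)"

# Step 2: make the account a member of IIS_WPG so the worker process can start under it.
& net localgroup IIS_WPG $Account /add

# Confirm the account carries the TRUSTED_FOR_DELEGATION flag (userAccountControl
# bit 0x80000). Without it the worker process cannot forward the user's Kerberos
# ticket to the BusinessObjects server or the database.
$sam      = ($Account -split '\\')[-1]
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.Filter = "(&(objectCategory=user)(sAMAccountName=$sam))"
$user = $searcher.FindOne()
if ($user -eq $null) { throw "Account $sam not found in the current domain" }
$uac     = [int]$user.Properties['useraccountcontrol'][0]
$trusted = ($uac -band 0x80000) -ne 0
"Account $Account trusted for delegation: $trusted"
```

Restart IIS (iisreset) after the script completes so the worker process picks up the new identity; if the delegation check prints False, fix the account on the domain controller first and allow time for the change to propagate before testing single sign-on.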

Business Objects
http://www.businessobjects.com/
Support services
http://www.businessobjects.com/services/support/
Product Documentation on the Web
http://support.businessobjects.com/documentation/