BusinessObjects Enterprise Administrator's Guide

Configuring IIS for single sign-on to databases only

When using Kerberos with Windows AD, you can choose whether you want to provide end-to-end single sign-on, or whether you want users to provide their logon credentials when they log in to BusinessObjects Enterprise. When users log on to BusinessObjects Enterprise, the system generates a logon token to provide single sign-on access to the databases.

To use single sign-on to the databases only

Configure the IIS worker processes to run as a domain account in order for the network to recognize their accounts, but the account does not have to be trusted for delegation. Refer to either of the following procedures, depending on whether you are using IIS5 or IIS6:

Configure the web applications for single sign-on to the database instead of end-to-end single sign-on. See Configuring web applications for single sign-on to the databases.

Note: If configuring the IIS for single sign-on to the database only, you do not need to configure the browser for single sign-on. See Configuring the Internet Explorer browser on a client machine.

Clear the Single Sign On is enabled check box on the Windows AD page in the Authentication management area in CMC.

Configuring IIS5 for single sign-on to database only

To support single sign-on to the database only, you have to set the Aspnet_wp.exe worker process to run as a domain account, but the account does not have to be trusted for delegation. You can run the IIS worker process either under the machine domain account or under a user domain account. Each approach has advantages and disadvantages:

If you use a machine domain account, the password will be automatically generated and won't expire, nor can it be exposed or modified.
If you use a user domain account you have more control over the rights for the account, but the password could be exposed or modified, and it may expire, which would result in an error condition.

Which approach you use, depends on how you want to manage your system security.

For complete information about security risks associated with system or user domain accounts, refer to the Microsoft web site: http://www.microsoft.com.

To configure the IIS5 for single sign-on to databases only

Make sure IIS is running as a domain account
Set the Aspnet_wp.exe to run as a machine domain account. To do this, change the following parameters to the <processModel> block in the \WINDOWS\Microsoft.NET\Framework\version\CONFIG\machine.config file:

userName="SYSTEM"
Password:="AutoGenerate"
In the above path name, version represents the software version.

Note:
Configuring the Aspnet_wp.exe account to run as a machine domain account will cause all ASP.NET web applications on the web server to run as privileged system accounts.
For security reasons, make sure that the account which IIS runs under does not belong to a mapped group.

If the machine name for the web server is different from the name that is used to access it, add an SPN for HTTP access on the web server machine:

setspn -A HTTP/serverhost.domainname.com serverhost

For example, if access is via www.domainname.com but the machine name is web.domainname.com.

Configuring IIS6 for single sign-on to database only

To support single sign-on to the database only, you have to set the w3wp.exe worker process to run as a machine or user domain account, but the account does not have to be trusted for delegation. You can run the IIS worker process either under the machine domain account or under a user domain account. Each approach has advantages and disadvantages:

If you use a machine domain account, the password will be automatically generated and won't expire, nor can it be exposed or modified.
If you use a user domain account you have more control over the rights for the account, but the password could be exposed or modified, and it may expire, which would result in an error condition.

Which approach you use, depends on how you want to manage your system security.

For complete information about security risks associated with system or user domain accounts, refer to the Microsoft web site: http://www.microsoft.com.

To configure the IIS6 for single sign-on to databases only

Make sure IIS is running as a domain account.
Configure the account for the w3wp.exe worker process:

In the Internet Service Manager window, right-click the machine name and select Application Pool > New.
Type in a name for the application pool.
In the tree panel on the left, expand to Default Web Site > businessobjects > EnterpriseX (where X equals your version number).
Right-click InfoView and select Properties.
On the Directory tab select the new application pool name from the list, and then click Apply.
Right-click the application pool you created, and select Properties.
On the Identity tab select LocalSystem from the list, and then click Apply.

Note:

Configuring the w3wp.exe account to run as a machine domain account will cause all ASP.NET web applications on the web server to run as privileged system accounts.
For security reasons, make sure that the account which IIS runs under does not belong to a mapped group.

If the machine name for the web server is different from the name that is used to access it, add an SPN for HTTP access on the web server machine:

setspn -A HTTP/serverhost.domainname.com serverhost

For example, if access is via www.domainname.com but the machine name is web.domainname.com.

Business Objects
http://www.businessobjects.com/
Support services
http://www.businessobjects.com/services/support/
Product Documentation on the Web
http://support.businessobjects.com/documentation/