BusinessObjects Enterprise Administrator's Guide

Configuring BusinessObjects Enterprise web applications

In order for the end-to-end single sign on to work, you have to configure the BusinessObjects Enterprise web applications to impersonate the user. See Configuring web applications for end-to-end single sign-on.

Note:    If you want to use single sign-on to the databases instead of end-to-end single sign-on, you have to set the BusinessObjects Enterprise web applications to not impersonate a user. See Configuring web applications for single sign-on to the databases.

Configuring web applications for end-to-end single sign-on

In order to use up end-to-end single sign-on, you have to set both the CMC and InfoView web applications to impersonate the user. To do this, edit the respective Web.config files on the IIS as follows.

To configure the web applications for full single sign-on

1. Add the following lines to the <system.web> block in the C:\Program Files\Business Objects\BusinessObjects Enterprise 11.5\Web Content\Enterprise115\WebAdmin\Web.config file:
• <identity impersonate="true" />
• <Authentication mode="Windows" />
2. Add the following lines to the <system.web> block in the C:\Program Files\Business Objects\BusinessObjects Enterprise 11.5\Web Content\Enterprise115\InfoView\Web.config file:
• <identity impersonate="true" />
• <Authentication mode="Windows" />
3. Enable Windows authentication by commenting out the following line in the C:\Program Files\Business Objects\BusinessObjects Enterprise 11.5\Web Content\Enterprise 115\InfoView\Web.config as shown:

<!-- <remove name="WindowsAuthentication"/> -->

Configuring web applications for single sign-on to the databases

If you want to use single sign-on to the databases instead of end-to-end single sign-on, you have to set BusinessObjects Enterprise web applications to not impersonate the user. To do this, edit their Web.config files on the IIS as follows.

Note:    If you want to use single sign-on to the database only, see also Configuring IIS for single sign-on to databases only.

To configure the web applications for single sign-on to the databases

1. Set the CMC to not impersonate the user by adding the following lines to the <system.web> block in the Web Content\Enterprise 115\WebAdmin\Web.config file:
• <identity impersonate="false" />
• <Authentication mode="Windows" />
2. Set InfoView to not impersonate the users, by adding the following lines to the <system.web> block in the Web Content\Enterprise 115\InfoView\Web.config file:
• <identity impersonate="false" />
• <Authentication mode="Windows" />

Note:    Make sure you set identity impersonate to false.

Users will now be able to log on to BusinessObjects Enterprise by providing their logon credentials in the InfoView or CMC logon dialog box and selecting Windows AD authentication. Once they are logged on, the users will have single sign-on access to the databases associated with BusinessObjects Enterprise.

Mapping AD accounts for Kerberos single sign-on

In order for the Kerberos single sign-on to work, you must map the groups containing the AD users that are to have access to BusinessObjects Enterprise to a BusinessObjects Enterprise group. See Mapping AD accounts.

Note:    For security reasons, ensure that the mapped groups do not contain the domain account that the IIS is running under.