BusinessObjects Enterprise Administrator's Guide

Windows AD security plug-in

Windows AD security plug-in enables you to map user accounts and groups from your Windows 2000 Active Directory (AD) user database to BusinessObjects Enterprise; it also enables BusinessObjects Enterprise to verify all logon requests that specify Windows AD Authentication.

Users are authenticated against the Windows AD user database, and have their membership in a mapped AD group verified before the Central Management Server grants them an active BusinessObjects Enterprise session.

This plug-in is compatible with Windows 2000 Active Directory domains running in either native mode or mixed mode. Note that in order to use the Windows AD security plug-in, the CMS needs to run under a user account that has the "Act as Part of the Operating System" right. See your Windows 2000 documentation for more information. For information on mapping Windows AD users and groups to BusinessObjects Enterprise, see "Managing AD accounts" on page 266.

Once you have mapped your AD users and groups, all of the BusinessObjects Enterprise client tools support AD authentication, except for the Import Wizard. You can also create your own applications that support AD authentication. For more information, see the developer documentation available on your product CD. For information on mapping Windows AD users and groups to BusinessObjects Enterprise, see "Managing AD accounts" on page 266.

Note:    

• AD authentication only works for servers running on Windows systems.
• AD authentication and aggregation is not functional without a network connection.
• AD authentication and aggregation may not continue to function if the administration credentials become invalid (for example, if the administrator changes his or her password or if the account becomes disabled).

Single sign-on

The Windows AD security plug-in supports single sign-on, thereby allowing authenticated AD users to log on to BusinessObjects Enterprise without explicitly entering their credentials. The single sign-on requirements depend upon the way in which users access BusinessObjects Enterprise: either via a thick client, or over the Web. In both scenarios, the security plug-in obtains the security context for the user from the authentication provider, and grants the user an active BusinessObjects Enterprise session if the user is a member of a mapped AD group:

• To obtain AD single sign-on functionality from a thick-client application (such as the Publishing Wizard), the user must be running a Windows operating system, and the application must use the BusinessObjects Enterprise SDK.

  In this scenario, the Windows AD security plug-in queries the operating system for the current user's credentials when the client is launched.

• To obtain single sign-on functionality over the Web, the system must use Microsoft components only. Specifically, the user must be running Internet Explorer on a Windows operating system, and the web server must be running Internet Information Server (IIS).

Note:    BusinessObjects Enterprise provides its own form of "anonymous single sign-on," which uses Enterprise authentication, as opposed to Windows AD authentication. Design your own web applications accordingly (or modify InfoView) if you want to use AD single sign-on. For information on AD single sign-on, see "Setting up AD single sign-on" on page 273.