
Business Objects XIr2 Windows NT Authentication Single Sign-on 18 August 2006.


1 Business Objects XIr2 Windows NT Authentication Single Sign-on 18 August 2006

2 The Key to Single Sign-On

3 Objectives
Upon completion of this presentation, you will:
- Understand how Windows NT Authentication works in Business Objects XIr2
- Use Single Sign-on in Business Objects XIr2
- Be able to use Windows NT Authentication in your Business Objects XIr2 installation

4 Prerequisites
1. Business Objects XIr2
2. Business Objects XIr2 License Key
3. Administrator NT Id for Business Objects Server
4. Windows 2003 Server Operating System
5. IIS 6

5 What is Single Sign-On?
Single Sign-on (SSO)
- Any user authentication system permitting users to access multiple data sources through a single point of entry.
- Part of an integrated access management framework.
Authentication (Greek: αυθεντικός = real or genuine, from 'authentes' = author) is the act of establishing or confirming something (or someone) as authentic, that is, that claims made by or about the thing are true.
In computer security, authentication is the process of attempting to verify the digital identity of the sender of a communication such as a request to log in. The sender being authenticated may be a person using a computer, a computer itself or a computer program.

6 Why you should use Single Sign-On
- No problems within Business Objects with disabled accounts from too many logon attempts
- Authentication managed for all applications in the same tool
- Users do not need to remember multiple passwords
- Password change policy is set company wide and applies to all applications
- When a user leaves the company, their access to all applications is removed at the same time
- When a user joins the company, their access to all appropriate applications can be quickly set up
- Single Sign-On security can be passed through to the database to provide complete end-to-end single sign-on

7 Why you should NOT use Single Sign-On
- If a user forgets their password or is locked out, they cannot access any applications
- It is difficult to log on as another user. For most companies, this is not a problem since it is prohibited
- Limited to applications and technologies that use Single Sign-On
- Single Sign-On can be difficult to set up in some applications
- Some LDAP based applications may still require the user to log on with their ID and password
- The authentication server becomes a major single point of failure
- Only one Authentication type will work for Single Sign-On
  - Windows NT, Windows AD, LDAP
  - Pick one for all users

8 How to enable Single Sign-On
Multi-step process
1. Modify web.config file on server
2. Enable IIS authentication
3. Change Central Management Server service to log on as a user with authority to read security groups
4. Enable Single Sign-On in Central Management Console
5. Disable the Guest Account
6. Test Single Sign-On in InfoView

9 Step 1 – enable Single Sign-on in web.config
{Drive}:\Program Files\Business Objects\BusinessObjects Enterprise 11.5\Web Content\Enterprise115\InfoView\Web.config
XML FILE
section
- Add or modify the following lines
- Authentication types are (secEnterprise, secLDAP, secWindowsNT, secWinAD)
section
- Add or modify the following lines

10 Step 2 – enable IIS Windows Authentication
Internet Information Services (IIS) Manager
- Find the Business Objects website in IIS
- Go to Enterprise115 – Infoview under it and view Properties
- Directory Security tab
- Edit the Authentication and Access control
- Ensure the only box checked is the Integrated Windows Authentication box
- Click OK on the Authentication Method window
- Click OK on the Infoview Properties window
- Close the Internet Information Services (IIS) Manager

11 Step 3 – Central Management Server
Central Management Server Service – Set service to be able to access your NT Security groups or Active Directory
Administrative Tools – Services
Central Management Server
- Select Properties
- Select Log On tab
- Enter an Account and Password that can access your NT Security groups or Active Directory
- Restart your Business Objects server and ensure that all services start correctly

12 Step 4 – enable Single Sign-on in CMC
Central Management Console
Authentication Section
Windows NT tab
- Check the NT Authentication is Enabled box
- Check the Single Sign On is enabled box
- Fill in the Default NT Domain with the domain for your network
- Select Assign each added NT alias to an account with the same name
- Select New aliases will be added and new users will be created
- Select New users are created as named or concurrent - {whatever your license type is}
- Enter your NT Groups (or Active Directory Groups) in the format [Server name]\[group name] or [NT Domain]\[group name]. Click Add
- Click Update

13 Step 5 – disable the Guest Account
Central Management Console
Disable the Guest account to prevent Business Objects log-on for users logged into the domain who do not have their user-id in a mapped NT or Active Directory security group
Users Section
Guest Account
- Properties Tab
- Select the Account is disabled box
- Click Update

14 Step 6 – test Single Sign-On
- Log into your domain
- Ensure your User Id is in a mapped Active Directory or NT security group
- Go to your InfoView URL
- You should automatically bypass the InfoView logon screen and go directly into InfoView
- If you log out of InfoView, you should see the logon screen
- You should be able to log in again without entering anything in the User Name and Password fields; if Authentication is set to Windows NT, just click the Log On button.
- Single Sign-On may not work in the Central Management Server or desktop tools. You can select Windows NT authentication and enter your Windows NT User Id and Password to log in.
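Step 2 leaves Integrated Windows Authentication as the only checked method, and that can be confirmed from the wire as part of the Step 6 test: a request sent without credentials should be answered with a 401 that offers only the Negotiate and/or NTLM schemes. The following is an added example, not part of the original presentation; the function names, the probed URL and the sample responses are assumptions constructed for illustration.

```python
import urllib.error
import urllib.request

# Schemes IIS offers when only Integrated Windows Authentication is checked.
INTEGRATED = {"negotiate", "ntlm"}

def review_challenge(status, www_authenticate):
    """Return findings for the response to a request sent WITHOUT credentials.

    www_authenticate is the list of WWW-Authenticate header values
    (assumed one challenge per header, which is how IIS sends them), or None.
    """
    schemes = [v.split(None, 1)[0].lower()
               for v in (www_authenticate or []) if v.strip()]
    findings = []
    if status != 401:
        findings.append(f"status {status}: no credentials were demanded "
                        "(anonymous access enabled?)")
    elif not schemes:
        findings.append("401 without a WWW-Authenticate header")
    for scheme in sorted(set(schemes) - INTEGRATED):
        findings.append(f"extra scheme offered: {scheme}")
    if status == 401 and schemes and not set(schemes) & INTEGRATED:
        findings.append("Integrated Windows Authentication is not offered")
    return findings

def probe(url, timeout=10):
    """Fetch url with no credentials; return (status, WWW-Authenticate values)."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status, resp.headers.get_all("WWW-Authenticate")
    except urllib.error.HTTPError as err:  # a 401 arrives here
        return err.code, err.headers.get_all("WWW-Authenticate")

# Constructed sample responses (not captured from a real server).
SAMPLES = [
    (401, ["Negotiate", "NTLM"]),                     # expected after Step 2
    (401, ["Negotiate", "NTLM", 'Basic realm="bo"']), # Basic box left checked
    (200, None),                                      # anonymous access left on
]

if __name__ == "__main__":
    for status, headers in SAMPLES:
        print(status, headers, "->", review_challenge(status, headers) or "OK")
```

To check a live server, pass the result of `probe()` on your InfoView URL to `review_challenge()`; an empty list means only Integrated Windows Authentication was offered.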

15 What if I don’t have IIS?
If you do not use IIS
- You can use Netegrity SiteMinder to provide Single Sign-on for LDAP and Active Directory authentication.
- You can use Authentication built into the Java version of Business Objects using Kerberos. There is a guide available on the Business Objects support website to help you with this called AD Authentication on Java App servers.
- You can set the Java version of Business Objects to use LDAP or Active Directory and use a Windows IIS front end to create a login token and then redirect to the JSP version of Business Objects with the Login Token specified.
  - Custom Code is needed
  - http://{servername}:8080/businessobjects/enterprise115/desktoplaunch/InfoView/logon/logon.do?token=CRYSTAL01.NOMACO.COM@55112JklitWNk3A9wh6Fk55110J2vYnaBe1eBIrwD6
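With the redirect approach the login token travels in the query string of logon.do, so it is written to web server access logs and can reappear in the Referer of later requests. The following is an added example, not part of the original presentation, that finds and redacts such tokens in access logs; the combined log format, the host name and the sample lines and token values are assumptions constructed for illustration.

```python
import re

# Assumption: access logs use the common/combined log format.
LINE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<when>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) \S+'
    r'(?: "(?P<referer>[^"]*)" "(?P<agent>[^"]*)")?'
)
# The token query parameter as it appears in the logon.do URL on the slide.
TOKEN = re.compile(r'([?&]token=)[^&\s"]+', re.IGNORECASE)

def scrub(lines):
    """Return (redacted_lines, findings).

    A finding is (client, timestamp, field), where field says whether the
    token was seen in the request line or in the Referer header.
    """
    redacted, findings = [], []
    for line in lines:
        m = LINE.match(line)
        if m:
            for field in ("request", "referer"):
                value = m.group(field)
                if value and TOKEN.search(value):
                    findings.append((m.group("client"), m.group("when"), field))
        # Redact everywhere on the line, even if the line did not parse.
        redacted.append(TOKEN.sub(r"\1[REDACTED]", line))
    return redacted, findings

# Constructed sample log lines; the token value is made up.
BASE = "/businessobjects/enterprise115/desktoplaunch/InfoView"
SAMPLE = [
    '10.0.0.5 - - [18/Aug/2006:09:14:02 -0500] '
    f'"GET {BASE}/logon/logon.do?token=HOST.EXAMPLE@1234AbCd HTTP/1.1" 302 -',
    '10.0.0.5 - - [18/Aug/2006:09:14:03 -0500] '
    f'"GET {BASE}/main.do HTTP/1.1" 200 5120 '
    f'"http://bo.example:8080{BASE}/logon/logon.do?token=HOST.EXAMPLE@1234AbCd" '
    '"Mozilla/4.0"',
    '10.0.0.9 - - [18/Aug/2006:09:15:40 -0500] '
    f'"GET {BASE}/main.do HTTP/1.1" 200 5120',
]

if __name__ == "__main__":
    clean, found = scrub(SAMPLE)
    for client, when, field in found:
        print(f"token exposed in {field} from {client} at {when}")
    print("\n".join(clean))
```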

16 Summary
Having completed this presentation, you have:
- Learned how Windows NT Authentication works in Business Objects XIr2
- Learned how to use Single Sign-on in Business Objects XIr2
- Learned how to use Windows NT Authentication in your Business Objects XIr2 installation
For additional Business Objects XIr2 Authentication help please refer to the Business Objects Administrators Guide.

17 Questions?
Please contact:
Steve Rademacher
Consultant
Business Solutions
1751 W. Diehl Road Suite 160
Naperville, IL 60563
Office: (630) 305-4630 x407
Cell: (630) 247-3896
Steve.Rademacher@bus-solutions.com

18 Thank You for Attending!!

