Crystal Reports Server 2008, WACS and AD Auth on 2008 Domain

This was kicking my butt the past couple of days. Up to this point, I'd simply been using the server to schedule and email reports out to people. What I wanted was to allow users to log in with their AD credentials, browse InfoView and run their own reports. Simple, right?

This is how I did it.
  1. Create a service account in AD. This account doesn't need elevated privileges. Tick the User cannot change password and Password never expires boxes. In my example the account is svc_crs.
  2. Use setspn.exe to create the Service Principal Name. Run the command on a DC in a command prompt with elevated privileges. Here is more info on setspn. The convention is setspn -a MySpnName/MySvcAcct.Domain.Com MySvcAcct. In my environment I used setspn.exe -a CrystalSvr/svc_crs.NETWORK.INTERNAL svc_crs.
  3. Open your service account Account Properties in Active Directory Users and Computers, select the Delegation tab, and change delegation to Trust this user for delegation to any service (Kerberos only).
  4. In Central Management Console (CMC), go to the Authentication area. Open Windows AD and Enable Windows Active Directory (AD).
    • Click the field to the right of AD Administration Name and add your service account UPN like mine, svc_crs@NETWORK.INTERNAL, and the Default AD Domain. Make sure you use ALL CAPS for your domain info in both the UPN and domain fields.
    • Map in an AD Group, using DOMAIN\GROUP convention.
    • Select Use Kerberos authentication and fill in your Service principal name, e.g. CrystalSvr/svc_crs.NETWORK.INTERNAL.
    • Tick the box under Synchronization of Credentials to ensure account sync on user log in.
  5. Schedule Users AD Alias Updates and accept the defaults; also accept the default scheduling for AD Group Graph Updates. Select Update and close the window. You should see users from your selected group appear in the Users and Groups area.
  6. Add the service account to the local administrators group on the Crystal Reports server.
  7. In the Local Security Policy settings on the server, expand Local Policies, and highlight User Rights Assignment. Add your service account to Act as part of the operating system.
  8. At this point you should be able to log into the server using client tools, like browsing the Enterprise Server using Crystal Reports 2008. If not, see my troubleshooting links below.
  9. Now you'll need to add a C:\WINNT directory on your server.
  10. Place a file named bscLogin.conf into this directory with these contents:

    com.businessobjects.security.jgss.initiate {
    com.sun.security.auth.module.Krb5LoginModule required debug=true;
    };

  11. Place a file named krb5.ini into this same directory with these contents, replacing MYDOMAIN.COM with your upper-case domain, and MYDCHOSTNAME.MYDOMAIN.COM with your AD controller host name followed by domain name in upper-case:

    [libdefaults]
    default_realm = MYDOMAIN.COM
    dns_lookup_kdc = true
    dns_lookup_realm = true
    default_tgs_enctypes = rc4-hmac
    default_tkt_enctypes = rc4-hmac
    udp_preference_limit = 1
    [realms]
    MYDOMAIN.COM = {
    kdc = MYDCHOSTNAME.MYDOMAIN.COM
    default_domain = MYDOMAIN.COM
    }
  12. You can validate your setup by running kinit.exe from the javasdk\bin directory under your BusinessObjects install directory and entering your UPN with the domain name capitalized. You'll be prompted for your password, and should be told a ticket was issued and deposited in your profile directory.
  13. In CMC go to Servers, Service Categories, Core Services. Locate the Web Application Container Server in the description column. Open it.
  14. In the Properties area, locate Active Directory Configuration Settings.
  15. In the Krb5.ini File Location box, enter
    c:\winnt\krb5.ini
  16. In the bscLogin.conf File Location box, enter
    c:\winnt\bscLogin.conf
  17. Restart the SIA (Server Intelligence Agent).
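As an added check (not part of the original post), here is a short Python script that parses a krb5.ini laid out like the one above and flags the mistakes this setup is most sensitive to: a lower-case realm or KDC name, a realm block that does not match default_realm, and the RC4-only enctypes, which are worth revisiting if your JDK and domain support AES. The realm NETWORK.INTERNAL and host DC01 in the sample are assumed values.

```python
# Constructed sample krb5.ini: the post's template with the placeholders filled
# in for a hypothetical realm NETWORK.INTERNAL and domain controller DC01.
KRB5_INI = """[libdefaults]
default_realm = NETWORK.INTERNAL
default_tgs_enctypes = rc4-hmac
default_tkt_enctypes = rc4-hmac
[realms]
NETWORK.INTERNAL = {
kdc = DC01.NETWORK.INTERNAL
default_domain = NETWORK.INTERNAL
}
"""

def parse_krb5_ini(text):
    # {section: {key: value}}; a 'REALM = { ... }' block becomes a nested dict.
    sections, section, realm = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section, realm = line[1:-1], None
            sections.setdefault(section, {})
        elif line.endswith("{"):                       # start of a realm block
            realm = line[:-1].split("=")[0].strip()
            sections[section][realm] = {}
        elif line == "}":
            realm = None
        elif "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            (sections[section][realm] if realm else sections[section])[key] = value
    return sections

def check_krb5_ini(text):
    # Returns a list of findings; empty means the file follows the post's rules.
    findings, cfg = [], parse_krb5_ini(text)
    defaults = cfg.get("libdefaults", {})
    realm = defaults.get("default_realm", "")
    if not realm or realm != realm.upper():
        findings.append(f"default_realm '{realm}' must be set and upper-case")
    block = cfg.get("realms", {}).get(realm, {})
    kdc = block.get("kdc", "")
    if not kdc.endswith("." + realm) or kdc != kdc.upper():
        findings.append(f"kdc '{kdc}' should be an upper-case host inside {realm}")
    if block.get("default_domain") != realm:
        findings.append("default_domain does not match default_realm")
    for key in ("default_tgs_enctypes", "default_tkt_enctypes"):
        if "rc4-hmac" in defaults.get(key, ""):
            findings.append(f"{key} permits rc4-hmac; prefer AES if the JDK and domain support it")
    return findings
```

Run it against c:\winnt\krb5.ini before restarting the SIA; the sample above only trips the two rc4-hmac notes, while a lower-case realm is reported immediately.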
Good resources for info:
  • SAP site. Create a free account in their community. Look for the following KB articles:
    • KB 1483762, two great PDF documents at the end of this article.
    • KB 1529040, top KBs for setting this up on XI SP3 and later.
    • KB 1476374, detailed setup instructions.
  • Hexaware Blog
  • David Taylor's Blog

Comments

Sean Killeen said…
First off, thank you for posting this!

One problem here for us: the SPN has been created, and the users have been mapped, and the .ini and .conf files have been created. However, I do not see WACS listed in the servers list anywhere.

In lieu of this, do you know where I can find the place to specify the krb5.ini and bsclogin.conf file locations?

As of now, I can pull the users list but cannot log on with my username and password.

Thanks again for this awesome article! Haven't found a resource nearly as good as these steps.

John Croson said…
Thanks Sean.

What you are looking for is located in the Servers folder, Servers List object, and probably page 2 of the list will be the Description, "Web Application Container Server".

Right-click this object and check the Active Directory Configuration Settings area. That's where you'll tell the service where to look for the krb5.ini and bscLogin.conf. Just like this: c:\winnt\krb5.ini.

Good luck!
