BOXI using kerberos gettig moved behind BigIP

Question

I've been tasked with moving a running Business Objects XI server behind BigIP.  The existing setup was using Kerberos login and the server hostname as the URL.&nbsp;
When moving to BigIP, they still want Kerberos to work, and added a second node, so the URL of the BOXI changed to the VIP name (boxi.domain.com).  I've got the basic setup all dne, but am unsure how to attack the Kerberos.&nbsp;
Do I need to set up an APM policy and perform the Kerberos and pass it to the backend servers?&nbsp;

tll_91858 · Answer

Answering my own question.&nbsp;
Yes, set up an APM policy and perform Kerberos just like any other SSO KPT request.  The trick with Business Objects is the set up on the BO server.  Follow all the best practices from SAP on setting up for Kerberos on BO XI, but then add a obscure setting in the web.xml as below:
 
  idm.allowS4U
  true
 &nbsp;
Turns out BO sets allowS4U to disable by default.
 More helpful info at: http://wiki.scn.sap.com/wiki/display/Community/Configuring+SSO+for+Business+Objects+Infoview+with+BEA+Weblogic&nbsp;
Tom&nbsp;

Forum Discussion

BOXI using kerberos gettig moved behind BigIP

1 Reply

F5 Container Ingress Services (CIS) and using k8s traffic policies to send traffic directly to pods

F5 Architecture Track Sessions - AppWorld 2026

Recent Discussions

F5 Software Downgrade from version 17.x.x to 15.x.x

Error diskmonitor

CPU utilization of F5OS on r2600

sslprovide (--f5 ssl) does not generate CLIENT/SERVER_TRAFFIC_SECRET on server-side TLS traffic

Hardware replacement i2800 to r2600

Related Content

Troubleshooting Kerberos Constrained Delegation: Strong Encryption Types Allowed for Kerberos

Kerberos is Easy - Part 2

Kerberos Is Easy - Part 1

APM Cookbook: Single Sign On (SSO) using Kerberos

Kerberos Authentication Failing for Exchange 2016 Behind F5 Cloud WAF

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS