How to configure Trusted Authentication for CA Business Intelligence using IIS and the Tomcat Connector?

Article ID: 52728

Updated On:

Products

SUPPORT AUTOMATION- SERVER
CA Service Desk Manager - Unified Self Service
KNOWLEDGE TOOLS
CA Service Management - Asset Portfolio Management
CA Service Management - Service Desk Manager

Issue/Introduction

Description:

When displaying CA Business Intelligence (CABI) reports on the CA Service Desk Reports tab, the default integration between Service Desk and CABI automatically signs the user into CABI using the Service Desk user's user ID and password. However, when Service Desk is configured to use external authentication, this automatic sign-in does not work because Service Desk does not have the user's password. To enable the integration between Service Desk and CABI when Service Desk is configured to use external authentication, CABI must also be configured to use external authentication. External authentication is known as Trusted Authentication within BusinessObjects.

One of the most recognized authentication methods today is Integrated Windows Authentication (IWA), which automatically authenticates the user against Microsoft's Active Directory. IWA is an integral feature of IIS; however, it is not supported natively within Apache Tomcat, which is the Java application server for SDM. IWA can be added to Tomcat via third-party utilities such as IOPLEX's Java Active Directory Integration (Jespa) software library or Quest Software's Quest Single Sign On for Java (formerly Vintela Single Sign On for Java). Alternatively, IWA can be performed in a front-end web server such as IIS or Apache HTTP Server, and Tomcat can be configured to accept the user's identity from this web server. Tomcat can be integrated with a front-end web server via the Apache Tomcat Connector, which supports both IIS and Apache HTTP Server, or via the mod_proxy_ajp module, which is built into Apache HTTP Server.

With regard to authentication protocol support: Jespa, IIS and Apache HTTP Server support the NTLM protocol; Jespa and IIS support the NTLMv2 protocol; and Quest Single Sign On for Java, IIS and Apache HTTP Server support the Kerberos protocol.

NB - CA no longer recommends the use of the JCIFS NTLM HTTP Authentication filter to add IWA to Tomcat because the JCIFS open source project no longer supports it. Please see http://jcifs.samba.org/src/docs/ntlmhttpauth.html for further information.

This document provides step by step instructions on how to configure CABI to use IWA by integrating CABI Tomcat with IIS via the Apache Tomcat Connector.
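
The Tomcat side of the IIS front-end arrangement described above, shown as an added example that is not taken from the CA document. It assumes IIS and the CABI Tomcat run on the same host; the port, the worker name `cabi` and the secret value are placeholders.

```xml
<!--
  conf/server.xml on the CABI Tomcat instance (fragment, placed inside the
  existing <Service> element). Added illustration, not CA's shipped file.

  tomcatAuthentication="false" tells Tomcat to take the authenticated user
  from the front-end web server (IIS, after IWA) instead of authenticating
  the request itself. From that point Tomcat trusts whatever user name
  arrives over AJP, so the connector must only be reachable by IIS:

    address  binds the AJP listener to loopback (assumes IIS is on the same
             host; with separate hosts, bind to the internal interface and
             restrict the port to the IIS server with a firewall rule).
    secret   shared secret the connector must present on every request.
             secret/secretRequired are the attribute names in current
             Tomcat releases; older releases use requiredSecret. Which one
             applies to the Tomcat bundled with CABI is not stated here.

  Port 8009 is Tomcat's conventional AJP port (assumed).
-->
<Connector port="8009"
           protocol="AJP/1.3"
           address="127.0.0.1"
           tomcatAuthentication="false"
           secretRequired="true"
           secret="REPLACE_WITH_LONG_RANDOM_VALUE" />

<!--
  Matching worker definition for the Apache Tomcat Connector
  (workers.properties, read by isapi_redirect.dll in IIS).
  The worker name "cabi" is hypothetical:

    worker.list=cabi
    worker.cabi.type=ajp13
    worker.cabi.host=127.0.0.1
    worker.cabi.port=8009
    worker.cabi.secret=REPLACE_WITH_LONG_RANDOM_VALUE

  On the IIS site that hosts the connector, Anonymous Authentication should
  be disabled and Windows Authentication enabled, so that no request reaches
  Tomcat without an identity established by IWA.
-->
```

If any path reaches Tomcat without passing through IIS (for example Tomcat's own HTTP connector left open to users), requests on that path carry no IWA identity and should not be accepted for Trusted Authentication.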

Solution:

Click here to view full text of the document.

Environment

Release:
Component: SDBOXI