
Configuration of Active Directory Manual Authentication BI4 for Netweaver NW


What's this about?

This is an adjunct to Steve Fredell's document in SAP Note 1631734 - Configuring Active Directory Manual Authentication and SSO for BI4, which covers manual authentication and SSO for BI4 and is Tomcat-centric.

However, at a recent client a similar use case arose, but for a deployment of BO on NW 7.31 rather than Tomcat as the web application server.

There is also a worthwhile troubleshooting guide for Tomcat here: 1476374 - ***Best Practices*** including Basic and Advanced AD Troubleshooting Steps for Manual Logon, NTLM, Kerberos and Vintela Single Sign On

 

 

Background

I have been asked to configure AD authentication. Following Steve Fredell's "Configure Active Directory Manual Authentication and SSO for BI4", I could successfully get AD authentication working fine with Tomcat, but got stuck with NW as the web application server.

After spending close to 1 day of my customer's time attempting this, I failed to get it to work and posted this forum message: AD authentication for BI4.0 on NW7.3x portal

 

-----------------  Forum Post ----------------------------

[screenshot: tom.png]

However, when I use the same BOE/CMC imported earlier into the portal I get the error:

Account Information Not Recognized: Active Directory Authentication failed to log you on. Please contact your system administrator to make sure you are a member of a valid mapped group and try again. If you are not a member of the default domain, enter your user name as UserName@DNS_DomainName, and then try again. (FWM 00006)

[screenshot: cmcprotal.png]

So Tomcat obviously understands the Kerberos authentication. I have made sure the same server principal name and AD administrator credentials are in use by Tomcat and the portal; both use SAPService<SID>.

Any tips as to what I need to do to get Windows AD authentication working to BOE/CMC from an NW7.3 portal? Do I need to re-import the BOE deployment?

------------------

 

Swapnil Yavalkar responded saying he had been successful, but without capturing any details, which was good news as at least it proved it was possible.

Unfortunately, in the available notes there is almost nothing about how to get NW7 working as the web application server, so I placed a service call to SAP in regard to the problem. Days later I got the response that there is an unpublished internal note 1852377 that describes the solution to my problem; I had got 95% of the way there but had not performed the sub-node configuration in the NW config tool.

Whilst I cannot republish this note, I will post my solution (albeit sanitized of customer details), which fairly much covers the same trajectory as 1852377.

 

Step 0. Ensure principal names for Kerberos

Find and ensure you have set principal names for the service account running your NW (portal) web application server.

[screenshot: portaluser.png]

You may need to use setspn -A to configure your principal names; that is beyond the scope of this blog, but for a start try here. However, here is a sanitized list of principal names for the service owner (which is more than needed):

[screenshot: setspn.png]


Step 1. Create your Kerberos configuration file

You will need a krb5.ini file, as per the notes above, in C:\windows. I copied mine from an existing Tomcat configuration I had working.

[screenshot: krb5.png]
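As an added example for Steps 0 and 1 (this is not code from the blog or from any SAP note), the PowerShell script below first checks that the portal host's HTTP service principal name is registered to the NW service account and is not duplicated on another account, then writes a krb5.ini for the JVM to read. The account name, host name, realm and KDC in the param() block are placeholders, and the script assumes an English-language setspn.exe whose -Q output lists one "CN=..." line per account holding the SPN.

```powershell
# Added example for Steps 0 and 1; not part of the blog or of any SAP note.
# Every value in param() is a placeholder to be replaced with your own.
param(
    [string]$ServiceAccount = 'SAPServiceSID',               # placeholder for SAPService<SID>
    [string]$PortalFqdn     = 'theportalserver.example.com', # placeholder portal host name
    [string]$Realm          = 'EXAMPLE.COM',                 # placeholder AD realm, upper case
    [string]$Kdc            = 'dc01.example.com',            # placeholder domain controller
    [string]$Krb5Path       = 'C:\Windows\krb5.ini'          # path used again in Step 3
)

$spn = "HTTP/$PortalFqdn"

# Step 0: setspn -L lists the SPNs registered on the account.
$onAccount = setspn -L $ServiceAccount 2>&1 | Out-String
if ($onAccount -match [regex]::Escape($spn)) {
    Write-Host "OK: $spn is registered to $ServiceAccount"
} else {
    # -S (unlike -A) refuses to add an SPN that already exists elsewhere in the forest.
    Write-Warning "$spn is not registered to $ServiceAccount; register it with: setspn -S $spn $ServiceAccount"
}

# A duplicate of the SPN on any other account breaks Kerberos for the portal.
# setspn -Q searches the forest; assumption: one "CN=..." line per holder (English output).
$holders = @(setspn -Q $spn 2>&1 | Where-Object { $_ -match '^CN=' })
if ($holders.Count -gt 1) {
    Write-Warning "$spn is registered on more than one account:"
    $holders | ForEach-Object { Write-Warning "  $_" }
}

# Step 1: krb5.ini, read by the JVM via java.security.krb5.conf (Step 3).
# AES is listed first; keep rc4-hmac only until the service account has
# "This account supports Kerberos AES 256 bit encryption" enabled in AD, then drop it.
# udp_preference_limit = 1 forces TCP so large AD tickets are not truncated over UDP.
$domain = $Realm.ToLower()
$krb5 = @"
[libdefaults]
default_realm = $Realm
dns_lookup_kdc = true
dns_lookup_realm = true
default_tkt_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac
default_tgs_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac
udp_preference_limit = 1

[realms]
$Realm = {
    kdc = $Kdc
    default_domain = $domain
}

[domain_realm]
.$domain = $Realm
$domain = $Realm
"@
Set-Content -Path $Krb5Path -Value $krb5 -Encoding Ascii

# Read the file back and confirm the realm block is present before restarting the portal.
$written = Get-Content -Path $Krb5Path -Raw
$realmHeader = "(?m)^" + [regex]::Escape($Realm) + " = \{"
if ($written -match '(?m)^\[realms\]' -and $written -match $realmHeader) {
    Write-Host "OK: $Krb5Path written for realm $Realm"
} else {
    throw "krb5.ini at $Krb5Path does not contain a [realms] entry for $Realm"
}

# The two VM parameters added in the config tool in Step 3 are the equivalent of:
Write-Host "Step 3 VM parameters: -Djava.security.krb5.conf=$Krb5Path -Djavax.security.auth.useSubjectCredsOnly=false"
```

Run it as a domain user who may query SPNs (any authenticated user can run setspn -L and -Q; adding an SPN needs write access to the service account). The duplicate-SPN check is the one most often skipped and is the usual cause of "Account Information Not Recognized" when the same principal is also registered to an old Tomcat host.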


Step 2. Add Kerberos module to NetWeaver Administrator

You will need to enable the krb5 module in NWA: http://theportalserver.com:50200/nwa

[screenshot: portal1.png]

Configuration -> Authentication and Single Sign-On -> "Login Modules" tab

Create a module with the display name Krb5LoginModule and the class name com.sun.security.auth.module.Krb5LoginModule

[screenshot: portal2.png]

Then in the "Components" tab create a custom configuration called com.businessobjects.security.jgss.initiate

[screenshot: portal3.png]

Choose the lower authentication stack tab and then add the login module "Krb5LoginModule" with the flag "REQUIRED".

Don't forget to save.

 

 

Step 3. Using the SAP Java configuration tool, add Java options.

I found it is best to do this during downtime of the NW portal.

Call configtool.bat from usr\sap\<SID>\J<id>\j2ee\configtool

[screenshot: conft1.png]

I normally choose expert mode.

[screenshot: conft2.png]

Choose the instance, then choose the "VM Parameters" tab.

[screenshot: conft3.png]

Select sap from the vendor list and global from the platform list.

Choose the "System" tab and New.
Add the name java.security.krb5.conf with the value C:\windows\krb5.ini

Create another parameter called javax.security.auth.useSubjectCredsOnly with the value "false".

[screenshot: conft4.png]

Choose File -> Apply changes.

[screenshot: conft5.png]

 

Step 4. Adding sub-nodes for the com.businessobjects.security.jgss.initiate policy.

Continuing with the config tool, choose Tools -> Configuration editor

[screenshot: conft6.png]

Choose Edit mode.

[screenshot: conft7.png]

Navigate to Configurations -> Security -> Configurations -> com.businessobjects.security.jgss.initiate -> security -> authentication.

[screenshot: conft9.png]

Right click and choose "Create sub-node".

[screenshot: conft8.png]

Choose "Value-Entry", name it create_security_session and give it the value "false".

Then apply changes again.

[screenshot: conft10.png]

 

Step 5. Restart NW Portal

[screenshot: restartnw.png]

Testing: after about 10 minutes the system will have restarted and you should be able to authenticate with NW7.3 Web.

[screenshot: loginok.png]

For me it just worked first time, so I don't have any troubleshooting validation except: check your syntax each time.

 

Tips:

a) Get it working with your Tomcat server first, as per the guide attached to note 1631734, and use the troubleshooting guide 1476374.

b) Then follow this blog or note 1852377.

