XI 3.x (and other) in several WinAD domain and controller

Former Member
0 Kudos

Hello,

One of our customers has several companies around the world. Each company has its own WinAD and domain. He wants to know if it is possible, and how, to configure his single BI Platform to allow WinAD authentication.

Best regards

Laurent

Accepted Solutions (1)
Former Member
0 Kudos

There must be a 2-way transitive trust between the domains for BO AD authentication using Kerberos to work.

Please check the below points:

1323391 - What are the requirements to perform SSO or manual authentication from multiple AD forest...

What is supported

  • In order to map in groups and authenticate users from multiple AD forests in the AD plug-in, you must ensure the following requirements are met
  • There must be a full 2-way forest trust between all forests that contain users that will be mapped into Business Objects
  • Forest trusts are only supported in Microsoft 2003 functional domains and above, which eliminates support of any Windows 2000 domains for multi-forest SSO
  • The Business Objects server components, any web applications, and load balancers need to be members of the trusted forest(s)
  • All users that are performing SSO must be logged into a workstation in the trusted forest(s)
  • Groups that are mapped in the CMC should only contain users from that forest. Do not make remote forest members of domain local groups (this has been known to cause the problems described in the symptoms)
  • Ensure that the SPN in the CMC > Authentication > WindowsAD > Service Principal Name has the local domain in its naming convention (i.e. BOSSO/myserviceaccount.mydomain.com)
  1. Users from remote forests may need to access InfoView with the FQDN rather than the hostname in the URL (i.e. http://myserver:port/InfoViewApp/logon.jsp would be entered as http://myserver.myserverdomain.com:port/InfoViewApp/logon.jsp)
  2. Part two is that the FQDN will usually fail SSO based on browser settings. Users from remote forests using the FQDN would need to add the URL to their browser's local intranet sites (not to be confused with trusted sites)

Not supported by Technologies Development but may work in some environments

Using a service account from the remote forest has been reported to allow manual AD to work with 2 forests and only a 1-way forest trust.

2-way external trusts (used for Windows 2000 and above) may work with manual AD and multiple forests but results have been inconsistent and unreliable.

Former Member
0 Kudos

You can verify the 2-way transitive trust required for multi-forest SSO.

Please check the below SAP note first.

1384606  - How To view Active Directory Trusts using Microsoft Management Console (mmc)
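As an added check (example code, not from the thread or the SAP notes), the PowerShell below runs on a domain-joined BOE server and lists every trust seen from its domain, flagging any that is not the two-way, forest-transitive trust the accepted answer requires; it then lists the SPNs registered on the SSO service account and whether each carries a domain suffix, as the note's BOSSO/myserviceaccount.mydomain.com example does. It assumes the RSAT ActiveDirectory module and setspn.exe are available, and $ServiceAccount is a placeholder for the real account name.

```powershell
# Added example, not part of the original thread. Requires RSAT ActiveDirectory.
Import-Module ActiveDirectory

function Test-BoSsoTrusts {
    # One row per trust with another forest/domain; Status is 'OK' only when the
    # trust is two-way AND forest-transitive, the combination the SAP note requires.
    foreach ($t in Get-ADTrust -Filter *) {
        if ($t.IntraForest) { continue }   # trusts inside our own forest are not the concern here
        $reasons = @()
        if ($t.Direction -ne 'BiDirectional') {
            $reasons += "direction is $($t.Direction), not two-way"
        }
        if (-not $t.ForestTransitive) {
            $reasons += 'not a transitive forest trust (external or non-transitive trusts are unsupported)'
        }
        [pscustomobject]@{
            Target           = $t.Target
            Direction        = $t.Direction
            ForestTransitive = $t.ForestTransitive
            TrustType        = $t.TrustType
            Status           = if ($reasons.Count) { 'NOT supported for multi-forest SSO' } else { 'OK' }
            Reason           = $reasons -join '; '
        }
    }
}

function Test-BoSsoSpn {
    param([Parameter(Mandatory)][string]$ServiceAccount)   # placeholder: the account behind the BOSSO SPN
    # setspn -L prints a header line followed by one indented SPN per line.
    $spns = setspn -L $ServiceAccount |
        Where-Object { $_ -match '^\s+\S+/\S+' } |
        ForEach-Object { $_.Trim() }
    foreach ($spn in $spns) {
        # host part is everything after the first '/', minus any ':port' suffix
        $hostPart = (($spn -split '/', 2)[1]) -replace ':\d+$', ''
        [pscustomobject]@{
            SPN             = $spn
            HasDomainSuffix = $hostPart -like '*.*'   # False means a short name, which the note warns against
        }
    }
}

# Usage on the BOE server (replace the placeholder account name):
Test-BoSsoTrusts | Format-Table -AutoSize
Test-BoSsoSpn -ServiceAccount 'myserviceaccount' | Format-Table -AutoSize
```

Run it from each forest that will supply users, since a trust that is two-way from one side should show as BiDirectional from the other as well.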

former_member189884
Contributor
0 Kudos

This is correct; for the supported method all forests/domains must have a 2-way trust.

However, one potential solution which is NOT supported would be to introduce a virtual directory server which would sit between BOE and the AD servers. Then you would configure LDAP to point to this virtual directory and all of the routing or queries would be performed by the virtual directory. NOTE: this is very complex to configure and requires a great knowledge of all the directories, as well as producing a single point of failure if BOE cannot handle the connections to the virtual directory. Again, connecting to virtual directories is NOT supported.