on 05-15-2014 5:01 AM
Dear Experts,
Currently our system has a single domain with SSO enabled, and now the client has asked us to add another domain with SSO enabled. I have gone through the SCN forums and SAP Notes, and I need answers to the following questions:
Does multiple domain mean both are separate, like Domain1 and Domain2?
If we have two domains, what about the service account? Should it be in any one domain, or should the same account be created in both domains?
The krb5.ini file should be like this, right?
[libdefaults]
default_realm = MYDOMAIN1.COM
dns_lookup_kdc = true
dns_lookup_realm = true
default_tgs_enctypes = rc4-hmac
default_tkt_enctypes = rc4-hmac
udp_preference_limit = 1
[realms]
MYDOMAIN1.COM = {
kdc = MYDCHOSTNAME.MYDOMAIN1.COM
default_domain = MYDOMAIN1.COM
}
MYDOMAIN2.COM = {
kdc = MYDCHOSTNAME.MYDOMAIN2.COM
default_domain = MYDOMAIN2.COM
}
Please help me on this
Regards,
Karuppiah N
Hi Karuppiah,
A.COM and B.COM are what is called a multi-domain setup. For example: your BO is installed on A.COM, which is currently a single domain, and AD is configured for that domain, where users are successfully able to log in and SSO to InfoView/BI Launchpad; now the client requirement is to bring in the Active Directory users from B.COM to access the application.
To allow users coming from B.COM to access the application, you should meet the requirements as per SAP Notes 1323391 and 1199995.
Once a 2-way transitive forest trust is established and the registry key is maintained, AD users promoted from B.COM should be able to manually log in and SSO to the application.
http://service.sap.com/sap/support/notes/1323391
http://service.sap.com/sap/support/notes/1199995
As far as service account is concerned it does not need to be changed.
-Ambarish-
Hi,
After making the changes and following the prerequisites, I got an error while adding the second domain group in CMC. So I enabled logs and identified the line below in the logs.
WINAD: CAccountEntity::ConvertDomainToNTFormat() -- <DomainName> is already in NT format
So is there no need to create the string in the registry, as per the prerequisites?
Please help
Regards
Karuppiah N
Hi Karuppiah,
What is the error when you map the group in the AD plugin?
Any error in the event viewer?
I would recommend creating the FQDN registry key and then checking the addition of the group in the AD plugin.
Also refer to 1478891 http://service.sap.com/sap/support/notes/1478891
-Ambarish-
Hi Ambarish,
Thanks for your reply.
The error message is "The secWinAD plugin failed to look up the account for the group <groupname>. Please enter non-local groups as DomainName\GroupName and local groups as \\ServerName\GroupName"
No errors in the event viewer; I have already created the string in the registry and still get the error.
I have tried both options to add it:
Option 1: DomainName\GroupName
Option 2: CN=GroupName,OU=Groups,DC=domainName,dc=corp,dc=root
So please let me know what the correct option is to map the 2nd domain group.
Platform: BI4.1 SP2
I think the plugin has yet to identify that the group is promoted from a different domain. A two-way transitive forest trust should actually do the trick.
Can you attach a screenshot of the trust established between the domains? Run domain.msc and take a screenshot of the trust tab, a screenshot of the FQDN registry key and of the group properties.
-Ambarish-
Hi Ambarish and Experts,
Thanks! Now I have successfully added the second domain in CMC and users are able to log in to BI Launchpad, but SSO is still not working.
The issue is that when a user tries to open the URL https:\\servername.domainname\BOE\BI, the Windows security window pops up asking for username and password, but even after providing the username and password, SSO is not working.
So is there any setting to make SSO work for the second domain?
Note: SSO for the first domain works fine.
Thanks,
Regards
Karuppiah
Hi,
Yes, I have done the above steps, but SSO is still not working. I have gone through the global.properties file and seen that it asks for the domain name, so should the second domain name be added in global.properties like this:
sso.enabled=true
siteminder.enabled=false
vintela.enabled=true
idm.realm=VTIAUTH08.COM --first domain name
idm.realm=domain2.com -- second domain name
idm.princ=bossosvcacct
idm.allowUnsecured=true
idm.allowNTLM=false
idm.logger.name=simple
idm.logger.props=error-log.properties
Please let me know.
Regards
Karuppiah N
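The krb5.ini in the first post and the global.properties fragment in this post are the two files this thread turns on. The following Python is added here as an editor's example; it is not code from the thread, from SAP or from the Vintela/SPNEGO filter. It parses both formats and runs the checks a practitioner would want before testing the trust: that default_realm has a [realms] entry with a kdc, that realm names are upper-case (Kerberos realm names are case-sensitive), that the enctype lists are not restricted to RC4 alone, and that no key is repeated in the properties file, since a Java properties loader keeps only the last value for a repeated key, so two idm.realm lines leave only the second one in effect. The krb5.ini text is the one posted in the first message; the properties text is constructed from the fragment in this post with the trailing annotations removed.

```python
"""Offline sanity checks for the krb5.ini and global.properties files from this thread.

Both parsers are illustrative (written for this example, not part of any SAP product).
"""
import re
from collections import Counter

# krb5.ini exactly as posted in the first message of the thread.
KRB5_INI = """\
[libdefaults]
default_realm = MYDOMAIN1.COM
dns_lookup_kdc = true
dns_lookup_realm = true
default_tgs_enctypes = rc4-hmac
default_tkt_enctypes = rc4-hmac
udp_preference_limit = 1
[realms]
MYDOMAIN1.COM = {
kdc = MYDCHOSTNAME.MYDOMAIN1.COM
default_domain = MYDOMAIN1.COM
}
MYDOMAIN2.COM = {
kdc = MYDCHOSTNAME.MYDOMAIN2.COM
default_domain = MYDOMAIN2.COM
}
"""

# Constructed to mirror the global.properties fragment in the last post.
GLOBAL_PROPERTIES = """\
sso.enabled=true
siteminder.enabled=false
vintela.enabled=true
idm.realm=VTIAUTH08.COM
idm.realm=domain2.com
idm.princ=bossosvcacct
idm.allowUnsecured=true
idm.allowNTLM=false
"""


def parse_krb5(text):
    """Parse krb5.ini's [section] / NAME = { ... } layout into nested dicts."""
    sections, section, block = {}, None, None
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()      # krb5 allows '#' comments
        if not line:
            continue
        header = re.match(r'^\[(\w+)\]$', line)
        if header:
            section = sections.setdefault(header.group(1), {})
            block = None
            continue
        if section is None:
            raise ValueError(f'key outside any section: {line}')
        if line == '}':                          # end of a realm block
            block = None
            continue
        key, _, value = line.partition('=')
        key, value = key.strip(), value.strip()
        if value == '{':                         # start of a realm block
            block = section.setdefault(key, {})
        elif block is not None:
            block[key] = value
        else:
            section[key] = value
    return sections


def check_krb5(sections):
    """Return a list of findings; an empty list means the realm layout is consistent."""
    findings = []
    libdefaults = sections.get('libdefaults', {})
    realms = sections.get('realms', {})
    default_realm = libdefaults.get('default_realm')
    if default_realm is None:
        findings.append('libdefaults has no default_realm')
    elif default_realm not in realms:
        findings.append(f'default_realm {default_realm} has no [realms] entry')
    for name, body in realms.items():
        if not isinstance(body, dict) or 'kdc' not in body:
            findings.append(f'realm {name} has no kdc')
        if name != name.upper():
            findings.append(f'realm {name} is not upper-case')
    for key in ('default_tgs_enctypes', 'default_tkt_enctypes'):
        if set(libdefaults.get(key, '').split()) == {'rc4-hmac'}:
            findings.append(f'{key} allows only rc4-hmac (RC4, deprecated by RFC 8429)')
    return findings


def load_properties(text):
    """Emulate java.util.Properties: a later value for a repeated key overwrites the earlier one."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in '#!':
            continue
        key, _, value = line.partition('=')
        props[key.strip()] = value.strip()
    return props


def duplicate_keys(text):
    """Keys that appear more than once, i.e. whose earlier values are silently lost."""
    keys = [line.partition('=')[0].strip() for line in text.splitlines()
            if line.strip() and line.strip()[0] not in '#!' and '=' in line]
    return sorted(k for k, n in Counter(keys).items() if n > 1)


if __name__ == '__main__':
    for finding in check_krb5(parse_krb5(KRB5_INI)):
        print('krb5.ini:', finding)
    for key in duplicate_keys(GLOBAL_PROPERTIES):
        print(f'global.properties: {key} repeated; effective value is '
              f'{load_properties(GLOBAL_PROPERTIES)[key]!r}')
```

The check functions return lists rather than printing, so the same module can be dropped into a pre-change script that refuses to restart the web tier while any finding is present.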