Configure Multi domain and SSO enable

Former Member
0 Kudos

Dear Experts,

Currently our system has a single domain with SSO enabled, and now the client has asked us to add another domain with SSO enabled. I have gone through the SCN forums and SAP notes, and I need answers to the following questions:

Multiple domain means both are separate, like Domain1 and Domain2?

If we have two domains, what about the service account? Should it be in any one domain, or should the same account be created in both domains?

The krb5.ini file should be like this, right?

[libdefaults]
default_realm = MYDOMAIN1.COM
dns_lookup_kdc = true
dns_lookup_realm = true
default_tgs_enctypes = rc4-hmac
default_tkt_enctypes = rc4-hmac
udp_preference_limit = 1

[realms]
MYDOMAIN1.COM = {
    kdc = MYDCHOSTNAME.MYDOMAIN1.COM
    default_domain = MYDOMAIN1.COM
}
MYDOMAIN2.COM = {
    kdc = MYDCHOSTNAME.MYDOMAIN2.COM
    default_domain = MYDOMAIN2.COM
}

Please help me with this.

Regards,

Karuppiah N

Accepted Solutions (1)

Former Member
0 Kudos

Hi Karuppiah,

A.COM and B.COM are called a multi domain. Say, for example, your BO is installed on A.COM, which is currently a single domain, and AD is configured for that domain, where users are successfully able to log in and SSO to InfoView/BI Launchpad; now the client requirement is to bring in the Active Directory users from B.COM to access the application.

To allow the users coming from B.COM to access the application, you should meet the requirements as per SAP Notes 1323391 and 1199995.

Once a 2-way transitive forest trust is established and the registry key is maintained, AD users promoted from B.COM should be able to log in manually and SSO to the application.

http://service.sap.com/sap/support/notes/1323391

http://service.sap.com/sap/support/notes/1199995

As far as service account is concerned it does not need to be changed.

-Ambarish-

Former Member
0 Kudos

Hi,

Thanks for your reply! I will do the configuration and update you in case any issues occur.

Regards

Karuppiah N

Former Member
0 Kudos

Hi,

After making the changes and following the prerequisites, I got an error while adding the second domain group in CMC. So I enabled logs and identified the line below in the logs.

WINAD: CAccountEntity::ConvertDomainToNTFormat() -- <DomainName> is already in NT format

So is there no need to create the string in the registry, as per the prerequisites?

Please help

Regards

Karuppiah N

Former Member
0 Kudos

Hi Karuppiah,

What is the error when you map the group in the AD plugin?

Any error in the Event Viewer?

I would recommend creating the FQDN registry entry and then checking the addition of the group in the AD plugin.

Also refer to SAP Note 1478891: http://service.sap.com/sap/support/notes/1478891

-Ambarish-

Former Member
0 Kudos

Hi Ambarish,

Thanks for your reply.

The error message is "The secWinAD plugin failed to look up the account for the group <groupname>. Please enter non-local groups as DomainName\GroupName and local groups as \\ServerName\GroupName"

No errors in Event Viewer; I have already created the string in the registry and still get the error.

I have tried both options to add the group:

Option 1: DomainName\GroupName

Option 2: CN=GroupName,OU=Groups,DC=domainName,dc=corp,dc=root

So please let me know the correct option to map the 2nd domain group.

Platform: BI4.1 SP2

Former Member
0 Kudos

I think the plugin has yet to identify that the group is promoted from a different domain. A two-way transitive forest trust should actually do the trick.

Can you attach a screenshot of the trust established between the domains? Run domain.msc and take a screenshot of the trust tab, a screenshot of the FQDN registry entry and the group properties.

-Ambarish-

Former Member
0 Kudos

Hi Ambarish and Experts,

Thanks! Now I have successfully added the second domain in CMC and users are able to log in to BI Launchpad, but SSO is still not working.

The issue is that when a user tries to open the URL https://servername.domainname/BOE/BI, a Windows Security window pops up asking for username and password, but even after providing the username and password, SSO does not work.

So is there any setting to make SSO work for the second domain?

Note: first domain SSO works fine.

Thanks,

Regards

Karuppiah

0 Kudos

Hi,

something to keep in mind:

1. The user needs to enter the LP URL in FQDN format. It needs to be the domain where the BI server resides.

2. Add the URL to the trusted Sites.

3. Add the URL to the local intranet Sites.

Regards

Seb.

Former Member
0 Kudos

Hi,

Yes, I have done the above steps but SSO is still not working. I have gone through the global.properties file and seen that the file asks for the domain name, so should the second domain name be added in global.properties like this:

sso.enabled=true
siteminder.enabled=false
vintela.enabled=true
idm.realm=VTIAUTH08.COM --first domain name
idm.realm=domain2.com -- second domain name
idm.princ=bossosvcacct
idm.allowUnsecured=true
idm.allowNTLM=false
idm.logger.name=simple
idm.logger.props=error-log.properties

Please let me know.

Regards

Karuppiah N
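The krb5.ini in the opening question and the global.properties fragment in the last reply are the two files that have to agree for Vintela SSO. The checker below is an added example, not code from this thread or from SAP: it reads the [realms] block of a krb5.ini and parses global.properties the way java.util.Properties does (no inline comments, and a repeated key such as idm.realm silently keeps only the last value), then reports any realm that is not backed by a KDC entry. Realm and host names in the sample are constructed placeholders.

```python
import re

def krb5_realms(text):
    """Realm names declared in the [realms] section of a krb5.ini."""
    names, section = set(), None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("["):
            section = line.strip("[]").lower()
        elif section == "realms" and (m := re.match(r"^(\S+)\s*=\s*\{$", line)):
            names.add(m.group(1).upper())
    return names

def load_properties(text):
    """Parse like java.util.Properties.load: only '#'/'!' lines are comments, nothing
    after the value is stripped, and a repeated key silently keeps the LAST value."""
    props, dups = {}, set()
    for line in map(str.strip, text.splitlines()):
        if not line or line[0] in "#!":
            continue
        key, _, value = (s.strip() for s in line.partition("="))
        if key in props:
            dups.add(key)
        props[key] = value
    return props, dups

def check_sso_config(krb5_text, props_text):
    """Return a list of findings; an empty list means the two files agree."""
    findings = []
    realms = krb5_realms(krb5_text)
    props, dups = load_properties(props_text)
    for key in sorted(dups):
        findings.append(f"{key} set more than once; only {props[key]!r} takes effect")
    realm = props.get("idm.realm", "")
    if " " in realm:
        findings.append(f"idm.realm {realm!r}: text after the value is not a comment")
    name = realm.split()[0].upper() if realm else ""
    if name not in realms:
        findings.append(f"idm.realm {name or '<unset>'} has no [realms] entry in krb5.ini")
    return findings

# Constructed sample input mirroring the thread (realm and host names are placeholders).
KRB5_INI = ("[realms]\nMYDOMAIN1.COM = {\n kdc = MYDCHOSTNAME.MYDOMAIN1.COM\n}\n"
            "MYDOMAIN2.COM = {\n kdc = MYDCHOSTNAME.MYDOMAIN2.COM\n}\n")
GLOBAL_PROPS = """sso.enabled=true
vintela.enabled=true
idm.realm=MYDOMAIN1.COM --first domain name
idm.realm=domain2.com -- second domain name
idm.princ=bossosvcacct"""
```

Calling check_sso_config(KRB5_INI, GLOBAL_PROPS) on the sample returns three findings (duplicate idm.realm, trailing text in the value, and an effective realm of DOMAIN2.COM with no KDC entry); with a single idm.realm=MYDOMAIN2.COM line it returns an empty list.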
