
BO 4.2 SSO Win AD - No users replicated to BO from AD Group

Hello everyone,

I am facing an issue in our demo environment and after testing for several hours I am wondering if you guys can help me out.

I am using two Windows Server 2012: 1 is the BO 4.2 Server, the other one is the Domain Controller (Master). The BO Server already joined the Domain and everything is working fine.

I tried to set up the SSO configuration between BO and Win AD and followed some instructions up to step 4:

Firstly, let’s define our server names and IPs (you must obviously adjust these and the commands below to reflect your server names and IPs):

  • Service Account: biservice (password: Password1)
  • Domain Controller: adserver.DOMAIN.INTERNAL
  • BusinessObjects Server: bi4server.DOMAIN.INTERNAL
  • BusinessObjects AD Group: DOMAIN\UserGroup

    Step 1

    Create an Active Directory service account, biservice (pass: Password1). Ensure the user config has ‘Password never expires’ option checked on.

    On the BusinessObjects server, add the DOMAIN/biservice user to the Local Administrators group. Also assign the biservice user the right ‘Act as part of Operating System’ in the Local Security Policy snap-in.

    Step 2

    Run the following command on the Active Directory server to create appropriate Service Principal Names (SPNs):

  • setspn -a BICMS/biservice.domain.internal biservice
  • setspn -a HTTP/bi4server biservice
  • setspn -a HTTP/bi4server.domain.internal biservice

    Verify the SPNs have been created by running ‘setspn -l biservice’.

    Step 3

    Change the user config of ‘biservice’ user in Active Directory configuration, and under the Delegation tab, turn on ‘Trust this user for delegation to any service (Kerberos only)’.

    Step 4

    Under the AD Authentication area in the Central Management Console, take the following actions:

  • Enable Windows Active Directory (AD)
  • AD Administration Name = DOMAIN\biservice
  • Default AD Domain: DOMAIN.INTERNAL
  • Add AD Group: DOMAIN\UserGroup
  • Use Kerberos Authentication
  • Service principal name = BICMS/biservice.domain.internal
  • Enable Single Sign On for selected authentication mode

    Click Save to save all your entries. Check under the Groups area to make sure your AD group has been added.

My problem is that no user is getting merged to BO. I created a group on the Windows AD server and added some users (also the service user). I can do the Windows AD configuration in CMC and I can also add the domain group. When I hit the button "Update" the group name gets resolved correctly. In the CMC "Users & Groups" I can see the domain group but there is no user in it.

I tried different things and also checked the first 4 steps in detail with no success.

Is it possible that this isn't an SAP issue but something to do with the Windows AD server?

I also disabled all the firewalls in our demo environment on both servers...didn't help for now!

Many thanks and best regards,
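
A read-only check of the Active Directory side of steps 1 to 4 in the question above, as an added example that is not part of the original thread or of SAP's instructions. It assumes the RSAT ActiveDirectory PowerShell module is available and uses the account, group and SPN names given in the question.

```powershell
# Added example: read-only checks, run on a machine with the RSAT
# ActiveDirectory module. Names below are the ones used in the question.
Import-Module ActiveDirectory

$Account      = 'biservice'
$Group        = 'UserGroup'          # DOMAIN\UserGroup
$ExpectedSpns = 'BICMS/biservice.domain.internal',
                'HTTP/bi4server',
                'HTTP/bi4server.domain.internal'

$user = Get-ADUser -Identity $Account `
    -Properties ServicePrincipalNames, TrustedForDelegation, PasswordNeverExpires

# Steps 1 and 3: account flags set in the user's properties.
$user | Select-Object SamAccountName, Enabled, PasswordNeverExpires, TrustedForDelegation |
    Format-List

# Step 2: each SPN must be registered on the account and on no other object.
$ExpectedSpns | ForEach-Object {
    $owners = @(Get-ADObject -Filter "servicePrincipalName -eq '$_'")
    [pscustomobject]@{
        Spn       = $_
        OnAccount = $user.ServicePrincipalNames -contains $_
        Owners    = $owners.Name -join ', '
        Duplicate = $owners.Count -gt 1
    }
} | Format-Table -AutoSize

# Step 4: users the directory returns for the mapped group (nested groups included).
$members = @(Get-ADGroupMember -Identity $Group -Recursive |
    Where-Object { $_.objectClass -eq 'user' })
'{0} user(s) resolved for group {1}' -f $members.Count, $Group
$members | Select-Object SamAccountName, distinguishedName | Format-Table -AutoSize
```

If the group lists its users here while the same group stays empty in the CMC, the directory is answering correctly and the fault lies on the BusinessObjects side.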



3 Answers

  • Best Answer
    Feb 03, 2017 at 03:34 AM

    Hi Mario

    You mention that you are using SAP BusinessObjects BI 4.2, but not which support package. I've had this issue as well with BI 4.2 Support Package 3 (no patches).

    If you are on BI 4.2 Support Package 3, this is a known issue (refer to the following SAP Notes below), which is fixed in BI 4.2 Support Package 3 Patch 3:

    • 2388068 - Intermittent issues with role and group mapping in BI 4.2 SP3
    • 2389833 - Mapping of roles and groups fails in BI 4.2 SP03

    After applying the BI 4.2 Support Package 3 Patch 3 to our system, the importing of users from WinAD worked again in our system.




    • Former Member

      That's the correct answer. My customer has the same problem. It is a bug in BI4.2 SP3, Patch 1 and Patch 2. Fixed in Patch 3 and later versions.

      By the way, the steps above contain both WinAD authentication and SSO steps. However, SSO config steps are based on WinAD authentication. You do not need to set up SSO to make WinAD authentication work. Just set up the WinAD configuration in BI4.2 SP3 Patch 3+ and check the results again.

  • Former Member
    Feb 02, 2017 at 05:01 PM

    What license have you got? Name or concurrent users license? What user type have you selected?


  • Mar 15, 2017 at 08:48 AM

    Thanks - my problem is solved! Installed the Support Package and everything is working fine again.


