
BO 4.2 SSO Win AD - No users replicated to BO from AD Group

Feb 02, 2017 at 03:09 PM



Hello everyone,

I am facing an issue in our demo Environment and after testing for several hours I am wondering if you guys can help me out.

I am using two Windows Server 2012: 1 is the BO 4.2 Server, the other one is the Domain Controller (Master). The BO Server already joined the Domain and everything is working fine.

I tried to Setup the SSO configuration between BO and Win AD and followed some instructions up to step 4:

Firstly, let’s define our server names and IPs (you must obviously adjust these and the commands below to reflect your server names and IPs):

  • Service Account: biservice (password: Password1)
  • Domain Controller: adserver.DOMAIN.INTERNAL
  • BusinessObjects Server: bi4server.DOMAIN.INTERNAL
  • BusinessObjects AD Group: DOMAIN\UserGroup

    Step 1

    Create an Active Directory service account, biservice (pass: Password1). Ensure the user config has ‘Password never expires’ option checked on.

    On the BusinessObjects server, add the DOMAIN/biservice user to the Local Administrators group. Also assign the biservice user the right ‘Act as part of Operating System’ in the Local Security Policy snap-in.

    Step 2

    Run the following command on the Active Directory server to create appropriate Service Principal Names (SPNs):

  • setspn -a BICMS/biservice.domain.internal biservice
  • setspn -a HTTP/bi4server biservice
  • setspn -a HTTP/bi4server.domain.internal biservice

    Verify the SPNs have been created by running ‘setspn -l biservice’.

    Step 3

    Change the user config of ‘biservice’ user in Active Directory configuration, and under the Delegation tab, turn on ‘Trust this user for delegation to any service (Kerberos only)’.

    Step 4

    Under the AD Authentication area in the Central Management Console, take the following actions:

  • Enable Windows Active Directory (AD)
  • AD Administration Name = DOMAIN\biservice
  • Default AD Domain: DOMAIN.INTERNAL
  • Add AD Group: DOMAIN\UserGroup
  • Use Kerberos Authentication
  • Service principal name = BICMS/biservice.domain.internal
  • Enable Single Sign On for selected authentication mode

    Click Save to save all your entries. Check under the Groups area to make sure your AD group has been added.

My Problem is that no user is getting merged to BO. I created a Group on the Windows AD Server and added some users (also the Service user). I can do the Windows AD configuration in CMC and I also can add the Domain Group. When I hit the button "Update" the Group Name gets resolved correctly. In the CMC "Users & Groups" I can see the Domain Group but there is no user in it.

I tried different things and also checked the first 4 steps in Detail with no success.

Is it possible that this isn't an SAP issue but something to do with the Windows AD Server?

I also disabled all the Firewalls in our demo Environment on both Servers...didn't help for now!

Many thanks and best regards,
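
An added example, not part of the original post or of SAP's documentation: a read-only PowerShell check of the AD side of steps 1 to 4, useful for separating an AD misconfiguration from a BusinessObjects problem. It assumes the RSAT ActiveDirectory module is installed and uses the sample account, group and SPN names from the post.

```powershell
# Added example: read-only check of the AD objects named in steps 1-4.
# Assumes the RSAT ActiveDirectory module and the sample names from the post.
Import-Module ActiveDirectory

$account  = 'biservice'                          # service account from the post
$group    = 'UserGroup'                          # AD group mapped in the CMC
$expected = @('BICMS/biservice.domain.internal', # SPNs created in step 2
              'HTTP/bi4server',
              'HTTP/bi4server.domain.internal')

$user = Get-ADUser -Identity $account -Properties ServicePrincipalName,
            TrustedForDelegation, PasswordNeverExpires

# Step 2: every SPN from the post must be registered on the service account.
$missing = $expected | Where-Object { $user.ServicePrincipalName -notcontains $_ }

# An SPN registered on more than one account breaks Kerberos ticket requests.
$duplicates = foreach ($spn in $expected) {
    $owners = @(Get-ADObject -LDAPFilter "(servicePrincipalName=$spn)")
    if ($owners.Count -gt 1) { "$spn -> $($owners.Name -join ', ')" }
}

# The group must hold user objects on the AD side,
# otherwise the CMC has nothing to import.
$members = @(Get-ADGroupMember -Identity $group -Recursive |
             Where-Object { $_.objectClass -eq 'user' })

[pscustomobject]@{
    MissingSPNs          = $missing -join '; '
    DuplicateSPNs        = $duplicates -join '; '
    TrustedForDelegation = $user.TrustedForDelegation   # step 3
    PasswordNeverExpires = $user.PasswordNeverExpires   # step 1
    GroupUserCount       = $members.Count
    GroupUsers           = $members.SamAccountName -join ', '
} | Format-List
```

If the group lists users here and no SPN is missing or duplicated, the AD side matches the steps and the cause lies on the BusinessObjects side.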



Can you share your CMC->Authentication->Windows AD authentication page screenshot?

Also check if you have a similar setting?


3 Answers

Best Answer
Derek Fox Feb 03, 2017 at 03:34 AM

Hi Mario

You mention that you are using SAP BusinessObjects BI 4.2, but not which support package. I've had this issue as well with BI 4.2 Support Package 3 (no patches).

If you are on BI 4.2 Support Package 3, this is a known issue (refer to the following SAP Notes below), which is fixed in BI 4.2 Support Package 3 Patch 3:

  • 2388068 - Intermittent issues with role and group mapping in BI 4.2 SP3
  • 2389833 - Mapping of roles and groups fails in BI 4.2 SP03

After applying the BI 4.2 Support Package 3 Patch 3 to our system, the importing of users from WinAD worked again in our system.



Former Member

That's the correct answer. My customer has the same problem. It is a bug in BI4.2 SP3, Patch 1 and Patch 2. Fixed in Patch 3 and later versions.

By the way, the steps above contain both WinAD authentication and SSO steps. However, SSO config steps are based on WinAD authentication. You do not need to set up SSO to make WinAD authentication work. Just set up the WinAD configuration in BI4.2 SP3 Patch 3+ and check the results again.

Former Member Feb 02, 2017 at 05:01 PM

What license have you got? Name or concurrent Users license? What user type have you selected?

Mario Panzenboeck Mar 15, 2017 at 08:48 AM

Thanks - my Problem is solved! Installed the Support package and everything is working fine again.


