cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

BO 4.2 SSO Win AD - No users replicated to BO from AD Group

Go to solution
mario_panzenboeck
Contributor

on ‎02-02-2017 3:09 PM

0 Kudos

Hello everyone,

I am facing an issue in our demo Environment and after testing for serveral hours I am wondering if you guys can help me out.

I am using two Windows Server 2012: 1 is the BO 4.2 Server, the other one is the Domain Controller (Master). The BO Server already joined the Domain and everything is working fine.

I tried to Setup the SSO configuration between BO and Win AD and followed some instructions up to step 4:

Firstly, let’s define our server names and IPs (you must obviously adjust these and the commands below to reflect your server names and IPs:

  • Domain Name: DOMAIN (FQDN: DOMAIN.INTERNAL)
  • Service Account: biservice (password: Password1)
  • Domain Controller: adserver.DOMAIN.INTERNAL
  • BusinessObjects Server: bi4server.DOMAIN.INTERNAL
  • BusinessObjects AD Group: DOMAIN\UserGroup

    Step 1

    Create an Active Directory service account, biservice (pass: Password1). Ensure the user config has ‘Password never expires’ option checked on.

    On the BusinessObjects server, add the DOMAIN/biservice user to the Local Administrators group. Also assign the biservice user the right ‘Act as part of Operating System’ in the Local Security Policy snap-in.

    Step 2

    Run the following command on the Active Directory server to create appropriate Service Principal Names (SPNs):

  • setspn -a BICMS/biservice.domain.internal biservice
  • setspn -a HTTP/bi4server biservice
  • setspn -a HTTP/bi4server.domain.internal biservice

    Verify the SPNs have been created by running ‘setspn -l biservice’.

    Step 3

    Change the user config of ‘biservice’ user in Active Directory configuration, and under the Delegation tab, turn on ‘Trust this user for delegation to any service (Kerberos only)’.

    Step 4

    Under the AD Authentication area in the Central Management Console, take the following actions:

  • Enable Windows Active Directory (AD)
  • AD Administration Name = DOMAIN\biservice
  • Default AD Domain: DOMAIN.INTERNAL
  • Add AD Group: DOMAIN\UserGroup
  • Use Kerberos Authentication
  • Service principal name = BICMS/biservice.domain.internal
  • Enable Single Sign On for selected authentication mode

    Click Save to save all your entries. Check under the Groups area to make sure your AD group has been added.

My Problem is that no user is getting merged to BO. I created a Group on the Windows AD Server and added some users (also the Service user). I can do the Windows AD configuration in CMC and I also can add the Domain Group. When I hit the button "Update" the Group Name get´s resolved correctly. In the CMC "Users & Groups" I can see the Domain Group but there is no user in it.

I tried different things and also checked the first 4 steps in Detail with no success.

Is it possible that this isn´t an SAP issue but something to do with the Windows AD Server?

I also disabled all the Firewalls in our demo Environment on both Servers...didn´t help for now!

Many thanks and best regards,

Mario

Show replies
Show replies
amitrathi239
Active Contributor
‎02-02-2017 3:47 PM
0 Kudos

can you share your CMC->Authentication->Windows AD authentication page screenshot?

Also check if you have similar setting?

https://wiki.scn.sap.com/wiki/display/BOBJ/Setting+up+the+Windows+AD+plug-in

Answer

Accepted Solutions (1)

Accepted Solutions (1)

Derek_Fox
Contributor
‎02-03-2017 3:34 AM

Hi Mario

You mention that you are using SAP BusinessObjects BI 4.2, but not which support package. I've had this issue as well with BI 4.2 Support Package 3 (no patches).

If you are on BI 4.2 Support Package 3, this is a known issue (refer to the following SAP Notes below), which is fixed in BI 4.2 Support Package 3 Patch 3:

  • 2388068 - Intermittent issues with role and group mapping in BI 4.2 SP3
  • 2389833 - Mapping of roles and groups fails in BI 4.2 SP03

After apply the BI 4.2 Support Package 3 Patch 3 to our system, the importing of users from WinAD worked then again in our system.

Regards

Derek

Show replies
Show replies
former_member208389
Explorer
‎02-07-2017 7:17 PM

That's the correct answer. My customer has same problem. it is a bug in BI4.2 SP3, patch 1 and Patch 2. Fixed in Patch 3 and later version.

By the way the steps above contains both WinAD authentication and SSO steps. However SSO config steps are based on WinAD authentication. You do not need to setup SSO to make WinAD autheitcation working. Just setup WInAD configuration in BI4.2 SP3 patch 3+ and check results again

Answers (2)

Answers (2)

mario_panzenboeck
Contributor
‎03-15-2017 8:48 AM
0 Kudos

Thanks - my Problem is solved! Installed the Support package and everything is working fine again.

Br,

Mario

Show replies
Show replies
Former Member
‎02-02-2017 5:01 PM
0 Kudos

what license have you got? Name or concurrent Users license? what user type have you select?


Show replies
Show replies
Ask a Question