on 06-12-2016 5:54 AM
Hello Experts,
We are on BI4.1 SP6 on Win Server 2012 R2, with Tomcat on another server. Basically we have a split deployment with BOE on one server and Tomcat on another.
In my organization, we have two separate Win AD domains, one domain for corporate users and another for us, which is the default domain. I implemented SSO for BI Launchpad with Windows AD authentication and SSO is working fine for the users from the default domain, but it is not working for users from the other domain. They are, however, able to manually log in by typing in their USERID@DOMAINNAME and their password.
We have the other domain info in the KRB5.ini file and that is how they are able to manually log in. I opened a ticket with SAP for assistance and the rep looked over our configuration and all looked good from the BO side. We are still trying to troubleshoot why the SSO isn't working for other domain users.
We collected wireshark traces from the other domain users and found this error message "KRB Error: KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN".
We searched for duplicate SPNs in both domains but couldn't find any. The service account we are using for Win AD authentication is created on the default domain.
Any thoughts what else we should be looking into? I appreciate your help and suggestions.
Thank you,
ilyas
Thank you all for your replies.
It turns out that the service account we were using as SPN in CMC-->authentication was not registered as a SPN. So we created a new SPN for it under the same service account and it resolved the issue.
Ironically, it was working fine for the default domain users but was broken for the other domain users. Now, with the SPN created, it is working for the other domain as well.
Thank you,
Ilyas
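The fix above (the service account's SPN had never actually been registered) is worth turning into a repeatable check. The following PowerShell script is an added example; it is not from this thread, from SAP, or from the BI platform documentation. It assumes the ActiveDirectory module is available, and the account, domain and host names are placeholders to replace. It lists the SPNs the service account holds, warns if the expected HTTP SPN for the Tomcat host is missing (the situation that produces KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN), and then searches both domains for any other object carrying the same SPN, since a duplicate breaks Kerberos just as a missing SPN does.

```powershell
# Added example, not from this thread: check that the SPN the BI platform's
# Windows AD plugin relies on is held by the service account, and that no
# other object in either domain holds the same SPN.
# All names below are assumed placeholders; replace them with your own.
Import-Module ActiveDirectory

$ServiceAccount = 'svc_bo_sso'                   # assumed AD service account (lives in the default domain)
$DefaultDomain  = 'default.example.com'          # assumed default domain
$OtherDomain    = 'corp.example.com'             # assumed second (corporate) domain
$TomcatFqdn     = 'bo-web.default.example.com'   # assumed Tomcat host of the split deployment
# Browsers request a ticket for HTTP/<host as typed in the URL>, so register
# both the FQDN and the short host name.
$ExpectedSpns   = @("HTTP/$TomcatFqdn", "HTTP/$($TomcatFqdn.Split('.')[0])")

# 1. SPNs currently registered on the service account.
$acct = Get-ADUser -Identity $ServiceAccount -Server $DefaultDomain -Properties servicePrincipalName
$held = @($acct.servicePrincipalName)
Write-Host "SPNs held by ${ServiceAccount}: $($held -join ', ')"

foreach ($spn in $ExpectedSpns) {
    if ($held -notcontains $spn) {
        # Missing SPN: the KDC finds no principal for the HTTP service and
        # answers with KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN, as seen in the trace.
        Write-Warning "$spn is not registered on $ServiceAccount."
        Write-Warning "Register it as a domain admin (-S refuses to create a duplicate): setspn -S $spn $DefaultDomain\$ServiceAccount"
    }
}

# 2. Look for the same SPN on any other object in both domains. A duplicate
#    is as fatal as a missing SPN, because the KDC cannot pick a key for it.
foreach ($domain in @($DefaultDomain, $OtherDomain)) {
    foreach ($spn in $ExpectedSpns) {
        $owners = @(Get-ADObject -LDAPFilter "(servicePrincipalName=$spn)" -Server $domain -Properties servicePrincipalName)
        foreach ($owner in $owners) {
            if ($owner.DistinguishedName -ne $acct.DistinguishedName) {
                Write-Warning "$spn is also held by $($owner.DistinguishedName) in $domain (duplicate SPN)."
            }
        }
    }
}
```

Run it from a machine that can reach a domain controller in each domain. The SPN query is repeated per domain rather than once against a global catalog so that the output shows which domain a stray registration lives in, which is what you need when the two domains are administered by different teams.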
Hello Ilyas,
I believe you will have to set up a two-way transitive trust between the 2 domains.
The KDC parameter for the other domain should be present in the krb5.ini file. Also, in the AD plugin, check that the AD Administration name is in the format "domainname\servicename" and not "servicename@domainname".
-The type of the group should be "security"
-Also the group on domain A should not have any user from group on domain B
Regards,
Kapil
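The krb5.ini point in the reply above is easy to get subtly wrong when a second realm is added by hand: the realm is mapped in [domain_realm] but its [realms] block has no kdc line, or the realm name is spelled differently in the two sections. The PowerShell function below is an added example (not from this thread, from SAP, or from any Kerberos tool) that parses the file's three relevant sections and reports such gaps. It assumes the MIT-style layout shown in the constructed sample, which deliberately leaves the kdc line out of the second realm so the function has something to report.

```powershell
# Added example, not from this thread: sanity-check a krb5.ini used for
# BI platform AD SSO across two realms. Returns a list of problem strings
# (empty when the file is consistent).
function Test-Krb5Ini {
    param([Parameter(Mandatory)][string]$Content)

    $section = ''; $realm = ''
    $realms = @{}            # realm name -> array of kdc hosts
    $domainRealm = @{}       # DNS domain suffix -> realm name
    $defaultRealm = $null

    foreach ($raw in ($Content -split "`r?`n")) {
        $line = $raw.Trim()
        if ($line -eq '' -or $line.StartsWith('#') -or $line.StartsWith(';')) { continue }
        if ($line -match '^\[(\w+)\]$') { $section = $Matches[1]; $realm = ''; continue }

        switch ($section) {
            'libdefaults' {
                if ($line -match '^default_realm\s*=\s*(\S+)') { $defaultRealm = $Matches[1].ToUpper() }
            }
            'realms' {
                # Realm blocks look like:  REALM.NAME = { kdc = host ... }
                if ($line -match '^(\S+)\s*=\s*\{') { $realm = $Matches[1].ToUpper(); $realms[$realm] = @() }
                elseif ($line -eq '}') { $realm = '' }
                elseif ($realm -and $line -match '^kdc\s*=\s*(\S+)') { $realms[$realm] += $Matches[1] }
            }
            'domain_realm' {
                if ($line -match '^(\S+)\s*=\s*(\S+)') { $domainRealm[$Matches[1].ToLower()] = $Matches[2].ToUpper() }
            }
        }
    }

    $problems = @()
    if (-not $defaultRealm) {
        $problems += 'no default_realm in [libdefaults]'
    } elseif (-not $realms.ContainsKey($defaultRealm)) {
        $problems += "default_realm $defaultRealm has no [realms] block"
    }
    foreach ($r in ($realms.Keys | Sort-Object)) {
        # Without a kdc line the client can only find a KDC through DNS SRV
        # lookups, which is exactly what differs between two domains.
        if ($realms[$r].Count -eq 0) { $problems += "realm $r has no kdc = line" }
    }
    foreach ($d in ($domainRealm.Keys | Sort-Object)) {
        $r = $domainRealm[$d]
        if (-not $realms.ContainsKey($r)) { $problems += "[domain_realm] maps $d to $r, which has no [realms] block" }
    }
    foreach ($r in ($realms.Keys | Sort-Object)) {
        if (-not ($domainRealm.Values -contains $r)) { $problems += "realm $r is never referenced in [domain_realm]" }
    }
    return $problems
}

# Constructed sample, not a real file: the second realm is missing its kdc line.
$sample = @'
[libdefaults]
default_realm = DEFAULT.EXAMPLE.COM
dns_lookup_kdc = true
forwardable = true

[realms]
DEFAULT.EXAMPLE.COM = {
  kdc = dc1.default.example.com
  default_domain = default.example.com
}
CORP.EXAMPLE.COM = {
  default_domain = corp.example.com
}

[domain_realm]
.default.example.com = DEFAULT.EXAMPLE.COM
.corp.example.com = CORP.EXAMPLE.COM
'@

Test-Krb5Ini -Content $sample
# To check the live file instead:
# Test-Krb5Ini -Content (Get-Content -Raw C:\Windows\krb5.ini)
```

Realm names are compared case-insensitively by upper-casing them on both sides, because a lower-case realm in [domain_realm] against an upper-case [realms] block is one of the more common hand-editing mistakes. The function only checks internal consistency of the file; whether the kdc hosts actually answer is a separate network question, which is where the Wireshark trace in the original post comes in.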
Hi Kapil,
Thanks for the response.
Any other thoughts?
Thanks,
Ilyas
Have you worked through the steps in SAP Note 1323391?
What browser are your users using?
In IE, have the users from the other domain added the BO URL to their Local Internet Sites in the browser? SSO only works for Local Internet Sites - not for "Trusted" sites.
For Chrome, they need to follow the steps in SAP Note 1887193 to configure for SSO.
For Firefox, they need to follow the steps in SAP Note 1767654 to configure for SSO.
-Dell
It's mainly due to the DNS.
Run a Wireshark trace for the working and non-working domains, share it with your network admin and check what is preventing SSO.