Former Member
Jun 12, 2016 at 04:54 AM

SSO not working for secondary domain users


Hello Experts,

We are on BI4.1 SP6 on Win Server 2012 R2, with Tomcat on another server. Basically we have a split deployment with BOE on one server and Tomcat on another.

In my organization, we have two separate Win AD domains, one domain for corporate users and another for us which is the default domain. I implemented SSO for BILaunchpad with Windows AD authentication and SSO is working fine for the users from the default domain, but it is not working for users from the other domain. They are, however, able to manually log in by typing in their USERID@DOMAINNAME and their password.

We have the other domain info in the KRB5.ini file and that is how they are able to manually log in. I opened a ticket with SAP for assistance and the rep looked over our configuration and all looked good from the BO side. We are still trying to troubleshoot why the SSO isn't working for other domain users.

We collected Wireshark traces from the other domain users and found this error message "KRB Error: KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN".

We searched for duplicated SPNs in both the domains but couldn't find any. The service account we are using for Win AD authentication is created on the default domain.

Any thoughts on what else we should be looking into? I appreciate your help and suggestions.

Thank you,