
SSO not working for secondary domain users

Former Member
0 Kudos

Hello Experts,

We are on BI4.1 SP6 on Win Server 2012 R2, with Tomcat on another server. Basically we have split deployment with BOE on one server and tomcat on another.

In my organization, we have two separate Win AD domains, one domain for corporate users and another for us which is the default domain. I implemented SSO for BILaunchpad with Windows AD authentication and SSO is working fine for the users from the default domain, but it is not working for users from the other domain. They are, however, able to manually log in by typing in their USERID@DOMAINNAME and their password.

We have the other domain info in the KRB5.ini file and that is how they are able to manually log in. I opened a ticket with SAP for assistance and the rep looked over our configuration and all looked good from the BO side. We are still trying to troubleshoot why the SSO isn't working for other domain users.

We collected wireshark traces from the other domain users and found this error message "KRB Error: KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN".

We searched for duplicated SPNs in both the domains but couldn't find any. The service account we are using for Win AD authentication is created on the default domain.

Any thoughts what else we should be looking into? I appreciate your help and suggestions.

Thank you,

ilyas

Accepted Solutions (0)

Answers (3)

Former Member
0 Kudos

Thank you all for your replies.

It turns out that the service account we were using as SPN in CMC --> Authentication was not registered as an SPN. So we created a new SPN for it under the same service account and it resolved the issue.

Ironically, it was working fine for the default domain users but was broken for the other domain users. Now, with the SPN created, it is working for the other domain as well.

Thank you,

Ilyas
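The check behind this resolution, as an added example that is not part of the thread: query each AD domain for the SPN the BO plugin uses and report whether it is missing, registered once, or duplicated. The SPN, domain names and function name are placeholders, not values from this environment.

```powershell
# Added example (not from the thread): confirm an SPN is registered exactly once
# in each AD domain a Kerberos client may ask. A KDC answers
# KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN when it finds no account carrying the SPN.
# SPN and domain names below are placeholders; run from a domain-joined host
# with read access to both domains.
function Test-SpnRegistration {
    param(
        [Parameter(Mandatory)] [string]   $Spn,      # e.g. "BOBJCentralMS/bosrv.default.example"
        [Parameter(Mandatory)] [string[]] $Domains   # e.g. "default.example","corp.example"
    )
    foreach ($domain in $Domains) {
        try {
            $root     = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$domain")
            $searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
            $searcher.Filter = "(servicePrincipalName=$Spn)"
            [void]$searcher.PropertiesToLoad.Add("sAMAccountName")
            [void]$searcher.PropertiesToLoad.Add("distinguishedName")
            $hits = @($searcher.FindAll())
        } catch {
            Write-Warning "Could not query ${domain}: $($_.Exception.Message)"
            continue
        }
        # Which accounts own the SPN in this domain (should be exactly one).
        $owners = $hits | ForEach-Object { $_.Properties["samaccountname"][0] }
        $status = switch ($hits.Count) {
            0       { "MISSING - this domain's KDC will answer S_PRINCIPAL_UNKNOWN" }
            1       { "OK" }
            default { "DUPLICATE - ticket requests for this SPN will fail" }
        }
        [pscustomobject]@{
            Domain = $domain
            Spn    = $Spn
            Count  = $hits.Count
            Owners = ($owners -join ", ")
            Status = $status
        }
    }
}

# Usage with placeholder values; compare the rows for the working and non-working domain.
Test-SpnRegistration -Spn "BOBJCentralMS/bosrv.default.example" `
                     -Domains "default.example","corp.example" | Format-Table -AutoSize
```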

Former Member
0 Kudos

Hello Ilyas,

I believe you will have to set up two-way transitive trust between the 2 domains.

KDC parameter for another domain should be present in the krb5.ini file. Also in the AD plugin, check if the AD Administration name is in the format "domainname\servicename" and not "servicename@domainname".

- The type of the group should be "security"

- Also the group on domain A should not have any user from group on domain B

Regards,

Kapil

Former Member
0 Kudos

Hi Kapil,

Thanks for the response.

  • Yes we have two way transitive trust between the 2 domains. It is working fine in our old XIR environment but not in BI4.
  • Yes, we have the KDC Parameter of the other domain in the krb5.ini file and so those users are able to manually log on to BILaunchpad.
  • Yes, the AD Administration name is in the format of domainname\service name.
  • What do you mean by the type of the group should be 'security'?
  • We have users from the other domain group in the default domain group as well. It would be very difficult to remove the other domain users from the default domain as those users are managers and above and they are all over the default groups.
  • But I have been testing with a user who is a member of only ONE AD group from the other domain and still it is not working.

Any other thoughts?

Thanks,

Ilyas

DellSC
Active Contributor
0 Kudos

Have you worked through the steps in SAP Note 1323391?

What browser are your users using?

In IE, have the users from the other domain added the BO URL to their Local Internet Sites in the browser? SSO only works for Local Internet Sites - not for "Trusted" sites.

For Chrome, they need to follow the steps in SAP Note 1887193 to configure for SSO.

For Firefox, they need to follow the steps in SAP Note 1767654 to configure for SSO.

-Dell

former_member205064
Active Contributor
0 Kudos

It's mainly due to the DNS.

Run a Wireshark trace for the working and non-working domains, share it with your network admin, and check what is preventing SSO.

Former Member
0 Kudos

Hi Raunak,

We ran the Wireshark logs and found this error "KRB Error: KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN".

  • We have valid SPNs created under one service account created in the default domain.
  • There are no duplicate SPNs in either of the domains.

Any thoughts?

Thanks,

Ilyas

former_member205064
Active Contributor
0 Kudos

KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN

That means your machine is not able to get the SPN created.

As I said earlier, it's a DNS issue.

Check with your network team.