Oct 17, 2019 at 04:37 PM

BI 4.2 WinAD SSO - Cannot Authenticate Users in Remote Forest


Hi,

I have the following scenario:

  • Server is in Domain A (BI 4.2 SP 7)
  • WinAD SSO has been configured around a service account from Domain A
  • All business users requiring access to SAP BI reside in Domain B
  • Domain A and Domain B are in separate forests. There are no child domains of either in play

Some aspects are working

  • I can log in to client tools such as Universe Designer as a user from Domain A or Domain B (PC is in Domain A)
  • I can manually log on to BI Launchpad as a user from Domain A (I am only interested in manual logins for now)
  • At a command line on the server, logged in as the Domain A service account, I can obtain a Kerberos ticket for user1@Domain B using kinit
  • Tomcat starts up cleanly and obtains all Kerberos tickets that I would expect (my idm.princ is the service account from Domain A)

But, I cannot manually log in to BI Launchpad as a user from Domain B.

End users receive the error 'Account information not recognised: The Active Directory Authentication plugin could not authenticate at this time...'

Webapp_BIlaunchpad_trace.000001.glf shows 'GSSException: No valid credentials provided (Mechanism level: Fail to create credential. (63) - No service creds)'

This is my krb5.ini file. I have tried with none, one or the other or both of the capaths entries - the error is the same in all cases. Can't see anything else I could possibly try.

[libdefaults]
default_realm = DOMAINA.COM
dns_lookup_kdc = true
dns_lookup_realm = true
default_tgs_enctypes = rc4-hmac
default_tkt_enctypes = rc4-hmac
forwarding = true

[realms]
DOMAINB.COM = {
kdc = DC1.DOMAINB.COM
default_domain = DOMAINB.COM
}
DOMAINA.COM = {
kdc = DC1.DOMAINA.COM
default_domain = DOMAINA.COM
}

[capaths]
DOMAINA.COM = {
DOMAINB.COM = .
}
DOMAINB.COM = {
DOMAINA.COM = .
}

Any input gratefully received.

Many thanks,

Mike
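A small added checker for the cross-forest krb5.ini shape described in the post (not part of the original question or of any SAP tooling): it parses the [realms] and [capaths] sections, tolerating the closing brace written on the same line as a value as in the post, and reports whether a user realm reaching a service realm has a KDC on each side and a capaths entry in both directions. Realm and KDC names are placeholders copied from the post; the sample is trimmed to the two sections the check needs.

```python
# Constructed sample modelled on the post's krb5.ini (all values are placeholders).
SAMPLE_KRB5_INI = """
[realms]
DOMAINB.COM = {
kdc = DC1.DOMAINB.COM
default_domain = DOMAINB.COM}
DOMAINA.COM = {
kdc = DC1.DOMAINA.COM
default_domain = DOMAINA.COM}
[capaths]
DOMAINA.COM = {
DOMAINB.COM = .
}
DOMAINB.COM = {
DOMAINA.COM = .
}
"""

def parse_krb5(text):
    # [section] headers, key = value lines, one level of 'NAME = { ... }' blocks
    conf, section, block = {}, None, None
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()
        if not line: continue
        if line.startswith('[') and line.endswith(']'):
            section, block = conf.setdefault(line[1:-1], {}), None
            continue
        if line == '}':
            block = None
            continue
        key, _, value = (p.strip() for p in line.partition('='))
        if value == '{':
            block = section.setdefault(key, {})
            continue
        # a value ending in '}' (as written in the post) also closes the block
        (block if block is not None else section)[key] = value.rstrip('}').strip()
        if value.endswith('}'):
            block = None
    return conf

def check_cross_realm(conf, user_realm, service_realm):
    # user_realm -> service_realm needs a KDC per realm and a capath each way
    findings = []
    realms, capaths = conf.get('realms', {}), conf.get('capaths', {})
    for r in (user_realm, service_realm):
        if 'kdc' not in realms.get(r, {}):
            findings.append(f'no kdc for {r}')
    for src, dst in ((user_realm, service_realm), (service_realm, user_realm)):
        if dst not in capaths.get(src, {}):
            findings.append(f'no capath {src} -> {dst}')
    return findings
```

An empty findings list only means the file is internally consistent; it says nothing about whether the forest trust, DNS records or the service account's SPNs are right on the domain side.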