
BI 4.2 WinAD SSO - Cannot Authenticate Users in Remote Forest

mike-rs
Explorer
0 Kudos

Hi,

I have the following scenario:

  • Server is in Domain A (BI 4.2 SP 7)
  • WinAD SSO has been configured around a service account from Domain A
  • All business users requiring access to SAP BI reside in Domain B
  • Domain A and Domain B are in separate forests. There are no child domains of either in play

Some aspects are working

  • I can log in to client tools such as Universe Designer as a user from Domain A or Domain B (PC is in Domain A)
  • I can manually log on to BI Launchpad as a user from Domain A (I am only interested in manual logins for now)
  • At a command line on the server, logged in as the Domain A service account, I can obtain a Kerberos ticket for user1@Domain B using kinit
  • Tomcat starts up cleanly and obtains all Kerberos tickets that I would expect (my idm.princ is the service account from Domain A)

But, I cannot manually log in to BI Launchpad as a user from Domain B.

End users receive the error 'Account information not recognised: The Active Directory Authentication plugin could not authenticate at this time...'

Webapp_BIlaunchpad_trace.000001.glf shows 'GSSException: No valid credentials provided (Mechanism level: Fail to create credential. (63) - No service creds)'

This is my krb5.ini file. I have tried with none, one or the other or both of the capaths entries - the error is the same in all cases. Can't see anything else I could possibly try.

[libdefaults]
default_realm = DOMAINA.COM
dns_lookup_kdc = true
dns_lookup_realm = true
default_tgs_enctypes = rc4-hmac
default_tkt_enctypes = rc4-hmac
forwarding = true

[realms]
DOMAINB.COM = {
    kdc = DC1.DOMAINB.COM
    default_domain = DOMAINB.COM
}
DOMAINA.COM = {
    kdc = DC1.DOMAINA.COM
    default_domain = DOMAINA.COM
}

[capaths]
DOMAINA.COM = {
    DOMAINB.COM = .
}
DOMAINB.COM = {
    DOMAINA.COM = .
}

Any input gratefully received.

Many thanks,

Mike

patelyogesh
Active Contributor
0 Kudos

Hello Michael Radics-Saunders,

It seems this question has been answered previously; you can look through the link below for more information on how to configure it (high level):

https://answers.sap.com/questions/12707200/bi-42-winad-sso-unusual-multiple-domains.html

Thank you

Yogesh

mike-rs
Explorer
0 Kudos

Hi Yogesh,

The question you reference is a previous one of mine raised before we started the upgrade to Win2016. I've read the theory of what goes in the krb5.ini file but, as mentioned above, a capaths entry appears to have no effect on the behaviour I'm seeing so I'm in need of further assistance.

Thanks,

Mike

Accepted Solutions (0)

Answers (2)

mike-rs
Explorer
0 Kudos

Well, I tried it and the capaths entry suggested above has allowed me to get manual WinAD SSO working to the BI Launchpad and in IDT.

Of course that brings us to silent WinAD SSO... which is broken.

I'm hoping though that that is down to duplicate SPNs across my two forests so will iron that out first before posting any further.

Thanks,

Mike

mike-rs
Explorer
0 Kudos

So, it turns out that the domain topology is not as I thought. There is a 3rd domain in play.

DomainA is the only domain in Forest1 and contains the servers and the service account I want to use

DomainB and DomainX are root domains in Forest2 - the users that need to authenticate in to SAP BI are in DomainB

A 2-way Forest trust exists between DomainA and DomainX

A 2-way Tree Root trust exists between DomainB and DomainX

So, firstly:

- do I actually stand a chance of getting this working or am I doomed without a direct Forest trust between DomainA and DomainB?

- if I am in with a chance as things stand then is this the capaths entry that I am looking for?

[capaths]
DOMAINA.COM = {
    DOMAINB.COM = DOMAINX.COM
    DOMAINX.COM = .
}
DOMAINX.COM = {
    DOMAINA.COM = .
    DOMAINB.COM = .
}
DOMAINB.COM = {
    DOMAINA.COM = DOMAINX.COM
    DOMAINX.COM = .
}

Many thanks,

Mike
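As an added illustration (not code from this thread or from SAP), the following parses the [capaths] section of a krb5.ini and resolves the realm chain a client principal must cross to reach the service realm, so a proposed entry like the one above can be checked for missing or asymmetric reverse paths before restarting Tomcat. The sample text and the function names are constructed for this example, and the parser assumes the one-directive-per-line layout used in the thread.

```python
def parse_capaths(text):
    """Parse the [capaths] section of krb5.ini text into {client: {server: [hop, ...]}};
    '.' marks a direct trust (no hops), a repeated key appends further intermediates."""
    capaths, section, client = {}, None, None
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()          # drop comments and whitespace
        if line.startswith('[') and line.endswith(']'):
            section, client = line[1:-1].lower(), None
        elif section != 'capaths' or not line:
            continue
        elif line == '}':
            client = None                            # end of a client-realm stanza
        else:
            key, _, value = (p.strip() for p in line.partition('='))
            if value == '{':
                client = key.upper()
                capaths.setdefault(client, {})
            elif client:
                hops = capaths[client].setdefault(key.upper(), [])
                if value != '.':
                    hops.append(value.upper())
    return capaths

def trust_path(capaths, client, server):
    """Realms crossed, in order, for a `client`-realm principal to get a service ticket
    in `server`; None if [capaths] is silent (krb5 then tries hierarchical traversal)."""
    client, server = client.upper(), server.upper()
    hops = capaths.get(client, {}).get(server)
    return None if hops is None else [client, *hops, server]

def check_symmetry(capaths):
    """(client, server) pairs whose reverse chain is missing or does not mirror the forward one."""
    return [(c, s) for c, targets in capaths.items() for s in targets
            if trust_path(capaths, s, c) != trust_path(capaths, c, s)[::-1]]

# Constructed sample: the three-realm layout described in the last post above.
CAPATHS_INI = """[capaths]
DOMAINA.COM = {
DOMAINB.COM = DOMAINX.COM
DOMAINX.COM = .
}
DOMAINX.COM = {
DOMAINA.COM = .
DOMAINB.COM = .
}
DOMAINB.COM = {
DOMAINA.COM = DOMAINX.COM
DOMAINX.COM = .
}
"""
```

An empty result from check_symmetry means every declared two-way path has a matching reverse entry; a pair in the result is a stanza to add or correct.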