
BI 4.2 WinAD SSO - Cannot Authenticate Users in Remote Forest

Hi,

I have the following scenario:

  • Server is in Domain A (BI 4.2 SP 7)
  • WinAD SSO has been configured around a service account from Domain A
  • All business users requiring access to SAP BI reside in Domain B
  • Domain A and Domain B are in separate forests. There are no child domains of either in play

Some aspects are working

  • I can log in to client tools such as Universe Designer as a user from Domain A or Domain B (PC is in Domain A)
  • I can manually log on to BI Launchpad as a user from Domain A (I am only interested in manual logins for now)
  • At a command line on the server, logged in as the Domain A service account, I can obtain a Kerberos ticket for user1@Domain B using kinit
  • Tomcat starts up cleanly and obtains all Kerberos tickets that I would expect (my idm.princ is the service account from Domain A)

But, I cannot manually log in to BI Launchpad as a user from Domain B.

End users receive the error 'Account information not recognised: The Active Directory Authentication plugin could not authenticate at this time...'

Webapp_BIlaunchpad_trace.000001.glf shows 'GSSException: No valid credentials provided (Mechanism level: Fail to create credential. (63) - No service creds)'

This is my krb5.ini file. I have tried with none, one or the other or both of the capaths entries - the error is the same in all cases. Can't see anything else I could possibly try.

[libdefaults]
default_realm = DOMAINA.COM
dns_lookup_kdc = true
dns_lookup_realm = true
# RC4-only enctypes: weak and deprecated; prefer AES where the domains support it
default_tgs_enctypes = rc4-hmac
default_tkt_enctypes = rc4-hmac
# the libdefaults key is 'forwardable' (there is no 'forwarding' option)
forwardable = true

[realms]
DOMAINB.COM = {
    kdc = DC1.DOMAINB.COM
    default_domain = DOMAINB.COM
}
DOMAINA.COM = {
    kdc = DC1.DOMAINA.COM
    default_domain = DOMAINA.COM
}

[capaths]
DOMAINA.COM = {
    DOMAINB.COM = .
}
DOMAINB.COM = {
    DOMAINA.COM = .
}

Any input gratefully received.

Many thanks,

Mike



2 Answers

  • Posted on Oct 22, 2019 at 09:03 AM

    So, it turns out that the domain topology is not as I thought. There is a 3rd domain in play.

    DomainA is the only domain in Forest1 and contains the servers and the service account I want to use

    DomainB and DomainX are root domains in Forest2 - the users that need to authenticate into SAP BI are in DomainB

    A 2-way Forest trust exists between DomainA and DomainX

    A 2-way Tree Root trust exists between DomainB and DomainX

    So, firstly:

    - do I actually stand a chance of getting this working or am I doomed without a direct Forest trust between DomainA and DomainB?

    - if I am in with a chance as things stand then is this the capaths entry that I am looking for?

    [capaths]
    DOMAINA.COM = {
        DOMAINB.COM = DOMAINX.COM
        DOMAINX.COM = .
    }
    DOMAINX.COM = {
        DOMAINA.COM = .
        DOMAINB.COM = .
    }
    DOMAINB.COM = {
        DOMAINA.COM = DOMAINX.COM
        DOMAINX.COM = .
    }

    Many thanks,

    Mike


  • Posted on Oct 22, 2019 at 02:38 PM

    Well, I tried it and the capaths entry suggested above has allowed me to get manual WinAD SSO working to the BI Launchpad and in IDT.

    Of course that brings us to silent WinAD SSO... which is broken.

    I'm hoping though that that is down to duplicate SPNs across my two forests so will iron that out first before posting any further.

    Thanks,

    Mike

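Added example (not from the thread or from SAP's tooling): a small Python checker that parses the [capaths] section of a krb5.ini, resolves the realm chain a DomainB user's ticket request walks to reach a DomainA service, and flags routes that are not declared consistently from both sides. The sample input is the three-realm block from the first answer, which the second answer confirms works. It checks only the file's internal consistency; it cannot tell whether the AD trusts themselves exist.

```python
# Constructed sample: the three-realm [capaths] block proposed in the thread.
SAMPLE_KRB5_INI = """[capaths]
DOMAINA.COM = {
    DOMAINB.COM = DOMAINX.COM
    DOMAINX.COM = .
}
DOMAINX.COM = {
    DOMAINA.COM = .
    DOMAINB.COM = .
}
DOMAINB.COM = {
    DOMAINA.COM = DOMAINX.COM
    DOMAINX.COM = .
}
"""

def parse_capaths(text):
    """Return {client_realm: {server_realm: [intermediate realms]}}; '.' = direct trust."""
    paths, client, in_capaths = {}, None, False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()           # drop comments
        if line.startswith("["):                       # section header
            in_capaths = line.lower() == "[capaths]"
        elif not line or not in_capaths:
            continue
        elif line == "}":                              # end of a client-realm block
            client = None
        else:
            key, _, value = (s.strip() for s in line.partition("="))
            if value == "{":                           # start of a client-realm block
                client = key
                paths.setdefault(client, {})
            elif client is not None:                   # repeated keys accumulate hops
                hops = [] if value == "." else value.split()
                paths[client].setdefault(key, []).extend(hops)
    return paths

def transit_path(paths, client, server):
    """Realms walked for a principal in `client` needing a service in `server`."""
    hops = paths.get(client, {}).get(server)
    if hops is None:
        raise LookupError(f"no [capaths] route from {client} to {server}")
    return [client, *hops, server]

def unbalanced_routes(paths):
    """Routes whose reverse direction is undeclared or takes a different path."""
    return [f"{c} <-> {s}" for c, servers in paths.items()
            for s, hops in servers.items()
            if paths.get(s, {}).get(c) != hops[::-1]]
```

Run it against the original two-realm krb5.ini from the question and every route is balanced too, which is the point: the file was consistent, it just described a direct trust that does not exist.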
