on 10-17-2019 5:37 PM
Hi,
I have the following scenario:
Some aspects are working
But, I cannot manually log in to BI Launchpad as a user from Domain B.
End users receive the error 'Account information not recognised: The Active Directory Authentication plugin could not authenticate at this time...'
Webapp_BIlaunchpad_trace.000001.glf shows 'GSSException: No valid credentials provided (Mechanism level: Fail to create credential. (63) - No service creds)'
This is my krb5.ini file. I have tried with none, one or the other or both of the capaths entries - the error is the same in all cases. Can't see anything else I could possibly try.
[libdefaults]
    default_realm = DOMAINA.COM
    dns_lookup_kdc = true
    dns_lookup_realm = true
    default_tgs_enctypes = rc4-hmac
    default_tkt_enctypes = rc4-hmac
    forwarding = true
[realms]
    DOMAINB.COM = {
        kdc = DC1.DOMAINB.COM
        default_domain = DOMAINB.COM
    }
    DOMAINA.COM = {
        kdc = DC1.DOMAINA.COM
        default_domain = DOMAINA.COM
    }
[capaths]
    DOMAINA.COM = {
        DOMAINB.COM = .
    }
    DOMAINB.COM = {
        DOMAINA.COM = .
    }
Any input gratefully received.
Many thanks,
Mike
Well, I tried it and the capaths entry suggested above has allowed me to get manual WinAD SSO working to the BI Launchpad and in IDT.
Of course that brings us to silent WinAD SSO... which is broken.
I'm hoping though that that is down to duplicate SPNs across my two forests so will iron that out first before posting any further.
Thanks,
Mike
So, it turns out that the domain topology is not as I thought. There is a 3rd domain in play.
DomainA is the only domain in Forest1 and contains the servers and the service account I want to use
DomainB and DomainX are root domains in Forest2 - the users that need to authenticate in to SAP BI are in DomainB
A 2-way Forest trust exists between DomainA and DomainX
A 2-way Tree Root trust exists between DomainB and DomainX
So, firstly:
- do I actually stand a chance of getting this working or am I doomed without a direct Forest trust between DomainA and DomainB?
- if I am in with a chance as things stand then is this the capaths entry that I am looking for?
[capaths]
    DOMAINA.COM = {
        DOMAINB.COM = DOMAINX.COM
        DOMAINX.COM = .
    }
    DOMAINX.COM = {
        DOMAINA.COM = .
        DOMAINB.COM = .
    }
    DOMAINB.COM = {
        DOMAINA.COM = DOMAINX.COM
        DOMAINX.COM = .
    }
Many thanks,
Mike
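
An added example, not part of the original thread and not SAP's or the poster's code: a small Python check that parses a [capaths] section and resolves the realm path between a client realm and a server realm, then compares each hop with a list of trusts. It assumes the MIT krb5.conf reading of [capaths] (subsection name is the client realm, each tag is a server realm, each value is an intermediate realm, and "." means a direct hop); the function names are hypothetical and the trust list is transcribed from the topology described in the post.

```python
import re

# Constructed sample: the [capaths] section proposed in the post above.
CAPATHS = """
[capaths]
DOMAINA.COM = {
DOMAINB.COM = DOMAINX.COM
DOMAINX.COM = .
}
DOMAINX.COM = {
DOMAINA.COM = .
DOMAINB.COM = .
}
DOMAINB.COM = {
DOMAINA.COM = DOMAINX.COM
DOMAINX.COM = .
}
"""
# Two-way trusts as described in the post, stored as unordered pairs.
TRUSTS = [{"DOMAINA.COM", "DOMAINX.COM"}, {"DOMAINB.COM", "DOMAINX.COM"}]

def parse_capaths(text):
    """Return {client_realm: {server_realm: [intermediate realms]}}."""
    table, client, in_capaths = {}, None, False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("["):          # section header
            in_capaths = line.lower() == "[capaths]"
            continue
        m = re.fullmatch(r"(\S+)\s*=\s*(\S+)", line) if in_capaths else None
        if m and m.group(2) == "{":       # "CLIENT.REALM = {" opens a subsection
            client = m.group(1)
            table[client] = {}
        elif line == "}":
            client = None
        elif m and client:                # "SERVER.REALM = intermediate-or-dot"
            hops = table[client].setdefault(m.group(1), [])
            if m.group(2) != ".":         # "." means a direct hop, no intermediate
                hops.append(m.group(2))
    return table

def auth_path(table, client, server):
    """Realms crossed from client realm to server realm, or None if unlisted."""
    hops = table.get(client, {}).get(server)
    return None if hops is None else [client, *hops, server]

def untrusted_hops(path, trusts):
    """Adjacent realm pairs on the path that match no listed trust."""
    return [(a, b) for a, b in zip(path, path[1:]) if {a, b} not in trusts]
```

For users in DOMAINB.COM reaching a service in DOMAINA.COM, the relevant lookup is `auth_path(parse_capaths(CAPATHS), "DOMAINB.COM", "DOMAINA.COM")`, and an empty result from `untrusted_hops` means every hop on that path corresponds to a listed trust.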