Hi,
I have the following scenario:
- Server is in Domain A (BI 4.2 SP 7)
- WinAD SSO has been configured around a service account from Domain A
- All business users requiring access to SAP BI reside in Domain B
- Domain A and Domain B are in separate forests. There are no child domains of either in play
Some aspects are working
- I can log in to client tools such as Universe Designer as a user from Domain A or Domain B (PC is in Domain A)
- I can manually log on to BI Launchpad as a user from Domain A (I am only interested in manual logins for now)
- At a command line on the server, logged in as the Domain A service account, I can obtain a Kerberos ticket for user1@Domain B using kinit
- Tomcat starts up cleanly and obtains all Kerberos tickets that I would expect (my idm.princ is the service account from Domain A)
But, I cannot manually log in to BI Launchpad as a user from Domain B.
End users receives error 'Account informationnot recognised: The Active Directory Authentication plugin could not authenticate at this time...'
Webapp_BIlaunchpad_trace.000001.glf shows 'GSSException: No valid credentials provided (Mechanism level: Fail to create credential. (63) - No service creds)'
This is my krb5.ini file. I have tried with none, one or the other or both of the capaths entries - the error is the same in all cases. Can't see anything else I could possibly try.
[libdefaults]
default_realm= DOMAINA.COM
dns_lookup_kdc = true
dns_lookup_realm = true
default_tgs_enctypes = rc4-hmac
default_tkt_enctypes = rc4-hmac
forwarding = true
[realms]
DOMAINB.COM = {
kdc = DC1.DOMAINB.COM
default_domain = DOMAINB.COM}
DOMAINA.COM = {
kdc = DC1.DOMAINA.COM
default_domain = DOMAINA.COM}
[capaths]
DOMAINA.COM = {
DOMAINB.COM = .
}
DOMAINB.COM = {
DOMAINA.COM = .
}
Any input gratefully received.
Man thanks,
Mike
2 Answers
-
Posted on Oct 22, 2019 at 09:03 AM
So, it turns out that the domain topology is not as I thought. There is a 3rd domain in play.
DomainA is the only domain in Forest1 and contains the servers and the service account I want to use
DomainB and DomainX are root domains in Forest2 - the users that need to authenticate in to SAP BI are in DomainB
A 2-way Forest trust exists between DomainA and DomainX
A 2-way Tree Root trust exists between DomainB and DomainX
So, firstly:
- do I actually stand a chance of getting this working or am I doomed without a direct Forest trust between DomainA and DomainB?
- if I am in with a chance as things stand then is this the capaths entry that I am looking for?
[capaths]
DOMAINA.COM = {
DOMAINX.COM = .
}
DOMAINX.COM = {
DOMAINA.COM = .
DOMAINB.COM = .
}
DOMAINB.COM = {
DOMAINX.COM = .
}
Many thanks,
Mike
Add a comment
-
Posted on Oct 22, 2019 at 02:38 PM
Well, I tried it and the capths entry suggested above has allowed me to get manual WinAD SSO working to the BI Launchpad and in IDT.
Of course that brings us to silent WinAD SSO... which is broken.
I'm hoping though that that is down to duplicate SPNs across my two forests so will iron that out first before posting any further.
Thanks,
Mike
Add a comment
Add a comment