
AD SSO without domain join

Sep 04, 2017 at 07:33 AM


Hi all,

I am facing an issue with configuring AD SSO with BI 4.2. However, it's not a technical issue but rather a fundamental question. The customer is refusing to add the BO server to the domain but wants to configure AD SSO. They claim that it is possible to query AD, run services with domain accounts, etc. even without adding the server to the domain.

I have searched the BI4 Administrators guide and I couldn't find any trace where it would be explicitly written that the BO server needs to be added to domain. However, it references AD and domain in almost every second sentence in that chapter.

Will AD SSO work on a server which has not joined the domain?

Thanks, Erik.


4 Answers

Best Answer
Denis Konovalov
Sep 05, 2017 at 12:49 PM
0

I think the customer misunderstands how domains work.
If the server is not a member of a domain, how would a domain user have any authority on that server?


Yes. The customer finally agreed to add the server to AD.

Erik.

1
Tim Ziemba
Sep 05, 2017 at 03:39 PM
0

If you connect LDAP to AD (https://apps.support.sap.com/sap/support/knowledge/preview/en/1245218) you will lose many of the functions of the AD plugin, but you can read about the limitations in that KBA. Essentially you don't have AD if you are not joined to AD; that goes for server, client, everyone. This is not an SAP requirement but a Microsoft one. Go ask Microsoft how to perform SPNEGO without being joined to or logged into a domain.

But using LDAP we can allow users to log in to BI (if they are in the domain) and even allow SSO using KBA https://apps.support.sap.com/sap/support/knowledge/preview/en/1965433

However, this is more of a workaround than supported or best practice.

regards,

Tim

Jawahar Konduru
Sep 05, 2017 at 01:34 AM
0

Yes. You can configure AD SSO in a multi-domain environment. See the link below.

https://archive.sap.com/discussions/thread/3520608


Hi Jawahar,

Thanks for your comment. The question is addressed more towards whether the BO server needs to be included in the domain at all and not to a different domain/forest.

Erik.

0
Mohammed Ashraf
Sep 05, 2017 at 06:38 AM
0

Without adding the BO server to the domain, how does the server understand the service account user? And importing AD users into the BO server will not be possible.


That is exactly my point. To the best of my knowledge, you won't be able to see the domain hierarchy under Locations when you try to add users - you will see only the localhost and therefore be able to add only local users. There are many other points where, in my opinion, AD SSO indirectly expects the BO server to be in the domain (Kerberos, domain groups, principals, setspn, etc.).

0