Skip to Content
0

Win AD SSO not working in Win 10 desktops

Oct 18, 2017 at 05:25 PM

326

avatar image
Former Member

Hello Everyone,

I have an issue in performing SSO to BO Launchpad using Win AD in Win 10 machines.It is because of the feature called "Windows Credential guard" which comes along with Win 10.If we disable credential guard, SSO is working fine in Win 10 machines.In case of Win 7 machines, SSO is working fine as expected.But my requirement is to Perform SSO with credential guard in Win 10 because it brings lot of security features.

Also I have performed the BO service account's delegation settings in the below scenarios.

1. Trust this user for delegation to any service(Kerberos only)

Win 7 -----SSO working fine.Win 10(With credential guard)---Not working.

Win 10(Without credential guard)--Working fine.

2. Trust this user for delegation to specified services only. ---Kerberos

Win 7 -----Not working.Win 10(With credential guard)---Not working.

Win 10(Without credential guard)--Not working.

I would be great helpful if you share your experiences in this kind of Win AD SSO issues with Win 10 desktops.

Thanks in advance,

Manhoj

10 |10000 characters needed characters left characters exceeded
* Please Login or Register to Answer, Follow or Comment.

3 Answers

Jawahar Konduru Oct 18, 2017 at 05:49 PM
0

Did you look at this KB article? SAP is saying in the KB ,that it is a Microsoft issue.


2485300 - Windows AD SSO does not work on Windows 10 version client machines

Show 2 Share
10 |10000 characters needed characters left characters exceeded
Former Member

Hi Jawahar,

Thanks for your response.I have tried that, its basically suggesting to use constrained delegation & disabling credential guard.

Constrained delegation --- Not working in Win 7 & 10 machines.

Disabling credential guard--- We cannot go for this option as it involves many security features packaged with our company's security policy.

The next step is to configure constrained delegation working at-least in Win 7 machines, so that we can narrow down further to Win 10 with Microsoft.

Thanks,

Manhoj

0

If you followed KBA 2182400 to setup constrained delegation and it failed then it was not setup properly. To note clients cache their previous kerberos tickets so when setting it up you must clear the cache (dos prompt klist purge) before attempting SSO (also mentioned in that KBA).

-Tim

0
Dell Stinnett-Christy Oct 19, 2017 at 02:23 PM
0

Which browser are you using? Is BI Launchpad set up as a Trusted Site?

You also may want to look at the following SAP Notes:

1379894-Configure IE for SSO

1767654-Configure Firefox for SSO

1887193-Configure Chrome for SSO

-Dell

Share
10 |10000 characters needed characters left characters exceeded
avatar image
Former Member Oct 31, 2017 at 10:34 PM
0

Manhoj, Did you find a solution?

Show 1 Share
10 |10000 characters needed characters left characters exceeded
Former Member

Hi Mahesh,

Still working with SAP.

SAP is trying to push it to Microsoft as it involves constrained delegation.

Regards,

0