Nov 09, 2017 at 05:05 PM

Unable to load users from a child domain in BI 4.2 SP3 patch 4.

Hi,

I have this issue regarding Windows authentication in BI 4.2 SP3 patch 4. I can't load users from a group that belongs to a child domain.

This is the setup:

Domain AA.local (DC = Windows 2012)

Domain BB.com (DC = Windows 2012)

Domain Childno1.CC.org (DC = Windows 2003)

There is a full two-way trust between AA.local and BB.COM, AA.local and CC.org, BB.com and CC.org.

BO server is in domain AA.local and the user that runs the service comes from AA.local.

There is no problem loading users from domain BB.com and the SSO via BI launchpad is also working for users from domain BB.com. (Kerberos SSO)

But the problem is that I can't load users from Childno1.CC.org. It gives me this error:

“The secWinAD plugin failed to look the account for the group “Childno1\Domain Users”.

I have tried to monitor the traffic via Wireshark when the BO system is trying to locate the group, and there is NO traffic from the BO server towards the DC from the child domain. (Firewall has been checked, and nothing is blocked.)

If I try to load a group from the parent domain instead, “CC\Domain Users”, there is no problem.

I’m quite sure that the SSO also will work, when the BO is able to load the users from the child domain.

Does anybody know if the constellation of mix 2012/2003 is supported?

Any advice / help is highly appreciated.

Here is my krb5.ini file:

[libdefaults]
    default_realm = AA.LOCAL
    dns_lookup_kdc = true
    dns_lookup_realm = true
    default_tgs_enctypes = aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96
    default_tkt_enctypes = aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96
    upd_preference_limit = 1
    forwardable = true

[domain_realm]
    .bb.com = BB.COM
    bb.com = BB.COM
    .CHILDNO1.cc.org = CHILDNO1.CC.ORG
    CHILDNO1.cc.org = CHILDNO1.CC.ORG
    .aa.local = AA.LOCAL
    aa.local = AA.LOCAL
    .cc.org = CC.ORG
    cc.org = CC.ORG

[realms]
    AA.LOCAL= {
        kdc = XXXX.AA.LOCAL
        default_domain = AA.LOCAL
    }
    BB.COM = {
        kdc = XXXX.BB.COM
        default_domain = BB.COM
    }
    CC.ORG = {
        kdc = XXXX.CC.ORG
        default_domain = CC.ORG
    }
    CHILDNO1.CC.ORG = {
        kdc = XXXXX.CHILDNO1.CC.ORG
        default_domain = CHILDNO1.CC.ORG
    }

[capaths]
    CHILDNO1.CC.ORG = {
        AA.LOCAL= CC.ORG
        CC.ORG = .
    }
    AA.LOCAL= {
        CHILDNO1.CC.ORG = CC.ORG
        CC.ORG = .
    }
    CC.ORG = {
        AA.LOCAL= .
        CHILDNO1.CC.ORG = .
    }
    AA.LOCAL= {
        AA.LOCAL= .
        CC.ORG = AA.LOCAL
        CHILDNO1.CC.ORG = CC.ORG
    }

Cheers

Henrik
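
A structural check that can be run over a krb5.ini like the one posted above before testing cross-realm lookups. This is an added example, not part of the original post or of any SAP or Kerberos tooling. The function name `lint_krb5`, the sample (abridged from the posted file), and the short list of recognised `[libdefaults]` keys are assumptions made for the illustration.

```python
import difflib
import re

# Assumed subset of [libdefaults] keys (the ones relevant to the posted file), not a full list.
KNOWN_LIBDEFAULTS = sorted({
    "default_realm", "dns_lookup_kdc", "dns_lookup_realm", "default_tgs_enctypes",
    "default_tkt_enctypes", "udp_preference_limit", "forwardable"})

# Sample abridged from the posted krb5.ini (libdefaults and capaths only).
SAMPLE = """\
[libdefaults]
default_realm = AA.LOCAL
upd_preference_limit = 1
[capaths]
CHILDNO1.CC.ORG = {
AA.LOCAL= CC.ORG
CC.ORG = .
}
AA.LOCAL= {
CHILDNO1.CC.ORG = CC.ORG
CC.ORG = .
}
AA.LOCAL= {
AA.LOCAL= .
CC.ORG = AA.LOCAL
}
"""

def lint_krb5(text):
    """Return (line_number, message) findings for a krb5.ini-style text."""
    findings, section, sub, seen = [], None, None, {}
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:                       # new top-level section
            section, sub = header.group(1), None
        elif line == "}":                # end of a realm subsection
            sub = None
        else:
            key, _, value = (part.strip() for part in line.partition("="))
            if value == "{":             # start of a realm subsection
                if key in seen.setdefault(section, set()):
                    findings.append((n, f"[{section}] subsection {key} defined more than once"))
                seen[section].add(key)
                sub = key
            elif section == "libdefaults" and key not in KNOWN_LIBDEFAULTS:
                hint = difflib.get_close_matches(key, KNOWN_LIBDEFAULTS, n=1)
                tail = f" (closest known key: {hint[0]})" if hint else ""
                findings.append((n, f"unrecognised libdefaults key {key}{tail}"))
            elif section == "capaths" and key == sub:
                findings.append((n, f"capaths {sub} names its own realm as a destination"))
    return findings
```
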