Former Member

Unable to load users from a child domain in BI 4.2 SP3 patch 4.

Hi,

I have this issue regarding Windows authentication in BI 4.2 SP3 patch 4. I can't load users from a group that belongs to a child domain.

This is the setup :

Domain AA.local (DC = Windows 2012)

Domain BB.com (DC = Windows 2012)

Domain Childno1.CC.org (DC = windows 2003)

There is a full two-way trust between AA.local and BB.COM, AA.local and CC.org, and BB.com and CC.org.

BO server is in domain AA.local and the user that runs the service comes from AA.local.

There is no problem loading users from domain BB.com and the SSO via BI launchpad is also working for users from domain BB.com. (Kerberos SSO)

But the problem is that I can't load users from Childno1.CC.org. It gives me this error:

“The secWinAD plugin failed to look the account for the group “Childno1\Domain Users”.

I have tried to monitor the traffic via Wireshark when the BO system is trying to locate the group, and there is NO traffic from the BO server towards the DC of the child domain. (The firewall has been checked, and nothing is blocked.)

If I try to load a group from the parent domain instead, “CC\Domain Users”, there is no problem.

I’m quite sure that SSO will also work once BO is able to load the users from the child domain.

Does anybody know if the constellation of mixed 2012/2003 is supported?

Any advice / help is highly appreciated.

Here is my krb5.ini file:

[libdefaults]
    default_realm = AA.LOCAL
    dns_lookup_kdc = true
    dns_lookup_realm = true
    default_tgs_enctypes = aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96
    default_tkt_enctypes = aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96
    udp_preference_limit = 1
    forwardable = true

[domain_realm]
    .bb.com = BB.COM
    bb.com = BB.COM
    .CHILDNO1.cc.org = CHILDNO1.CC.ORG
    CHILDNO1.cc.org = CHILDNO1.CC.ORG
    .aa.local = AA.LOCAL
    aa.local = AA.LOCAL
    .cc.org = CC.ORG
    cc.org = CC.ORG

[realms]
    AA.LOCAL = {
        kdc = XXXX.AA.LOCAL
        default_domain = AA.LOCAL
    }
    BB.COM = {
        kdc = XXXX.BB.COM
        default_domain = BB.COM
    }
    CC.ORG = {
        kdc = XXXX.CC.ORG
        default_domain = CC.ORG
    }
    CHILDNO1.CC.ORG = {
        kdc = XXXXX.CHILDNO1.CC.ORG
        default_domain = CHILDNO1.CC.ORG
    }

[capaths]
    CHILDNO1.CC.ORG = {
        AA.LOCAL = CC.ORG
        CC.ORG = .
    }
    AA.LOCAL = {
        CHILDNO1.CC.ORG = CC.ORG
        CC.ORG = .
    }
    CC.ORG = {
        AA.LOCAL = .
        CHILDNO1.CC.ORG = .
    }
    # NOTE: AA.LOCAL appears a second time; "CC.ORG = AA.LOCAL" here conflicts with "CC.ORG = ." in the first stanza
    AA.LOCAL = {
        AA.LOCAL = .
        CC.ORG = AA.LOCAL
        CHILDNO1.CC.ORG = CC.ORG
    }

Cheers

Henrik
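An added example, not part of the question and not SAP's or the BI platform's code: it reads the [capaths] section of the krb5.ini posted above the way the MIT/Java krb5 config format defines it (one intermediate realm per line, "." for a direct trust), reports the repeated AA.LOCAL stanza and any entry that cannot describe a trust path, and returns the intermediate realms the client will list for a client-realm/server-realm pair. The sample string is the question's own [capaths] section; the helper functions are assumed names.

```python
SAMPLE_KRB5_INI = """\
[capaths]
CHILDNO1.CC.ORG = {
    AA.LOCAL = CC.ORG
    CC.ORG = .
}
AA.LOCAL = {
    CHILDNO1.CC.ORG = CC.ORG
    CC.ORG = .
}
CC.ORG = {
    AA.LOCAL = .
    CHILDNO1.CC.ORG = .
}
AA.LOCAL = {
    AA.LOCAL = .
    CC.ORG = AA.LOCAL
    CHILDNO1.CC.ORG = CC.ORG
}
"""  # [capaths] as posted in the question above (other sections omitted)

def parse_capaths(text):
    """Read only [capaths] -> ({client: {server: [values]}}, issues); repeated stanzas are merged."""
    capaths, issues, in_section, client = {}, [], False, None
    for line in (l.split("#", 1)[0].strip() for l in text.splitlines()):
        if line.startswith("["):
            in_section = line.lower() == "[capaths]"
        elif not in_section or line in ("", "}"):
            continue
        elif line.endswith("{"):
            client = line[:-1].partition("=")[0].strip().upper()
            if client in capaths:
                issues.append(f"duplicate [capaths] stanza for {client}")
            capaths.setdefault(client, {})
        else:  # "SERVER = HOP": krb5 allows several lines per server, one hop each
            server, _, value = (p.strip().upper() for p in line.partition("="))
            if value not in capaths[client].setdefault(server, []):
                capaths[client][server].append(value)
    return capaths, issues

def transit_path(capaths, client, server):
    """Intermediate realms for client -> server: [] means direct ('.'), None means no entry."""
    values = capaths.get(client.upper(), {}).get(server.upper())
    return None if values is None else [v for v in values if v != "."]

def check_capaths(capaths):
    """Entries that cannot describe a trust path: a realm's entry for itself, or itself as a hop."""
    return [f"{client} -> {server}: " + ("entry for own realm" if server == client
            else "client realm listed as its own intermediate")
            for client, entries in capaths.items() for server, values in entries.items()
            if server == client or client in values]
```

Run against the posted section, the second AA.LOCAL stanza is reported and its "CC.ORG = AA.LOCAL" line shows up as the client realm being its own hop, while AA.LOCAL -> CHILDNO1.CC.ORG still resolves to the single intermediate CC.ORG.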


2 Answers

  • Former Member
    Nov 10, 2017 at 12:19 PM

    We were able to solve this with a shortcut trust from AA.local to Childno1.CC.ORG. Now we are able to load users.

    But now we have a different problem: distribution of Kerberos tickets to the 2003 domain. The users in that domain aren't receiving anything, and we think it might be because the encryption of the ticket is AES256/128.

    Does anybody know if this setup will ever work?


  • Nov 14, 2017 at 03:27 PM

    Loading groups uses the LDAP protocol, so there is no AES, RC4, etc., but it can be encrypted with SSL/TLS.

    When dealing with Kerberos across a multi-forest domain, you need to follow all the Microsoft requirements so that every process can complete and DNS has all the information it needs.

    For trusts, follow https://apps.support.sap.com/sap/support/knowledge/preview/en/1323391

    and for managing krb5, see https://apps.support.sap.com/sap/support/knowledge/preview/en/1245178

    To note, 2003 was removed from the PAM years ago, so it is technically not supported, but it should work, as most of the AD functionality was designed in 2003.

    You may need to enable Microsoft Kerberos tracing or use packet scanning to see where the failures are occurring...

    Regards,

    Tim
