on 10-19-2016 10:57 AM
I have been using the AD authentication.
I use single domain to make redundancy.
※reference:1581958 - Windows AD authentication takes very long time to logon
--------------------
[libdefaults]
default_realm = ABCD.MFROOT.ORG
dns_lookup_kdc = true
dns_lookup_realm = true
[realms]
ABCD.MFROOT.ORG = {
kdc = ABCDIR99.ABCD.MFROOT.ORG ←non-existent domain
kdc = ABCDIR21.ABCD.MFROOT.ORG
kdc = ABCDIR22.ABCD.MFROOT.ORG
kdc = ABCDIR23.ABCD.MFROOT.ORG
default_domain = ABCD.MFROOT.ORG
}
--------------------
In order to test the redundancy, I use a domain that does not exist.
But an error (FWM 00006) is output.
Or can you not test in the absence of a domain?
The bsclogin.conf must have debug=true set at the end of the 2nd line for the Kerberos errors to output to the Tomcat stdout:
com.businessobjects.security.jgss.initiate {
com.sun.security.auth.module.Krb5LoginModule required debug=true;
};
If the non-existent domain is at all reachable (resolves to an IP), then the krb5 will likely time out trying to communicate with it. If it is really non-existent, then it should simply skip it and try the next; the multiple KDCs work like round robin.
For real redundancy using SSO, via KBA https://apps.support.sap.com/sap/support/knowledge/preview/en/2629070 would be the way to go, as that uses DNS instead of the krb5.ini; the krb5 is only used for manual logon, which currently goes through our Java SDK.
-Tim
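As an added example (not code from the post or from SAP), a small Python check that parses the posted krb5.ini, resolves each kdc entry and reports whether a failing KDC will be skipped (name does not resolve) or will stall every manual logon until a timeout (name resolves but nothing answers on the Kerberos port 88). The sample config is a constructed copy of the one in the question; the TCP port-88 probe is an assumption about how reachability is tested.

```python
import socket

# Constructed copy of the krb5.ini from the question (annotation arrow removed).
SAMPLE_KRB5_INI = """[libdefaults]
default_realm = ABCD.MFROOT.ORG
[realms]
ABCD.MFROOT.ORG = {
kdc = ABCDIR99.ABCD.MFROOT.ORG
kdc = ABCDIR21.ABCD.MFROOT.ORG
kdc = ABCDIR22.ABCD.MFROOT.ORG
kdc = ABCDIR23.ABCD.MFROOT.ORG
default_domain = ABCD.MFROOT.ORG
}
"""

def parse_realm_kdcs(text):
    """Return {realm: [kdc host, ...]} from the [realms] section of a krb5.ini."""
    realms = {}
    in_realms, current = False, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and whitespace
        if line.startswith("["):                 # section header
            in_realms = line.lower() == "[realms]"
        elif not in_realms:
            continue
        elif line.endswith("{"):                 # "REALM = {"
            current = line[:-1].split("=", 1)[0].strip()
            realms[current] = []
        elif line == "}":
            current = None
        elif current and line.lower().startswith("kdc"):
            realms[current].append(line.split("=", 1)[1].strip().split(":")[0])
    return realms

def tcp88_open(ip, timeout=2.0):
    try:                                         # assumption: probe TCP/88
        with socket.create_connection((ip, 88), timeout=timeout):
            return True
    except OSError:
        return False

def classify_kdc(host, resolve=socket.gethostbyname, port_open=tcp88_open):
    """'unresolvable': client skips it; 'unreachable': resolves but no KDC answers, so logons wait for a timeout."""
    try:
        ip = resolve(host)
    except OSError:                              # socket.gaierror is an OSError
        return "unresolvable"
    return "reachable" if port_open(ip) else "unreachable"

def audit(text, **kw):
    return {h: classify_kdc(h, **kw) for kdcs in parse_realm_kdcs(text).values() for h in kdcs}
```

Run `audit(SAMPLE_KRB5_INI)` on the BI server itself; any entry reported as "unreachable" is the one that turns the FWM 00006 test into a long logon delay rather than a clean failover.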