BO 4.2 - Win AD login with multiple domains only possible with user@DOMAIN.COM?

Hello,

I am implementing Windows AD Single Sign On on a Business Objects Server 4.2 SP5. The Windows Domain Server contains 4 domains:

Domain1.com -> contains the BI Service users

Domain2, 3 and 4.com contain the end users

We followed the instructions very carefully and finally I am able to log in with the BI Service Users of the default domain (Domain1.com) on the BI Launchpad and CMC.

When I want to log in with my user (which is stored in Domain2.com), I am not able to do this without adding username@DOMAIN1.COM (capital letters! case sensitive!).

Is there any other way to change this behaviour? End users shouldn't know which domain they are in, and the case sensitivity is weird.

I was reading all notes regarding 2-way forest trust and so on but didn't find any solution for this one here.

Help would be much appreciated.

Thanks,

Mario

7 Answers

  • Best Answer
    Former Member
    Jan 30, 2018 at 08:41 PM

    Hi Mario,

    For any domain/forest other than the default one, you have to log in to BI applications (CMC, Launchpad, etc.) as user@DOMAIN.COM (Domain should always be in caps), and for client tools (UDT, Webi Rich Client, CR, etc.) you have to use "DOMAIN\user".
    This is by-design behavior (KBA-1476374). If the users don't know their domain names, you can implement SSO (KBA-1631734) and it automatically logs them in (no need to type username and password).


    Regards,

    Nilesh Gawande

  • Former Member
    Jan 31, 2018 at 12:48 PM

    Glad to hear that. SSO for Windows AD does work for multiple domains/forests. It is just that you should have 2-way trust between those forests.

    Regards,

    Nilesh

  • Jan 31, 2018 at 07:53 AM

    Hi Nilesh,

    Thanks for your reply. Finally I was able to solve this by implementing Silent Single Sign On and this is working perfectly.

    I was not sure if Silent SSO should also work with Multi Domain, but finally it does! I missed a configuration file and that's why it didn't work in the very beginning (I missed a "=" in the global.properties file).

    Thanks for your help!

  • May 20 at 12:15 AM

    Hi Mario, would you provide the instructions you followed to configure SSO with multiple domains to access BOBJ?

    Regards
    Jonu Joy

  • May 22 at 12:46 AM

    Thx Mario, SAP told me to map the user from the new domain into the BI system. Do you know how this can be done?

  • May 28 at 04:49 AM

    Thx Mario, after adding the second domain, I am able to manually log in to BI, but the SSO does not seem to work. Have you seen this error before?

    >>>KRBError:
         sTime is Tue May 28 14:10:57 AEST 2019 1559016657000
         suSec is 323216
         error code is 25
         error Message is Additional pre-authentication required
         sname is krbtgt/ABCP.COM@ABCP.COM
         eData provided.
         msgType is 30
    >>>Pre-Authentication Data:
         PA-DATA type = 11
         PA-ETYPE-INFO etype = 23, salt =
    >>>Pre-Authentication Data:
         PA-DATA type = 19
         PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null
    >>>Pre-Authentication Data:
         PA-DATA type = 2
         PA-ENC-TIMESTAMP
    >>>Pre-Authentication Data:
         PA-DATA type = 16
    >>>Pre-Authentication Data:
         PA-DATA type = 15
    KrbAsReqBuilder: PREAUTH FAILED/REQ, re-send AS-REQ
    default etypes for default_tkt_enctypes: 23.
    default etypes for default_tkt_enctypes: 23.
    >>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
    >>> KrbAsReq creating message
    >>> KrbKdcReq send: kdc=WINADC14.SAPCORP.COM TCP:88, timeout=30000, number of retries =3, #bytes=212
    >>> KDCCommunication: kdc=WINADC14.SAPCORP.COM TCP:88, timeout=30000,Attempt =1, #bytes=212
    >>>DEBUG: TCPClient reading 1700 bytes
    >>> KrbKdcReq send: #bytes read=1700

  • Jun 05 at 01:28 AM

    Thx Tim, the issue was resolved after adding the BOBJ host names to IE's trusted sites. The following SAP note has more info: 2043114.

    Jonu Joy

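The Kerberos debug trace posted on May 28 can be triaged mechanically. The sketch below is an added example, not part of the thread or of SAP's tooling: it separates the expected pre-authentication round trip (error code 25 in RFC 4120) from real failures and flags deprecated encryption types. The function name `triage` and the error-code subset are choices made for this example, and the sample input is abridged from the trace quoted above.

```python
import re

# Constructed sample: abridged from the JDK Kerberos debug trace quoted in the thread.
SAMPLE_TRACE = (
    ">>>KRBError: sTime is Tue May 28 14:10:57 AEST 2019 1559016657000 suSec is 323216 "
    "error code is 25 error Message is Additional pre-authentication required "
    "sname is krbtgt/ABCP.COM@ABCP.COM eData provided. msgType is 30 "
    ">>>Pre-Authentication Data: PA-DATA type = 19 PA-ETYPE-INFO2 etype = 23, "
    "salt = null, s2kparams = null "
    "KrbAsReqBuilder: PREAUTH FAILED/REQ, re-send AS-REQ "
    "default etypes for default_tkt_enctypes: 23. "
    ">>> KrbKdcReq send: kdc=WINADC14.SAPCORP.COM TCP:88, timeout=30000, "
    "number of retries =3, #bytes=212 >>> KrbKdcReq send: #bytes read=1700"
)

# Subset of RFC 4120 error codes that show up in SSO troubleshooting.
KRB_ERRORS = {6: "KDC_ERR_C_PRINCIPAL_UNKNOWN", 14: "KDC_ERR_ETYPE_NOSUPP",
              24: "KDC_ERR_PREAUTH_FAILED", 25: "KDC_ERR_PREAUTH_REQUIRED",
              37: "KRB_AP_ERR_SKEW"}
# Code 25 is the KDC asking for pre-authentication: the normal first leg of an AS exchange.
EXPECTED_CODES = {25}
# Deprecated encryption types: single DES (RFC 6649) and RC4 (RFC 8429).
WEAK_ETYPES = {1: "des-cbc-crc", 2: "des-cbc-md4", 3: "des-cbc-md5",
               23: "rc4-hmac", 24: "rc4-hmac-exp"}


def triage(trace):
    """Summarise a JDK krb5 debug trace: errors, weak etypes, KDCs, retry state."""
    errors = []
    for m in re.finditer(r"error code is (\d+).*?sname is (\S+)", trace, re.S):
        code = int(m.group(1))
        errors.append({"code": code, "name": KRB_ERRORS.get(code, "UNKNOWN"),
                       "sname": m.group(2), "expected": code in EXPECTED_CODES})
    etypes = {int(e) for e in re.findall(r"etype = (\d+)", trace)}
    for lst in re.findall(r"default_tkt_enctypes: ([\d ,]+)", trace):
        etypes.update(int(e) for e in re.findall(r"\d+", lst))
    resend = trace.find("re-send AS-REQ")
    return {
        "errors": errors,
        "real_failures": [e for e in errors if not e["expected"]],
        "weak_etypes": sorted(WEAK_ETYPES[e] for e in etypes if e in WEAK_ETYPES),
        "kdcs": sorted(set(re.findall(r"kdc=(\S+) (?:TCP|UDP):(\d+)", trace))),
        # True when the KDC sent bytes back after the pre-authenticated retry.
        "kdc_answered_retry": resend != -1 and "#bytes read=" in trace[resend:],
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_TRACE).items():
        print(f"{key}: {value}")
```

On the posted trace this reports no real failures: code 25 is the KDC requesting pre-authentication and the client retries, so the trace alone does not show why SSO failed. It does show the client negotiating only etype 23 (RC4-HMAC), which is worth reviewing against the domain's encryption policy.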