
BO 4.2 - Win AD login with multiple domains only possible with user@DOMAIN.COM?

Jan 29 at 12:06 PM


Hello,

I am implementing Windows AD Single Sign On on a Business Objects Server 4.2 SP5. The Windows Domain Server contains 4 domains:

Domain1.com -> contains the BI Service users

Domain2, 3 and 4.com contain the end users

We followed the instructions very carefully and finally I am able to log in with the BI Service Users of the default domain (Domain1.com) on the BI Launchpad and CMC.

When I want to log in with my user (which is stored in Domain2.com) I am not able to do this without adding username@DOMAIN1.COM (capital letters! case sensitive!).

Is there any other way to change this behaviour? End users shouldn't know which domain they are in and also the case sensitivity is weird.

Was reading all notes regarding 2-way forest trust and so on but didn't find any solution for this one here.

Help would be much appreciated.

Thanks,

Mario


3 Answers

Best Answer
Former Member Jan 30 at 08:41 PM
1

Hi Mario,

For any other domain/forest than the default one you have to log in to BI applications (CMC, Launchpad, etc.) as user@DOMAIN.COM (Domain should always be in caps) and for client tools (UDT, Webi Rich Client, CR, etc.) you have to use "DOMAIN\user".
This is by-design behavior (KBA-1476374). If the users don't know their domain names you can implement SSO (KBA-1631734) and it automatically logs them in (no need to type username and password).


Regards,

Nilesh Gawande

Former Member Jan 31 at 12:48 PM
1

Glad to hear that. SSO for Windows AD does work for multiple domains/forests. It is just that you should have 2-way trust between those forests.

Regards,

Nilesh

Mario Panzenboeck Jan 31 at 07:53 AM
0

Hi Nilesh,

thanks for your reply. Finally I was able to solve this by implementing Silent Single Sign On and this is working perfectly.

I was not sure whether Silent SSO should also work with Multi Domain but finally it does! I missed a configuration file and that's why it didn't work in the very beginning (I missed a "=" in the global.properties file).

Thanks for your help!

Former Member

Hi Mario,

can you please tell me what configuration file was missing and which changes you made which solved the issue at last?

Thank you very much,

Manfred

0

Hello Manfred,

make sure to enter all Domain Realms in the krb5.ini file.

For example:

[libdefaults]
default_realm = DEFAULT.DOMAIN.COM
dns_lookup_kdc = true
dns_lookup_realm = true
default_tgs_enctypes = rc4-hmac
default_tkt_enctypes = rc4-hmac
udp_preference_limit = 1

[realms]
DEFAULT.DOMAIN.COM ={
default_domain=DEFAULT.DOMAIN.COM
kdc=KDC.COM
kdc=KDC.COM
}
SECOND.DOMAIN.COM ={
default_domain = second.domain.com
kdc = kdc.second.domain.com
kdc = kdc.backup.second.domain.com
}

In the global.properties file we are using the DEFAULT.DOMAIN.COM for the value idm.realm:

sso.enabled=true
siteminder.enabled=false
vintela.enabled=true
idm.realm=DEFAULT.DOMAIN.COM
idm.princ=BIService
idm.allowUnsecured=true
idm.allowNTLM=false
idm.logger.name=simple
idm.logger.props=error-log.properties
idm.keytab=C:/WINDOWS/bosso.keytab

Hope this helps!

Best regards,

Mario

0
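
The two causes named in this thread (a realm missing from krb5.ini and a missing "=" in global.properties) can be checked before restarting the web tier. The script below is an added example, not part of the original posts or of SAP's tooling; `parse_realms` and `check_sso_config` are hypothetical names and both sample files are constructed. It assumes every realm should have an explicit kdc entry, and it flags any line without "=", which is stricter than Java's properties parser (that parser also accepts ":" or whitespace as a separator).

```python
# Added example; both sample files are constructed, modelled on the thread's snippets.
KRB5_INI = """\
[libdefaults]
default_realm = DEFAULT.DOMAIN.COM
[realms]
DEFAULT.DOMAIN.COM = {
  kdc = kdc.default.domain.com
}
second.domain.com = {
  kdc = kdc.second.domain.com
}
"""
GLOBAL_PROPERTIES = """\
vintela.enabled=true
idm.realm=DEFAULT.DOMAIN.COM
idm.princBIService
"""

def parse_realms(krb5_text):
    """Map each realm named under [realms] to its list of kdc entries."""
    section, realm, realms = None, None, {}
    for line in (raw.strip() for raw in krb5_text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            section, realm = line[1:-1].lower(), None
        elif line == "}":
            realm = None
        elif section == "realms" and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            if value == "{":
                realm, realms[key] = key, []
            elif realm is not None and key == "kdc":
                realms[realm].append(value)
    return realms

def check_sso_config(krb5_text, props_text, user_realms):
    """Return the problems found for idm.realm and the given end-user realms."""
    problems, props = [], {}
    for number, line in enumerate(props_text.splitlines(), 1):
        key, sep, value = line.strip().partition("=")
        if sep:
            props[key.strip()] = value.strip()
        elif key and not key.startswith("#"):  # stricter than Java's parser
            problems.append(f"global.properties:{number}: no '=' in {key!r}")
    realms = parse_realms(krb5_text)
    for realm in filter(None, dict.fromkeys([props.get("idm.realm"), *user_realms])):
        if not realms.get(realm):
            hint = " (case mismatch)" if realm.lower() in map(str.lower, realms) else ""
            problems.append(f"krb5.ini: no [realms] entry with a kdc for {realm}{hint}")
    return problems
```

Calling `check_sso_config(KRB5_INI, GLOBAL_PROPERTIES, ["SECOND.DOMAIN.COM"])` on the constructed samples reports both the line without "=" and the lower-case realm stanza.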