SSO for SAP BusinessObjects (Vintela) in a single forest multi domain environment

Hi Experts,

Before asking this question, I have to add that I already have experience with that Launchpad / Vintela / WinAD SSO thingy.

Now I've got a new challenge. My customer has one AD forest with some domains (trusting each other). There is a forest root domain, let's call it CUSTOMER.CORP, and some other domains on the same level such as CUSTOMER.DE, CUSTOMER.FR, CUSTOMER.CH etc., part of the same forest but with non-contiguous namespaces.

After doing some research in the SAP KBs, I wasn't able to figure out two things:

a) where to create the required AD Service Account?

b) must the BO server (Windows) be a member of CUSTOMER.CORP or not?

My assumption for a) is to create the Service Accounts and SPNs in the forest root domain CUSTOMER.CORP.

The BO server is already there and joined to the CUSTOMER.CH domain. We will start with that setup and I will let you know how it ends ;) If there is someone out there who knows the answers, I would love to learn that.

Thanks and Regards,

Carsten

1 Answer

  • Feb 19 at 08:33 PM

    The KBA https://apps.support.sap.com/sap/support/knowledge/preview/en/1323391 has the rules. Technically, the account can be in any of the trusted domains if you are using two-way forest trusts. If not using two-way forest trusts, some combinations will not be possible via Microsoft trust rules, and others will be limited. This is for SSO; for manual auth the krb5 will decide, and the capaths could be a little difficult but should be linked in the above KBA as well.

    -Tim
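
An added example, not part of the answer above or of the linked KBA: a krb5.ini sketch of the `[capaths]` section the answer mentions for manual logon, using the domain names from the question. The KDC host names are placeholders, and it assumes the service account lives in CUSTOMER.CH and that the non-contiguous domains reach each other only through the forest root CUSTOMER.CORP.

```ini
# Constructed example. KDC host names are placeholders, not values from the thread.
# Assumption: the BO service account and its SPNs are in CUSTOMER.CH.
[libdefaults]
    default_realm = CUSTOMER.CH

[realms]
    CUSTOMER.CORP = {
        kdc = dc01.customer.corp
    }
    CUSTOMER.CH = {
        kdc = dc01.customer.ch
    }
    CUSTOMER.DE = {
        kdc = dc01.customer.de
    }

[domain_realm]
    .customer.corp = CUSTOMER.CORP
    .customer.ch = CUSTOMER.CH
    .customer.de = CUSTOMER.DE

[capaths]
    # Layout: client realm = { server realm = intermediate realm }
    # A user in CUSTOMER.DE reaches the service realm CUSTOMER.CH
    # by way of the forest root.
    CUSTOMER.DE = {
        CUSTOMER.CH = CUSTOMER.CORP
    }
    # The forest root trusts CUSTOMER.CH directly; "." means no intermediate realm.
    CUSTOMER.CORP = {
        CUSTOMER.CH = .
    }
```

Each further user domain (CUSTOMER.FR and so on) would need its own `[realms]`, `[domain_realm]` and `[capaths]` entries following the CUSTOMER.DE pattern.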
