cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

SSO for SAP BusinessObjects (Vintela) in a single forest multi domain environment

Colt
Active Contributor

on ‎01-25-2019 7:59 AM

0 Kudos

Hi Experts,

before asking this question I have to add, I have already experience with that Launchpad / Vintela / WinAD SSO thingy.

Now I got a new challenge. My customer has one AD forest with some domains (trusting each other). There is a forest root domain, let's call it CUSTOMER.CORP and some other domains on the same level such as CUSTOMER.DE, CUSTOMER.FR, CUSTOMER.CH etc. part of the same forest but with non-contiguous namespaces.

I wasn't able to figure out after doing some research in the SAP KBs two things:

a) where to create the required AD Service Account?

b) must the BO server (Windows) be a member of the CUSTOMER.CORP or not?

My assumption for a) is to create the Service Accounts and SPNs in the forest root domain CUSTOMER.CORP.

The BO server is already there and joined in the CUSTOMER.CH domain. We will start with that setup and I let you know how it will end 😉 If there is someone out there who knows the answers, I would love to learn that.

Thanks and Regards,

Carsten

Show replies
Show replies
Answer

Accepted Solutions (0)

Answers (1)

Answers (1)

BasicTek
Advisor
Advisor
‎02-19-2019 8:33 PM
0 Kudos

The KBA https://apps.support.sap.com/sap/support/knowledge/preview/en/1323391 has the rules, technically the account can be in any of the trusted domains if you are using 2 way forest trusts. If not using two way forest trusts some combinations will not be possible via Microsoft trust rules, and others will be limited. This is for SSO for manual auth the krb5 will decide and the capaths could be a little difficult but should be linked in the above KBA as well

-Tim

Show replies
Show replies
Ask a Question