We are working with an environment with 2 AD domains, each in their own forest. The BOE server is installed in DOMAIN1 (BOE 3.1 FP3.1, Tomcat 5.5, Windows 2003 SP2) and can authenticate DOMAIN1 AD users without issue. We can also SSO users in DOMAIN1 into InfoView and successfully log in to Designer using a DOMAIN1 user.
However, users in DOMAIN2 cannot log in to Designer or InfoView. We have successfully run KINIT for both domains, but BOE is being stubborn.
The error when attempting to login to Designer is as follows:
*****************************
[repo_proxy 13] SessionFacade::openSessionLogon with user info has failed(Kerberos target name <service acct's SPN> is unknown. Please contact your system administrator to make sure it's set up properly. (FWM 00003)(hr=#0x80042a01)
******************************
We have attempted using the userID in the following formats:
userID
userID@DOMAIN2
I realize that we cannot SSO the users from another forest, but we could authenticate the users from DOMAIN2 at one point, but we had to rebuild the server due to other issues we were working on.
Here is our krb5.ini:
[libdefaults]
    default_realm = DOMAIN1
    dns_lookup_kdc = true
    dns_lookup_realm = true
    udp_preference_limit = 1

[domain_realm]
    .domain1 = DOMAIN1
    domain1 = DOMAIN1
    .domain2 = DOMAIN2
    domain2 = DOMAIN2

[realms]
    DOMAIN1 = {
        kdc = DC1.DOMAIN1
        kdc = DC2.DOMAIN1
        kdc = DC3.DOMAIN1
        kdc = DC4.DOMAIN1
        admin_server = DC1.DOMAIN1
        default_domain = DOMAIN1
    }
    DOMAIN2 = {
        kdc = DC1.DOMAIN2
        kdc = DC2.DOMAIN2
        admin_server = DC1.DOMAIN2
        default_domain = DOMAIN2
    }

[capaths]
    DOMAIN2 = {
        DOMAIN1 =
    }
Any thoughts?