Former Member
Oct 15, 2010 at 07:41 PM

AD Authentication across forests


We are working with an environment with 2 AD domains, each in their own forest. The BOE server is installed in DOMAIN1 (BOE 3.1 FP3.1, Tomcat 5.5, Windows 2003 SP2) and can authenticate DOMAIN1 AD users without issue. We can also SSO users in DOMAIN1 into InfoView and successfully log in to Designer using a DOMAIN1 user.

However, users in DOMAIN2 cannot log in to Designer or InfoView. We have successfully run KINIT for both domains, but BOE is being stubborn.

The error when attempting to login to Designer is as follows:

*****************************

[repo_proxy 13] SessionFacade::openSessionLogon with user info has failed(Kerberos target name <service acct's SPN> is unknown. Please contact your system administrator to make sure it's set up properly. (FWM 00003)(hr=#0x80042a01)

******************************

We have attempted using the userID in the following formats:

userID

userID@DOMAIN2

I realize that we cannot SSO the users from another forest, but we could authenticate the users from DOMAIN2 at one point; however, we had to rebuild the server due to other issues we were working on.

Here is our krb5.ini:

[libdefaults]
    default_realm = DOMAIN1
    dns_lookup_kdc = true
    dns_lookup_realm = true
    udp_preference_limit = 1

[domain_realm]
    .domain1 = DOMAIN1
    domain1 = DOMAIN1
    .domain2 = DOMAIN2
    domain2 = DOMAIN2

[realms]
    DOMAIN1 = {
        kdc = DC1.DOMAIN1
        kdc = DC2.DOMAIN1
        kdc = DC3.DOMAIN1
        kdc = DC4.DOMAIN1
        admin_server = DC1.DOMAIN1
        default_domain = DOMAIN1
    }
    DOMAIN2 = {
        kdc = DC1.DOMAIN2
        kdc = DC2.DOMAIN2
        admin_server = DC1.DOMAIN2
        default_domain = DOMAIN2
    }

[capaths]
    DOMAIN2 = {
        DOMAIN1 =
    }

Any thoughts?
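The three krb5.ini sections the post shows are exactly the ones a cross-realm logon depends on: [domain_realm] decides which realm a host (and therefore the service's SPN) belongs to, [realms] supplies the KDCs for each realm, and [capaths] tells the library how a client in one realm reaches a service in another. In MIT krb5 syntax (which Java's krb5.conf parser follows) a direct trust is written with a dot, `DOMAIN2 = { DOMAIN1 = . }`, not with an empty value. The Python below is an added example, not code from the post, from SAP or from any Kerberos library: it parses a krb5.ini, performs the host-to-realm lookup, and lints the client-realm to server-realm path. The embedded config is constructed from the one in the post; DOMAIN1, DOMAIN2 and the DC names are the post's placeholders, and `boe01.domain2` is an assumed host name used only to exercise the lookup.

```python
"""Parse a krb5.ini and check the parts cross-realm Kerberos auth relies on:
host-to-realm mapping, KDCs per realm, and [capaths] trust paths.
Added example; not from the original post or from any Kerberos library."""
import re

# Constructed krb5.ini modelled on the post's (placeholder realm/host names).
SAMPLE_KRB5_INI = """
[libdefaults]
    default_realm = DOMAIN1
    dns_lookup_kdc = true
[domain_realm]
    .domain1 = DOMAIN1
    domain1 = DOMAIN1
    .domain2 = DOMAIN2
    domain2 = DOMAIN2
[realms]
    DOMAIN1 = {
        kdc = DC1.DOMAIN1
        kdc = DC2.DOMAIN1
        admin_server = DC1.DOMAIN1
    }
    DOMAIN2 = {
        kdc = DC1.DOMAIN2
        admin_server = DC1.DOMAIN2
    }
[capaths]
    DOMAIN2 = {
        DOMAIN1 =
    }
"""

def parse_krb5(text):
    """Return {section: {key: value | [values] | {nested}}}.
    Repeated keys (several kdc lines) accumulate into a list;
    'key = {' ... '}' blocks become nested dicts."""
    sections, stack = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(('#', ';')):
            continue
        m = re.match(r'^\[(\w+)\]$', line)
        if m:                                   # new top-level section
            stack = [sections.setdefault(m.group(1), {})]
            continue
        if line == '}':                         # leave nested block
            stack.pop()
            continue
        key, _, value = line.partition('=')
        key, value = key.strip(), value.strip()
        if value == '{':                        # enter nested block
            stack[-1][key] = block = {}
            stack.append(block)
            continue
        target = stack[-1]
        if key in target:                       # repeated key -> list
            prev = target[key]
            target[key] = (prev if isinstance(prev, list) else [prev]) + [value]
        else:
            target[key] = value
    return sections

def realm_for_host(conf, host):
    """[domain_realm] lookup as krb5 does it: exact host first, then the
    host's parent domains with a leading dot, longest suffix first."""
    mapping = {k.lower(): v for k, v in conf.get('domain_realm', {}).items()}
    host = host.lower().rstrip('.')
    if host in mapping:
        return mapping[host]
    labels = host.split('.')
    for i in range(1, len(labels)):
        realm = mapping.get('.' + '.'.join(labels[i:]))
        if realm:
            return realm
    return None

def lint_cross_realm(conf, client_realm, server_realm):
    """Findings for a client in client_realm reaching a service in
    server_realm; an empty list means the config is internally consistent."""
    findings, realms = [], conf.get('realms', {})
    for realm in (client_realm, server_realm):
        block = realms.get(realm)
        if not isinstance(block, dict):
            findings.append(f'[realms] has no block for {realm}')
        elif 'kdc' not in block:
            findings.append(f'[realms] {realm} lists no kdc')
        if realm != realm.upper():
            findings.append(f'realm {realm} is not upper-case (realm names are case-sensitive)')
    paths = conf.get('capaths', {}).get(client_realm)
    if not isinstance(paths, dict) or server_realm not in paths:
        findings.append(f'[capaths] has no {client_realm} -> {server_realm} entry')
        return findings
    value = paths[server_realm]
    for hop in (value if isinstance(value, list) else [value]):
        if hop == '':
            findings.append(f'[capaths] {client_realm} -> {server_realm} has an empty value; '
                            'use "." for a direct trust or name the intermediate realm')
        elif hop != '.' and hop not in realms:
            findings.append(f'[capaths] intermediate realm {hop} has no [realms] block')
    return findings

if __name__ == '__main__':
    conf = parse_krb5(SAMPLE_KRB5_INI)
    print('boe01.domain2 ->', realm_for_host(conf, 'boe01.domain2'))
    for f in lint_cross_realm(conf, 'DOMAIN2', 'DOMAIN1') or ['no findings']:
        print('-', f)
```

Run against the constructed config the linter reports only the empty capaths value; rewriting that line as `DOMAIN1 = .` clears it. The realm lookup is the check to run on the service account's SPN host when the error names an unknown Kerberos target: if the host maps to no realm, or to the wrong one, the ticket request goes to the wrong KDC regardless of the trust path.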