cancel
Showing results for 
Search instead for 
Did you mean: 

Not able to add groups to Windows AD authentication

Former Member
0 Kudos

I have installed Crystal Server 2008 and am trying to configure Windows AD for authentication. I have added and AD administration name as well as the default domain. The problem I am encountering is that when I try to add any AD group I get the following error: The secWinAD plugin failed to look up the account for the group "DOMAINNAME\GROUP". Please enter non-local groups as DomainName\GroupName and local groups as
ServerName\GroupName.

I have used the "DOMAINNAME\GROUP" format as well as cn=xxxx, dc=xxxxxx, dc=com format with no luck.

Any help you could provide would be appreciated.

Accepted Solutions (1)

Accepted Solutions (1)

BasicTek
Active Contributor
0 Kudos

well, by default the CMS uses netbios names when resolving domains. You can try forcing FQDN by editing the hkeylocalmachine\software\businessobjects\suite 11.5\enterprise\auth plugins\secwinad

add UseFQDNForDirectoryServers (string) choose a value of True and restart the CMS.

Also if you have a user account running the CMS/SIA insure they have local Admin group membership.

Regards,

Tim

Former Member
0 Kudos

I have Crystal Server 2008, so I edited the following key per your suggestion: HKEY_local_machine\software\Wow6432Node\businessobjects\suite 12.0\enterprise\auth plugins\secwinad

After rebooting the server I am getting the same error.

BasicTek
Active Contributor
0 Kudos

OK so we really have very little control when mapping in groups.

You enter the AD query account in the CMC/authentication/windowsAD

then map groups

we can change resolution to force FQDN's with the above string but other than that all calls are made to DNS and it's out of our hands.

Typically if this is the case you would need to open a message with support to get and engineer to webex and try to trace down the problem.

Regards,

Tim

Former Member
0 Kudos

I had everything working with version 11.5, but wanted to upgrade to 2008 since our service account allows us to do so. This may be more work than it is worth. Thanks for you help and I will search the site to find the proper location to open a support ticket. Have a great day!

BasicTek
Active Contributor
0 Kudos

The software/workflow should be exactly the same in CRSR2 and CRS2008. Without looking at the system I'm not sure where it's breaking down.

Do you still have the 11.5 system to compare?

[per case support|https://www.sdn.sap.com/irj/sdn/businessobjects-support]

[SMP Portal|http://service.sap.com/bosap-support]

-Tim

Former Member
0 Kudos

No I do not have the 11.5 version to look at because I originally tried to upgrade that server to 2008 and at the end of the installation it was reccomended that the older version be removed, which I did.

The upgrade did not work, the CMC would not start. After uninstalling and then reinstalling I got the same result. I eventually installed 2008 to another server choosing all of the default settings just to get it to work. My intentions were to get everything setup and then repoint it to a SQL database on another server (ODBC). (Although I am not sure if this is even possible.) As you can see I have not made it that far because I cannot get it to add my AD groups.

2008 seems to be very different than 11.5, i.e. IIS not supported only Java (for CMC and Infoview). This alone causes the AD authentication configuration to change dramatically.

I would greatly appreciate any other advice you may have in dealing with this issue. Thanks

Former Member
0 Kudos

Can you point me to any log files that would be helpful in determining what the issue is?

BasicTek
Active Contributor
0 Kudos

Enable CMS tracing by adding -trace to the command line in the CCM

Also any packet scanner(built in netmon, netmon 3.1, wireshark) would be helpful as the mapping process involves LDAP queries sent from the CMS to AD

-Tim

Former Member
0 Kudos

How do I enable CMS tracing? I am in the CCM but cannot find a way to edit the CMS command line.

Secondly, once tracing is enabled where do I look for the results? In a specific log file?

BasicTek
Active Contributor
0 Kudos

you have to stop the CMS to edit and then BOinstall\Business objects enterprise 12\logging

Answers (0)