07-15-2011 3:47 PM
Hello,
We configured SPNego on EP 7.02 with AD domain EMEA.OUR-WORLD.COM, which works very well.
Now I also want to configure the trust relationship to the other domains like AMERICA.OUR-WORLD.COM and APA.OUR-WORLD.COM to log in from these domains too. In the old SPNego modules you can configure this in krb5.conf. But I can't find a file of this name anymore.
How can I do this now?
Thanks for help!
Wolfgang
07-15-2011 4:53 PM
Hi,
I don't think you have something to do from the SAP side.
The trust relationship has to be done for the Windows Domain controllers of the different domains.
This works in my company.
Regards,
Olivier
07-18-2011 8:20 AM
Hi Olivier,
Yes, you are right, there is a trust relationship configured between the three domain controllers.
But how can I tell the SPNego module, if a user is coming from AMERICA.OUR-WORLD.COM, to trust this domain too?
Do I have to define a new realm for each domain with its own keytab file and service user?
Or do I just have to modify the krb5.ini/conf directly? But where can I find this file?
Regards,
Wolfgang
07-19-2011 9:42 AM
Hi Wolfgang,
We don't use the SAP SPNego/Kerberos standard implementation but a SAP certified product because, at the time, SAP Kerberos could only use DES, which was forbidden in my company.
So, I don't know if there is a specific configuration for multiple Windows domains with SAP standard Kerberos.
But I do know that I did not have to configure anything specific to multiple domains for the product I use.
Regards,
Olivier
07-27-2011 7:56 PM
Hi,
As far as I can tell for the new SPNego, for each Domain you just add a new realm at the start of the wizard, then follow the same configuration for the initial realm.
Kind regards,
Cathal
Edited by: Cathal O'Hare on Jul 27, 2011 8:56 PM
07-28-2011 7:02 AM
Hi Cathal,
For my understanding: do I need a new keytab file for each domain controller/domain, with its own service user, to add the realms?
Kind regards
Wolfgang
07-28-2011 9:10 AM
Hi Wolfgang,
As the keytab file depends on the Domain, yes you would have to create one for each domain.
Kind regards,
Cathal
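
The following is an added example, not part of the thread and not SAP code. It reads the keytab files prepared for each realm, reports which expected domain has no key yet, and flags single-DES keys (the weakness mentioned earlier in the thread). It assumes the keytabs are in the MIT 0x0502 format; the portal host name and the key bytes are constructed sample values.

```python
import struct

DES = {1: "des-cbc-crc", 2: "des-cbc-md4", 3: "des-cbc-md5"}  # single-DES enctypes

def _counted(data, p):  # 16-bit length-prefixed string -> (bytes, next offset)
    (n,) = struct.unpack_from(">H", data, p)
    return data[p + 2:p + 2 + n], p + 2 + n

def parse_keytab(data):
    """Return [(realm, principal, enctype)] from a 0x0502-format keytab."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a format 0x0502 keytab")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        if size <= 0:                      # negative size = deleted slot, skip it
            pos += 4 - size
            continue
        p, end = pos + 4, pos + 4 + size
        (ncomp,) = struct.unpack_from(">H", data, p)
        parts, p = [], p + 2
        for _ in range(ncomp + 1):         # realm first, then the name components
            s, p = _counted(data, p)
            parts.append(s.decode())
        (etype,) = struct.unpack_from(">H", data, p + 9)  # skip type, time, kvno
        entries.append((parts[0], "/".join(parts[1:]), etype))
        pos = end
    return entries

def audit(keytabs, expected_realms):
    """Return (realms with no keytab entry, [(principal, DES enctype name)])."""
    seen, weak = set(), []
    for blob in keytabs:
        for realm, princ, etype in parse_keytab(blob):
            seen.add(realm)
            if etype in DES:
                weak.append((f"{princ}@{realm}", DES[etype]))
    return sorted(set(expected_realms) - seen), weak

def make_keytab(realm, comps, etype, key, kvno=3):  # constructed sample data only
    cs = lambda b: struct.pack(">H", len(b)) + b
    body = struct.pack(">H", len(comps)) + b"".join(cs(x.encode()) for x in [realm, *comps])
    body += struct.pack(">IIBH", 1, 0, kvno, etype) + cs(key)
    return b"\x05\x02" + struct.pack(">i", len(body)) + body

REALMS = ["EMEA.OUR-WORLD.COM", "AMERICA.OUR-WORLD.COM", "APA.OUR-WORLD.COM"]
SPN = ["HTTP", "portal.example.com"]       # hypothetical portal host name
SAMPLE = [make_keytab(REALMS[0], SPN, 23, bytes(16)),   # rc4-hmac
          make_keytab(REALMS[1], SPN, 3, bytes(8))]     # des-cbc-md5
```

Calling `audit(SAMPLE, REALMS)` on the constructed data reports APA.OUR-WORLD.COM as missing and the AMERICA entry as a DES key; for real files, pass the bytes read from each keytab instead of `SAMPLE`.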