on 03-16-2014 7:57 AM
Hi,
We have a BO XI 3.1 SP3 server configured with Windows AD authentication. This setup was done in 2011.
The BO server is in one domain and the service account and the user group are in a different domain.
The following are the SPNs run on the DC:
setspn -A BOBJCentralMS/ADDX135 DIR\SAPBOService-INT
setspn -A HTTP/ADDX135.ddns.XYZ.com DIR\SAPBOService-INT
ADDX135 : is the name of the BOBJ server
DIR\SAPBOService-INT : is the service account
The domain is DIR.ABC.COM
The BOBJ server and AD domain controller domains are in a one-way external trust. SAP says they need to be in a two-way forest trust to be supported, but this is already working on the existing server.
Now I am trying to configure BOBJ on a different server which is in the same domain as the existing BOBJ server. I am using the same service account.
Ran the below SPNs:
setspn -A BOBJCentralMS/ADDX136 DIR\SAPBOService-INT
setspn -A HTTP/ADDX136.ddns.XYZ.com DIR\SAPBOService-INT
After I run these commands, I go to the CMC AD authentication page and try to add the AD Administration name and click on UPDATE.
I get an error: "The domain DIR.ABC.COM does not exist or not accessible"
Then I deleted the SPNs and ran the below:
setspn -A BOBJCentralMS/ADDX136.ddns.XYZ.com DIR\SAPBOService-INT
setspn -A HTTP/ADDX136.ddns.XYZ.com DIR\SAPBOService-INT
This time I am able to add the AD administration name in the CMC.
When I add the group as DIR\BO_Users and give the Kerberos SPN as BOBJCentralMS/ADDX136.ddns.XYZ.com then I get an error: "The secwinAD plugin failed to look up the account for the group "DIR\BO_Users". Please enter non local groups as DomainName\GroupName and local groups as \\servername\GroupName"
This is a production issue; I have a go-live this coming weekend. I raised a ticket with SAP support and they asked me to have a two-way forest trust between the domains, which is not possible for security reasons in my organization.
I will be very thankful if someone can give me a solution...
I have configured AD for many clients with servers and DCs in the same domain. I follow Tim Ziemba's document for configuring AD.
Regards
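An added check, not from the thread or from SAP, for comparing the SPNs the two nodes above would need against what is actually registered on the service account, then listing duplicate SPNs and the domain trusts with their direction. The account, host names and DNS suffix are the ones from the post and are assumptions to adjust; it assumes both the short-name and FQDN forms are wanted, since the working node uses one and the new node the other.

```powershell
# Added example, not from the thread. Names taken from the post; adjust as needed.
$Account   = 'DIR\SAPBOService-INT'
$NodeHosts = @('ADDX135', 'ADDX136')
$DnsSuffix = 'ddns.XYZ.com'
$Services  = @('BOBJCentralMS', 'HTTP')

# Expected set: each service for each node in short-name and FQDN form.
$expected = foreach ($h in $NodeHosts) {
    foreach ($s in $Services) {
        "$s/$h"
        "$s/$h.$DnsSuffix"
    }
}

# setspn -L prints a header line followed by one indented SPN per line.
$registered = setspn -L $Account |
    ForEach-Object { $_.Trim() } |
    Where-Object { $_ -and $_ -notmatch '^Registered ServicePrincipalNames' }

# PowerShell's -contains/-notcontains compare case-insensitively, as Kerberos names do.
$missing = $expected   | Where-Object { $registered -notcontains $_ }
$extra   = $registered | Where-Object { $expected   -notcontains $_ }

'Expected SPNs not registered on the account (Kerberos for that name form will fail):'
$missing
'SPNs on the account outside the expected set (review, may belong to other nodes):'
$extra

# The same SPN on two accounts breaks Kerberos for that service; -X reports duplicates.
'Duplicate SPN check:'
setspn -X

# Trust listing shows direction (Direct Inbound / Direct Outbound), which is what the
# one-way versus two-way question in the thread turns on.
'Trusts seen from this machine''s domain:'
nltest /domain_trusts /all_trusts
```

Run it on the BOBJ node as a user with read rights in the service account's domain; the trust listing alone does not confirm that the two-way forest trust the SAP notes call for is in place, it only shows what exists.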
There must be a full two-way forest trust between all forests that contain users that will be mapped into BusinessObjects. Refer to the note below for the same.
1323391 - What are the requirements to perform SSO or manual authentication from multiple AD forests in XI 3.1
Refer to the note below to check your AD domains' two-way transitive trust.
1384606 - How To view Active Directory Trusts using Microsoft Management Console (mmc).
Try the below in CMC AD:
In AD Administration Credentials, update the user name as below:
Name:DIR.ABC.COM\SAPBOService-INT
Pwd:***
Default Domain:DIR.ABC.COM
In Service principal name:
Once you complete the above activity, add the group as BO_Users.
Hi Prasad,
I am able to add the AD administration name.
I am not able to add the user group. Getting the error:
"The secwinAD plugin failed to look up the account for the group "DIR\BO_Users". Please enter non local groups as DomainName\GroupName and local groups as \\servername\GroupName"
Thanks
Try the below:
1) add only BO_Users, or 2) add BO_Users.DIR.ABC.COM, or 3) DIR.ABC.COM/BO_Users.
If it doesn't solve the issue, try to perform the change below.
1653389 - Active Directory Authentication failed to verify the mapped groups. If the problem persists, please delete and remap into BusinessObjects Enterprise all currently mapped groups
If there is no trust then it would not be possible to get this working.
At least, try to give an external trust.
Then it might work.
Don't forget to create this registry entry on all the nodes where you have a CMS:
1199995 - Error: "The Active Directory Authentication plug in could not authenticate at this time" (FQDN registry key)
-Raunak
Log in to the BO server with the service account.
If it's a 2003 server then go to Run, type dsa.msc, connect to your domain and find the group.
If it is a 2008 server then go to Run, type mmc, connect to your domain and find the group.
Check whether you are able to navigate to the group or not.
Regards,
Raunak
Try to list the SPN in the CMC as serviceaccount@DOMAIN.COM instead of the SPN.