
Configure AD authentication in a multi domain environment

Former Member
0 Kudos

Hi,

We have a BO XI3.1 SP3 server configured with Windows AD authentication. This setup was done in 2011.

The BO server is in one domain and the service account and the user group are in a different domain.

The following are the SPNs run on the DC


setspn -A BOBJCentralMS/ADDX135 DIR\SAPBOService-INT

setspn -A HTTP/ADDX135.ddns.XYZ.com DIR\SAPBOService-INT

ADDX135 : is the name of the BOBJ server

DIR\SAPBOService-INT : is the service account

The domain is DIR.ABC.COM

The BOBJ server and AD domain controller domains are in a 1-way external trust. SAP says they need to be in a 2-way forest trust to be supported, but this is already working on the existing server.

Now I am trying to configure BOBJ on a different server, which is in the same domain as the existing BOBJ server. I am using the same service account.

Ran the below SPNs

setspn -A BOBJCentralMS/ADDX136 DIR\SAPBOService-INT

setspn -A HTTP/ADDX136.ddns.XYZ.com DIR\SAPBOService-INT


After I run these commands, I go to the CMC AD authentication page, try to add the AD Administration name and click on UPDATE.

I get an error: "The domain DIR.ABC.COM does not exist or not accessible"


Then I deleted the SPNs and ran the below


setspn -A BOBJCentralMS/ADDX136.ddns.XYZ.com DIR\SAPBOService-INT

setspn -A HTTP/ADDX136.ddns.XYZ.com DIR\SAPBOService-INT


This time I am able to add the AD administration name in the CMC.

When I add the group as DIR\BO_Users and give the Kerberos SPN as BOBJCentralMS/ADDX136.ddns.XYZ.com, then I get an error: "The secwinAD plugin failed to look up the account for the group "DIR\BO_Users". Please enter non local groups as DomainName\GroupName  and local groups as \\servername\GroupName"

This is a production issue; I have a go-live this coming weekend. I raised a ticket with SAP support and they asked me to have a 2-way forest trust between the domains, which is not possible for security reasons in my organization.

I will be very thankful if someone can give me a solution.

I have configured AD for many clients with servers and DCs in the same domain. I follow Tim Ziemba's document for configuring AD.

Regards
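A pre-flight check I would run on the new BOBJ server before touching the CMC, as an added example that is not part of this post: it confirms that exactly the SPNs registered above are present on the service account, scans the forest for duplicate SPNs, and shows which trusts the server's own domain can see and in which direction. The account, host and domain names are the ones from this post; the PowerShell itself is mine and assumes it runs on the BOBJ server as a domain user with the setspn and nltest tools available.

```powershell
# Added example (not from the thread): pre-flight check for the SPN setup described above.
# Names below are taken from the post; run this on the BOBJ server as a domain user.
$ServiceAccount = 'DIR\SAPBOService-INT'
$ExpectedSpns   = @(
    'BOBJCentralMS/ADDX136.ddns.XYZ.com',
    'HTTP/ADDX136.ddns.XYZ.com'
)
$TrustedDomain  = 'DIR.ABC.COM'

# 1. SPNs actually registered on the account. setspn -L prints a header line followed by
#    one indented SPN per line; keep only the indented "service/host" lines.
$registered = (& setspn -L $ServiceAccount 2>&1) |
    Where-Object { $_ -match '^\s+\S+/\S+' } |
    ForEach-Object { $_.Trim() }

'--- SPN registration on {0} ---' -f $ServiceAccount
foreach ($spn in $ExpectedSpns) {
    # -contains is case-insensitive, matching how AD compares SPNs
    if ($registered -contains $spn) { "OK       $spn" } else { "MISSING  $spn" }
}
# Anything registered beyond the expected set is worth knowing about too
# (stale host names, the short-name SPNs from the first attempt, ...).
foreach ($spn in $registered) {
    if ($ExpectedSpns -notcontains $spn) { "EXTRA    $spn" }
}

# 2. The same SPN on two accounts anywhere in the forest leaves the KDC unable to choose a key;
#    the client then sees a generic authentication failure, not a setspn error.
'--- Duplicate SPN scan (setspn -X) ---'
(& setspn -X 2>&1) | Where-Object { $_ -match 'duplicate' }

# 3. Trust visibility from this server's domain. nltest prints one line per trust with its
#    direction flags; the line for DIR is the one that matters here.
'--- Trusts visible from this domain (nltest /domain_trusts) ---'
(& nltest /domain_trusts 2>&1) | Where-Object { $_ -match [regex]::Escape($TrustedDomain) }
```

Two things to read off the output: the SPN typed into the CMC must match one of the "OK" lines exactly, and the direction flags on the DIR line tell you whether this server's domain trusts DIR (outbound from here), which is the direction needed to resolve DIR accounts from this side. On Windows Server 2008 and later, setspn -S registers an SPN only after checking the forest for a duplicate, whereas the -A used in the post adds it unchecked.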


Accepted Solutions (0)

Answers (2)


Former Member
0 Kudos

There must be a full 2-way forest trust between all forests that contain users that will be mapped into BusinessObjects. Refer to the note below.

1323391 - What are the requirements to perform SSO or manual authentication from multiple AD forests in XI 3.1

Refer to the note below to check your AD domains' 2-way transitive trust.

1384606 - How To view Active Directory Trusts using Microsoft Management Console (mmc).

Former Member
0 Kudos

Hi Prasad,

I know that there should be a 2-way forest trust (transitive), but this is not possible in my company.

I have gone through all the SAP notes for multi-forest AD configuration.

Thanks

Former Member
0 Kudos

Try the below in the CMC AD settings:


In AD Administration Credentials update user name as below

Name:DIR.ABC.COM\SAPBOService-INT

Pwd:***

Default Domain:DIR.ABC.COM

In Service principal name:

SAPBOService-INT@DIR.ABC.COM

Once you complete the above activity, add the group as BO_Users.

Former Member
0 Kudos

Hi Prasad,

I am able to add the AD administration name.

I am not able to add the user group. I am getting the error:

"The secwinAD plugin failed to look up the account for the group "DIR\BO_Users". Please enter non local groups as DomainName\GroupName  and local groups as \\servername\GroupName"



Thanks

Former Member
0 Kudos

Try the below:

1) add only BO_Users, or 2) add BO_Users.DIR.ABC.COM, or 3) add DIR.ABC.COM/BO_Users.


If it didn't solve the issue, try to perform the below change.

1653389 - Active Directory Authentication failed to verify the mapped groups. If the problem persists, please delete and remap into BusinessObjects Enterprise all currently mapped groups

Former Member
0 Kudos

Hi Prasad,

I tried this, no luck.

I read all the SAP notes.

Thanks

former_member205064
Active Contributor
0 Kudos

If there is no trust, then it would not be possible to get this working.

At least try to give an external trust; then it might work.

Don't forget to create this registry entry on all the nodes where you have a CMS:

1199995 - Error: "The Active Directory Authentication plug in could not authenticate at this time" (FQDN registry key)

-Raunak

Former Member
0 Kudos

I already mentioned in my post that


"The BOBJ server and AD Domain controller domains are in 1 way external trust. SAP says they need to be in 2 way forest trust to support. but this is already working on the existing server."

Thanks

former_member205064
Active Contributor
0 Kudos

Did you make the FQDN registry key entry on all the CMS servers?

Former Member
0 Kudos

Added the registry key on the server.

Not working.

I even tried configuring LDAP authentication, but no luck.

former_member205064
Active Contributor
0 Kudos

Log in to the BO server with the service account.

If it's a 2003 server, go to Run, type dsa.msc, connect to your domain and find the group.

If it is a 2008 server, go to Run, type mmc, connect to your domain and find the group.

Check whether you are able to navigate to the group or not.

regards,

Raunak
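The browsing check above can be scripted so that it runs in exactly the security context the plug-in uses, as an added example that is not part of this answer: it translates DIR\BO_Users to a SID and then searches the trusted domain over LDAP, which is what dsa.msc and mmc do when you navigate to the group. The domain and group names are the ones from the thread; the PowerShell is mine and assumes it is started on the BOBJ server in a shell launched with runas as the service account.

```powershell
# Added example (not from the thread): reproduce the plug-in's group lookup outside BOBJ,
# in the service account's own security context. Start the shell first with
#   runas /user:DIR\SAPBOService-INT powershell.exe
# Names are the ones from the thread.
$Domain  = 'DIR.ABC.COM'
$NetBios = 'DIR'
$Group   = 'BO_Users'

"Running as: $([System.Security.Principal.WindowsIdentity]::GetCurrent().Name)"

# Step 1: DOMAIN\Group -> SID. This is the cheapest cross-domain lookup and needs the trust
# to be usable from this machine; if it fails here, no setting in the CMC will fix it.
try {
    $nt  = New-Object System.Security.Principal.NTAccount($NetBios, $Group)
    $sid = $nt.Translate([System.Security.Principal.SecurityIdentifier])
    "SID lookup OK:      $($sid.Value)"
} catch {
    "SID lookup FAILED:  $($_.Exception.Message)"
}

# Step 2: LDAP search against the trusted domain, the same operation the MMC snap-in performs
# when you browse to the group. Only the attributes needed for the verdict are requested.
Add-Type -AssemblyName System.DirectoryServices
$root     = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$Domain")
$searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
$searcher.Filter = "(&(objectCategory=group)(sAMAccountName=$Group))"
[void]$searcher.PropertiesToLoad.AddRange([string[]]@('distinguishedName', 'groupType'))

try {
    $hit = $searcher.FindOne()
    if ($null -eq $hit) {
        "LDAP search:        no group named $Group in $Domain"
    } else {
        $dn   = $hit.Properties['distinguishedname'][0]
        $type = [int]$hit.Properties['grouptype'][0]
        # groupType is a bit field: 0x2 global, 0x4 domain local, 0x8 universal;
        # bit 0x80000000 set means security-enabled (a distribution group grants nothing).
        $scope = switch ($type -band 0xE) {
            2 { 'global' } 4 { 'domain local' } 8 { 'universal' } default { 'unknown' }
        }
        $security = if ($type -band 0x80000000) { 'security' } else { 'distribution' }
        "LDAP search OK:     $dn"
        "Group scope/type:   $scope $security group"
    }
} catch {
    "LDAP search FAILED: $($_.Exception.Message)"
}
```

The error quoted in the thread ("failed to look up the account for the group") is the plug-in reporting that one of these two lookups failed for it. Running them under the same account from the same server separates a trust or name-resolution problem (Step 1 fails) from a CMC configuration problem (both steps succeed here but the CMC still refuses the group), and the scope line tells you whether the group is one that can be used from outside its own domain at all.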

former_member189884
Contributor
0 Kudos


Try listing the SPN in the CMC as serviceaccount@DOMAIN.COM instead of the SPN.

Former Member
0 Kudos

Hi Josh,

This did not work.

I tried every possibility, but no luck.

Regards