AD Authentication with Multiple Domains

Does anyone know how BO supports authentication with multiple domains? In the settings tab for AD, I notice that there is only one placeholder for a default AD domain. If I put the USA domain as the default domain, how is XI/AD able to authenticate users from other domains such as a European domain? Are there special settings I need to set up to make this work?

Dazed and Confused
:?:


router79 (BOB member since 2007-07-24)

Hi,

Never seen this before. For me impossible using standard feature and not sure if it’s possible using sdk. Did you contact BO Customer Support for that?

Regards

It looks like it is possible but may be tricky to implement.

The user you create in AD for authentication will need to be in a group that crosses multiple domains. Also, because you have to define a default domain, all users of that domain can sign in without a prefix to their user id, i.e. USA/user1. Any other users on another domain will need to put a domain prefix in front of their user name.

I’m thinking though if I get SSO to work, maybe they won’t have to do this whole domain prefix stuff. Since Windows login requires you to define your domain, shouldn’t this pass on to BO to AD back to BO to authenticate the user regardless of their domain?

Will let you guys know if I get SSO to work.

:smiley:


router79 (BOB member since 2007-07-24)

We have this working but we set the default at the top of the tree. All users need to prefix their username with their domain. The only issue we ran into was that the BO app server could not authenticate users outside of its domain. This was fixed by adding all of the domain suffixes in the DNS suffix list in the advanced TCP/IP settings on the network connection.


schromm :us: (BOB member since 2006-03-15)

Hi schromm,

We have come up against the same problem but I don’t really understand exactly what you have done to resolve it. Can you elaborate? (I appreciate this is an old topic; we’re now on XIr3 SP3)

Many thanks,

Steve


steveayres :uk: (BOB member since 2006-11-23)

Hi, We’re testing XIr3 SP3 FP 3.3.

I’m not a Windows AD person so I don’t understand this part: My Windows AD person said that the domains have to have a two-way trust (?). I’m pretty sure this is also what SAP docs state.

We have three different domains (DOMa, DOMb, DOMc). The server is on DOMa. The service account that accesses AD is from DOMa, but it can see DOMb too (part of the same forest?).

DOMa and DOMb have a two-way trust, and I can get Windows AD SSO to work for them. I just add the user group from each domain to Windows AD Authentication in the CMC.

DOMa and DOMc have a one-way trust. DOMc users have to log in using DOMa\username, so it’s using AD but not from DOMc. If they try DOMc\username, they get an AD error. BTW, I think the service account that accesses AD can also see DOMc, but since it’s not a two-way trust, Business Objects Enterprise can’t do Windows AD (SSO or not).

KSG


KSG :us: (BOB member since 2002-07-17)

Moderator Note: Steve, you posted a similar question in another thread. Cross-posting is not allowed on BOB, so I will remove your post from the other thread.


MichaelWelter :vatican_city: (BOB member since 2002-08-08)

Fair enough, Michael. I posted to this one first but thought it was a bit old and the other thread was the same topic. Apologies.


steveayres :uk: (BOB member since 2006-11-23)

No problem, Steve. I’ll let it slide this time, but next time, I may have to feed you to the dragons. :rotf:


MichaelWelter :vatican_city: (BOB member since 2002-08-08)

Steve…I have configured the SSO across multiple domains and it works perfect in XI 3.x. The only thing needed from the AD team is - there should be 2-way trust between domains you are choosing.

The Service Account I used - belongs to same domain in which BO server resides. And there is only 1 service account needed. For configuring SSO, you will need HTTP SPN’s. And for manual authentication, any SPN should work.

The users from other domains…login with user@DOMAIN.COM this format. Hope this helps.

Michael…please be cautious while calling Dragons.

:wink:


nicholas (BOB member since 2008-07-31)
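The two fixes described above (schromm’s DNS suffix list change and the two-way trust, HTTP SPN and user@DOMAIN.COM requirements from KSG and nicholas) can be checked from the BO server before anyone touches the CMC. The following PowerShell script is an added example, not code from this thread or from SAP; it assumes the RSAT ActiveDirectory and DnsClient modules are installed on the server, and the service account name, domain suffixes and probe UPN are constructed placeholders you would replace with your own.

```powershell
# Added example (not from this thread): pre-flight checks for BusinessObjects
# Windows AD authentication across several domains. Run on the BO app server.
# Requires the RSAT ActiveDirectory module and the built-in DnsClient module.
Import-Module ActiveDirectory

# --- constructed placeholders: replace with your own values -------------------
$ServiceAccount  = 'bosvc'                                           # assumed BO service account (sAMAccountName)
$ExpectedDomains = @('doma.example', 'domb.example', 'domc.example') # assumed DNS names of DOMa/DOMb/DOMc
$ProbeUpn        = 'user1@domb.example'                              # assumed user in a non-default domain

# 1. Trust direction. The thread reports that only two-way trusts work for
#    BO Windows AD authentication; a one-way trust (DOMa -> DOMc above) fails.
$trusts = Get-ADTrust -Filter * | Select-Object Name, Direction, ForestTransitive
foreach ($t in $trusts) {
    if ($t.Direction -eq 'BiDirectional') {
        Write-Output "OK: two-way trust with $($t.Name) (forest transitive: $($t.ForestTransitive))"
    } else {
        Write-Warning "Trust with $($t.Name) is '$($t.Direction)'; expect DOMAIN\user logons from there to fail"
    }
}

# 2. DNS suffix search list. schromm fixed cross-domain lookups by adding every
#    domain suffix under Advanced TCP/IP settings; this checks the same list.
$suffixes = (Get-DnsClientGlobalSetting).SuffixSearchList
foreach ($d in $ExpectedDomains) {
    if ($suffixes -contains $d) {
        Write-Output "OK: DNS suffix '$d' is in the search list"
    } else {
        Write-Warning "DNS suffix '$d' missing; add it with Set-DnsClientGlobalSetting -SuffixSearchList"
    }
}

# 3. SPNs on the service account. nicholas notes HTTP SPNs are needed for
#    browser SSO to InfoView, while manual (form) logon works with any SPN.
$spns = (Get-ADUser -Identity $ServiceAccount -Properties servicePrincipalName).servicePrincipalName
$spns | ForEach-Object { Write-Output "SPN on ${ServiceAccount}: $_" }
if (-not ($spns | Where-Object { $_ -like 'HTTP/*' })) {
    Write-Warning "No HTTP/ SPN on $ServiceAccount; SSO to InfoView will not work (manual logon may)"
}

# 4. Resolve a user from another domain by UPN, the user@DOMAIN.COM form that
#    non-default-domain users must type at the InfoView logon screen.
$domainOfProbe = $ProbeUpn.Split('@')[1]
$u = Get-ADUser -Filter "userPrincipalName -eq '$ProbeUpn'" -Server $domainOfProbe -ErrorAction SilentlyContinue
if ($u) {
    Write-Output "OK: resolved $ProbeUpn in $domainOfProbe (sAMAccountName $($u.SamAccountName))"
} else {
    Write-Warning "Could not resolve $ProbeUpn via $domainOfProbe; check the trust and DNS suffix first"
}
```

Run it under the service account or another account that can read each trusted domain; a warning from step 1 or 2 usually explains why a DOMAIN\user or user@DOMAIN.COM logon is rejected before the CMC group mapping is even reached.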

Thanks Nicholas,

So just to clarify, are users from domains other than the service/ server domain able to log in automatically or do they see the login screen?

Cheers,

Steve “Slayer” Ayres :wink:


steveayres :uk: (BOB member since 2006-11-23)

Of course they are able to log on. In fact, when I configured SSO, the Single Sign On was also working fine for users from both domains.

As I said, for manual, they need to login with - user@DOMAIN.COM format. But yes, this was working. 8)


nicholas (BOB member since 2008-07-31)

Let me re-phrase: my requirement is that users from all domains do not see the login screen.

My situation is that I have a WebI report hosted in an iFrame within another web-based system. This system automatically recognises the user and when they click on a link to the report, they should not be asked for any BO login credentials.

Have you mentioned the manual method because some or all of your users do actually have to login, albeit with their AD passwords?

Many thanks,

Steve


steveayres :uk: (BOB member since 2006-11-23)

I don’t have experience with this setup. I was talking about SSO to InfoView…Now, if the system is not recognizing the user…there might be an issue with this system (or indeed between iFrame and BO).

If I understand correctly, this system is now asking for BO login credentials? So what if users provide their credentials? Do they get any error?

Yes…with manual, the users get the InfoView login screen where they provide their AD credentials. And with SSO, the users get into InfoView as soon as they click on the InfoView link.


nicholas (BOB member since 2008-07-31)

Ignore the other system, Nicholas, it’s just background info.

So all of your users in all of your Windows domains use SSO and don’t see the login screen, is that correct?


steveayres :uk: (BOB member since 2006-11-23)

Yes.


nicholas (BOB member since 2008-07-31)

Great, thanks very much.


steveayres :uk: (BOB member since 2006-11-23)

I need help with configuring SSO using LDAP authentication for multiple domains.
I have a 2-way trust between Domain A and Domain B.
I have a group in Domain A, groupA, and a group from Domain B, groupB. When I look at Group A, I can see that Group B is linked to Group A.
In CMC, I mapped Group A, but I can’t see groupB.
What do I need to do to make this work? Or can anyone send me to documentation I can read to make it work?


Aude Freeman :us: (BOB member since 2009-06-19)

Try to map GroupB explicitly in CMC and check the relationship.


nicholas (BOB member since 2008-07-31)

It will not accept Group B. I tried to map it and can’t. It says it cannot find it or something of that sort.


Aude Freeman :us: (BOB member since 2009-06-19)