BusinessObjects Board

BOBJ 4.3 after AD group removed AD update fails with cannot find group

In BIPlatform 4.3 after obsolete AD groups are removed from CMC: Authentication: Windows AD: Mapped AD Member Groups, Windows Active Directory update fails with Invalid group name, cannot find group (S-1-5-…), (S-1-5-…), (S-1-5-…), what is the root cause?

Did you click “Update” on the Windows AD Authentication page in the CMC after you removed the AD Groups? Just removing them from the list doesn’t remove them from Business Objects.

Yes, the update button was clicked.

Seems that BOBJ 4.3 left an orphaned AD SID behind in the SI_MAPPED_GROUPS

Hmm, haven’t heard of that before but it could be a bug in the patch level you are using.

You could try running the Repository Diagnostic Tool and see if it will clean it up. Run a scan first and see if the output lists the AD groups. I know I’ve seen things like removing principals when I’ve run it. I assumed that these were always individuals that had been removed but I suppose it could apply to AD groups.

If you run this query in the Admin tool:
SELECT SI_NAME FROM CI_SYSTEMOBJECTS WHERE SI_KIND = 'UserGroup'

(If the result count is greater than 1000, you should add TOP 3000 or more after SELECT.)

Do you get a result or an error? If you get an error, it gives the name of the group you should remove in CMC-auth-WinAD - group list.

In Windows Event Viewer it is indicated with event ID 60300.
Continue removing until you get a result, not an error.
This happens (to us) when AD group(s) are deleted sooner than removed from that group list in BO…

Had to get SAP engaged. They assisted us to run a tool they provided called RepoMaster.

It seems SAP considers this a bug. Please open a ticket with SAP for assistance.

A workaround (not confirmed by SAP) is:

  • logon to CMC as administrator
  • navigate to Authentication > Windows Active Directory
  • leave Windows AD Authentication enabled
  • under the AD Alias Options > click Cancel Scheduled Updates > click Update to save changes
  • under the AD Group Options > click Cancel Scheduled Updates > click Update to save changes
  • go back up to Mapped AD Member Groups > delete the obsolete AD groups > click Update to save changes
  • set up the AD Alias Options and AD Group Options schedules > click Update to save changes
  • verify that the next AD Alias Options and AD Group Options schedules run clean
1 Like

This workaround will just prevent the issue, not fix it.

This makes sense. If an AD group that is used in Business Objects is removed from Active Directory, the AD group has to be manually removed from Business Objects. The Alias and Group update functionality doesn’t do this. Those options just update the users that are members of the AD groups that have been added under the Mapped AD Member Groups.

This works okay when you know in advance that an AD group is going to be removed and can remove it from Business Objects before it’s removed from Active Directory. Clean up afterward can be done though.

1 Like
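
The posts above describe the update failing on SIDs of groups that were deleted from Active Directory before being unmapped in the CMC. The following is an added example, not part of the thread or any SAP tooling, that checks whether the SIDs named in the error still resolve in AD. It assumes it is run on a domain-joined host in the same forest as the mapped groups; the function names and the sample error text (including its SIDs) are constructed for illustration.

```powershell
# Constructed sample: paste the real CMC error message here instead.
$errorText = 'Invalid group name, cannot find group ' +
    '(S-1-5-21-1111111111-2222222222-3333333333-1105), ' +
    '(S-1-5-21-1111111111-2222222222-3333333333-1106)'

# Hypothetical helper: pull every distinct SID string out of free text.
function Get-SidFromText {
    param([Parameter(Mandatory)][string]$Text)
    [regex]::Matches($Text, 'S-1-\d+(?:-\d+)+') |
        ForEach-Object { $_.Value } |
        Sort-Object -Unique
}

# Hypothetical helper: try to translate a SID to an account name.
# 'Orphaned'     = the domain answered and no such object exists any more.
# 'LookupFailed' = some other error (for example no domain controller reachable),
#                  so the SID must not be treated as orphaned.
function Resolve-SidStatus {
    param([Parameter(Mandatory)][string]$Sid)
    $result = [pscustomobject]@{ Sid = $Sid; Status = $null; Account = $null }
    try {
        $sidObj = New-Object System.Security.Principal.SecurityIdentifier($Sid)
    } catch {
        $result.Status = 'Malformed'
        return $result
    }
    try {
        $result.Account = $sidObj.Translate([System.Security.Principal.NTAccount]).Value
        $result.Status  = 'Resolves'
    } catch {
        # .NET exceptions arrive wrapped; inspect the innermost one.
        $base = $_.Exception.GetBaseException()
        if ($base -is [System.Security.Principal.IdentityNotMappedException]) {
            $result.Status = 'Orphaned'
        } else {
            $result.Status = 'LookupFailed'
        }
    }
    $result
}

Get-SidFromText $errorText |
    ForEach-Object { Resolve-SidStatus $_ } |
    Format-Table -AutoSize
```

SIDs reported as Orphaned correspond to groups that no longer exist in AD; a SID that still resolves points to a different cause than a deleted group.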

SAP Support does not view this as a defect.

Please upvote the following Improvement Request
Title: AD PlugIn Causes SSO Failure
https://influence.sap.com/sap/ino/#/idea/327649

Thanks

After engaging a SAP premium support engineer it was determined that one of the AJS on a processing tier server was having errors when trying to run the BO AD Plugin schedule. And these failures were the root cause of the issue. Once this AJS was taken out of service we were able to successfully remove inactive AD groups and BOBJ cleaned up the orphaned S-numbers.

1 Like