I am struggling to get Windows AD authentication with BO XI 3.1 running. Right now I am stuck without any clue what to try next; any help is appreciated.
When I add the user group from the AD in the CMC/Authentication/WindowsAD GUI and try to update, I always get the message:
"Error updating Windows AD authentication properties: The secWinAD plugin failed to look up the account for the group “BOUSER”. Please enter non-local groups as DomainName\GroupName and local groups as \ServerName\GroupName. "
After reading many guides and howtos I did the setup exactly as described by Farhan Jaffery in this post:
I checked the SPN with setspn.exe -L accountname and got the SPNs I set before - all fine
I tried the SPNs:
BOBJCentralMS/MYDOMAIN
BOBJCentralMS/servername.mydomain.com
BOBJCentralMS/servername
(where servername is the name of the server the AD is running on, all case sensitive)
→ no impact
I tested Kerberos with KINIT and checked with KLIST - all fine
The account I use to access AD is entered as MYDOMAIN\accountname and MYDOMAIN as standard domain. This is accepted by the CMC, so I guess that the basic communication between BO and the AD works.
What else can I try?
I work in a test environment with two VMs, one running a Windows 2003 server with the AD and another running the BOXI server.
After spending too much time with this I am pretty frustrated and I really appreciate any help.
Is BOUSER a valid AD group or can you add any group at all?
What about your SIA? Is that configured with a service account?
Can you post answers to the following checklist?
SIA configured with a service account (Act as part of the OS right assigned/)
At least 1 SPN was created
SSO should be enabled in the AD plugin
SPN added to the AD plugin
BO group created (Add test users to this group)
You can login to BO with Deski
The web tier checklist depends on your web server. I have this running on JBoss. There is a fantastic document by Tim Ziemba on the SAP website to set up AD in BO XI 3.1.
Here is the link:
Is BOUSER a valid AD group or can you add any group at all?
Yes, BOUSER is valid but the only group I tried. I can add local groups, but this is not my objective.
What about your SIA? Is that configured with a service account?
No. As the server the SIA is running on is not in the domain the AD runs on, I was not able to select the service account as local admin for the BO server. Is this mandatory? If yes, how do I realise this under my conditions?
SIA configured with a service account (Act as part of the OS right assigned/)
As above.
At least 1 SPN was created
Yes
SSO should be enabled in the AD plugin
Yes
SPN added to the AD plugin
Yes
BO group created (Add test users to this group)
No, this is where I am stuck: “update” in the CMC does not resolve the group.
You can login to BO with Deski
No
I will also check my procedure against the document you mentioned. I appreciate your comments on my answers.