I’m in an environment with multiple domains, but I’ll focus on two (DOMA and DOMB).
DOMA hosts the Business Objects Server and the AD Service accounts for Business Objects. DOMA is the “trusting domain” as it trusts DOMB. DOMB holds many of the user accounts we are trying to authenticate via AD. DOMB does not trust DOMA.
Does Business Objects Enterprise support AD authentication via a “One-Way Selective Trust” where the Business Objects server and service accounts are located in the Trusting Domain?
If anyone else strikes this problem, I’m told the short answer is no, it’s not possible to use AD authentication over a one-way selective trust.
Correction: I may have drawn the wrong conclusion earlier from a confusing support note.
SAP advise that if the domains are in different forests there must be a 2 way transitive trust between the domains for BOXI AD authentication using Kerberos to work. SAP directed me to Business Objects Support Note 1283871 which is badly worded but says BOXI 3.1 supports AD authentication with Kerberos where domains are in different forests. This note applies to Windows Server 2003 and BOXI 3.1.
I’m investigating the feasibility of creating a two-way trust between the domains at the moment, so I haven’t been able to confirm whether this works. Apologies for any confusion.
Hi,
I’ve been down this road and hit the same roadblock. I have been told the same by BO support: a two-way “transitive” trust needs to be enabled for Vintela to work across domains in different forests. We have a “two-way trust” here, meaning the two domains trust each other, but it’s not “transitive”. This is the case for us because our domains are also on different versions. We are a growth-by-acquisition company and one of our divisions, a company we purchased, is actually on a newer version of AD. So we run in “mixed mode” with MS AD 2000 and 2003. I found a note on the MS website saying transitive trusts are not possible across different versions of AD, or at least not possible when 2000 is in play.
So, what did we do about it? A couple of approaches. Those users that are not in the BO domain don’t get SSO. We have to create Enterprise accounts for them and make them log on manually and type in a password.
The second approach is to “front Tomcat with IIS” and use Trusted Authentication in BO. In this case we stood up an IIS box and used the Jakarta ISAPI redirector filter to reroute incoming traffic from IIS on port 80 over to the BO Tomcat server on port 8080. In IIS we turned on Windows Integrated Authentication, which took care of the auth across domains; then in BO, with Trusted Authentication turned on (via the REMOTE_USER entry in the web.xml file), users are just let into BO. There’s a little more to it, and some tips and tricks to optimize the configuration, but I’m doing it in my XI 3.0 system and it’s pretty stable once it’s ironed out.
Also, to see your level of trust, if you have local Admin rights on your BO server you can do Start, Run, MMC, Add Snap-in, choose AD Domains and Trusts, right-click your domain and choose Properties, then the Trusts tab. On the right you should see a column for Transitive with a Yes or No.
Thanks CC for sharing a wonderful post with us. Were you able to do multiple forests, or just a single forest with multiple domains? The reason I am asking is that you mentioned you are on 3.0, and as per BO, you have to be on 3.1 to do the multi-forest arrangement.
Turns out for us we only have users in two domains: our main one, which I’ll call the BO domain since the server is in it, and the other domain, which is in a different forest but non-transitive due to mixed mode, aka different versions of AD. So I guess the answer is no, I haven’t done multi-domain across different forests, or even multi-domain within the same forest. But I believe you’re correct: in 3.1 you can supposedly go across domains of a different forest, but only if you are 100% certain a two-way transitive trust is in place. To do so I believe you’d have to modify the KRB5 file to include the multiple realms and domain controllers.
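One way to turn the MMC trust check and the multi-realm KRB5 file described above into a script. This is an added example, not code from this thread or from SAP/BO documentation: it uses the ActiveDirectory module's Get-ADTrust to classify each trust of the BO server's domain against the condition the thread arrives at (two-way, forest-transitive, and not selective authentication), then writes krb5.ini [realms] and [domain_realm] entries for the BO domain and every usable partner domain. The output path, the [libdefaults] settings and the classification rule are my assumptions; run it on the BO server as a domain user with RSAT installed.

```powershell
# Added example (not from the thread): classify the BO domain's trusts and
# generate krb5.ini realm entries for the domains whose users can get Kerberos SSO.
# Requires the ActiveDirectory module (RSAT) on a domain-joined machine.
Import-Module ActiveDirectory

$krb5Path = 'C:\BO\krb5.ini'   # assumed path; point the Tomcat JVM at it with -Djava.security.krb5.conf
$boDomain = (Get-ADDomain).DNSRoot   # domain of the BO server, e.g. doma.example.com (assumed name)

# Each trust object carries direction, forest transitivity and the selective-authentication flag,
# the same information the AD Domains and Trusts snap-in shows on the Trusts tab.
$trusts = Get-ADTrust -Filter * | Select-Object Name, Direction, ForestTransitive, IntraForest, SelectiveAuthentication, TrustType
Write-Host "Trusts of $boDomain :"
$trusts | Format-Table -AutoSize | Out-Host

$usable   = @()
$unusable = @()
foreach ($t in $trusts) {
    # Same-forest domains are transitive by construction; cross-forest trusts must be
    # bidirectional and forest-transitive, with selective authentication off (assumed rule,
    # following the thread's conclusion that a one-way selective trust does not work).
    $ok = ($t.IntraForest -or
           ($t.Direction -eq 'BiDirectional' -and $t.ForestTransitive -and -not $t.SelectiveAuthentication))
    if ($ok) { $usable += $t } else { $unusable += $t }
}
foreach ($t in $unusable) {
    Write-Host ("No Kerberos SSO for users in {0}: Direction={1} ForestTransitive={2} SelectiveAuthentication={3}" -f
                $t.Name, $t.Direction, $t.ForestTransitive, $t.SelectiveAuthentication)
}

# Build one [realms] entry per usable domain: Kerberos realm = DNS name in upper case,
# KDC = a domain controller discovered for that domain.
$domains = @($boDomain) + @($usable | ForEach-Object { $_.Name })
$realmEntries = foreach ($d in $domains) {
    $realm = $d.ToUpper()
    $kdc = (Get-ADDomainController -DomainName $d -Discover -ForceDiscover).HostName | Select-Object -First 1
    "  $realm = {`n    kdc = $kdc`n    default_domain = $d`n  }"
}
$mapEntries = foreach ($d in $domains) { "  .$d = $($d.ToUpper())`n  $d = $($d.ToUpper())" }

$krb5 = @"
[libdefaults]
  default_realm = $($boDomain.ToUpper())
  dns_lookup_kdc = true
  dns_lookup_realm = true
  udp_preference_limit = 1

[realms]
$($realmEntries -join "`n")

[domain_realm]
$($mapEntries -join "`n")
"@

$krb5 | Set-Content -Path $krb5Path -Encoding ASCII
Write-Host "Wrote $krb5Path for realms: $($domains -join ', ')"
Write-Host $krb5
```

On an older server without the ActiveDirectory module, `nltest /domain_trusts /all_trusts` lists the same trusts with their direction and attribute flags, which you can compare by hand against the rule above. Users in any domain that ends up in the "No Kerberos SSO" list would need Enterprise accounts, as the post describes.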
I tried cross-forest authentication with a one-way selective trust and it didn’t work for me. BO wouldn’t recognise any users or groups in the other domain.
I agree with ccermak. The advice I have from SAP is that it’s a two-way transitive trust or nothing if the domains are in different forests. As a two-way transitive trust is unlikely to happen in my environment, the most likely ‘solution’ for me will be to move the BO server to the domain with the most users and use AD auth there, and run Enterprise auth for everyone else.