BusinessObjects Board

SSO on Multiple Domain/Forest

Hi All,

We have a question regarding the possibility of having SSO across multiple domains/forests…

Today we have a domain DOM1, and we need to switch to a new domain DOM2. Of course SSO should work for both of them, as users will be members of both domains.

I was able to find several KBs, but it looks like this is possible only if we have a two-way forest trust, and unfortunately this is not our case (we have only a one-way trust between DOM2 and DOM1).

Any ideas or recommendations? Did someone find a workaround?

Thanks to all in advance for your help.

PS: Happy to see that BoB is back!!! :slight_smile:


Hello @Eric.E, and welcome to the updated B :mrgreen: B site!

I’m assuming that your domains are not necessarily child domains, so it is a little trickier to configure. KBA 1245178 - krb5.ini configuration options for Java AD in BI applications talks about this, but with child domains. I’m not sure how helpful that would be.

We currently have two domains configured for our single sign on. I honestly don’t know if there is a one-way or two-way trust between them.

If it helps any, here is the krb5.ini file that we are using:

[libdefaults]
default_realm = DOMAIN1.COM
# KDCs and realm mappings not listed below are resolved through DNS (SRV/TXT records)
dns_lookup_kdc = true
dns_lookup_realm = true
# rc4-hmac is listed first here; it is a legacy cipher, so prefer the AES types
# wherever the service account's keys support them
default_tkt_enctypes = rc4-hmac, aes256-cts-hmac-sha1-96, aes128-cts-hmac-sha1-96
default_tgs_enctypes = rc4-hmac, aes256-cts-hmac-sha1-96, aes128-cts-hmac-sha1-96

[domain_realm]
# Maps DNS domain names to Kerberos realms; DOMAIN2.COM hosts are not mapped here,
# so they rely on dns_lookup_realm above
.DOMAIN1.COM = DOMAIN1.COM
DOMAIN1.COM = DOMAIN1.COM

[realms]
DOMAIN1.COM = {
    default_domain = DOMAIN1.COM
    kdc = DOMAIN1DCHOST1.DOMAIN1.COM
    kdc = DOMAIN1DCHOST2.DOMAIN1.COM
}
DOMAIN2.COM = {
    kdc = DOMAIN2DCHOST1.DOMAIN2.COM
    kdc = DOMAIN2DCHOST2.DOMAIN2.COM
    # the key is default_domain (with an underscore); "default domain" is not recognised
    default_domain = DOMAIN2.COM
}

As per the official SAP documents, it is required to have a two-way trust between the two domains.
The krb5.ini posted by JohnBClark is right and helps enable SSO.
In the same file you can also specify [capaths], where you define the connectivity flow between the two forests. But I guess having a two-way forest trust is necessary for SSO.
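
As an added illustration of the [capaths] point (example configuration written for this page, not taken from any of the posts above or from SAP's documentation): a krb5.ini that declares both realms, maps both DNS domains to their realms so the client does not depend on DNS TXT lookups, and adds a [capaths] section describing a direct path between the two realms. The KDC hostnames are the placeholders from JohnBClark's post; the enctype order and the dns_lookup_realm value are this example's choices.

```ini
# Added example, not from the thread: two-realm krb5.ini with explicit
# domain-to-realm mappings and a [capaths] section for the direct trust path.
# KDC hostnames reuse the placeholders posted above; everything else is assumed.
[libdefaults]
    default_realm = DOMAIN1.COM
    dns_lookup_kdc = true
    # both realms are mapped in [domain_realm] below, so no DNS TXT lookups are needed
    dns_lookup_realm = false
    # AES first; keep rc4-hmac only while a service account still lacks AES keys
    default_tkt_enctypes = aes256-cts-hmac-sha1-96, aes128-cts-hmac-sha1-96, rc4-hmac
    default_tgs_enctypes = aes256-cts-hmac-sha1-96, aes128-cts-hmac-sha1-96, rc4-hmac

[domain_realm]
    # hosts under either DNS domain are mapped to their own realm
    .DOMAIN1.COM = DOMAIN1.COM
    DOMAIN1.COM = DOMAIN1.COM
    .DOMAIN2.COM = DOMAIN2.COM
    DOMAIN2.COM = DOMAIN2.COM

[realms]
    DOMAIN1.COM = {
        kdc = DOMAIN1DCHOST1.DOMAIN1.COM
        kdc = DOMAIN1DCHOST2.DOMAIN1.COM
        default_domain = DOMAIN1.COM
    }
    DOMAIN2.COM = {
        kdc = DOMAIN2DCHOST1.DOMAIN2.COM
        kdc = DOMAIN2DCHOST2.DOMAIN2.COM
        default_domain = DOMAIN2.COM
    }

[capaths]
    # "." means a direct path: no intermediate realm between the two
    DOMAIN1.COM = {
        DOMAIN2.COM = .
    }
    DOMAIN2.COM = {
        DOMAIN1.COM = .
    }
```

[capaths] only tells the client which realm hop to attempt when a principal from one realm requests a ticket for a service in the other; the KDCs must already hold the cross-realm trust keys for that hop. It therefore complements the trust relationship discussed in the posts above rather than replacing it, and it cannot by itself turn a one-way trust into a two-way one.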

Hi both,

Now it is clear: without the two-way trust, SSO on two domains is not possible. Thanks to both of you for your help.

Regards,
Eric