Multiple Forests SSO with BO Edge 3.1

I have to set up and configure SSO on a 3.1 Edge with multiple forests. The setup looks like this right now:
BO Servers (call it BOXIServer) are in one forest (call it BODomain.top.local)
AD users and groups on another forest (call it UsersDomain.bottom.local)
My plan is to create 2 service accounts: one service account to integrate the AD and start up the SIA (call it ADServiceSSO) and a second service account to implement Vintela (call it VintelaServiceSSO), as I used to do on the single domain setup.
The questions are:
1. Is it possible to get SSO to work with this type of configuration? (I think I read somewhere that “When operating with multiple forests, the users must be created on the domain in which the BOE server resides”, which is not what I have here!)
2. Should I create the 2 service accounts on the forest where the BO server is (BODomain.top.local), or where the users and groups are (UsersDomain.bottom.local)?
3. How would I formulate the setspn and ktpass commands on this type of configuration?
Would it be true that I can create the 2 service accounts on the BO Servers forest (BODomain.top.local) and the commands would look like this:
setspn.exe -A BOBJCentralMS/BOXIServer.BODomain.top.local ADServiceSSO
Ktpass.exe -princ HTTP/BOXIServer.BODomain.top.local@BODomain.top.local -mapuser VintelaServiceSSO@BOXIServer.BODomain.top.local
Or I can create the 2 service accounts on the users and groups forest (UsersDomain.bottom.local) and the commands would look like this:
setspn.exe -A BOBJCentralMS/BOXIServer.BODomain.top.local ADServiceSSO@UsersDomain.bottom.local
Ktpass.exe -princ HTTP/BOXIServer.BODomain.top.local@BODomain.top.local -mapuser VintelaServiceSSO@UsersDomain.bottom.local
Thanks for your help
Aws

MF requires a 2-way transitive trust, so with this enabled there is no need to span forests with service accounts. 1 account in the same forest as the BO server is fine and straightforward to configure, although you are free to add more as you like.
Everything else is dependent on the 2-way trust, as DNS will have certain records for each other forest that will allow the CMS to query remote forest users and MF users to access the CMS resources, which is what we want.
The rule on groups is to put MF users in groups from their own forest and then map those into BO; adding all users from multiple forests into a single forest group may not work properly in our internal tests.
The last piece seems to be a Microsoft limitation, but when accessing an SSO URL from a remote forest the FQDN must be used for SPN recognition. When the host name or IP is used the request for SPN is sent to the wrong forest and SSO fails.
Regards,
Tim
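
As an added illustration (my own Python, not part of the thread and not a BusinessObjects or Microsoft tool), the check below encodes the two operational points made above: the URL users open must carry the server FQDN so that the HTTP/ SPN is looked up in the right forest, and the SPNs from the question must actually be registered. The account names, host name and SPNs are taken from the question and placed in an in-memory table standing in for a real `setspn -L` query; the additional checks (IP literals, duplicate SPNs across accounts, upper-case realm in a `ktpass -princ` value) are general Kerberos rules rather than statements from the page.

```python
import ipaddress
import re
from urllib.parse import urlparse

# Constructed table standing in for `setspn -L <account>` output: the SPNs
# the question expects on the CMS service account (ADServiceSSO) and on the
# Vintela/HTTP account (VintelaServiceSSO). Names come from the question;
# nothing here queries a real directory.
REGISTERED_SPNS = {
    "ADServiceSSO": ["BOBJCentralMS/BOXIServer.BODomain.top.local"],
    "VintelaServiceSSO": ["HTTP/BOXIServer.BODomain.top.local"],
}

# A dotted name built from valid DNS labels; a bare host name has no dot.
FQDN_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z0-9-]{2,}$", re.I
)


def classify_host(host):
    """Return 'ip', 'short' or 'fqdn' for the host part of a URL."""
    try:
        ipaddress.ip_address(host)
        return "ip"
    except ValueError:
        pass
    return "fqdn" if FQDN_RE.match(host) else "short"


def spn_owners(spn, registered):
    """Accounts carrying `spn`; AD compares SPNs case-insensitively."""
    return [acct for acct, spns in registered.items()
            if spn.lower() in (s.lower() for s in spns)]


def check_sso_url(url, registered=REGISTERED_SPNS):
    """Derive the HTTP/ SPN a browser requests for `url` and check it.

    A client in the user forest builds the SPN from the host in the URL, so
    a short name or an IP literal is resolved in the wrong realm (the
    failure described in the answer); an unregistered or duplicated SPN
    also breaks the ticket request.
    """
    host = urlparse(url).hostname or ""      # urlparse lower-cases the host
    kind = classify_host(host)
    spn = f"HTTP/{host}"
    problems = []
    if kind == "ip":
        problems.append("URL uses an IP literal; the SPN lookup goes to the wrong forest")
    elif kind == "short":
        problems.append("URL uses a short host name; use the server FQDN")
    owners = spn_owners(spn, registered)
    if not owners:
        problems.append(f"{spn} is not registered on any account")
    elif len(owners) > 1:
        problems.append(f"{spn} is registered on several accounts: {owners}")
    return {"spn": spn, "host_kind": kind, "owners": owners, "problems": problems}


def check_princ(princ, registered=REGISTERED_SPNS):
    """Check a ktpass -princ value (service/host@REALM) against the SPN table."""
    m = re.match(r"^([A-Za-z]+)/([^@\s]+)@(\S+)$", princ)
    if not m:
        return ["principal is not of the form service/host@REALM"]
    service, host, realm = m.groups()
    problems = []
    if classify_host(host) != "fqdn":
        problems.append("host part must be the server FQDN")
    if realm != realm.upper():
        # Kerberos realm names are case-sensitive and conventionally upper case.
        problems.append("realm should be written in upper case")
    if not spn_owners(f"{service}/{host}", registered):
        problems.append(f"{service}/{host} is not registered on any account")
    return problems


if __name__ == "__main__":
    for u in ("http://BOXIServer.BODomain.top.local:8080/InfoViewApp",
              "http://BOXIServer:8080/InfoViewApp",
              "http://10.0.0.5:8080/InfoViewApp"):
        print(u, check_sso_url(u)["problems"])
    print(check_princ("HTTP/BOXIServer.BODomain.top.local@BODomain.top.local"))
```

Run against the question's own `ktpass -princ` value, the only finding is the mixed-case realm; run against a URL with a short host name or an IP, it reports both the wrong-forest lookup and the fact that no account holds the SPN the client will ask for.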

Similar Messages

  • Vintela SSO with BOE Edge 3.1 - Document

    Hi All,
    Can anybody help me to find the Document in SAP Notes.
    SAP Notes "1328135: How to configure vintela Single Sign-On with BusinessObjects Edge 3.1"
    When I searched the 'SAP Notes search' with 1328135 it says 'Document Not release'
    Thanks
    Ranjit Krishnan.

    Unfortunately I think you need to remove Edge and reinstall choosing Tomcat. There are other reasons customers are doing this (SAP integration kit compatibility, to get Query Builder back) and the installer does not allow the adding/removing of Tomcat. If not installed on Tomcat, I'm not aware of any steps that have been created to add it manually. Make sure to back up your FRS and CMS DB if you have any system info/reports/folders/etc. to preserve.
    EDIT: I've just received an email and apparently Edge SP3 may be out sooner than I expected. Edge 3.1 and SP2 were 7-8 months behind XI 3.1 SP1 and SP2, but I'm reading that SP3 may be out at the end of this month or shortly after, at which point the releases may be synchronized and BOE patches will also work on Edge. I'll wait for the Edge SP3 release notes to be certain of this, but good news if it's accurate.
    Regards,
    Tim

  • ADFS single sign-on with office 365 and multiple forests

    I have 2 forests with one of them (Forest A) only running Exchange / Office 365 in hybrid mode. The other forest (Forest B) has my AD accounts for everyday user login and work. Is there a way to set up ADFS between these 2 forests in order for Forest B to achieve single sign-on to Office 365? Today users have to log in with separate Office 365 accounts in order to access email and SharePoint. Short of migrating Forest A into Forest B and getting down to one forest / domain, is there anything else we can do to achieve single sign-on?

    Hi,
    Based on my research, we can have one ADFS farm servicing multiple forests, here are some related articles below for your references:
    Multi-forest and Multi-tenant scenarios with Office 365
    http://blogs.technet.com/b/educloud/archive/2013/08/02/multi-forest-and-multi-tenant-scenarios-with-office-365.aspx
    Hybrid Deployment Prerequisites
    http://technet.microsoft.com/en-us/library/hh534377(v=exchg.150).aspx
    SupportMultipleDomain switch, when managing SSO to Office 365
    http://blogs.technet.com/b/abizerh/archive/2013/02/06/supportmultipledomain-switch-when-managing-sso-to-office-365.aspx
    For more information about Office 365, I suggest you refer to Office 365 community below:
    http://community.office365.com/en-us/f/default.aspx
    Best Regards,
    Amy

  • LDAP Synchronisation with CUCM with multiple forest

    Hello,
    We have CUCM 10.5.
    We want to add multiple forests to CUCM (we have multiple companies with different domain names) using LDAP authentication so all the users/passwords sync with CUCM.
    We have as distinguished name CN=xxxx,CN=Users,DC=xxx,DC=local and as search base CN=xxxx,CN=Users,DC=xxx,DC=local.
    Can we add in the distinguished name and search base the information for multiple forests using the same username/password?
    If it is not possible, is there an easy way to achieve that?
    Any help would be appreciated.
    Thank you

    http://www.cisco.com/c/en/us/td/docs/voice_ip_comm/cucm/srnd/collab10/collab10/directry.html#pgfId-1133454

  • People Picker search order with multiple forest domains

    I have a customer with a multiple forest domain environment. Now the problem is that all users from one domain are synced to the resource domain (Domain A) where SharePoint is installed.
    The People Picker now finds the user in Domain A, where SharePoint is installed, first. My solution is to specify the search order in People Picker so that first all users in Domain B are returned and, if there is nothing, Domain A is returned.
    All SharePoint servers have network access to the other domains, and there is a two-way trust configured.
    Any Solution for that?
    Thanks for your feedback!
    P.

    Regardless of search order, you would get both results returned. Have you tried using the UserAccountDirectoryPath property on the Site Collection to specify DC=domainB,DC=com?
    Trevor Seward
    Nice to know that I can set it up per site collection. But it does not work in my case: it indeed returned users from Domain B, but Domain A, C, D and F (examples) are excluded from People Picker.

  • Bursting with BO EDGE ?

    How can we do bursting with BO EDGE?
    I have a Crystal Report (2008) which extracts data from SAP through the SAP integration kit. I also have BO EDGE 3.0 and I would like to publish this report to many sales reps with their own data. I know that with BO Enterprise there is a publication feature that allows this, but I cannot see it in EDGE. Could you explain step by step how to do bursting with Edge 3.0 and Crystal Reports 2008?
    thanks in advance.

    In the document "Crystal Reports 2008 User's Guide" I can read:
    "Advanced report publishing
    Also known as report bursting, this new advanced-publishing feature is a platform for the mass distribution of personalized content. Multiple reports can be created based on different data sources, combined into one desired file format (for example, PDF), loaded with personalized content, and then sent to a dynamic list of recipients—all in one action. The content can be archived, printed, or emailed in separate actions, or simultaneously. This feature makes scheduling much faster and easier, and provides the ability to conduct cost effective one-on-one marketing campaigns and other personalized high-volume reporting.
    Note: This feature is available only with a BusinessObjects Enterprise Release 3 server environment."
    Then, I repeat my question because we don't have BO Enterprise: can we do bursting with BO Edge Series 3.0 or 3.1?
    I'm asking because even though there's a note, sometimes it's confusing between Enterprise and Edge.

  • Localhost issue with Adobe Edge Inspect on iPhone

    I'm synching up multiple devices to use Adobe Edge Inspect.
    I downloaded and installed:
    Chrome extension.
    Adobe Edge Inspect on Android (on a Samsung Galaxy Tablet)
    Adobe Edge Inspect on iPhone 4
    I am using a Windows 64bit OS.
    When I inspect online websites, both the tablet and iPhone synch.
    I have a local instance of Tomcat.
    I have a very simple index.html (Hello World in it).
    When I use in my chrome browser localhost:8080 my Android tablet is synched
    The iPhone does not synch, and I get a request timeout.
    I also attempted using the IP Address instead of localhost with the same result.
    The iPhone is synching with sites that I access that are hosted on the web.
    How can I get it to synch using Tomcat so that I can use my localhost instance?
    Thanks

    This is pretty strange. I think you should try making sure Windows Firewall and any other firewall or virus protection software is off and try again to see if you get a different result with your local apache server.
    Let us know if that helps. If not we'll see if we can come up with any other ideas.
    Mark

  • Did you know the tablets are now available with the Edge program?

    While tablets are now able to be purchased with the Edge, the Device Payment Plan has been discontinued. So, if you want to pay over 12 months, to keep unlimited data, you are out of luck. Either full price, or lose it and use Edge.
    Just another way for Verizon to get rid of unlimited.

    I would check again. The problem is when you went to a corporate store and that is the only way to get it. The stores were telling customers that Verizon's device payment plan was only for tablets.
    That is the first lie on their parts. The second thing the store would tell customers that if you used the plan you would still lose unlimited data, lie two.
    You could not grandfather in a plan such as the device payment plan. Grandfathered to whom? Those who already choose it and are on it?  Those who got grandfathered in how? Maybe a wrong choice of word in your post.
    Like Ann154 the plan is still showing on the Verizon wireless site.
    I also called my former account executive at Verizon and he said he knew of no discontinuance of the program.
    So unless you have advance information via working for Verizon wireless I would wait for the news release.
    In your case I would go to a corporate store and insist on them honoring the Device Payment Plan. Maybe mention your attorney, or a state regulatory agency etc.
    Good Luck

  • 10g - how to configure sso with iis-

    Hi experts, I have followed the Oracle® Business Intelligence Enterprise Edition Deployment Guide to configure SSO with IIS,
    but I always get this message:
    Not Logged In
    You are not currently logged in to the Oracle BI Server.
    If you have already logged in, your connection might have timed out, or a communications or server error may have occurred
    what steps are missing?
    how to check?

    hi, experts,
    I checked C:\OracleBIData\web\log\sawlog0.log on the obi server (windows server 2003 standard).
    At Thu Feb 17 14:48:46 2011, I logged in to OBI from another machine (not via the browser on the OBI server).
    However, the log shows the login user as the administrator of the OBI server (obiserver\administrator).
    Is any setup on IIS wrong? Thank you very much!
    =========================================================================================
    Running job 'MinutelyMonitor' took 7422 milliseconds, 12.3% of job's frequency (60 seconds).
    Type: Error
    Severity: 40
    Time: Thu Feb 17 14:48:46 2011
    File: project/webodbcaccess/odbcconnectionimpl.cpp Line: 371
    Properties: ConnId-1,1;ThreadID-1796
    Location:
         saw.odbc.connection.open
         saw.connectionPool.getConnection
         saw.subsystem.security.checkAuthenticationImpl
         saw.threadPool
         saw.threads
    Odbc driver returned an error (SQLDriverConnectW).
    State: 08004. Code: 10018. [NQODBC] [SQL_STATE: 08004] [nQSError: 10018] Access for the requested connection is refused.
    [nQSError: 43001] Authentication failed for obiserver\administrator in repository Star: invalid user/password. (08004)
    Type: Error
    Severity: 42
    Time: Thu Feb 17 14:48:46 2011
    File: project/webconnect/connection.cpp Line: 276
    Properties: ThreadID-1796
    Location:
         saw.connectionPool.getConnection
         saw.subsystem.security.checkAuthenticationImpl
         saw.threadPool
         saw.threads
    Authentication Failure.
    Odbc driver returned an error (SQLDriverConnectW).
    ---------------------------------------

  • SSO with Logon Ticket to non-SAP Unix based application

    Hi all,
    Has anyone implemented SSO with Logon Ticket to a Unix box?
    We need to achieve Single Sign On between our EP5.0 SP5 Portal and a third-party web application with a front-end on a Unix AIX machine with Apache.
    We achieved SSO with non-SAP applications with Logon Tickets, but one was to an IIS system in another domain (we therefore used the standard Web Filter for IIS and declared it in usermanagement for cross-domain support) and another one running on Windows platform (we used the C libraries provided in the "Logon Ticket Toolkit": NT or Linux only).
    From what we understand and found on the web sites, we cannot reuse any standard web filter (none for Unix, am I correct???) and want to implement custom code using SAP libraries, if possible using Java.
    -> Are there any Java libraries that are available to both:
    . verify the logon ticket with the deployed Portal public key
    . decrypt/extract the authenticated username from this ticket ??
    I've seen a mention of Java libraries, and Unix, in a SAP EP 6.0 document but I'm not sure where to find them...
    Is the SAP Logon Ticket issued the same way in EP 5.0 and EP 6.0 ?
    I managed to find something called SAPSSOEXT, for AIX, which contains a partial library and a sample, but it is dated 2000!! Does anyone have more information about this?
    Any hint is very much appreciated.
    Thanks a lot
    Olivier

    Check these links for reference regarding AIX and Apache using X.509 certificates:
    http://publib16.boulder.ibm.com/pseries/en_US/aixbman/security/cas_pki.htm
    And just using cookies -
    http://forums.devshed.com/archive/t-105611 (perl based)
    You can also use mod_ssl built into your Apache to facilitate both certificate based authentication as well as encryption.
    The mod_ssl route is most secure (because of the encryption), the IBM link is comprehensive but requires extra infrastructure (LDAP).
    Nick

  • SSO with KRB/ADS on Enterprise Portal 7

    Dear All
    While I am trying to configure SSO with KRB/ADS on Enterprise Portal 7 I am getting this in the trace file. I completed the configuration through SPNego, and when I try to log in it's prompting for user name and password.
    I have attached the trace file extract for your advice.
    Regards
    Buddhike
    #1.5 #001CC45E6DA0008000000004000054FC00044F76844D9013#1213270351029#com.sap.engine.services.security.authentication.logincontext#
    sap.com/com.sap.security.core.admin
    #com.sap.engine.services.security.authentication.logincontext#Guest#0####3e642d50387311ddc2a0001cc45e6da0#Thread[Thread-110,5,SAPEngine_Application_Thread[impl:3]_Group]#
    #0#0#Error#1#/System/Security/Authentication#Plain###
    LOGIN.FAILED User:N/A Authentication Stack:com.sun.security.jgss.accept
    Login Module                                      Flag      Initialize  Login      Commit  Abort  Details
    1. com.sun.security.auth.module.Krb5LoginModule   OPTIONAL  ok          exception          false  null#
    #1.5 #001CC45E6DA0006E00000029000054FC00044F76844D95C5#1213270351029#com.sap.engine.services.security.authentication.loginmodule.spnego.SPNegoLoginModule#sap.com/com.sap.security.core.admin#com.sap.engine.services.security.authentication.loginmodule.spnego.SPNegoLoginModule#Guest#0####3e669e50387311dda053001cc45e6da0#SAPEngine_Application_Thread[impl:3]_2##0#0#Error##Java###Acquiring credentials for realm KEELLS.INT failed
    [EXCEPTION]
    #1#GSSException: No valid credentials provided (Mechanism level: Attempt to obtain new ACCEPT credentials failed!)
         at sun.security.jgss.krb5.Krb5AcceptCredential.getKeyFromSubject(Krb5AcceptCredential.java:189)
         at sun.security.jgss.krb5.Krb5AcceptCredential.getInstance(Krb5AcceptCredential.java:80)
         at sun.security.jgss.krb5.Krb5MechFactory.getCredentialElement(Krb5MechFactory.java:75)
         at sun.security.jgss.GSSManagerImpl.getCredentialElement(GSSManagerImpl.java:149)
         at sun.security.jgss.GSSCredentialImpl.add(GSSCredentialImpl.java:334)
         at sun.security.jgss.GSSCredentialImpl.<init>(GSSCredentialImpl.java:44)
         at sun.security.jgss.GSSManagerImpl.createCredential(GSSManagerImpl.java:102)
         at com.sap.security.core.server.jaas.spnego.util.ConfigurationHelper.acquireCredentialsInCurrentThread(ConfigurationHelper.java:236)
         at com.sap.security.core.server.jaas.spnego.util.ConfigurationHelper.access$000(ConfigurationHelper.java:29)
         at com.sap.security.core.server.jaas.spnego.util.ConfigurationHelper$RunnableHelper.run(ConfigurationHelper.java:337)
    Caused by: com.sap.engine.services.security.exceptions.BaseLoginException: Access Denied.
         at com.sap.engine.services.security.login.FastLoginContext.login(FastLoginContext.java:297)
         at com.sap.engine.system.SystemLoginModule.login(SystemLoginModule.java:90)
         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
         at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
         at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
         at java.lang.reflect.Method.invoke(Method.java:324)
         at javax.security.auth.login.LoginContext.invoke(LoginContext.java:675)
         at javax.security.auth.login.LoginContext.access$000(LoginContext.java:129)
         at javax.security.auth.login.LoginContext$4.run(LoginContext.java:610)
         at java.security.AccessController.doPrivileged(Native Method)
         at javax.security.auth.login.LoginContext.invokeModule(LoginContext.java:607)
         at javax.security.auth.login.LoginContext.login(LoginContext.java:534)
         at sun.security.jgss.LoginUtility.run(LoginUtility.java:57)
         at java.security.AccessController.doPrivileged(Native Method)
         at sun.security.jgss.krb5.Krb5AcceptCredential.getKeyFromSubject(Krb5AcceptCredential.java:186)
         ... 9 more
    Caused by: com.sap.engine.services.security.exceptions.BaseSecurityException: Internal server error. An error log with ID [001CC45E6DA0008000000001000054FC00044F76844D8A3F] is created. For more information contact your system administrator.
         at com.sap.engine.services.security.login.ModulesProcessAction.run(ModulesProcessAction.java:156)
         at java.security.AccessController.doPrivileged(Native Method)
         at com.sap.engine.services.security.login.FastLoginContext.login(FastLoginContext.java:181)
         ... 23 more

    Hi,
    please check if the options defined in the Krb5LoginModule are correct.
    First of all check the option principal. Did you provide this option, and did you provide the correct value?
    This error often occurs if you provided a wrong value for the option principal.
    Cheers
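
As an added illustration (my own Python, not SAP code and not part of the thread), the triage below reads the key lines of the trace above and checks a set of Krb5LoginModule options against them: the realm named in `Acquiring credentials for realm ... failed`, whether the `principal` option is of the form HTTP/host@REALM in that realm (the point the answer makes), and whether `useKeyTab`, `keyTab` and `storeKey` are set so that `Krb5AcceptCredential.getKeyFromSubject`, the frame that fails in the trace, can find a key in the Subject. The option names are the standard JAAS Krb5LoginModule ones; the host `portal.keells.int` and the keytab path are constructed placeholders, and the trace excerpt is trimmed from the post above.

```python
import re

# Constructed excerpt of the trace in the post above: only the lines the
# triage needs, copied from the page, not a complete log.
TRACE = """\
LOGIN.FAILED User:N/A Authentication Stack:com.sun.security.jgss.accept
1. com.sun.security.auth.module.Krb5LoginModule  OPTIONAL  ok  exception  false  null
Acquiring credentials for realm KEELLS.INT failed
GSSException: No valid credentials provided (Mechanism level: Attempt to obtain new ACCEPT credentials failed!)
    at sun.security.jgss.krb5.Krb5AcceptCredential.getKeyFromSubject(Krb5AcceptCredential.java:189)
"""

REALM_RE = re.compile(r"Acquiring credentials for realm (\S+) failed")
# Login-module status row: module  flag  initialize  login ...
MODULE_RE = re.compile(r"(\S+\.Krb5LoginModule)\s+(\w+)\s+(\w+)\s+(\w+)")


def triage_trace(trace):
    """Pull the realm and the Krb5LoginModule login outcome out of the trace."""
    realm = REALM_RE.search(trace)
    mod = MODULE_RE.search(trace)
    return {
        "realm": realm.group(1) if realm else None,
        "login_outcome": mod.group(4) if mod else None,   # 'ok' or 'exception'
        "key_from_subject_failed": "Krb5AcceptCredential.getKeyFromSubject" in trace,
    }


def check_krb5_options(options, trace):
    """Compare Krb5LoginModule options with what the trace says went wrong.

    Option names are the standard JAAS Krb5LoginModule ones; the expected
    values follow from the accept-side (server) credential acquisition the
    trace shows failing.
    """
    facts = triage_trace(trace)
    problems = []
    princ = options.get("principal")
    if not princ:
        problems.append("principal option is missing")
    else:
        m = re.match(r"^([A-Za-z]+)/([^@\s]+)@(\S+)$", princ)
        if not m:
            problems.append("principal must be service/host@REALM")
        else:
            service, host, realm = m.groups()
            if service != "HTTP":
                problems.append(f"browser SPNEGO requests HTTP/..., not {service}/...")
            if facts["realm"] and realm != facts["realm"]:
                problems.append(f"principal realm {realm} differs from trace realm {facts['realm']}")
    if options.get("useKeyTab", "false").lower() != "true":
        problems.append("useKeyTab must be true: a server has no password prompt")
    elif not options.get("keyTab"):
        problems.append("keyTab path is missing")
    if facts["key_from_subject_failed"] and options.get("storeKey", "false").lower() != "true":
        problems.append("storeKey must be true so the accept credential can be built from the Subject")
    return problems


if __name__ == "__main__":
    # Constructed option set; host name and keytab path are placeholders.
    options = {
        "principal": "HTTP/portal.keells.int@KEELLS.INT",
        "useKeyTab": "true",
        "keyTab": "/usr/sap/placeholder.keytab",
        "storeKey": "true",
    }
    print(triage_trace(TRACE))
    print(check_krb5_options(options, TRACE))
    print(check_krb5_options(dict(options, principal="HTTP/portal.keells.int@keells.int"), TRACE))
```

The realm comparison is exact on purpose: a principal written as `...@keells.int` does not match the `KEELLS.INT` the module is trying to acquire credentials for, which is the kind of wrong `principal` value the answer above refers to.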

  • SSO with ITS & Webenabling WEBGui

    Hello,
    We have configured SSO with R/3 system. It works fine.
    The requirement is that we have to web-enable the R/3 system through SAP GUI for Windows and SAP GUI for HTML.
    We are able to do both on the development environment, where both R/3 and the portal have the same host names.
    But in the QA environment, we are able to web-enable R/3 with SAP GUI for Windows and the SSO also works fine. But when we try using SAP GUI for HTML, it asks for the username and password again. Here the portal and R/3 have different host names.
    Otherwise the settings in dev and test are exactly the same. Has anybody got a clue why it is not working?
    Regards,
    Rukmani

    Hi all,
    it is always good to start with a good checklist. Here is probably the best one: https://www.sdn.sap.com/irj/servlet/prt/portal/prtroot/com.sap.km.cm.docs/documents/a1-8-4/sso checklist.html
    My suggestion is: do not skip even simple steps, sometimes problem appears there
    Regards,
    Pavol

  • SSO with EP 6.0 and R/3 as backend not working

    Hi , 
    I am implementing ESS in EP 6.0 with R/3 4.7c as backend. SSO is working with UIPWD, but when I try with logon tickets it does not work.
    I tried with an ordinary SAP transaction and SSO with logon tickets works. But through ITS, if I call an ESS transaction service it asks me for the login user and password.
    What are the settings to be done in ITS for SSO to work? I have set the parameter
    msapcomusesso2cookie = 1 in the global.svrc file.
    I do not know what is wrong. Please help.
    Regards,
    Ramesh

    Hi,
    I am using a standalone ITS for an R/3 4.7 system.
    How should I maintain an FQDN for ITS?
    You are right,
    now it is not of the format hostname.domain.com:port. It is of the format hostname:port.
    But where should I change this format? The host name of the system where the ITS is set up is <hostname> only.
    Can you please tell me where I should maintain the FQDN in the specific format you suggested.
    Regards,
    Ramesh

  • SSO with SAP logon tickets to non-SAP web app

    I am trying to implement SSO to an oracle portal based web application using SAP logon tickets, but can't seem to find a way for it to work.  I thought maybe it would be a web server filter, but am unsure if this would work for oracle portal.  Anyone tried similar?
    Cindy

    Hi Cindy,
    If it is EP6 SP2 probably you can checkout the following document.
    http://service.sap.com/ep60
    Go to Documentation Help>How-To-Guides>Current How To Guides section.
    checkout the following how to guide.
    Perform Cross Domain SSO with SAP Logon tickets zip file.
    If you want the zip file please send an e-mail to
    [email protected]
    Regards
    -Venkat Malempati

  • SSO with XI 3.1

    I have BO XI 3.1 SP3 installed on a Windows 2008 4 bit server. I enabled SSO with Tomcat; it is working, but not all the time.
    I configured SSO; when users go to InfoView it doesn't prompt them for user credentials, but this is not happening all the time. I would say 50% it doesn't, 50% it does prompt; it is not consistent. Has anyone seen this problem?
    Thanks.

    What documentation are you using, and also what are the desktop OSes? SSO occurs on the client workstation, and when intermittent issues occur usually it's the client; however there are some best practices that are in the current documentation. KB 1483762 should be used if possible.
    Regards,
    Tim
