
Kerberos SSO of BO on Windows without direct AD Integration

Former Member
0 Kudos

Hello

I am facing the problem of implementing Kerberos SSO on a BO system which is running on a Windows server.

For some technical reasons, the server is not part of an AD domain.

In general, I found documentation on implementing Kerberos SSO for a scenario where the Windows server is running in the same domain as the end users.

In our scenario, it is not possible to integrate the server into the domain.

Therefore, I cannot implement all steps of the how-to guide (AD plugin configuration is not possible).

I managed to implement LDAP authentication.

But then, users still need to log in with the AD account.

Is there another possibility for an SSO scenario which does not require direct AD integration or logging in to another SAP system (Portal) to get an SAP Logon Ticket?

Regards

Philipp Kiefer

Accepted Solutions (0)

Answers (1)

0 Kudos

Hi,

Please clarify this a little bit more. Is the SAP BI server not part of a domain at all, or is it just not part of the domain where your end users reside? Multiple-domain AD SSO is possible (if the prerequisites are met).

So it is possible that your server is in the domain "SERVERS.DOMAIN.COM" and your users are in the domain "USERS.DOMAIN.COM". If the trust between the two subdomains is configured properly, this will work.

Regards

-Seb.

Former Member
0 Kudos

Hello Sebastian,

Thank you for your answer.

The topic with the domains is that there are two providers involved.

One provider is hosting the user domain and PC infrastructure and another provider is hosting the SAP servers. On the side of the SAP servers, there is no domain available, because all servers are based on Linux except for the two BO systems, which are running on Windows with local accounts.

It was planned to create a server domain for the two Windows servers, but the two providers have not agreed so far on implementing the forest trust afterwards. Therefore, the domain has not been created yet.

Does this information help you understand the scenario?

Regards

Philipp

0 Kudos

Hi,

Yes, it does. In that case it does not look so good. The Windows servers need to be joined to a domain. That said, you have two options:

1. Wait for the providers until they have sorted it out.

2. The SAP BI Windows servers get joined to the user Windows AD domain.

Otherwise SSO won't work with regards to Windows AD.

Regards

-Seb.

Former Member
0 Kudos

http://service.sap.com/sap/support/notes/1636349

Hello Sebastian

I was hoping that there is a workaround for the implementation.

I was trying to follow this guide (link in the first line of my answer).

It describes how to implement Kerberos SSO for the Linux platform.

But I did not manage to make it work...

Do you see a chance to get it running?

Regards

Philipp

0 Kudos

Hello,

I know this solution and I am very unhappy with it. As you can see, it is very complex and, by the way, not supported. You won't get any help from SAP Support.

Nor is it plain Kerberos. It is a mixture of the LDAP Plug-In and Trusted Authentication. If you manage to get it to work, it is only applicable to the web applications such as the BI LaunchPad. It will not work for front-end clients such as Analysis for Office, etc.

At the end of the day, I do not recommend this solution to you.

As you can see in the note, when it comes to problems with the configuration, SAP Support cannot assist you. If you need help, you should contact your local SAP rep for consulting support.

Good luck!

-Seb.

Former Member
0 Kudos

Hello Sebastian,

Thank you for this statement.

I can confirm the complexity of this solution 😞

I was not aware of the limitations of this solution.

So the only possibility is an AD configuration.

Is there a limitation in the functionality when we have the servers in a server domain which is trusted to the end user domain, compared to putting the server directly into the end user domain?

Best regards

Philipp

0 Kudos

Hi,

No, there is none, and I have seen this implementation quite often. As long as the trust is OK, you can go for that.

Regards

-Seb.

Former Member
0 Kudos

Hello Sebastian,

OK, thank you for your answers.

So I know the next steps.

Regards

Philipp