
SSO error in multiple domain - SAP BusinessObjects - Only the primary domain works in SSO



I have a problem with Single Sign-On in SAP BusinessObjects 4.3 SP4 across multiple domains.
Single-sign-on works on the primary domain but not on others.
Manual login works for all domains.
I have set the following SPNs:

HTTP/ serviceaccount
HTTP/hostname serviceaccount
BICMS/ serviceaccount

In the CMC, in Windows Active Directory, Service principal name is: BICMS/

In I set:
idm.realm=DOMAIN.COM (in ALL CAPS)

The keytab file was created as follows:
ktpass -out bosso.keytab -princ serviceaccount@DOMAIN.COM -pass "complexpassword" -kvno 255 -ptype KRB5_NT_PRINCIPAL -crypto ALL

SSO test with kinit works for all domains from the Command Prompt:
Response: New ticket is stored in cache file...

When I try to log in to SSO with secondary domain users, I am redirected to the BI Launchpad logon page and there are no errors in stderr.log.
In Wireshark I find the error KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN.

Server Intelligence Agent is running with: DOMAIN\serviceaccount

For the configuration I followed the guide in note 2629070.

Do you have any suggestions for resolution?

Thank you


Here's a similar but somewhat opposite issue:  The information about configuring the krb5.ini file might be helpful.