I have the following scenario:
I want to use just the Secure Login Client and Secure Login Library, using Kerberos tickets and Active Directory authentication, to log on SAPGui users using SSO.
I am trying this with NW SSO 1.0 SP4.
The users are in two Active Directory domains:
DOMAINA.com
DOMAINB.com
I configured the server to have identity:
p:CN=SAP/KerberosCSS@DOMAINA.COM
I configured the keytabs for both domains:
snc crtkeytab -s SAP/KerberosCSS@DOMAINA.COM -p <pass>
snc crtkeytab -s SAP/KerberosCSS@DOMAINB.COM -p <pass>
The domains are NOT trusting each other, and cannot be, unfortunately, due to organisational constraints.
If I log on as a DOMAINA.COM user, I need to set the SNC Name in SAPGui (network tab) to p:CN=SAP/KerberosCSS@DOMAINA.COM
If I log on as a DOMAINB.COM user, I need to set the SNC Name in SAPGui (network tab) to p:CN=SAP/KerberosCSS@DOMAINB.COM
These then both work correctly from the appropriate PCs with the 'right' SNC name configured.
However, if I try to use a logon load balancing group, the SNC name is filled automatically with p:CN=SAP/KerberosCSS@DOMAINA.COM and is greyed out.
So this will only work for a user in DOMAINA.COM, but NOT a user in DOMAINB.COM.
Is there a way of resolving this, or am I just asking too much of 'simple' AD/SSO authentication?
Thanks, Andy.