Hi Guys
We are facing an SSO issue. We are in the situation where we are implementing a new domain, but in parallel we are implementing SAP Portal, for which we need SSO. Let's call the old domain global.old-domain.com and the new domain new-domain.com. There is a two-way forest trust between the two domains. The portal server is running in the new domain, UME is set up to connect to AD in new-domain.com, service users have been created in both domains, just as SPNs HTTP/portal.new-domain.com have been created in both domains, SPNEGO is configured with realms for new-domain.com and global.old-domain.com using the service users, and user mapping is set to "Principal only" mapping to login ID, so user KPNs from both domains will map to sAMAccountName in the AD of new-domain.com.
The issue is that SSO only works with a PC and user in new-domain.com. When I try to log on with a user and PC in the old domain, I am simply presented with the standard portal login prompt.
I have attached output from the troubleshooting wizard after tracing both the successful and the failed authentication. It seems the SPNEGO token is never sent when it fails...?
Can anybody give some hints on what we are missing?
A couple of questions:
1. Does the service user for creating SPNs and realms have to be the user running the portal service (SAPService<SID>)?
2. Does anybody know of any other good ways to trace and debug SPNEGO issues, so that I can try to find out why an SPNEGO token is not received on the portal server?
Hoping someone can help.
Remember that the attached files are just zip files with an added ".txt" at the end, which means that if you want to unzip them, you will have to remove the .txt extension.
/Jacob
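For the second question (tracing why no SPNEGO token reaches the portal), a useful first triage step is to look at the raw Authorization header the browser sent, whether from a packet capture or an HTTP trace, and tell apart "no token at all", an NTLM fallback, and a real SPNEGO token and the mechanisms it lists. The following is an added example, not from the post or SAP; it decodes such a header with a minimal DER walk and builds its own constructed sample header to run offline (the header values, the `sample_negotiate_header` helper and the classification names are this example's own assumptions, and the parser assumes a well-formed token).

```python
import base64

# GSS-API mechanism OIDs as DER content bytes (what a browser lists in SPNEGO mechTypes)
SPNEGO_OID  = bytes.fromhex("2b0601050502")          # 1.3.6.1.5.5.2
KRB5_OID    = bytes.fromhex("2a864886f712010202")    # 1.2.840.113554.1.2.2
MS_KRB5_OID = bytes.fromhex("2a864882f712010202")    # 1.2.840.48018.1.2.2 (Windows clients)
NTLMSSP_OID = bytes.fromhex("2b06010401823702020a")  # 1.3.6.1.4.1.311.2.2.10
OID_NAMES = {KRB5_OID: "KRB5", MS_KRB5_OID: "MS-KRB5", NTLMSSP_OID: "NTLMSSP"}

def _der(tag, body):  # DER TLV, short-form length only; enough for the constructed sample
    return bytes([tag, len(body)]) + body

def _der_len(buf, i):  # read the DER length at buf[i]; return (length, index of first content byte)
    if buf[i] < 0x80:
        return buf[i], i + 1
    n = buf[i] & 0x7F
    return int.from_bytes(buf[i + 1:i + 1 + n], "big"), i + 1 + n

def classify_authorization(header):
    """Return (kind, mech_names) for the Authorization header a browser sent (None = absent)."""
    if not header:
        return "no-token", []            # browser never attempted SSO: the failing case in the post
    scheme, _, b64 = header.partition(" ")
    if scheme.lower() != "negotiate":
        return "other:" + scheme, []     # e.g. Basic after the login prompt
    tok = base64.b64decode(b64)
    if tok.startswith(b"NTLMSSP\x00"):
        return "raw-ntlm", []            # NTLM fallback: the client obtained no Kerberos ticket
    if tok[:1] != b"\x60":
        return "unknown", []             # not a GSS-API InitialContextToken
    _, i = _der_len(tok, 1)
    if tok[i:i + 8] != b"\x06\x06" + SPNEGO_OID:
        return "unknown", []             # some other mechanism, e.g. a raw Kerberos AP-REQ
    i += 8
    for tag in (0xA0, 0x30, 0xA0, 0x30): # NegTokenInit -> SEQUENCE -> [0] -> mechTypes SEQUENCE
        if tok[i] != tag:
            return "spnego", []
        seq_len, i = _der_len(tok, i + 1)
    mechs, end = [], i + seq_len         # seq_len now holds the mechTypes length
    while i < end and tok[i] == 0x06:
        n, i = _der_len(tok, i + 1)
        mechs.append(OID_NAMES.get(tok[i:i + n], tok[i:i + n].hex()))
        i += n
    return "spnego", mechs

def sample_negotiate_header(mechs):  # constructed sample: NegTokenInit listing these mechTypes
    mech_types = _der(0x30, b"".join(_der(0x06, m) for m in mechs))
    tok = _der(0x60, _der(0x06, SPNEGO_OID) + _der(0xA0, _der(0x30, _der(0xA0, mech_types))))
    return "Negotiate " + base64.b64encode(tok).decode()
```

A request from the old domain that shows "no-token" means the browser never asked its KDC for a ticket for HTTP/portal.new-domain.com (site not trusted for integrated auth, or no SPN found), while "raw-ntlm" or an NTLMSSP-only list means it asked but got no Kerberos ticket; the two point at different places to look.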