Hi All,
I am facing a duplicate IDs issue on SAP Portal 7.4 pointing to multiple domains and using SPNego for SSO as per Windows integrated authentication.
Our portal is pointing to two different ADs in different domains, domain1 and domain2, by defining one of them on the Portal UME page and the other from inside the datasource config XML file. The portal is in a separate domain, domain3. The unique field from the user attributes I am using is sAMAccountName. The connection between portal and AD is non-SSL, using port 3268. I also configured SPNego using Kerberos so our Windows users from all domains get into the portal without going through the portal login page. All Windows users log into the Windows OS using sAMAccountName. domain1 and domain3 are in forestA and domain2 is in forestB, and there is a two-way trust between them.
By defining the domain2 AD connection properties on the portal UME page and the domain1 AD connection properties in the datasource config XML file (by duplicating the datasource tag and defining the parameters in the private section), I was able to configure both domain ADs so users from both domains can get into the portal with SSO.
SPNego is configured using Kerberos in such a way that I ran the SPN command on the domain1 AD for a service user residing in domain1 and created a realm on the portal using the keytab file received from the domain1 AD. I used the SPNego wizard and selected "Principal only" with Source as "Logon ID". I didn't run any SPN command on the domain2 AD, so no second realm was created either, and SPNego just worked fine for all domain2 users. RC4-HMAC is the key type. The configuration file krb5.conf was also updated on the portal under the /etc folder accordingly and shows only the DOMAIN1.com entry.
Now there are a few users having their IDs (exact same sAMAccountName) in both domains 1 & 2 that are duplicates to the portal, so they can't log into the portal. Their sAMAccountName attribute is the same in both ADs, so I changed it to userPrincipalName by changing the datasource config file (replacing sAMAccountName with userPrincipalName) and defining it on the portal UME page too using the checkbox "Use unique attribute for UME unique ID". userPrincipalName has values of the form sAMAccountName@domain1.com or sAMAccountName@domain2.com. There are 2 problems with that:
1) I had to use user mapping for backend system integration by defining our GRC system as a reference system. All the backend systems are using the same ID and it is exactly the sAMAccountName. So on searching for the duplicate user under the Useradmin tab it throws a warning that the system user has a duplicate ID.
2) The major issue is with SPNego, as it stopped working and I have been unable to map it correctly on the SPNego wizard screen. I tried selecting almost all of the possible entries but was unable to make it work. E.g. if I select mapping mode as Principal@REALM and source as Login Alias, then what value should I define for the login alias in my datasource file? The authentication log file shows the KPN value as myuser@DOMAIN1.COM and it complains that no such user is found.
Would anybody please advise how to address this kind of situation and make my user mapping work for the SPNego wizard by using UPN to avoid the duplicate ID issue.
Thanks in advance.
Navaid
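As an added illustration of the two behaviours described in the post above (not the poster's configuration and not SAP's actual UME or SPNego logic), the constructed Python model below shows why sAMAccountName as the unique attribute yields duplicate UME IDs across two datasources while userPrincipalName does not, and what value the logon alias has to carry for a KPN such as myuser@DOMAIN1.COM to match under a Principal@REALM style mapping. The directory entries, the mapping-mode names and the case handling are assumptions made for the example.

```python
# Constructed sample AD entries for the two domains in the post (not real data).
# "alice" has the same sAMAccountName in both domains, like the affected users.
DIRECTORY = {
    "domain1": [
        {"sAMAccountName": "alice", "userPrincipalName": "alice@domain1.com"},
        {"sAMAccountName": "bob", "userPrincipalName": "bob@domain1.com"},
    ],
    "domain2": [
        {"sAMAccountName": "alice", "userPrincipalName": "alice@domain2.com"},
        {"sAMAccountName": "carol", "userPrincipalName": "carol@domain2.com"},
    ],
}


def find_duplicate_ids(directory, unique_attr):
    """Values of unique_attr that appear in more than one datasource, i.e. the
    users for which a single unique UME ID cannot be derived."""
    seen = {}
    for source, entries in directory.items():
        for entry in entries:
            seen.setdefault(entry[unique_attr].lower(), set()).add(source)
    return sorted(value for value, sources in seen.items() if len(sources) > 1)


def resolve_kpn(directory, kpn, mapping_mode, exact=False):
    """Simplified model (an assumption, not SAP's implementation) of two SPNego
    mapping modes. 'principal' drops the realm and matches sAMAccountName;
    'principal_realm' keeps user@REALM and matches the logon alias, assumed
    here to be mapped to userPrincipalName. exact=True requires the alias to
    equal the KPN byte for byte, so realm case matters. Returns (source, upn)
    pairs: none means "no such user", more than one means ambiguous."""
    user, _, _realm = kpn.partition("@")
    hits = []
    for source, entries in directory.items():
        for entry in entries:
            if mapping_mode == "principal":
                matched = entry["sAMAccountName"].lower() == user.lower()
            else:  # "principal_realm"
                alias = entry["userPrincipalName"]
                matched = alias == kpn if exact else alias.lower() == kpn.lower()
            if matched:
                hits.append((source, entry["userPrincipalName"]))
    return hits


if __name__ == "__main__":
    print(find_duplicate_ids(DIRECTORY, "sAMAccountName"))  # ['alice']
    print(resolve_kpn(DIRECTORY, "alice@DOMAIN1.COM", "principal_realm", exact=True))  # []
```

Running it shows that "Principal only" matching returns two candidates for the duplicated user, and that an upper-case realm in the KPN only resolves against a lower-case UPN when the comparison is case-insensitive.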