Channel: SCN : All Content - Security

Multiple-Domain SSO Kerberos Authentication


Currently we are set up for SAP SSO using MS Kerberos exactly as described in SAP's guide at: http://help.sap.com/saphelp_nw70/helpdata/EN/44/0ebf6c9b2b0d1ae10000000a114a6b/content.htm

 

Please think of the following scenario:

 

1) The SAP application server belongs to the CORPORATE domain. The service account for SAP is also in the same domain, such as CORPORATE\SAPService<SID>

 

2) In RZ10, the snc/identity/as parameter is set up like p:SAPService<SID>@CORPORATE for the SSO to work.

 

3) The SPNs are also defined in the CORPORATE domain controller such as SETSPN -A SAPService<SID>/dontcare CORPORATE\SAPService<SID>

 

4) Users install the appropriate gsskrb5.dll file into their system32 folder and then create a new SSO-enabled entry for the SAP server in their SAPGUI, by activating the SNC and entering the SNC Name: p:SAPService<SID>

 

The scenario above works very well for us for authenticating the CORPORATE domain users. My extended scenario (and hence the question) is as follows:

 

5) Let's assume we have SAP users from another domain called ADVISORS as well. There is a trust relationship between the CORPORATE and ADVISORS domains at the OS level, so the ADVISORS users can reach files/folders/servers/applications in the CORPORATE domain and vice versa.

 

6) If we would like to set up the ADVISORS users with Kerberos SSO authentication to our SAP server in the CORPORATE domain, what should we do?

 

I have tried changing the user mapping on /SU01 for a user coming in from the ADVISORS domain, but it didn't work.

 

Is it possible to have multi-domain Kerberos SSO authentication to the same SAP server?

 

Thank you in advance for your reply.

