Hi,
We have a BO XI3.1 SP3 server configured with Windows AD authentication. This setup was done in 2011.
The BO server is in one domain and the service account and the user group are in a different domain.
The following are the SPNs run on the DC:
setspn -A BOBJCentralMS/ADDX135 DIR\SAPBOService-INT
setspn -A HTTP/ADDX135.ddns.XYZ.com DIR\SAPBOService-INT
ADDX135 is the name of the BOBJ server.
DIR\SAPBOService-INT is the service account.
The domain is DIR.ABC.COM
The BOBJ server and AD domain controller domains are in a 1-way external trust. SAP says they need to be in a 2-way forest trust to be supported, but this is already working on the existing server.
Now I am trying to configure BOBJ on a different server, which is in the same domain as the existing BOBJ server. I am using the same service account.
I ran the SPNs below:
setspn -A BOBJCentralMS/ADDX136 DIR\SAPBOService-INT
setspn -A HTTP/ADDX136.ddns.XYZ.com DIR\SAPBOService-INT
After I run these commands, I go to the CMC AD authentication page, try to add the AD Administration name and click on UPDATE.
I get an error: "The domain DIR.ABC.COM doesnot exist or not accessible"
Then I deleted the SPNs and ran the below:
setspn -A BOBJCentralMS/ADDX136.ddns.XYZ.com DIR\SAPBOService-INT
setspn -A HTTP/ADDX136.ddns.XYZ.com DIR\SAPBOService-INT
This time I am able to add the AD administration name in the CMC.
When I add the group as DIR\BO_Users and give the Kerberos SPN as BOBJCentralMS/ADDX136.ddns.XYZ.com, then I get an error: "The secwinAD plugin failed to look up the account for the group "DIR\BO_Users". Please enter non local groups as DomainName\GroupName and local groups as \\servername\GroupName"
This is a production issue; I have a go-live this coming weekend. I raised a ticket with SAP support and they asked me to have a 2-way forest trust between the domains, which is not possible for security reasons in my organization.
I will be very thankful if someone can give me a solution...
I have configured AD for many clients for servers and DCs in the same domain. I follow Tim Ziemba's document for configuring AD.
Regards