BusinessObjects Board

Any issues with Windows 11 and SSO?

Edge Version 126.0.2592.87 (Official build) (64-bit) is usually working fine with configured SSO,
but some users with Windows 11 and Edge Version 126.0.2592.87 (Official build) (64-bit) report that SSO is no longer working…

any thoughts?

  • Wobi

Hi, aha… I thought it was related to 4.3 because SSO on 4.2.9 with Win11 worked, but it does not work on 4.3.4. I just cowardly disabled the SSO for now and had no time/power yet… until other issues are solved. BR T.

It would be interesting what the main cause of your issue is - also the krb5.ini encryption had to be adapted for 4.3+ since the old settings were too old… I have a colleague with Windows 11 still working well with SSO - and one where it is not working …

e.g. krb5.ini change to:

default_tkt_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
default_tgs_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
permitted_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96

wobi

We haven’t encountered any issues with Business Objects 4.3 and Windows 11.
I’m not sure what differences there might be between that and Edge though.


Is this the Credential Guard issue and Unconstrained Kerberos delegation?

Windows 11, version 22H2 and later have Credential Guard enabled. Per SAP Note 2485300 (https://me.sap.com/notes/0002485300) (see attached sapNote2485300.pdf):

There is a new security feature in Windows 10 for IE 11 named "Credential Guard" which does not allow unconstrained Kerberos delegation; read more about the Credential Guard requirements here:

Credential Guard can be disabled on the user's computer by setting two registry entry values to 0, then restarting the device:

Setting 1
Key path: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
Key name: LsaCfgFlags
Type: REG_DWORD
Value: 0

Setting 2
Key path: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard
Key name: LsaCfgFlags
Type: REG_DWORD
Value: 0

Per: What is Microsoft Windows Credential Guard? | Definition from TechTarget

As a workaround, the user can try logging into this link with their Windows username and password; the authentication box should be set to Windows AD.

http://boeserver:8080/BOE/BI/logonNoSso.jsp

After logging in with the above, then try the report links again.

To check the Windows version (DisplayVersion, e.g. 22H2):

cmd /c REG QUERY "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" | findstr DisplayVersion && pause
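As an added example (not from the thread or the SAP note), the following PowerShell script reads the two LsaCfgFlags values quoted above together with the DisplayVersion key from the REG QUERY one-liner, and asks Windows itself whether Credential Guard is currently running via the Win32_DeviceGuard CIM class. It only reports; it changes nothing, so an admin can confirm a client matches the SAP note's description before deciding how to handle it. The meaning of the LsaCfgFlags values (0 = disabled, 1 = enabled with UEFI lock, 2 = enabled without lock) and of SecurityServicesRunning (contains 1 when Credential Guard runs) is taken from Microsoft's documentation and is an assumption of this script, not something stated in the thread.

```powershell
# Added example: report Credential Guard configuration on a Windows client.
# Assumed value meanings (Microsoft docs): LsaCfgFlags 0 = disabled,
# 1 = enabled with UEFI lock, 2 = enabled without lock.

function Get-LsaCfgFlags {
    param([string]$Path)
    $item = Get-ItemProperty -Path $Path -Name 'LsaCfgFlags' -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'not configured' }   # value absent = policy not set
    switch ($item.LsaCfgFlags) {
        0       { 'disabled (0)' }
        1       { 'enabled with UEFI lock (1)' }
        2       { 'enabled without lock (2)' }
        default { "unknown ($($item.LsaCfgFlags))" }
    }
}

# The two keys from the SAP note, in PowerShell provider notation.
$lsaKey    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard'
# The key the REG QUERY one-liner reads (DisplayVersion, e.g. 22H2).
$verKey    = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'

$version = (Get-ItemProperty -Path $verKey -ErrorAction SilentlyContinue).DisplayVersion

# Effective runtime state as reported by Windows (Win32_DeviceGuard):
# SecurityServicesRunning contains 1 when Credential Guard is running.
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                      -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
$running = [bool]($dg -and ($dg.SecurityServicesRunning -contains 1))

[pscustomobject]@{
    Computer               = $env:COMPUTERNAME
    WindowsDisplayVersion  = $version
    LsaCfgFlags_Lsa        = Get-LsaCfgFlags $lsaKey
    LsaCfgFlags_Policy     = Get-LsaCfgFlags $policyKey
    CredentialGuardRunning = $running
}
```

A client whose policy value reads "not configured" while CredentialGuardRunning is true is the case the later "core IT" reply describes: on native Win11 installs the default is on, so "not configured" does not disable it there.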

thank you for the info - I will get it checked from the admins…

Wobi

Moderator Note:
Attachment removed, copyright material is not allowed to be posted. Use links instead.

Thank you for your input - the colleagues checked and said that is not the problem here… I told them to check the communication between browser and AD since they are handling the SSO in detail…

  • Wobi
    PS: obviously the colleagues did not check well enough - look below… it is really related to that setting:

Key path: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard

New thesis: Windows 11 Defender may restrict the Kerberos communications…

but it seems it is the same as the already checked credential guard thingy…

  • Wobi

I've just noticed SAP Note 3461125 - related to patch 4.3.4.500:

  • Vintela tracing for Windows AD SSO in 4.3 SP03+ is not generated, and if configured, breaks the SSO workflow
    maybe our case…

I got answers from core IT:
‘Device Guard has to be specifically disabled on native Win11 clients. for Win10 and in-place upgraded Win11 clients the option “not configured” is enough’

That explains the differences in some deployments - some were upgraded, some were newly installed…

  • Wobi