Edge Version 126.0.2592.87 (Offizielles Build) (64-Bit) is usually working fine with configured SSO,
some users with Windows 11 and Edge Version 126.0.2592.87 (Offizielles Build) (64-Bit) report that SSO is no longer working…
Any thoughts?
- Wobi
Hi, aha… I thought it was related to 4.3 because SSO on 4.2.9 with Win11 worked, but it does not work on 4.3.4. I just cowardly disabled the SSO for now and have had no time/power yet… until other issues are solved. BR T.
It would be interesting to know what the main cause of your issue is - also the krb5.ini encryption had to be adapted for 4.3+ since the old settings were too old… I have a colleague with Windows 11 still working well with SSO - and one where it is not working…
e.g. KRB5 change to:
default_tkt_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
default_tgs_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
permitted_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
wobi
We haven’t encountered any issues with Business Objects 4.3 and Windows 11.
I’m not sure what differences there might be between that and Edge though.
Is this the Credential Guard issue and Unconstrained Kerberos delegation?
Windows 11, version 22H2 and later have Credential Guard enabled. Per SAP Note 2485300 (https://me.sap.com/notes/0002485300) (see attached sapNote2485300.pdf):
There is a new security feature in Windows 10 for IE 11 named "Credential Guard" which does not allow unconstrained Kerberos delegation. Read more about the Credential Guard requirements here:
Credential Guard can be disabled on the user's computer by setting two registry entry values to 0, then restarting the device:
Setting
Key path: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
Key name: LsaCfgFlags
Type: REG_DWORD
Value: 0
Key path: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard
Key name: LsaCfgFlags
Type: REG_DWORD
Value: 0
Per:
More info: What is Microsoft Windows Credential Guard? | Definition from TechTarget
As a workaround, the user can try logging in at this link with their Windows username and password; the authentication box should be set to Windows AD.
http://boeserver:8080/BOE/BI/logonNoSso.jsp
After logging in with the above, try the report links again.
cmd /c REG QUERY "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" | findstr DisplayVersion && pause
Thank you for the info - I will get it checked by the admins…
Wobi
Moderator Note:
Attachment removed, copyright material is not allowed to be posted. Use links instead.
Thank you for your input - the colleagues checked and said that is not the problem here… I told them to check the communication between browser and AD since they are handling the SSO in detail…
Key path: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard
New thesis: Windows 11 Defender may restrict the Kerberos communications…
but it seems it is the same as the already checked Credential Guard thingy…
I've just noticed SAP Note 3461125 - related to patch 4.3.4.500
I got answers from core IT:
‘Device Guard has to be specifically disabled on native Win11 clients. for Win10 and in-place upgraded Win11 clients the option “not configured” is enough’
That explains the differences in some deployments - some were upgraded, some are newly installed ones…
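
To see which case a given client falls into, the following added example (not posted by anyone in this thread, and not SAP or Microsoft tooling) reads the two `LsaCfgFlags` values quoted above and compares them with the Credential Guard runtime state. It assumes the standard `Win32_DeviceGuard` CIM class is available and that the script runs on the affected client; the function name `Get-LsaCfgFlagsState` is hypothetical.

```powershell
# Added example: distinguish "not configured" from "explicitly disabled"
# and show whether Credential Guard is actually running on this client.
$keys = @(
    'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa',
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard'
)

function Get-LsaCfgFlagsState {   # hypothetical helper name
    param([string]$Path)
    # A missing key or missing value both come back as $null here.
    $item = Get-ItemProperty -Path $Path -Name LsaCfgFlags -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        $value = $null
        $meaning = 'not configured (value absent)'
    } else {
        $value = [int]$item.LsaCfgFlags
        $meaning = switch ($value) {
            0       { 'explicitly disabled' }
            1       { 'enabled with UEFI lock' }
            2       { 'enabled without lock' }
            default { 'unexpected value' }
        }
    }
    [pscustomobject]@{ Key = $Path; LsaCfgFlags = $value; Meaning = $meaning }
}

$policy = $keys | ForEach-Object { Get-LsaCfgFlagsState -Path $_ }

# Runtime state: SecurityServicesRunning contains 1 when Credential Guard is active.
$dg = Get-CimInstance -ClassName Win32_DeviceGuard `
        -Namespace 'root\Microsoft\Windows\DeviceGuard' -ErrorAction SilentlyContinue
$running = ($null -ne $dg) -and ($dg.SecurityServicesRunning -contains 1)

# Same value the REG QUERY one-liner in the thread prints (e.g. 22H2).
$version = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').DisplayVersion

$policy | Format-Table -AutoSize
[pscustomobject]@{
    DisplayVersion         = $version
    CredentialGuardRunning = $running
    AnyKeyExplicitlyZero   = [bool]($policy | Where-Object { $_.LsaCfgFlags -eq 0 })
} | Format-List

if ($running -and -not ($policy | Where-Object { $null -ne $_.LsaCfgFlags })) {
    Write-Output 'Credential Guard is running although neither LsaCfgFlags value is set.'
}
```

Comparing this output between a client where SSO works and one where it fails shows whether the two differ in Credential Guard state or only in how the policy is recorded.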