SSO AD Only Working using Server IP

Hi,

We have just built a new environment, BOXI 3.1 SP6 on Windows 2008 R2 servers with Tomcat 7.

We have got AD SSO working from the client XP/7 but only by using the server IP address from the web browser. If we use the FQDN it just prompts to login.

This is really strange and we had the same issue before upgrading to SP6 and Tomcat 7. It seems that Kerberos does not pass the login information when using the FQDN!

Has anyone else had a similar issue?

Thanks, Mark


m.stone (BOB member since 2010-02-12)

[Moderator Note: Moved from General Discussion to XI Server Discussion]


Marek Chladny :slovakia: (BOB member since 2003-11-27)

Did you run a setspn command on the FQDN? If I remember the instructions correctly, you need to run the command on the short name, IP Address, and FQDN to cover all your bases.


ChrisW1204 :us: (BOB member since 2011-04-21)

Hi,

Yes, I ran setspn against the IP, server name and server FQDN.

We have four entries:

http://xxx.xx.xx.xxx
BOBJCMS/webserver.domain.net
HTTP://webserver.domain.net
HTTP://webserver

This matches our live environment, and all works there, so it seems to rule out any strange GPO policy affecting access.


m.stone (BOB member since 2010-02-12)
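The two posts above (the advice to run setspn for the short name, IP address and FQDN, and the list of four registered entries) are the kind of thing worth checking mechanically rather than by eye. The script below is an added example, not code from the thread or from SAP: it parses the text that `setspn -L <account>` prints, derives the SPN a Windows client will ask for when the browser is pointed at a given host (`HTTP/<host exactly as typed>`, short name and FQDN being different SPNs), and reports whether some account holds it. The sample output, account DN, domain and address are constructed placeholders modelled on the shape of the entries in the post; they are not values from the thread. Two facts the checker relies on: AD only accepts SPNs in `serviceclass/host[:port][/name]` form, so anything containing `://` is a URL rather than an SPN, and Windows clients before Windows 10 never request a Kerberos ticket for an IP-literal host, so a URL with an IP address in it can only be answered with NTLM inside the Negotiate exchange, whatever SPNs exist.

```python
import ipaddress
import re
from typing import Dict, List, Optional

# Constructed sample of `setspn -L <account>` output, modelled on the four
# entries quoted in the post above. The account DN, domain and address are
# placeholders, not real values from the thread.
SETSPN_OUTPUT = """\
Registered ServicePrincipalNames for CN=svc-bobj,OU=Service Accounts,DC=domain,DC=net:
        http://10.0.0.25
        BOBJCMS/webserver.domain.net
        HTTP/webserver.domain.net
        HTTP/webserver
"""

# The only shape AD accepts for an SPN: serviceclass/host[:port][/servicename]
SPN_RE = re.compile(
    r"^(?P<cls>[^/:\s]+)/(?P<host>[^/:\s]+)(?::(?P<port>\d+))?(?:/(?P<name>\S+))?$"
)


def parse_setspn_output(text: str) -> Dict[str, str]:
    """Return {spn: account_dn} from the text printed by `setspn -L`."""
    prefix = "Registered ServicePrincipalNames for "
    account, spns = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith(prefix):
            account = line[len(prefix):].rstrip(":")
        elif line and account:
            spns[line] = account
    return spns


def malformed_spns(spns: Dict[str, str]) -> List[str]:
    """Entries that are not in serviceclass/host form (e.g. a URL pasted by mistake)."""
    return [s for s in spns if SPN_RE.match(s) is None]


def is_ip_literal(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def expected_spn(url_host: str) -> str:
    """SPN a Windows client asks for when the URL names this host: HTTP/<host>.
    The host is used exactly as typed (short name and FQDN are different SPNs);
    an explicit :port in the URL is dropped, as the browser does by default."""
    host = url_host.rsplit(":", 1)[0] if re.search(r":\d+$", url_host) else url_host
    return "HTTP/" + host


def find_spn(spn: str, registered: Dict[str, str]) -> Optional[str]:
    """Case-insensitive lookup; returns the account DN holding the SPN, or None."""
    want = spn.lower()
    for reg, acct in registered.items():
        m = SPN_RE.match(reg)
        if not m:
            continue  # malformed entries can never satisfy a ticket request
        canonical = m.group("cls") + "/" + m.group("host")
        if m.group("port"):
            canonical += ":" + m.group("port")
        if canonical.lower() == want:
            return acct
    return None


def check_url_host(url_host: str, registered: Dict[str, str]) -> dict:
    """Report what happens for a browser URL naming url_host."""
    spn = expected_spn(url_host)
    acct = find_spn(spn, registered)
    result = {"host": url_host, "expected_spn": spn, "account": acct,
              "kerberos_possible": True, "note": ""}
    if is_ip_literal(url_host.split(":")[0]):
        # Pre-Windows-10 clients never request a ticket for an IP literal:
        # Negotiate falls back to NTLM, so no Kerberos ticket reaches the server.
        result["kerberos_possible"] = False
        result["note"] = "IP literal: client falls back to NTLM, no Kerberos ticket"
    elif acct is None:
        result["note"] = f"no account holds {spn}; it must be on the account running Tomcat"
    return result


if __name__ == "__main__":
    reg = parse_setspn_output(SETSPN_OUTPUT)
    for bad in malformed_spns(reg):
        print(f"malformed SPN (looks like a URL, not an SPN): {bad}")
    for host in ("webserver", "webserver.domain.net", "10.0.0.25", "other.domain.net"):
        print(check_url_host(host, reg))
```

Run it against the real `setspn -L` output for the account that runs Tomcat; the SPN has to be on that account, not merely somewhere in the domain, and a duplicate of the same SPN on a second account (`setspn -X` lists those) breaks ticket issuance for everyone.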

I have just raised a call to SAP with the same problem at exactly the same stage.
Are you getting the wedgetail Bad tag encountered 78 error?
We have added a maxHttpHeaderSize="65536" to server.xml.
Of course this is now using Tomcat 7, as the SP06 install provided.


nwdb :uk: (BOB member since 2005-10-26)

Not getting an error but when you click the link it appears to sign in and then stops and asks for the credentials.

Windows XP and IE6/8 just log in.

We had the HTTP header entry in Tomcat 5.5, but the entry does not exist in 7, so I have not added it.

I did have a call logged with SAP and their solution was to just use the IP address. I would just like to understand why the name does not work; DNS checks out fine.


m.stone (BOB member since 2010-02-12)

Is there evidence of the SSO attempt in the Tomcat log file? Also, I’ve had experiences where the browser was just being flaky. What happens if you hit refresh in IE after it displays the login page? Sometimes I’ve seen that SSO and from then on it worked properly on that machine. Have you cleared the browser cache?


ChrisW1204 :us: (BOB member since 2011-04-21)

Hi,

I have tried connecting from a new Windows 7 terminal this morning, still no joy even after pressing F5 a few times.

The Tomcat 7 log below states sso=false which seems odd!

xxx.xx.xx.xx - - [08/Nov/2013:09:05:44 +0000] "GET /InfoViewApp/logon/logonForm.do?sso=false&loc=en HTTP/1.1" 200 963


m.stone (BOB member since 2010-02-12)

We’ve got two camps here. Those that can’t live without SSO and those that value the performance and don’t want it. That said, I send two different URLs to new users based on which camp their Business Unit is in. The URL is basically the same, but for non-SSO it adds

?sso=false

to the URL. Are you sure that’s not in your URL somehow? Maybe a page forwarding to it?


ChrisW1204 :us: (BOB member since 2011-04-21)
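The access-log line quoted earlier in the thread and the post above make the same point from two sides: `sso=false` in the query string is an instruction to the application to skip SSO, so if it shows up in Tomcat's access log the browser is arriving with it already in the URL (a bookmark, a portal link or a redirect). The script below is an added example, not code from the thread or from SAP: it parses Tomcat access-log lines in the same "common" format as the quoted one, picks out requests to the logon pages, and reports which clients are sending `sso=false` (matched case-insensitively) and how many logon requests were answered with a 401, which is how a SPNEGO exchange starts. The log lines, addresses and timestamps are constructed for the example.

```python
import re
from collections import Counter
from typing import Iterable, Optional
from urllib.parse import parse_qs, urlsplit

# Constructed Tomcat access-log lines in the "common" format of the line quoted
# in the thread (client, identd, user, timestamp, request, status, bytes).
# Addresses, times and the logo path are placeholders.
SAMPLE_LOG = """\
10.1.2.3 - - [08/Nov/2013:09:05:44 +0000] "GET /InfoViewApp/logon/logonForm.do?sso=false&loc=en HTTP/1.1" 200 963
10.1.2.3 - - [08/Nov/2013:09:05:45 +0000] "GET /InfoViewApp/images/logo.gif HTTP/1.1" 200 1204
10.1.2.4 - - [08/Nov/2013:09:06:10 +0000] "GET /InfoViewApp/logon/logonForm.do?loc=en HTTP/1.1" 401 -
10.1.2.4 - - [08/Nov/2013:09:06:11 +0000] "GET /InfoViewApp/logon/logonForm.do?loc=en HTTP/1.1" 200 963
10.1.2.5 - - [08/Nov/2013:09:07:02 +0000] "GET /InfoViewApp/logon/logonForm.do?loc=en&SSO=FALSE HTTP/1.1" 200 963
10.1.2.3 - - [08/Nov/2013:09:08:30 +0000] "GET /InfoViewApp/logon/logonForm.do?sso=false&loc=en HTTP/1.1" 200 963
"""

LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+)$'
)


def parse_line(line: str) -> Optional[dict]:
    """Split one access-log line into fields; None if it is not in common format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    parts = urlsplit(entry["target"])
    entry["path"] = parts.path
    # Fold keys and values to lower case so SSO=FALSE is caught as well as sso=false.
    entry["query"] = {k.lower(): [v.lower() for v in vs]
                      for k, vs in parse_qs(parts.query).items()}
    return entry


def is_logon_request(entry: dict) -> bool:
    return "/logon/" in entry["path"]


def sso_disabled(entry: dict) -> bool:
    """True when the request itself told the application to skip SSO."""
    return "false" in entry["query"].get("sso", [])


def summarize(lines: Iterable[str]) -> dict:
    logon_total = 0
    sso_false: Counter = Counter()
    logon_401s = 0  # a SPNEGO exchange begins with a 401 carrying WWW-Authenticate: Negotiate
    for line in lines:
        e = parse_line(line)
        if e is None or not is_logon_request(e):
            continue
        logon_total += 1
        if sso_disabled(e):
            sso_false[e["client"]] += 1
        if e["status"] == "401":
            logon_401s += 1
    return {"logon_requests": logon_total,
            "sso_false_by_client": dict(sso_false),
            "logon_401s": logon_401s}


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG.splitlines()))
```

Point it at the real localhost_access_log and look at the `sso_false_by_client` map: if every client that "fails" SSO appears there, the URL they are using is the problem, not Kerberos. A client that shows a 401 followed by a 200 on the same form without `sso=false` went through the Negotiate handshake and was answered.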

Just upgraded from 4.0 SP7 to 4.1 SP1, having exactly the same issue.
Using IE10 I can’t even SSO automatically with the server’s IP address, let alone the FQDN/server name. setspn entries look fine. I can manually log in via AD.

AD SSO and Bus Obs are always such fun, every upgrade :hb:

EDIT: Schoolboy error, my global.properties was set with SSO false! Now fixed and all working.


spoons :uk: (BOB member since 2012-06-26)