SSO stopped working

Hi

All of a sudden SSO stopped working. It was fine until the previous day. Launchpad started giving a logon page; if we give userid and pwd with Windows AD authentication, it works.
SSO is working for client tools.

I have tried the kinit command and it is working, no errors. The service account password had special characters; to eliminate that, we changed the password, updated it in Active Directory, and regenerated the keytab file.
Tested the kinit command again and it's fine, no errors.

Is there anything I am missing to check?

Please can anybody help?

Thanks
Asmita

There are too many items to check and you give very little information on your Business Objects version and configuration.

If you are on BI4.x, are on SAP Support and have a web site login, you should go through this KBA to help you troubleshoot: 2629070 - How to Securely Integrate BI 4.x with Windows Active Directory and SSO in Distributed Environments - Best Practice

1 Like

What is your web server? Whatever it is you should turn up the logging level.

I just worked through an SSO issue in our environment. After setting these values in Tomcat to “true” we were able to identify our issue. Perhaps that will help you too.

Thank you nscheaffer, I will turn the logging on as you suggested and see if it helps. Sorry, I am fairly new to the admin side and still learning. So once I turn this logging on, where do I need to check for info? I mean which log? I can see a lot of log files :( Please can you help.

Thanks
Asmitha

Hi JohnBClark

Thank you. Sorry, here are the details. We are using BI 4.2, SP7 patch 8. We don't have a cluster environment, just one node in production. We haven't made any changes; just one morning the SSO stopped working and users are seeing a login page for Launchpad. When we enter userid and pwd in WinAD mode it works, so no issues with WinAD authentication.

We use Edge and Chrome for Business Objects Webi.

Thanks
Asmitha

I have just tried to enable logging but all I see are 2 tabs. I can't see the Java tab or other tabs like the ones on your screenshot. Please can you help.

You are looking at the Tomcat properties from the Central Configuration Manager. You need to look at the properties for the actual Tomcat, in Programs → Tomcat → Tomcat Configuration.

The log file entries will be in the Tomcat log files. TomcatDir → logs. You will want to look at stderr.log and stdout.log.

1 Like

Thanks a lot John. This really helps. I will enable logging and post here if I find anything.

Just got a notification from the uCern Community that there is a known issue with SSO caused by Windows Updates. Here’s a snippet from that post:

We found out that there’s a known issue in a recent Microsoft Windows Update - November 9, 2021 - KB5007192 (OS Build 14393.4770) for Windows Server 2016 [1] or November 9, 2021 - KB5007206 (OS Build 17763.2300) for Windows Server 2019 [2] - that may break SAP BusinessObjects SSO with Windows ActiveDirectory if the KB5007192 update is applied to the Windows Domain Controller. Fortunately, Microsoft released a new Windows Update - November 14, 2021 - KB5008601 (OS Build 14393.4771) Out-of-band for Windows Server 2016 [3] or November 14, 2021 - KB5008602 (OS Build 17763.2305) Out-of-band for Windows Server 2019 [4] - that resolves the SAP BI SSO authentication issue with Windows ActiveDirectory.

If you find a previously working SAP BO/DA2 WinAD SSO broke all of a sudden, please check if KB5007192 or KB5007206 is the latest update to the Windows Domain Controller. If so, applying KB5008601 or KB5008602 should be able to fix the issue. Below is the known issue excerpted from KB5007192 and KB5007206:

After installing the November security updates, released November 9, 2021 on your Domain Controllers (DC) that are running a version of Windows Server, you might have authentication failures on servers relating to Kerberos Tickets acquired via S4u2self. The authentication failures are a result of Kerberos Tickets acquired via S4u2self and used as evidence tickets for protocol transition to delegate to backend services which fail signature validation. Kerberos authentication will fail on Kerberos delegation scenarios that rely on the front-end service to retrieve a Kerberos ticket on behalf of a user to access a backend service.

Important: Kerberos delegation scenarios where a Kerberos client provides the front-end service with an evidence ticket are not impacted. Pure Azure Active Directory environments are not impacted by this issue.

End users in your environment might be unable to sign into services or applications using Single Sign On (SSO) using Active Directory on-premises or in a hybrid Azure Active Directory environment. Updates installed on the client Windows devices will not cause or affect this issue.

Affected environments might be using the following:

  • Azure Active Directory (AAD) Application Proxy Integrated Windows Authentication (IWA) using Kerberos Constrained Delegation (KCD)
  • Web Application Proxy (WAP) Integrated Windows Authentication (IWA) Single Sign On (SSO)
  • Active Directory Federated Services (ADFS)
  • Microsoft SQL Server
  • Internet Information Services (IIS) using Integrated Windows Authentication (IWA)
  • Intermediate devices including Load Balancers performing delegated authentication

[1] November 9, 2021—KB5007192 (OS Build 14393.4770)

[2] November 9, 2021—KB5007206 (OS Build 17763.2300)

[3] November 14, 2021—KB5008601 (OS Build 14393.4771) Out-of-band

[4] November 14, 2021—KB5008602 (OS Build 17763.2305) Out-of-band

2 Likes
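The check described in the post above (is the November 9 update on a domain controller without the matching out-of-band update?) can be run across all DCs at once. This is an added example, not part of the original thread: the function name `Get-DcSsoPatchStatus` is hypothetical, and it assumes the RSAT ActiveDirectory module is installed and the account can query hotfixes on each DC remotely. It covers only the two Windows Server versions whose KB numbers are quoted above.

```powershell
# Added example: KB numbers are the ones quoted in the post above.
# Assumes the RSAT ActiveDirectory module and rights to query each DC remotely.
Import-Module ActiveDirectory

# Update that introduced the S4u2self failure -> out-of-band update that resolves it
$KbMap = @{
    'KB5007192' = 'KB5008601'   # Windows Server 2016
    'KB5007206' = 'KB5008602'   # Windows Server 2019
}

function Get-DcSsoPatchStatus {
    param([Parameter(Mandatory)][string]$ComputerName)

    try {
        $hotfixes = @(Get-HotFix -ComputerName $ComputerName -ErrorAction Stop)
    } catch {
        # Unreachable DC or access denied: report it instead of silently skipping
        return [pscustomobject]@{
            DC = $ComputerName; Status = 'QueryFailed'; Latest = $null
            Detail = $_.Exception.Message
        }
    }

    $installed = $hotfixes.HotFixID
    # Most recently installed update; shown so a newer update can be taken into account
    $latest = $hotfixes | Where-Object InstalledOn |
        Sort-Object InstalledOn | Select-Object -Last 1

    $status = 'NotAffected'
    $detail = 'Neither November 9 update found'
    foreach ($bad in $KbMap.Keys) {
        if ($installed -contains $bad) {
            $fix = $KbMap[$bad]
            if ($installed -contains $fix) {
                $status = 'Fixed';    $detail = "$bad and $fix both installed"
            } else {
                $status = 'NeedsFix'; $detail = "$bad installed, $fix missing"
            }
        }
    }
    [pscustomobject]@{
        DC = $ComputerName; Status = $status
        Latest = $latest.HotFixID; Detail = $detail
    }
}

Get-ADDomainController -Filter * |
    ForEach-Object { Get-DcSsoPatchStatus -ComputerName $_.HostName } |
    Format-Table -AutoSize
```

A `NeedsFix` row whose `Latest` column shows something other than the November 9 KB should be checked by hand, since the post's test is whether that KB is the latest update on the DC.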

Thanks for this information @dtolley.
SAP has released a Knowledge Base Article on this topic as well (SAP S-ID login required):
3118389 - SSO failing for all users suddenly server error is Message stream modified
It looks like there are other versions of Windows Server that are impacted.