
What happens when "Enable Single Sign On for Windows Active Directory" is selected in AFO?

kelly_stone1
Participant
0 Kudos

Hi - I am trying to figure out why some of my user base started getting an error while leaving this box checked. They now have to uncheck this box to put in their username and password instead of leaving this box checked. Leaving the box checked has been working for years. Now over the past several months, users need to uncheck this box to put in their AD username and password. Not all users, not a lot of users at the same time. Not all new users, not all old users. Not all the same version of AFO. Seems to be slowly going through the user base over time. Once they start having to do this, they always have to do it. I believe it to be a client setting, but not sure. Anyhow, Microsoft and I need more information about what happens under the covers when this box is checked. Any links or diagrams showing what happens when checked would be great. Version 2.7.3 and 2.8.13 of AFO and 4.2 SP9 P5 of BOE. PCs are mostly Windows 10 Pro. Screenshot of logon screen and error below:

All users are a member of the same valid mapped group:

Kind regards,

Kelly

Accepted Solutions (0)

Answers (2)

BasicTek
Active Contributor
0 Kudos

Most of what happens will occur in the OS via Microsoft APIs.

When SSO is enabled, the URL which would normally respond with a 200 (OK) will now respond with a 401 (Unauthorized). This response initiates a Microsoft process called SPNEGO, in which the client OS will contact AD (per local DNS) and request a ticket.

The BI service account will delegate that ticket to the CMS (when it works correctly).

The closest thing I have written like a diagram is in this AD tracing KBA:

https://userapps.support.sap.com/sap/support/knowledge/en/2543957
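
The 401 and Negotiate exchange described in the answer above can be checked in a captured HTTP trace. The following is an added example, not part of the thread or of any SAP KBA: it classifies a `WWW-Authenticate` or `Authorization` header value as a bare challenge, a Kerberos ticket, or an NTLM message (SPNEGO can carry either mechanism). The function names and sample tokens are constructed for illustration, and the check is a byte-level heuristic rather than a full ASN.1 parser.

```python
import base64

# DER OID contents (after the 0x06 tag and length byte).
OID_SPNEGO = bytes.fromhex("2b0601050502")          # 1.3.6.1.5.5.2
OID_KRB5 = bytes.fromhex("2a864886f712010202")      # 1.2.840.113554.1.2.2
OID_MS_KRB5 = bytes.fromhex("2a864882f712010202")   # 1.2.840.48018.1.2.2
NTLM_SIG = b"NTLMSSP\x00"

def der_len(buf, pos):
    """Read a DER length starting at buf[pos]; return (length, next_pos)."""
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    n = first & 0x7F
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n

def classify_negotiate(header_value):
    """Classify a WWW-Authenticate or Authorization header value (heuristic)."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate":
        return "not-negotiate"
    if not b64.strip():
        return "challenge-only"      # the server's bare 401 challenge
    try:
        tok = base64.b64decode(b64.strip(), validate=True)
        if tok.startswith(NTLM_SIG):
            return "ntlm"            # raw NTLM message, no Kerberos ticket
        if tok[0] != 0x60:           # GSS-API InitialContextToken tag
            return "unknown"
        _, pos = der_len(tok, 1)
        if tok[pos] != 0x06:         # mechanism OID must follow
            return "unknown"
        oid_len, pos = der_len(tok, pos + 1)
    except (ValueError, IndexError):
        return "malformed"
    mech, body = tok[pos:pos + oid_len], tok[pos + oid_len:]
    if mech in (OID_KRB5, OID_MS_KRB5):
        return "kerberos"
    if mech == OID_SPNEGO and NTLM_SIG in body:
        return "ntlm"                # SPNEGO wrapper around an NTLM mechToken
    if mech == OID_SPNEGO and (OID_KRB5 in body or OID_MS_KRB5 in body):
        return "kerberos"
    return "unknown"

def sample_header(raw):
    return "Negotiate " + base64.b64encode(raw).decode()
# Constructed, truncated samples (not real tickets or NTLM messages).
SAMPLE_KRB = sample_header(b"\x60\x17\x06\x06" + OID_SPNEGO + b"\xa0\x0d\x30\x0b\x06\x09" + OID_KRB5)
SAMPLE_NTLM = sample_header(NTLM_SIG + b"\x01\x00\x00\x00")
```

Comparing the result for a client where the checkbox still works against one where it fails shows whether the failing client obtains a Kerberos ticket at all.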

BasicTek
Active Contributor
0 Kudos

The checkbox forces SPNEGO from aoffice client.

In order to use that configuration, BI has to be set up with KBA https://userapps.support.sap.com/sap/support/knowledge/en/2629070 and web services SSO must be set up per KBA https://userapps.support.sap.com/sap/support/knowledge/en/1646920

If any users are working with that config it means SSO is fine, but there are issues.

I can see in your screenshot the web services URL is throwing a yellow exclamation (this means it's not resolved). The issues typically are not actually SSO but some sort of client settings.

Following this KBA could help: https://userapps.support.sap.com/sap/support/knowledge/en/2710261

Also there has been a rash of Microsoft fixes released lately that are affecting BI and other products.

See KBA https://userapps.support.sap.com/sap/support/knowledge/en/3273086 to see if any client or server DCs are affected. The out-of-band fix is also linked, but this has to be done on AD domain controllers if affected.

kelly_stone1
Participant
0 Kudos

Thanks for your response, Tim.

Yes, SSO is working for several users, so from a BI perspective, config must be good.

This particular yellow exclamation in AFO logon notes that the HTTP connection is unsecure, not that it is not resolving. New in 2.8 AFO.

This has been happening since April 2022, and slowly happening to more people. I notice the links are as of November.

I am working with my Active Directory team here, but I still don't have anything to give them as far as a flow diagram or what clicking that box actually enables or what happens when it is clicked. Does it send different requests to DC? Does it cache something? Does it look at local PC settings? I am not sure how to get this from BOE setup specific documentation. I am sure there are some Tomcat doings as well.