Former Member

SAP BI 4.1 Load Balance URL - SSO not working

Hello Experts,

We are trying to make an F5 load balancer work on top of two Tomcats (both are clustered and SSO is working as expected). When the LB URL is tried, the following error pops up. For the last few days we have been searching for a solution on the forum but couldn't find a matching scenario.

HTTP Status 500 - com.wedgetail.idm.sso.ProtocolException: com.wedgetail.idm.spnego.server.SpnegoException: GSSException: Failure unspecified at GSS-API level (Mechanism level: com.dstc.security.kerberos.KerberosException: Could not decrypt service ticket with Key type 23, KVNO 6, Principal "HTTP/bi41.domain.com@ABC.DOMAIN.COM" using key: Principal: [1] SSOACOUNT@ABC.DOMAIN.COM TimeStamp: Wed May 03 10:47:11 EDT 2017 KVNO: -1 EncType: 23 Key: 16 bytes, fingerprint = [e7 55 40 ed 86 e5 b a 39 36 36 71 f0 bf 77 26] Exception for this key was: com.dstc.security.kerberos.CryptoException: Integrity check failure[Note: principal names are different; this may or may not be a problem] [Note: KVNO used wildcard match, not exact match; perhaps the password used to generate this key is not the most recent password?] )

When a packet capture was done, the following information was revealed:

1. Accessing the site via Chrome without proxy

  • We can see the TCP handshake is completed between the host and F5, we see an initial “401 unauthorized” request coming from the tomcat server towards F5 which was transferred to the source unaltered. Though later we see a “302 Found” request from the tomcat server towards the F5 and later the communication is fluent and access works.

2. Accessing the site via Chrome with proxy

  • We can see the TCP handshake is completed between the host and F5, we see an initial “401 unauthorized” request coming from the tomcat server towards F5 which was transferred to the source unaltered. Though later we see “500 Internal server error” coming in from the tomcat server itself which seems to be causing this issue.

Attached is the Trace where "500 internal Server Error" shows.

Env: BI 4.1 SP8 on Windows Server 2012 R2

Thanks,

Mohammad

lb-trace.png (60.6 kB)

2 Answers

  • Best Answer
    May 17, 2017 at 02:44 PM

    Test the load balancer URL using http://loadbalancerurl/BOE/BI/logonNoSso.jsp

    If that works (not the SSO but the page), then the load balancer is probably OK.

    Then SSO works based on SPNs, as noted above and in KBA 1631734.

    If you setspn -s http/loadbalancerurl domain\global.propertiesserviceaccount (idm.princ)

    and setspn -s http/loadbalancerFQDNurl domain\global.propertiesserviceaccount (idm.princ)

    Then SSO should work. If not, packet scan the failure (we usually use Wireshark): perform a klist purge prior and verify the HTTP SPN that is being requested. Sometimes the URL in the browser does not match the URL in DNS, and only packet scanning will usually show that, but most times the URL in the browser (hostname and FQDN) is fine for setting the SPNs.

    Regards,

    Tim


    • Former Member

      Thanks Tim for the response.

      We found out that it was actually an issue with the DNS name (improper domain).

      The SPN was using a different domain (i.e. server.domain.com, while DNS had server.domain1.com).

      As soon as the network guys changed the DNS so that it matched the SPN, the load balancer URL started working and users are routed as per the round robin approach.

      Thank You again,

      Mohammad
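The mismatch resolved above (the name DNS hands back is not the name the HTTP SPN was registered for) can be checked before touching the load balancer. The script below is an added example, not code from the thread or from SAP; it assumes a load balancer URL and the idm.princ service account as placeholders, and uses only the standard Windows tools mentioned in the answer (setspn.exe, klist.exe) plus Resolve-DnsName from the DnsClient module that ships with Windows Server 2012 R2. Run it on a domain-joined host as a user allowed to read SPNs.

```powershell
# Added example (not from the thread). Verifies that the name a browser will
# request a Kerberos ticket for is covered by an HTTP SPN on the BI SSO account.
param(
    [string]$LbUrl      = 'http://bi41.domain.com/BOE/BI',  # assumed LB URL users type
    [string]$SsoAccount = 'ABC\SSOACOUNT'                   # assumed idm.princ account from global.properties
)

$hostName = ([System.Uri]$LbUrl).Host

# 1. What DNS says the name really is. When the LB name is a CNAME to a host in
#    another domain, the client asks the KDC for HTTP/<canonical name>, and if no
#    account holds that SPN the "Could not decrypt service ticket" error follows.
$records   = Resolve-DnsName -Name $hostName -ErrorAction Stop
$cname     = $records | Where-Object { $_.Type -eq 'CNAME' } | Select-Object -First 1
$canonical = if ($cname) { $cname.NameHost } else { $hostName }

# 2. HTTP SPNs the SSO account actually holds (setspn -L prints one per line, indented).
$spns = (& setspn.exe -L $SsoAccount) |
    Where-Object { $_ -match '^\s*HTTP/' } |
    ForEach-Object { $_.Trim().ToLowerInvariant() }

# 3. Names that must each have an SPN: the short host, the FQDN typed in the
#    browser, and the canonical name DNS resolves it to (the answer's two setspn -s lines).
$wanted = @(
    "http/$(($hostName -split '\.')[0])",
    "http/$hostName",
    "http/$canonical"
) | Select-Object -Unique

foreach ($w in $wanted) {
    $status = if ($spns -contains $w.ToLowerInvariant()) { 'OK     ' } else { 'MISSING' }
    Write-Output "$status $w"
}

# 4. A duplicate SPN on some other account breaks SSO as surely as a missing one;
#    setspn -Q searches the forest for the name.
& setspn.exe -Q "HTTP/$canonical"

# 5. Drop cached tickets so the next browser test requests a fresh one.
& klist.exe purge
```

If the canonical name differs from the hostname in the URL, fix it in DNS (as the network team did here) or register the extra SPN on the same account; a second packet capture after `klist purge` should then show the KRB_TGS_REQ asking for the SPN the account holds.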

  •
    Former Member
    May 08, 2017 at 04:07 PM

    Much appreciate your response Dennis and Joe!

    We went through many trials and errors in the last few days...

    ...4.1 SP08 was recently installed with new servers, while keeping the old server names (Same IP).

    The old system had three Tomcats. We dropped one BI Launchpad URL out of the three (previous version) URLs.

    Then the error was resolved; however, the LB URLs (both FQDN and IP) still ask for login credentials.

    Next step... We are asking the DNS team to create a C record for the FQDN URL.

    We are still working on it. I would appreciate it if there are more suggestions.

    Mohammad
