Skip to Content

Issuer of SSO ticket is not authorized - on Webi only, works with Analysis Edition for OLAP

I created an OLAP SSO connection to BW and could see that the connection worked when attempting to point to a cube/query. However, I left it as-is, without pointing to any specific cube. It works when I build an Analysis web report, but for a Webi I get the following error upon selecting the connection:

[[error.openSapBwBrowsingSessionFailed] 0] <<?xml version="1.0" encoding="UTF-8" standalone="yes"?><ConnectionString>  <Properties>  <Initial Catalog />  <Language>en_US</Language>  <Data Source>myhost.mydomain.com</Data Source>  <Cube Type>Unknown</Cube Type>  <SaveLanguage>true</SaveLanguage>  <Initial Cube />  <TargetProvider>SAPNETWEAVER7X</TargetProvider>  <MaxParallelQueries>4</MaxParallelQueries>  <NetworkLayer>SAPBW_BICS</NetworkLayer>  <Authentication Mode>2</Authentication Mode>  </Properties>  <ExtendedProperties>  <JCO_MSHOST>myhost.mydomain.com</JCO_MSHOST>  <SapLoginMode>1</SapLoginMode>  <JCO_R3NAME>BID</JCO_R3NAME>  <JCO_GROUP>MYGROUP</JCO_GROUP>  <ManagedMode>SERVER</ManagedMode>  <JCO_CLIENT>100</JCO_CLIENT>  <JCO_LANG>EN</JCO_LANG>  </ExtendedProperties></ConnectionString>>,<com.sap.conn.jco.JCoException: (103) JCO_ERROR_LOGON_FAILURE: Initialization of destination custom_d89baf8f-44f4-4b33-a2cc-b666e9cf69ef_144 failed: Issuer of SSO ticket is not authorized on BID mshost myhost.mydomain.com>

This implies that the PSE/ACL certificate import and keystore import in CMC were correctly implemented, doesn't it? Otherwise, the connection wouldn't have worked for the Analysis report. Does anyone have any suggestions on where else to check? Many thanks in advance.

Add comment
10|10000 characters needed characters exceeded

  • Follow
  • Get RSS Feed

2 Answers

  • Jul 05, 2018 at 11:13 AM

    To test STS you can use This KBA https://apps.support.sap.com/sap/support/knowledge/preview/en/1767629 test a working workflow with a new enterprise user ID. To note in most current versions of BI SNC is used to encrypt STS so you may also want to test with SNC disabled if it fails to see if the problem is actually STS or SNC. When attempting to connect via SSO there are always 2 ways the connection can succeed via cached SAP credentials or via certificate, this test will verify if the STS certificates are working.


    If you confirm STS is working as well as SNC then the issue might be a workflow problem and would be better suited to ask the webi team. In that case, if you make the same connection without choosing a specific cube using predefined credentials does everything work ok?



    -Tim

    Add comment
    10|10000 characters needed characters exceeded

  • Apr 19 at 06:48 AM

    Phuong Stecker I am having the same issue and just wrote this question https://answers.sap.com/questions/12666574/webi-sso-olap-connection-problem.html

    Please shed some light on this .

    Add comment
    10|10000 characters needed characters exceeded