Nov 25, 2009 at 01:12 PM

IE chooses NTLM instead of Kerberos when trying to perform SSO to InfoView


Hi Guys

We have configured Vintela SSO for BusinessObjects XI 3.1 (InfoView) according to the guide "Configuring Vintela SSO in distributed Environments - Complete guide".

The configuration seems OK, as this SSO actually works from one pool of workstations and everything looks fine in the Tomcat log, where Kerberos trace has been activated.

However, from other workstations the SSO does not work: the normal logon screen appears instead.

We have executed a network trace with netmon and it shows that the BO server actually responds with an "HTTP 401 Negotiate"; however, IE responds with an "HTTP GET" with "NLMP: NTLM NEGOTIATE MESSAGE" instead of "GssapiKrb5".

The result is no Kerberos, and therefore a logon screen appears instead of silent SSO.

In tests we have used the same AD user, for whom SSO works from other workstations.

The workstations not working are running XP SP2 and IE 6.0.2900.2180. We have applied hotfix 885887 and followed SAP note 934138.

We found that the workstations not working belong to one Windows domain, "acb.dk", while the users and the BusinessObjects server belong to another domain, "xyz.local". The whole Vintela/Kerberos configuration is using the "xyz.local" domain/realm where the users and BusinessObjects belong.

Any ideas why workstation/IE does not want to talk Kerberos?

BR

Tom Bo

Edited by: Tom Bo Larsen on Nov 25, 2009 8:42 PM
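
The distinction the netmon trace above shows (an NTLM NEGOTIATE message versus a GSS-API/Kerberos token in the browser's reply to the 401 Negotiate) can also be read directly from the `Authorization` header value. The following is an added example, not part of the original post; the function names are hypothetical and the sample tokens are constructed, simplified stand-ins rather than captured traffic.

```python
import base64
import struct

NTLMSSP = b"NTLMSSP\x00"
OID_SPNEGO = bytes.fromhex("2b0601050502")          # 1.3.6.1.5.5.2
OID_KRB5 = bytes.fromhex("2a864886f712010202")      # 1.2.840.113554.1.2.2
NTLM_TYPES = {1: "NEGOTIATE", 2: "CHALLENGE", 3: "AUTHENTICATE"}

def gss_mech_oid(token):
    """Return the mechanism OID bytes of a GSS-API InitialContextToken, or None."""
    if len(token) < 4 or token[0] != 0x60:
        return None
    pos = 2
    if token[1] & 0x80:                      # long-form DER length
        pos += token[1] & 0x7F
    if pos + 2 > len(token) or token[pos] != 0x06:
        return None
    oid_len = token[pos + 1]
    return token[pos + 2:pos + 2 + oid_len]

def classify_authorization(header_value):
    """Classify an HTTP Authorization header value sent after a 401 Negotiate."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() not in ("negotiate", "ntlm") or not b64:
        return "not Negotiate/NTLM"
    try:
        token = base64.b64decode(b64.strip(), validate=True)
    except ValueError:
        return "invalid base64"
    if token.startswith(NTLMSSP) and len(token) >= 12:
        msg_type = struct.unpack_from("<I", token, 8)[0]
        return "raw NTLM " + NTLM_TYPES.get(msg_type, "type %d" % msg_type)
    oid = gss_mech_oid(token)
    if oid == OID_KRB5:
        return "Kerberos (GSS-API)"
    if oid == OID_SPNEGO:
        if NTLMSSP in token:
            return "SPNEGO carrying NTLM"
        if OID_KRB5 in token:
            return "SPNEGO carrying Kerberos"
        return "SPNEGO, mechanism not identified"
    return "unknown token"

# Constructed sample tokens (simplified, not captured traffic).
_ntlm = NTLMSSP + struct.pack("<II", 1, 0xA2088207) + b"\x00" * 16
_spnego_body = b"\x06\x06" + OID_SPNEGO + b"\xa0\x0d\x30\x0b\x06\x09" + OID_KRB5
_krb = b"\x60" + bytes([len(_spnego_body)]) + _spnego_body
SAMPLE_NTLM = "Negotiate " + base64.b64encode(_ntlm).decode()
SAMPLE_KRB = "Negotiate " + base64.b64encode(_krb).decode()
```

A raw NTLM token is recognisable even without decoding, because its base64 form always begins with `TlRMTVNTUAAB` for a NEGOTIATE message.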