Hi,
We are trying to troubleshoting failure of Silent SSO Mode after deploying Vintella on BO XI 3.1 SP4 (Tomcat as App server) following Tim Ziemba guide (TN-1483762) . I have carefully reading previous post on same topic (mark as anwered).
My situation is practically the same:
(1) Silent SSO (this is, logon into InfoView withou having to type manually AD credentials) fails.
25-10-11 17:03:36:903 - {ERROR} [/InfoViewApp].[action] Thread [http-80-Processor25]; Servlet.service() for servlet action threw exception
java.lang.IllegalStateException
at org.apache.catalina.connector.ResponseFacade.sendError(ResponseFacade.java:418)
at javax.servlet.http.HttpServletResponseWrapper.sendError(HttpServletResponseWrapper.java:117)
at com.businessobjects.sdk.credential.WrappedServletResponse.sendError(WrappedServletResponse.java:30)
at com.wedgetail.idm.sso.AbstractAuthenticator.writeAuthenticationChallenge(AbstractAuthenticator.java:1936)
at com.wedgetail.idm.sso.MechChecker.authenticate(MechChecker.java:147)
at com.wedgetail.idm.sso.AbstractAuthenticator.authenticate(AbstractAuthenticator.java:1444)
at com.wedgetail.idm.sso.AbstractAuthenticator.checkAuthenticationOnly(AbstractAuthenticator.java:1330)
at com.wedgetail.idm.sso.AbstractAuthenticator.checkAuthentication(AbstractAuthenticator.java:1139)
at com.wedgetail.idm.sso.AuthFilter.doFilter(AuthFilter.java:148)
(2) Manual AD logon in InfoView works properly
Debug is true storeKey false useTicketCache false useKeyTab false doNotPrompt false ticketCache is null isInitiator true KeyTab is null refreshKrb5Config is false principal is null tryFirstPass is false useFirstPass is false storePass is false clearPass is false
[Krb5LoginModule] user entered username: gonzaal @ F4E.ORG
Acquire TGT using AS Exchange
Principal is gonzaal @ F4E.ORG
EncryptionKey: keyType=23 keyBytes (hex dump)=0000: BA 55 0B 99 A1 4A A1 8F 48 68 F5 0D F7 86 54 FD .U...J..Hh....T.
Commit Succeeded
(3) Following previous posts recommendations we have engaged a kerbtray & packet scanning in the client machine (TN-1370926) with the following results
1554 16:17:48 25/10/2011 239.8711155 10.201.71.24 10.201.0.5 KerberosV5 KerberosV5:AS Request Cname: gonzaal Realm: F4E Sname: krbtgt/F4E {UDP:333, IPv4:16}
1555 16:17:48 25/10/2011 239.8711155 10.201.0.5 10.201.71.24 KerberosV5 KerberosV5:AS Response Ticket[Realm: F4E.ORG, Sname: krbtgt/F4E.ORG] {UDP:333, IPv4:16}
1556 16:17:48 25/10/2011 239.8711155 10.201.71.24 10.201.0.5 KerberosV5 KerberosV5:TGS Request Realm: F4E.ORG Sname: HTTP/es-w08-bobapp1.f4e.org {UDP:334, IPv4:16}
1557 16:17:48 25/10/2011 239.8711155 10.201.0.5 10.201.71.24 KerberosV5 KerberosV5:KRB_ERROR - KRB_ERR_RESPONSE_TOO_BIG (52) {UDP:334, IPv4:16}
1561 16:17:48 25/10/2011 239.8711155 10.201.71.24 10.201.0.5 KerberosV5 KerberosV5:TGS Request Realm: F4E.ORG Sname: HTTP/es-w08-bobapp1.f4e.org {TCP:335, IPv4:16}
1564 16:17:48 25/10/2011 239.8867405 10.201.0.5 10.201.71.24 KerberosV5 KerberosV5:TGS Response Cname: gonzaal {TCP:335, IPv4:16}
In the aforementioned thread it was mentioned that "3 ticket requests should occur (as request for the user, tgs for the user, and tgs for the http/fqdnurl.
Microsoft kerbtray alone will usually verify this but the packet scan will allow us to view the errors
if it's failing. If you need help open a case with support - authentication team". In agreement with packet scanning I'm not sure if this is really ocurring.
Any idea?
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.