We are using BPC 10.0 MS in a multiserver environment (1 web/appl + 1 db/olap servers).
We have configured Windows Authentication (neither Kerberos nor BO CMS).
We use a reverse proxy to handle incoming connections from the intranet and from external (i.e. internet).
We did some tests and we found the following:
Different client sessions are ‘overlapping’ when trying to access the server web page through the reverse proxy (Apache on Linux; to be more precise, apache2.2 - httpd-2.2.3-65.el5_8 on rhel5).
It means that user A logs on to the BPC web site from workstation A, and everything is OK. Then user A logs off correctly.
Then client B logs on to the BPC web site from another workstation B; the log-on process goes well, but client B finds himself with the credentials of client A.
It means that user B logs on correctly (no errors during the authentication process), but on the home page he finds “welcome user A”… crazy.
It seems that the reverse proxy is causing the problem. In fact, bypassing the reverse proxy, we do not have user overlapping.
But, for security policy, we have to use the reverse proxy.
Other useful information:
- Proxy is NOT asking authentication, as explained in the installation guide.
- We added the BPC servers to the exceptions (server level) and correctly configured the IE client options.
- We also correctly defined the external address for the BPC Server in Server Manager.
We traced the logon process of a BPC client with HttpWatch and we found that it uses the NTLM protocol.
It seems that sometimes the NTLM protocol is not well managed by reverse proxy servers, but the customer assured us that they already have other web applications with NTLM authentication passing through the reverse proxy: they modified the keep-alive parameters, and the authentication of the other web applications is working correctly.
What do you think about it? Have you ever seen something similar? How is it possible?
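
As an added illustration that is not part of the original post: a toy Python model of connection-bound authentication (NTLM authenticates the TCP connection rather than each request) behind a proxy, comparing a shared kept-alive backend connection with one backend connection per client. The class names, client ids and the assumption that the proxy reuses backend connections across clients are constructed for the example and do not describe the poster's actual configuration.

```python
# Toy model (constructed): the backend binds the authenticated identity to the
# TCP connection, as NTLM does, so later requests on it carry no credentials.

class BackendConnection:
    """One TCP connection from the proxy to the backend web server."""
    def __init__(self):
        self.user = None  # identity established by the handshake, if any

    def request(self, handshake_user=None):
        if handshake_user is not None:   # client completed the handshake
            self.user = handshake_user
        if self.user is None:
            return "401 Unauthorized"    # backend challenges for credentials
        return f"200 welcome {self.user}"

class PoolingProxy:
    """Assumed behaviour: one kept-alive backend connection shared by all clients."""
    def __init__(self):
        self.shared = BackendConnection()

    def forward(self, client_id, handshake_user=None):
        return self.shared.request(handshake_user)

class PinnedProxy:
    """Each client connection gets its own backend connection."""
    def __init__(self):
        self.by_client = {}

    def forward(self, client_id, handshake_user=None):
        conn = self.by_client.setdefault(client_id, BackendConnection())
        return conn.request(handshake_user)

def scenario(proxy):
    """Workstation A authenticates; workstation B then sends its first request."""
    a = proxy.forward("ws-A", handshake_user="userA")
    b = proxy.forward("ws-B")  # no credentials sent yet
    return a, b

def identity_bleed(proxy):
    """True if B is answered under an identity it never presented."""
    _, b = scenario(proxy)
    return b.startswith("200")

if __name__ == "__main__":
    for proxy in (PoolingProxy(), PinnedProxy()):
        print(type(proxy).__name__, scenario(proxy), identity_bleed(type(proxy)()))
```

In the pooled case workstation B is greeted as userA without ever presenting credentials; in the pinned case B receives the 401 challenge and has to authenticate itself.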