
BPC 10.0 MS authentication does not work with an Apache Reverse Proxy


Dear Gurus,

We are using BPC 10.0 MS in a multiserver environment (1 web/appl + 1 db/olap server).

We have configured Windows Authentication (neither Kerberos nor BO CMS).

We use a reverse proxy to handle incoming connections from the intranet and from outside (i.e. the internet).

We did some tests and we found the following:

Different client sessions are 'overlapping' when trying to access the server web page through the reverse proxy (Apache on Linux; to be more precise, apache2.2 - httpd-2.2.3-65.el5_8 on rhel5).

It means that user A logs on to the BPC web site from workstation A, and everything is OK. Then user A logs off correctly.

Then client B logs on to the BPC web site from another workstation B, and the log-on process goes well, but client B finds himself with the credentials of client A.

It means that user B logs on correctly (no errors during the authentication process), but on the home page he finds "welcome user A"… crazy.

It seems that the reverse proxy is causing the problem. In fact, bypassing the reverse proxy, we do not have user overlapping.

But, for security policy, we have to use the reverse proxy.

Other useful information:

- The proxy is NOT asking for authentication, as explained in the installation guide.

- We added the BPC servers to the exceptions (server level) and correctly configured the IE client options.

- We also correctly defined the external address for the BPC Server in Server Manager.

- The R-proxy does not use cookies or sessions. The R-proxy does not add them.


We traced the logon process of a BPC client with httpwatch and we found that it uses the NTLM protocol.

It seems that sometimes the NTLM protocol is not well managed by reverse proxy servers, but the customer assured us that they already have other web applications with NTLM authentication passing through the R-proxy: they modified the keep-alive parameters and the authentication of the other web applications is working correctly.

What do you think about it? Have you ever seen something similar? How is it possible?

BR

Dario


Hi John,

thanks for your answer.

So, the customer tested the r-proxy parameter 'disablereuse ON', but unfortunately the result was KO:

Accessing through the web client they receive "401 Unauthorized: access is denied due to invalid credentials"

In the meantime, we discussed this known issue with the customer: https://issues.apache.org/bugzilla/show_bug.cgi?id=47167

The issue described in the link seems to be the ‘mirror’ of our issue (overlapping users). In the same link there are 2 possible solutions:

1) Switching the authentication to BASIC

2) Upgrading to apache httpd 2.2.6 (the customer has 2.2.3 with the latest patch level)

The first solution is not applicable, because BPC does not work anymore with BASIC authentication only. As per the installation guide, with IIS 7.x you have to enable WINDOWS and BASIC authentication. We tried to disable WINDOWS authentication (leaving only BASIC authentication) and then the system was unavailable, so we had to restore it.

The second solution is also not applicable: 2.2.6 is an intermediate release and with more recent releases (i.e. 2.2.8, 2.2.9, 2.2.11) the problem appears again. So the customer would be 'blocked' on 2.2.6... not a solution.

Any other suggestions about Apache?

Maybe switching the authentication from 'Windows' to BO CMS? (no more NTLM...)

thanks and BR

Dario
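Both symptoms reported in this thread (user B greeted as user A, and the 401 with disablereuse ON) fit the fact that NTLM authenticates a TCP connection rather than each request. The simplified model below is an added example, not code from the posts or from Apache; the class names and the mode names `pool`, `per_request` and `pinned` are hypothetical, and the mapping of `per_request` to disablereuse ON is an assumption.

```python
class BackendConn:
    """One TCP connection to the backend; NTLM state lives on the connection."""
    def __init__(self):
        self.challenged, self.user = False, None

    def request(self, msg=None):
        if msg == "negotiate":                 # NTLM type 1 -> server challenge
            self.challenged = True
            return "401 challenge"
        if isinstance(msg, tuple):             # ("authenticate", user), type 3
            if not self.challenged:            # challenge was sent on another
                return "401"                   # connection: handshake fails
            self.user = msg[1]
        # Once authenticated, requests without credentials are served as user.
        return f"welcome {self.user}" if self.user else "401"

class Proxy:
    """'pool' shares idle backend connections between all clients,
    'per_request' opens a new backend connection for every request,
    'pinned' keeps one backend connection per client connection."""
    def __init__(self, mode):
        self.mode, self.idle, self.pinned = mode, [], {}

    def forward(self, client, msg=None):
        if self.mode == "pool":
            conn = self.idle.pop() if self.idle else BackendConn()
            self.idle.append(conn)             # back to the shared pool
        elif self.mode == "pinned":
            conn = self.pinned.setdefault(client, BackendConn())
        else:
            conn = BackendConn()
        return conn.request(msg)

    def disconnect(self, client):
        self.pinned.pop(client, None)          # backend connection closes too

def browse(proxy, client, user):
    """Browser side: anonymous request first, NTLM handshake only on a 401."""
    reply = proxy.forward(client)
    if reply.startswith("401"):
        proxy.forward(client, "negotiate")
        reply = proxy.forward(client, ("authenticate", user))
    proxy.disconnect(client)
    return reply

def scenario(mode):
    # Constructed input: two workstations logging on one after the other.
    proxy = Proxy(mode)
    return browse(proxy, "ws-A", "userA"), browse(proxy, "ws-B", "userB")

if __name__ == "__main__":
    for mode in ("pool", "per_request", "pinned"):
        print(mode, scenario(mode))
```

In the model, only the mode that ties each backend connection to a single client connection gives both users their own identity.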