SAP Knowledge Base Article - Preview

2483974 - Windows AD SSO using AES encryption not working in Business Intelligence Platform

Symptom

  • The BI Launchpad logon page is shown instead of the user being logged on automatically (SSO fails).
  • Tomcat or Vintela logs may show an error message of the following type (note: key type 18 is AES):

    jcsi.kerberos: Could not decrypt service ticket with Key type 18, KVNO 4, Principal "HTTP/XXX.YYY.ZZZ" using key:
     Principal: [1] SERVICEACCOUNT@REALM.COM
      KVNO: -1
      EncType: 18
      Key: 32 bytes, fingerprint = [f2 5d e2 71 df 84 33 95 ca 8e 1 b9 ff 53 bd 48]
    Exception for this key was:  com.dstc.security.kerberos.CryptoException: Integrity check failure[Note:  principal names are different;  this may or may not be a problem]
    [Note:  KVNO used wildcard match, not exact match;  perhaps the password used to generate this key is not the most recent password?]

  • A Wireshark capture from the server shows the following:

         ETYPE-INFO2-ENTRY
         etype: eTYPE-AES256-CTS-HMAC-SHA1-96 (18)
         salt: REALM.COMserviceaccount

  • Another error that may be observed in the Tomcat std.err:

    com.crystaldecisions.sdk.exception.SDKException$InvalidArg: The argument has an invalid value null (FWM 02024)
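
A small triage helper for the jcsi.kerberos excerpt above, added here as an example; it is not part of the SAP article or of SAP's tooling. It extracts the ticket's etype, KVNO and SPN and the candidate key's fields, then flags the conditions the log's own notes point to. The function name `triage` and the finding labels are assumptions made for this example.

```python
import re

# Constructed sample: the jcsi.kerberos error quoted in the Symptom list.
SAMPLE_LOG = '''jcsi.kerberos: Could not decrypt service ticket with Key type 18, KVNO 4, Principal "HTTP/XXX.YYY.ZZZ" using key:
 Principal: [1] SERVICEACCOUNT@REALM.COM
  KVNO: -1
  EncType: 18
  Key: 32 bytes, fingerprint = [f2 5d e2 71 df 84 33 95 ca 8e 1 b9 ff 53 bd 48]
'''

# Only the etype named on this page is mapped; others are reported by number.
ETYPE_NAMES = {18: "AES256-CTS-HMAC-SHA1-96"}

HEADER = re.compile(r'Could not decrypt service ticket with Key type (\d+), '
                    r'KVNO (-?\d+), Principal "([^"]+)" using key:')
FIELD = re.compile(r'^\s*(Principal|KVNO|EncType):\s*(?:\[\d+\]\s*)?(\S+)\s*$')

def triage(log_text):
    """Return one report per decrypt failure: ticket fields, key fields, findings."""
    reports, current = [], None
    for line in log_text.splitlines():
        m = HEADER.search(line)
        if m:  # start of a new failure record: fields of the presented ticket
            current = {"ticket": {"etype": int(m.group(1)), "kvno": int(m.group(2)),
                                  "principal": m.group(3)}, "key": {}, "findings": []}
            reports.append(current)
            continue
        f = FIELD.match(line)
        if current is not None and f:  # fields of the key that was tried
            name, value = f.groups()
            current["key"][name.lower()] = value if name == "Principal" else int(value)
    for r in reports:
        t, k, out = r["ticket"], r["key"], r["findings"]
        r["etype_name"] = ETYPE_NAMES.get(t["etype"], "etype %d" % t["etype"])
        if k.get("enctype") != t["etype"]:
            out.append("etype_mismatch")
        if k.get("kvno") == -1:
            out.append("kvno_wildcard")  # key was matched by wildcard, not by exact KVNO
        elif k.get("kvno") != t["kvno"]:
            out.append("kvno_mismatch")
        if k.get("principal", "").split("@")[0] != t["principal"]:
            out.append("principal_differs")  # log notes this may or may not matter
    return reports

if __name__ == "__main__":
    for report in triage(SAMPLE_LOG):
        print(report)
```
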

Image/data in this KBA is from SAP internal systems, sample data, or demo systems. Any resemblance to real data is purely coincidental.


Environment

  • Windows Server Operating System
  • SAP BusinessObjects Business Intelligence Platform 4.x

Product

SAP BusinessObjects Business Intelligence platform 4.0 ; SAP BusinessObjects Business Intelligence platform 4.1 ; SAP BusinessObjects Business Intelligence platform 4.2

Keywords

htkba biauth windows ad, ActiveDirectory, WinAD, secWinAD, krb5, krb5.ini, global.properties, idm.princ, case-sensitive, casing sensitive, aes, aes-encryption, encryption, sso failing, failed sso, single-sign-on, single sign-on, single signon, manual authentication, automatic authentication, automatic sso, service account, domain, realm, bi4, bi 4.x, bobj, 4.1, 4.2, 4.0, auth, KBA, BI-BIP-AUT, Authentication, ActiveDirectory, LDAP, SSO, Vintela, Problem
