SAP Knowledge Base Article - Preview

3118389 - SSO failing for all users suddenly server error is Message stream modified

Symptom

  • SSO suddenly starts failing for all users, and they are left at a login screen
  • In the stderr with -Dcjsi.kerberos.debug=true we see "com.crystaldecisions.sdk.exception.SDKException$InvalidArg: The argument has an invalid value null (FWM 02024)" To note this error is very generic, the ones below can verify the issue better
  • Web application logs (following KBA 1613472) show the error below
  • NEW! to have your web application logs deciphered automatically for you please upload them to the new Support Log Assistant (SLA

"LoginContext failed. Failure unspecified at GSS-API level (Mechanism level: com.dstc.security.kerberos.KerberosError: Message stream modified
Error code: 41
Server name: BICMS/SPN
Server realm: EXAMPLEREALM.COM

  • Vintela logs contain no errors following KBA 2684843
  • Client packet scans contain no errors following KBA 1969914
  • Packet scans on the web application server will show KRB Error: KRB5 KRB_AP_ERR_MODIFIED on TGS request for the CMC service principal name 
  • this error is also mentioned in KBA 2820819 but so far the previous solutions have failed
  • Manual logon is working for all users both in client tools and web applications


Read more...

Environment

  • SAP BusinessObjects Business Intelligence Platform 4.2 (all SPs) probably will affect 4.3 as well
  • Windows server version 2012, 2016, and 2019 all supported server versions
  • Important to note the issue is being caused by domain controllers not BI servers 

Keywords

bip bi 4.x 4.* 4.2 4.3 bi4.x bi4.* bi4.2 bi4.3  vintela ventila vintella ventela set up Active Directory single sign on sign-on slient automatic opendocument error fail Account Information Not Recognized: Active Directory Authentication failed to log you on. Please contact your system administrator to make sure that you are a member of a valid mapped group and try again. If you are not a member of the default domain, enter your user name as UserName@DNS_DomainName, and then try again. (FWM 00006) (FWM 00005)  jcsi.kerberos: Could not decrypt service ticket with Key type ##, KVNO ##, Principal "HTTP/XXX.YYY.ZZZ" using key:Principal username@REALM.COM - delegation error secwinad winad  , KBA , BI-BIP-AUT , Authentication, ActiveDirectory, LDAP, SSO, Vintela , Problem

About this page

This is a preview of a SAP Knowledge Base Article. Click more to access the full version on SAP ONE Support launchpad (Login required).

Search for additional results

Visit SAP Support Portal's SAP Notes and KBA Search.