Symptom
- From the client perspective there are no errors, SSO is setup, but clients receive a logon page (as if SSO wasn't setup)
- Even though SSO is failing, all standard tests from KBA 2629070 succeed (credentials obtained in std.err, clients are prompted fror SSO, client tickets are received in wireshark logs or packet scans)
- tomcat stderr.log snipet (error is very misleading) this error is only generated when a client attempts SSO and fails (not during tomcat startup when the credentials obtained is generated)
com.crystaldecisions.sdk.exception.SDKException$InvalidArg: The argument has an invalid value null (FWM 02024)
at com.crystaldecisions.sdk.occa.security.internal.SecuritySession.decodeSerializedSession(SecuritySession.java:907)
at com.crystaldecisions.sdk.occa.security.internal.SecuritySession.makeSessionHelper(SecuritySession.java:983)
at com.crystaldecisions.sdk.occa.security.internal.SecuritySession.makeSession(SecuritySession.java:975)
at com.crystaldecisions.sdk.occa.security.internal.SecurityFactory.makeSecuritySession(SecurityFactory.java:143)
at com.crystaldecisions.sdk.occa.security.internal.SecurityMgr.getSession(SecurityMgr.java:191)
at com.crystaldecisions.sdk.framework.internal.SessionMgr.getSession_aroundBody14(SessionMgr.java:
- A strong hint that also appears in the log (not as an error) (requires -Djcsi.kerberos.debug=true setting in java options)
[DEBUG] jcsi.kerberos: Not forwarding a TGT for delegation because...
[DEBUG] jcsi.kerberos: OK-AS-DELEGATE not in svc tkt
what we should to see instead is something like (ticket flags: forwardable ok-as-delegate preauthent)
- If web/app (bilaunchpad) logs are enabled in the CMC, you can find this much better error.
com.businessobjects.bip.core.web.logon.internal.sso.VintelaServlet||Single Sign On failed. The service account may not be trusted for delegation. Exception: The argument has an invalid value [credential is null] (FWM 02024)
- Important to note manual AD to client tools and web/apps will probably work fine which would seem to indicate that everythign is properly configured.
- No other SSO errors appear in wireshark logs, packet scan, tomcat, or anywhere
Read more...
Environment
SAP BusinessObjects Business Intelligence Platform 4.2 (this is probably possible in any BI 4.x platform support pack or patch as the vintela libraries are the same in all of them)
Product
Keywords
emkba biauth zie emkb single sign on sign-on automatic logon silent , KBA , directory , active , BI-BIP-AUT , Authentication, ActiveDirectory, LDAP, SSO, Vintela , Problem
About this page
This is a preview of a SAP Knowledge Base Article. Click more to access the full version on SAP for Me (Login required).Search for additional results
Visit SAP Support Portal's SAP Notes and KBA Search.