SAP Knowledge Base Article - Preview

2386283 - Receive error (FWM 02024) in tomcat logs when attempting SSO (configuration appears correct)

Symptom

  • From the client perspective there are no errors, SSO is setup, but clients receive a logon page (as if SSO wasn't setup) 
  • Even though SSO is failing, all standard tests from KBA 2629070 succeed (credentials obtained in std.err, clients are prompted fror SSO, client tickets are received in wireshark logs or packet scans)
  • tomcat stderr.log snipet (error is very misleading) this error is only generated when a client attempts SSO and fails (not during tomcat startup when the credentials obtained is generated) 

com.crystaldecisions.sdk.exception.SDKException$InvalidArg: The argument has an invalid value null (FWM 02024)
at com.crystaldecisions.sdk.occa.security.internal.SecuritySession.decodeSerializedSession(SecuritySession.java:907)
at com.crystaldecisions.sdk.occa.security.internal.SecuritySession.makeSessionHelper(SecuritySession.java:983)
at com.crystaldecisions.sdk.occa.security.internal.SecuritySession.makeSession(SecuritySession.java:975)
at com.crystaldecisions.sdk.occa.security.internal.SecurityFactory.makeSecuritySession(SecurityFactory.java:143)
at com.crystaldecisions.sdk.occa.security.internal.SecurityMgr.getSession(SecurityMgr.java:191)
at com.crystaldecisions.sdk.framework.internal.SessionMgr.getSession_aroundBody14(SessionMgr.java:

  • A strong hint that also appears in the log (not as an error) (requires -Djcsi.kerberos.debug=true setting in java options)

[DEBUG]  jcsi.kerberos: Not forwarding a TGT for delegation because...
[DEBUG]  jcsi.kerberos: OK-AS-DELEGATE not in svc tkt

what we should to see instead is something like (ticket flags: forwardable ok-as-delegate preauthent)

  • If web/app (bilaunchpad) logs are enabled in the CMC, you can find this much better error.

com.businessobjects.bip.core.web.logon.internal.sso.VintelaServlet||Single Sign On failed. The service account may not be trusted for delegation. Exception: The argument has an invalid value [credential is null] (FWM 02024)

  • Important to note manual AD to client tools and web/apps will probably work fine which would seem to indicate that everythign is properly configured.
  • No other SSO errors appear in wireshark logs, packet scan, tomcat, or anywhere


Read more...

Environment

SAP BusinessObjects Business Intelligence Platform 4.2 (this is probably possible in any BI 4.x platform support pack or patch as the vintela libraries are the same in all of them)

Product

SAP BusinessObjects Business Intelligence platform 4.2

Keywords

emkba biauth zie emkb single sign on sign-on automatic logon silent , KBA , directory , active , BI-BIP-AUT , Authentication, ActiveDirectory, LDAP, SSO, Vintela , Problem

About this page

This is a preview of a SAP Knowledge Base Article. Click more to access the full version on SAP for Me (Login required).

Search for additional results

Visit SAP Support Portal's SAP Notes and KBA Search.