SAP Knowledge Base Article - Preview

2483974 - Windows AD SSO using AES encryption not working in Business Intelligence Platform

Symptom

  • The BI Launchpad logon page is displayed instead of the user being logged in automatically (SSO fails).
  • Tomcat or Vintela logs may show an error message like the following (note: key type 18 is AES):

    jcsi.kerberos: Could not decrypt service ticket with Key type 18, KVNO 4, Principal "HTTP/XXX.YYY.ZZZ" using key:
     Principal: [1] SERVICEACCOUNT@REALM.COM
      KVNO: -1
      EncType: 18
      Key: 32 bytes, fingerprint = [f2 5d e2 71 df 84 33 95 ca 8e 1 b9 ff 53 bd 48]
    Exception for this key was:  com.dstc.security.kerberos.CryptoException: Integrity check failure
    [Note:  principal names are different;  this may or may not be a problem]
    [Note:  KVNO used wildcard match, not exact match;  perhaps the password used to generate this key is not the most recent password?]

  • A Wireshark capture from the server shows the following:

         ETYPE-INFO2-ENTRY
         etype: eTYPE-AES256-CTS-HMAC-SHA1-96 (18)
         salt: REALM.COMserviceaccount

  • Another error that may be observed in the Tomcat stderr log:

    com.crystaldecisions.sdk.exception.SDKException$InvalidArg: The argument has an invalid value null (FWM 02024)

Image/data in this KBA is from SAP internal systems, sample data, or demo systems. Any resemblance to real data is purely coincidental



Environment

  • Windows Server Operating System
  • SAP BusinessObjects Business Intelligence Platform 4.x

 

Product

SAP BusinessObjects Business Intelligence platform 4.1; SAP BusinessObjects Business Intelligence platform 4.2; SAP BusinessObjects Business Intelligence platform 4.3

Keywords

htkba biauth windows ad, ActiveDirectory, WinAD, secWinAD, krb5, krb5.ini, global.properties, idm.princ, case-sensitive, casing sensitive, aes, aes-encryption, encryption, sso failing, failed sso, single-sign-on, single sign-on, single signon, manual authentication, automatic authentication, automatic sso, service account, domain, realm, bi4, bi 4.x, bobj, 4.1, 4.2, 4.3, 4.0, auth, KBA, kerberos, bo, aes, BI-BIP-AUT, Authentication, ActiveDirectory, LDAP, SSO, Vintela, Problem
