SAP Knowledge Base Article - Preview

3118389 - SSO failing for all users suddenly server error is Message stream modified

Symptom

  • SSO suddenly starts failing for all users, and they are left at a login screen
  • In the stderr with -Dcjsi.kerberos.debug=true we see "com.crystaldecisions.sdk.exception.SDKException$InvalidArg: The argument has an invalid value null (FWM 02024)" To note this error is very generic, the ones below can verify the issue better
  • Web application logs (following KBA 1613472) show the error below
  • NEW! to have your web application logs deciphered automatically for you please upload them to the new Support Log Assistant (SLA

"LoginContext failed. Failure unspecified at GSS-API level (Mechanism level: com.dstc.security.kerberos.KerberosError: Message stream modified
Error code: 41
Server name: BICMS/SPN
Server realm: EXAMPLEREALM.COM

  • Vintela logs contain no errors following KBA 2684843
  • Client packet scans contain no errors following KBA 1969914
  • Packet scans on the web application server will show KRB Error: KRB5 KRB_AP_ERR_MODIFIED on TGS request for the CMC service principal name 
  • this error is also mentioned in KBA 2820819 but so far the previous solutions have failed
  • Manual logon is working for all users both in client tools and web applications


Read more...

Environment

  • SAP BusinessObjects Business Intelligence Platform 4.2 (all SPs) probably will affect 4.3 as well
  • Windows server version 2012, 2016, and 2019 all supported server versions
  • Important to note the issue is being caused by domain controllers not BI servers 

Product

SAP BusinessObjects Business Intelligence platform all versions

Keywords

bip bi 4.x 4.* 4.2 4.3 bi4.x bi4.* bi4.2 bi4.3  vintela ventila vintella ventela set up Active Directory single sign on sign-on slient automatic opendocument error fail Account Information Not Recognized: Active Directory Authentication failed to log you on. Please contact your system administrator to make sure that you are a member of a valid mapped group and try again. If you are not a member of the default domain, enter your user name as UserName@DNS_DomainName, and then try again. (FWM 00006) (FWM 00005)  jcsi.kerberos: Could not decrypt service ticket with Key type ##, KVNO ##, Principal "HTTP/XXX.YYY.ZZZ" using key:Principal username@REALM.COM - delegation error secwinad winad  , KBA , BI-BIP-AUT , Authentication, ActiveDirectory, LDAP, SSO, Vintela , Problem

About this page

This is a preview of a SAP Knowledge Base Article. Click more to access the full version on SAP for Me (Login required).

Search for additional results

Visit SAP Support Portal's SAP Notes and KBA Search.