Symptom
Note: The information below is based on updates from the Chromium Development team and is subject to change. Please refer to the resources below for further details;
- SAP Analytics Cloud (SAC) stories (charts and tables) connected to live data sources provide a warning due to the private network authentication (PNA) specification with Google Chrome and Microsoft Edge versions 104 and later.
- SAP Analytics Cloud (SAC) stories (charts and tables) connected to live data sources fail due to the private network authentication (PNA) specification with Google Chrome and Microsoft Edge versions 107 and later.
- See the rollout plan listed here to confirm when and how this change will take effect: https://developer.chrome.com/blog/private-network-access-preflight/#rollout-plan. Up to now, Google Chrome plan to enable this in version 115. See more details: https://chromestatus.com/feature/5737414355058688
- Access to the live data sources below will be blocked after upgrading Google Chrome and Microsoft Edge versions 107 (or later) when using a DIRECT/CORS live data connection in SAP Analytics Cloud (SAC):
- SAP Business Warehouse (BW),
- SAP BW/4HANA,
- SAP S/4HANA on-premise,
- SAP HANA on-premise
- SAP HANA Extended Application Service Advance Model (XS advanced),
- BPC Embedded.
- The following error occurs in charts and tables in a story:
- Unable to retrieve data from the data source. [Destination host is unreachable]
- The following errors also appear in the Google Chrome and Microsoft Edge browser developer tools:
- Access to XMLHttpRequest at '<>' from origin '<>' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Private-Network' header was present in the preflight response for this private network request targeting the `local` address space.
- net::ERR_FAILED
Environment
- SAP Analytics Cloud Enterprise and Embedded (OEM)
- Google Chrome and Microsoft Edge version 104 and later
Cause
Private network access (PNA) specification implemented in Google Chrome and Microsoft Edge.
Resolution
- Google Chrome and Microsoft Edge has disabled the PNA feature as of version 102 but it will be re-enabled with warnings in version 104 and will fully block private requests in version 107 (at the earliest).
- Please see the following blog for more information on the rollout plan: Private Network Access: introducing preflights Rollout plan.
- SAP Analytics Cloud development is aware of the changes coming in Google Chrome and Microsoft Edge version 107 documented here:
There are two solutions available for live BW, S/4HANA, BPC and HANA connections:
Option 1 - Server Side Solution (Recommended)
Handle preflight requests server-side to prevent the blocking of private preflight requests (recommended):
NOTE: Please work with your consulting partner and/or IT department to update the new rules and test the updated configuration.
For SAP Business Warehouse (BW), SAP BW/4HANA, SAP S/4HANA on-premise, BPC Embedded:
- Apply the service pack versions defined in SAP Note 3166410 - Enabling Private Network Access in CORS-Framework.
- Please make sure the checkbox "Allow Private Network Access" is enabled. This can be found by accessing the UCONCOCKPIT transaction in BW, and editing the whitelist entry for /sap/bw/ina.
OR -
Add the following line to the HTTP response rewrite rule file (rewrite.txt / filter_rules.txt) in the SAP Web Dispatcher or Internet Communication Manager (ICM):
if %{HEADER:Access-Control-Request-Private-Network} stricmp truebegin
SetResponseHeader Access-Control-Allow-Private-Network true
end
- Note: This can be added to the end of the file but please avoid embedding it into other if blocks.
For SAP HANA and SAP HANA extended application services, advanced model (XS advanced):
- Add the following line to the HTTP response rewrite rule file (rewrite.txt / filter_rules.txt) in the SAP Web Dispatcher or Internet Communication Manager (ICM):
if %{HEADER:Access-Control-Request-Private-Network} stricmp true
begin
SetResponseHeader Access-Control-Allow-Private-Network true
end
- Note: This can be added to the end of the file but please avoid embedding it into other if blocks.
- See the following SAP Note on how to add / update / append rewrite rules: 3127829 - How to configure rewriting rules in SAP Web Dispatcher and Internet Communication Manager (ICM).
Option 2 - Browser Side Solution
NOTE: This solution should only be considered as a temporary workaround, as Microsoft and Google Chrome may remove the flags from future releases of Microsoft Edge and Chrome browsers
Disable PNA checks in your browser with enterprise policies:
-
Google Chrome:
- See Chrome Enterprise and Education Release Notes and the “Chrome sends Private Network Access preflights for subresources” section.
- Disable Private Network Access (PNA) checks using the InsecurePrivateNetworkRequestsAllowed and InsecurePrivateNetworkRequestsAllowedForUrls enterprise policies.
- Additionally, you can disable the following flags; #private-network-access-send-preflights and #private-network-access-respect-preflight-results
- Microsoft Edge:
Information about Live Data Connection to SAP Universes and Web Intelligence Documents:
- Customers using Live Data Connect (LDC) will be also impacted by this change.
- SAP is working a new LDC version that will address and fix the issue.
We will update this KBA as soon as this new version is available. - In case of any issues “Option 2 - Browser Side Solution” (mentioned above) has to be applied to fix the problem until the new LDC version is released.
Information about Live data Connection to HANA Cloud Environments
- Customers using Live Data Connections to HANA Cloud Environments will not be impacted
- If you wish to test this, you can temporarily enable PNA requests via the Chrome and Edge flags below, where you will observe the Connection to SAP HANA Cloud can still be created and consumed successfully;
-
#private-network-access-send-preflights
-
#private-network-access-respect-preflight-results
See Also
- How to Enable CORS on SAP NetWeaver Platform (See update from May 26, 2022)
- Chrome 102 and SAP Analytics Cloud Live connections to on-premise data sources
- 3166410 - Enabling Private Network Access in CORS-Framework
- 2569847 - Where can you find SAC user assistance (help) to use, configure, and operate it more effectively?
- Have a question? Ask it here and let our amazing SAP community help! Or reply and share your knowledge!
- 2487011 - What information do I need to provide when opening an case for SAP Analytics Cloud?
- 2511489 - Troubleshooting performance issues in SAP Analytics Cloud
- Search for SAP Analytics Cloud content using Google or Bing:
- https://www.google.ca/search?q=site%3Ahttps%3A%2F%2Fapps.support.sap.com+SAP+Analytics+Cloud
- https://www.bing.com/search?q=site%3Ahttps%3A%2F%2Fapps.support.sap.com+SAP+Analytics+Cloud
- Note: Add relevant text or warning/error messages to the text search field to filter results.
- SAP Analytics Cloud Connection Guide
- Getting Started with SAP Analytics Cloud Expert Community page
- SAP Analytics Cloud Get More Help and SAP Support
- Need More Help? Contact Support or visit the solution finder today!
Your feedback is important to help us improve our knowledge base.
Keywords
SAP Cloud for Planning, sc4p, c4p, cforp, cloudforplanning, Cloud for Analytics, Cloud4Analytics, CloudforAnalytics, Cloud 4 Planning, BOC, SAPBusinessObjectsCloud, BusinessObjectsCloud, BOBJcloud, BOCloud., SAC, SAP AC, Cloud-Analytics, CloudAnalytics, SAPCloudAnalytics,Error, Issue, System, Data, User, Unable, Access, Connection, Sac, Connector, Live, Acquisition, Up, Set, setup, Model, BW, Connect, Story, Tenant, Import, Failed, Using, Working, SAML, SSO, sapanalyticscloud, sap analytical cloud, sap analytical cloud, SAC, sap analyst cloud, connected, failure, stopped, sap analyst cloud, https://hcs.cloud.sap, https://hanacloudservices.cloud.sap, https://cloudanalytics.accounts.ondemand.com, https://hanacloudservices-us.accounts.ondemand.com, https://www.sap.com, https://help.sap.com, predictive analytics (analysis), data analysis (analytics) tools, analytics tools, sap analytics cloud, data literacy, advanced analytics, data democratization, analytics software, real time analytics, self service analytics, advanced data analytics, analytics as a service, analytics cloud / cloud analytics, saas analytics, cloud bi, enterprise planning, cloud data analytics, cloud based analytics, analytics cloud platform, modern analytics, real time analysis, cloud analytics solution(s), what is sap analytics cloud, cloud analytics tools, analytics in the cloud, cloud analytics software, SAC - BW Live connection faild on Chrome 102 (Beta), In Chrome 102, released, authentication fails when connecting to SAC-BW Live data, authenticated without any problems in the same environment. issue check, fails failed failure prechecks, BW Live CORS: Solution for Preflight request -> Allow Private Network Access not fully documented?, Live Connections not working SAC upgrade, SAC - BW Live connection faild on Chrome 102 (Beta) fails failure failed, Live connectivity failures due to private network authentication (PNA) with Chrome / Edge version 102 and later How to Enable CORS on SAP NetWeaver Platform , KBA , private network access specification , http 401 unauthorized , via webdispatcher , pna pre flights , sends a cors preflight request ahead , private network access , pna , sac cors chrome 102 , sac kba cors 102 , preflights chrome 102 sac kba , pna edge v105 warning , rewrte rules rewrite rule , sac & chrome v102, , planned chromium changes affecting live , sap btp - hana cloud prd , sap btp - hana cloud dev , sac live private preflights kba , chrome chromium browsers , access-control-request-private-network , "allow private network access" , cors-rfc1918 , 3205694 , (failed)net::err_timed_out , config chagne changes changed change , chrome 102 cross origin sac kba , allow private network access not fully , bw live cors: solution for preflight req , headers icf rule icm cors , live connections in sap analytics cloud , hana onpremise prd tst , sac+unable to retrieve data from the dat , sac+unable to retrieve data from the , data source. destination host is unreach , "unable to retrieve data from the data s , source , destination host is unreachable , sac+unable , LOD-ANA-LDC , SAC Live Data Connection , LOD-ANA-ADM , SAC Administration , LOD-ANA-LDC-BW , SAC Live Data Connection BW , LOD-ANA-LDC-HAN , SAC Live Data Connection HANA , LOD-ANA-AUT , SAC Authentication / Login , LOD-ANA-LDC-UNV , SAC Live Data Connection Universe , Problem