3205694 - SAP Analytics Cloud (SAC) stories (charts and tables) connected to live data sources fail due to the private network access (PNA) specification using Google Chrome and Microsoft Edge versions 104 and later

Symptom

Note: The information below is based on updates from the Chromium Development team and is subject to change. Please refer to the resources below for further details;

SAP Analytics Cloud (SAC) stories (charts and tables) connected to live data sources provide a warning due to the private network authentication (PNA) specification with Google Chrome and Microsoft Edge versions 104 and later.
SAP Analytics Cloud (SAC) stories (charts and tables) connected to live data sources fail due to the private network authentication (PNA) specification with Google Chrome and Microsoft Edge versions 107 and later.
See the rollout plan listed here to confirm when and how this change will take effect: https://developer.chrome.com/blog/private-network-access-preflight/#rollout-plan. Up to now, Google Chrome plan to enable this in version 115. See more details: https://chromestatus.com/feature/5737414355058688
Access to the live data sources below will be blocked after upgrading Google Chrome and Microsoft Edge versions 107 (or later) when using a DIRECT/CORS live data connection in SAP Analytics Cloud (SAC):

SAP Business Warehouse (BW),
SAP BW/4HANA,
SAP S/4HANA on-premise,
SAP HANA on-premise
SAP HANA Extended Application Service Advance Model (XS advanced),
BPC Embedded.

The following error occurs in charts and tables in a story:

Unable to retrieve data from the data source. [Destination host is unreachable]

The following errors also appear in the Google Chrome and Microsoft Edge browser developer tools:

Access to XMLHttpRequest at '<>' from origin '<>' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Private-Network' header was present in the preflight response for this private network request targeting the `local` address space.
net::ERR_FAILED

Environment

SAP Analytics Cloud Enterprise and Embedded (OEM)
Google Chrome and Microsoft Edge version 104 and later

Cause

Private network access (PNA) specification implemented in Google Chrome and Microsoft Edge.

Resolution

Google Chrome and Microsoft Edge has disabled the PNA feature as of version 102 but it will be re-enabled with warnings in version 104 and will fully block private requests in version 107 (at the earliest).
Please see the following blog for more information on the rollout plan: Private Network Access: introducing preflights Rollout plan.
SAP Analytics Cloud development is aware of the changes coming in Google Chrome and Microsoft Edge version 107 documented here:

Chrome will send Private Network Access preflights for subresources as early as Chrome 104.

There are two solutions available for live BW, S/4HANA, BPC and HANA connections:

Option 1 - Server Side Solution (Recommended)

Handle preflight requests server-side to prevent the blocking of private preflight requests (recommended):

NOTE: Please work with your consulting partner and/or IT department to update the new rules and test the updated configuration.

For SAP Business Warehouse (BW), SAP BW/4HANA, SAP S/4HANA on-premise, BPC Embedded:

Apply the service pack versions defined in SAP Note 3166410 - Enabling Private Network Access in CORS-Framework.
Please make sure the checkbox "Allow Private Network Access" is enabled. This can be found by accessing the UCONCOCKPIT transaction in BW, and editing the whitelist entry for /sap/bw/ina.

OR
Add the following line to the HTTP response rewrite rule file (rewrite.txt / filter_rules.txt) in the SAP Web Dispatcher or Internet Communication Manager (ICM):
```
if %{HEADER:Access-Control-Request-Private-Network} stricmp true
```
```
begin
```
```
SetResponseHeader Access-Control-Allow-Private-Network true
```
```
end
```
Note: This can be added to the end of the file but please avoid embedding it into other if blocks.

For SAP HANA and SAP HANA extended application services, advanced model (XS advanced):

Add the following line to the HTTP response rewrite rule file (rewrite.txt / filter_rules.txt) in the SAP Web Dispatcher or Internet Communication Manager (ICM):
```
if %{HEADER:Access-Control-Request-Private-Network} stricmp true
```
```
begin
```
```
SetResponseHeader Access-Control-Allow-Private-Network true
```
```
end
```
Note: This can be added to the end of the file but please avoid embedding it into other if blocks.

See the following SAP Note on how to add / update / append rewrite rules: 3127829 - How to configure rewriting rules in SAP Web Dispatcher and Internet Communication Manager (ICM).

Option 2 - Browser Side Solution

NOTE: This solution should only be considered as a temporary workaround, as Microsoft and Google Chrome may remove the flags from future releases of Microsoft Edge and Chrome browsers

Disable PNA checks in your browser with enterprise policies:

Google Chrome:

See Chrome Enterprise and Education Release Notes and the “Chrome sends Private Network Access preflights for subresources” section.
Disable Private Network Access (PNA) checks using the InsecurePrivateNetworkRequestsAllowed and InsecurePrivateNetworkRequestsAllowedForUrls enterprise policies.
Additionally, you can disable the following flags; #private-network-access-send-preflights and #private-network-access-respect-preflight-results

Microsoft Edge:

See Private Network Request Settings policies - InsecurePrivateNetworkRequestsAllowed and InsecurePrivateNetworkRequestsAllowedForUrls

Information about Live Data Connection to SAP Universes and Web Intelligence Documents:

Customers using Live Data Connect (LDC) will be also impacted by this change.
SAP is working a new LDC version that will address and fix the issue.
We will update this KBA as soon as this new version is available.
In case of any issues “Option 2 - Browser Side Solution” (mentioned above) has to be applied to fix the problem until the new LDC version is released.

Information about Live data Connection to HANA Cloud Environments

Customers using Live Data Connections to HANA Cloud Environments will not be impacted
If you wish to test this, you can temporarily enable PNA requests via the Chrome and Edge flags below, where you will observe the Connection to SAP HANA Cloud can still be created and consumed successfully;

#private-network-access-send-preflights
#private-network-access-respect-preflight-results

Keywords

SAP Cloud for Planning, sc4p, c4p, cforp, cloudforplanning, Cloud for Analytics, Cloud4Analytics, CloudforAnalytics, Cloud 4 Planning, BOC, SAPBusinessObjectsCloud, BusinessObjectsCloud, BOBJcloud, BOCloud., SAC, SAP AC, Cloud-Analytics, CloudAnalytics, SAPCloudAnalytics,Error, Issue, System, Data, User, Unable, Access, Connection, Sac, Connector, Live, Acquisition, Up, Set, setup, Model, BW, Connect, Story, Tenant, Import, Failed, Using, Working, SAML, SSO, sapanalyticscloud, sap analytical cloud, sap analytical cloud, SAC, sap analyst cloud, connected, failure, stopped, sap analyst cloud, https://hcs.cloud.sap, https://hanacloudservices.cloud.sap, https://cloudanalytics.accounts.ondemand.com, https://hanacloudservices-us.accounts.ondemand.com, https://www.sap.com, https://help.sap.com, predictive analytics (analysis), data analysis (analytics) tools, analytics tools, sap analytics cloud, data literacy, advanced analytics, data democratization, analytics software, real time analytics, self service analytics, advanced data analytics, analytics as a service, analytics cloud / cloud analytics, saas analytics, cloud bi, enterprise planning, cloud data analytics, cloud based analytics, analytics cloud platform, modern analytics, real time analysis, cloud analytics solution(s), what is sap analytics cloud, cloud analytics tools, analytics in the cloud, cloud analytics software, SAC - BW Live connection faild on Chrome 102 (Beta), In Chrome 102, released, authentication fails when connecting to SAC-BW Live data, authenticated without any problems in the same environment. issue check, fails failed failure prechecks, BW Live CORS: Solution for Preflight request -> Allow Private Network Access not fully documented?, Live Connections not working SAC upgrade, SAC - BW Live connection faild on Chrome 102 (Beta) fails failure failed, Live connectivity failures due to private network authentication (PNA) with Chrome / Edge version 102 and later How to Enable CORS on SAP NetWeaver Platform , KBA , chrome chromium browsers , access-control-request-private-network , pna pre flights , sends a cors preflight request ahead , private network access , pna , "allow private network access" , cors-rfc1918 , 3205694 , (failed)net::err_timed_out , sac cors chrome 102 , config chagne changes changed change , chrome 102 cross origin sac kba , sac kba cors 102 , allow private network access not fully , bw live cors: solution for preflight req , preflights chrome 102 sac kba , headers icf rule icm cors , pna edge v105 warning , rewrte rules rewrite rule , sac & chrome v102, , private network access specification , http 401 unauthorized , planned chromium changes affecting live , live connections in sap analytics cloud , via webdispatcher , sap btp - hana cloud prd , hana onpremise prd tst , sap btp - hana cloud dev , sac live private preflights kba , sac+unable to retrieve data from the , data source. destination host is unreach , sac+unable to retrieve data from the dat , "unable to retrieve data from the data s , source , destination host is unreachable , sac+unable , LOD-ANA-LDC , SAC Live Data Connection , LOD-ANA-ADM , SAC Administration , LOD-ANA-LDC-BW , SAC Live Data Connection BW , LOD-ANA-LDC-HAN , SAC Live Data Connection HANA , LOD-ANA-AUT , SAC Authentication / Login , LOD-ANA-LDC-UNV , SAC Live Data Connection Universe , Problem

Product

SAP Analytics Cloud 1.0