SAP Knowledge Base Article - Public

3205694 - SAP Analytics Cloud (SAC) stories (charts and tables) connected to live data sources fail due to the private network access (PNA) specification using Google Chrome and Microsoft Edge versions 104 and later

Symptom

Note: The information below is based on updates from the Chromium Development team and is subject to change. Please refer to the resources below for further details;

  • SAP Analytics Cloud (SAC) stories (charts and tables) connected to live data sources provide a warning due to the private network authentication (PNA) specification with Google Chrome and Microsoft Edge versions 104 and later.
  • SAP Analytics Cloud (SAC) stories (charts and tables) connected to live data sources fail due to the private network authentication (PNA) specification with Google Chrome and Microsoft Edge versions 107 and later.
  • See the rollout plan listed here to confirm when and how this change will take effecthttps://developer.chrome.com/blog/private-network-access-preflight/#rollout-planUp to now, Google Chrome plan to enable this in version 115. See more details: https://chromestatus.com/feature/5737414355058688
  • Access to the live data sources below will be blocked after upgrading Google Chrome and Microsoft Edge versions 107 (or later) when using a DIRECT/CORS live data connection in SAP Analytics Cloud (SAC):
    • SAP Business Warehouse (BW),
    • SAP BW/4HANA,
    • SAP S/4HANA on-premise,
    • SAP HANA on-premise
    • SAP HANA Extended Application Service Advance Model (XS advanced),
    • BPC Embedded.
  • The following error occurs in charts and tables in a story:
    • Unable to retrieve data from the data source. [Destination host is unreachable]
  • The following errors also appear in the Google Chrome and Microsoft Edge browser developer tools:
    • Access to XMLHttpRequest at '<>' from origin '<>' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Private-Network' header was present in the preflight response for this private network request targeting the `local` address space.
    • net::ERR_FAILED

Environment

  • SAP Analytics Cloud Enterprise and Embedded (OEM)
  • Google Chrome and Microsoft Edge version 104 and later

Cause

Private network access (PNA) specification implemented in Google Chrome and Microsoft Edge.

Resolution

There are two solutions available for live BW, S/4HANA, BPC and HANA connections:

Option 1 - Server Side Solution (Recommended)

Handle preflight requests server-side to prevent the blocking of private preflight requests (recommended):

NOTE: Please work with your consulting partner and/or IT department to update the new rules and test the updated configuration.

For SAP Business Warehouse (BW), SAP BW/4HANA, SAP S/4HANA on-premise, BPC Embedded:

      • Apply the service pack versions defined in SAP Note 3166410 - Enabling Private Network Access in CORS-Framework.
      • Please make sure the checkbox "Allow Private Network Access" is enabled. This can be found by accessing the UCONCOCKPIT transaction in BW, and editing the whitelist entry for /sap/bw/ina.

        OR
      • Add the following line to the HTTP response rewrite rule file (rewrite.txt / filter_rules.txt) in the SAP Web Dispatcher or Internet Communication Manager (ICM):


        if %{HEADER:Access-Control-Request-Private-Network} stricmp true
        begin
        SetResponseHeader Access-Control-Allow-Private-Network true
        end


      • Note: This can be added to the end of the file but please avoid embedding it into other if blocks.

For SAP HANA and SAP HANA extended application services, advanced model (XS advanced):

      • Add the following line to the HTTP response rewrite rule file (rewrite.txt / filter_rules.txt) in the SAP Web Dispatcher or Internet Communication Manager (ICM):

        if %{HEADER:Access-Control-Request-Private-Network} stricmp true
        begin
        SetResponseHeader Access-Control-Allow-Private-Network true
        end
        
        
      • Note: This can be added to the end of the file but please avoid embedding it into other if blocks.

    • See the following SAP Note on how to add / update / append rewrite rules: 3127829 - How to configure rewriting rules in SAP Web Dispatcher and Internet Communication Manager (ICM).

Option 2 - Browser Side Solution

NOTE: This solution should only be considered as a temporary workaround, as Microsoft and Google Chrome may remove the flags from future releases of Microsoft Edge and Chrome browsers

Disable PNA checks in your browser with enterprise policies:

    • Google Chrome:

      1. See Chrome Enterprise and Education Release Notes and the “Chrome sends Private Network Access preflights for subresources” section.
      2. Disable Private Network Access (PNA) checks using the InsecurePrivateNetworkRequestsAllowed and InsecurePrivateNetworkRequestsAllowedForUrls enterprise policies.
      3. Additionally, you can disable the following flags; #private-network-access-send-preflights and #private-network-access-respect-preflight-results
    • Microsoft Edge:
      1. See Private Network Request Settings policies - InsecurePrivateNetworkRequestsAllowed and InsecurePrivateNetworkRequestsAllowedForUrls

    Information about Live Data Connection to SAP Universes and Web Intelligence Documents:

    • Customers using Live Data Connect (LDC) will be also impacted by this change.
    • SAP is working a new LDC version that will address and fix the issue.
      We will update this KBA as soon as this new version is available. 
    • In case of any issues “Option 2 - Browser Side Solution” (mentioned above) has to be applied to fix the problem until the new LDC version is released.

    Information about Live data Connection to HANA Cloud Environments

    • Customers using Live Data Connections to HANA Cloud Environments will not be impacted
    • If you wish to test this, you can temporarily enable PNA requests via the Chrome and Edge flags below, where you will observe the Connection to SAP HANA Cloud can still be created and consumed successfully;
      • #private-network-access-send-preflights

      • #private-network-access-respect-preflight-results

    See Also

    Your feedback is important to help us improve our knowledge base.

    Keywords

    SAP Cloud for Planning, sc4p, c4p, cforp, cloudforplanning, Cloud for Analytics, Cloud4Analytics, CloudforAnalytics, Cloud 4 Planning, BOC, SAPBusinessObjectsCloud, BusinessObjectsCloud, BOBJcloud, BOCloud., SAC, SAP AC, Cloud-Analytics, CloudAnalytics, SAPCloudAnalytics,Error, Issue, System, Data, User, Unable, Access, Connection, Sac, Connector, Live, Acquisition, Up, Set, setup, Model, BW, Connect, Story, Tenant, Import, Failed, Using, Working, SAML, SSO, sapanalyticscloud, sap analytical cloud, sap analytical cloud, SAC, sap analyst cloud, connected, failure, stopped, sap analyst cloud, https://hcs.cloud.sap, https://hanacloudservices.cloud.sap, https://cloudanalytics.accounts.ondemand.com, https://hanacloudservices-us.accounts.ondemand.com, https://www.sap.com, https://help.sap.com, predictive analytics (analysis), data analysis (analytics) tools, analytics tools, sap analytics cloud, data literacy, advanced analytics, data democratization, analytics software, real time analytics, self service analytics, advanced data analytics, analytics as a service, analytics cloud / cloud analytics, saas analytics, cloud bi, enterprise planning, cloud data analytics, cloud based analytics, analytics cloud platform, modern analytics, real time analysis, cloud analytics solution(s), what is sap analytics cloud, cloud analytics tools, analytics in the cloud, cloud analytics software, SAC - BW Live connection faild on Chrome 102 (Beta), In Chrome 102, released, authentication fails when connecting to SAC-BW Live data, authenticated without any problems in the same environment. issue check, fails failed failure prechecks, BW Live CORS: Solution for Preflight request -> Allow Private Network Access not fully documented?, Live Connections not working SAC upgrade, SAC - BW Live connection faild on Chrome 102 (Beta) fails failure failed, Live connectivity failures due to private network authentication (PNA) with Chrome / Edge version 102 and later How to Enable CORS on SAP NetWeaver Platform , KBA , private network access specification , http 401 unauthorized , via webdispatcher , pna pre flights , sends a cors preflight request ahead , private network access , pna , sac cors chrome 102 , sac kba cors 102 , preflights chrome 102 sac kba , pna edge v105 warning , rewrte rules rewrite rule , sac & chrome v102, , planned chromium changes affecting live , sap btp - hana cloud prd , sap btp - hana cloud dev , sac live private preflights kba , chrome chromium browsers , access-control-request-private-network , "allow private network access" , cors-rfc1918 , 3205694 , (failed)net::err_timed_out , config chagne changes changed change , chrome 102 cross origin sac kba , allow private network access not fully , bw live cors: solution for preflight req , headers icf rule icm cors , live connections in sap analytics cloud , hana onpremise prd tst , sac+unable to retrieve data from the dat , sac+unable to retrieve data from the , data source. destination host is unreach , "unable to retrieve data from the data s , source , destination host is unreachable , sac+unable , LOD-ANA-LDC , SAC Live Data Connection , LOD-ANA-ADM , SAC Administration , LOD-ANA-LDC-BW , SAC Live Data Connection BW , LOD-ANA-LDC-HAN , SAC Live Data Connection HANA , LOD-ANA-AUT , SAC Authentication / Login , LOD-ANA-LDC-UNV , SAC Live Data Connection Universe , Problem

    Product

    SAP Analytics Cloud 1.0