
AFO using SSO going through BOE 4.1 on Windows 2012 and a load balancer

kelly_stone1
Participant
0 Kudos

Hi - I am having an issue with Analysis for Office 1.4.8 using SSO going through BOE 4.1 on Windows 2012 when using 2 web servers (default Tomcat/Apache) using an F5 load balancer. I get an error when opening up Analysis for Office and then clicking on Open workbook from SAP BusinessObjects BI platform. The error that I get is: The HTTP request is unauthorized with client authentication scheme ‘Anonymous’. The authentication header received from the server was ‘Negotiate’. The remote server returned an error: (401) Unauthorized.: Login exception (Error: WSE 99999)

The thing is...the login box stays and the error slowly disappears and I can click on OK to the login box a second, or third, or fourth time and it eventually works.

----------------

Here is the Analysis for Office debug trace:

- Information:    Use SSO?:           True       | 2014-10-20T15:21:42    | com.sap.ip.bi.pioneer.core.boe.CrBoeSessionServiceBase.LoginEx() ()

- Error:  Exception when trying to logon to BOE server

General .NET Exception:

Login exception (Error: WSE 99999)

   at BusinessObjects.DSWS.Session.Session.Login(Credential credential)

   at com.sap.ip.bi.pioneer.core.boe.CrBoeSessionServiceBase.LoginEx(String user, String pw, Boolean iUseSso, String iLogonToken)

                | 2014-10-20T15:21:43    | com.sap.ip.bi.pioneer.core.boe.CrBoeSessionServiceBase.LoginEx() ()

- Error:  Cause of exception: The HTTP request is unauthorized with client authentication scheme 'Anonymous'. The authentication header received from the server was 'Negotiate'.             | 2014-10-20T15:21:43    | com.sap.ip.bi.pioneer.core.boe.CrBoeSessionServiceBase.LoginEx() ()

----------------

Some scenarios (all of these are opening up Analysis for Office and then clicking on Open workbook from SAP BusinessObjects BI platform):

With both webservers up and going directly to the webserver URL it works fine.

With one webserver up and going directly to the webserver URL it works fine.

With one webserver up and going through the load balancer URL it works fine.

With both webservers up and going through the load balancer URL it fails.

Here are the SPNs.

HTTP/xxxxx                            < loadbalancer

HTTP/xxxxx.domain.com                 < loadbalancer

HTTP/xxxxxx31.domain.com              < webserver1

HTTP/xxxxxx31                         < webserver1

HTTP/xxxxxx32.domain.com              < webserver2

HTTP/xxxxxx32                         < webserver2

BICMS/xxxxxxx.domain.com              < service account

I had two environments with dual webservers on BOE 4.0 running Windows 2008 going through the same load balancer that worked with both webservers up for well over a year.

Kind regards,

Kelly

Accepted Solutions (1)


kelly_stone1
Participant
0 Kudos

Hi - does anyone know what type of persistence (sticky session) to use on a load balancer (F5) for Tomcat/Apache 7?

kelly_stone1
Participant
0 Kudos

Answer - we were using Cookie persistence and when changed to Source persistence on the F5 load balancer...it worked.

Kind regards,

Kelly

Answers (1)


former_member189884
Contributor
0 Kudos

Since it only happens going through the load balancer I would suggest ensuring 'sticky sessions' are enabled on the LB. Also you can use Wireshark to trace the login attempt through the LB to see if there are Kerberos requests being made, which need to be addressed.

-Josh

kelly_stone1
Participant
0 Kudos

Sticky session is enabled on LB as it was when it worked with BOE 4.0/Tomcat6/Windows2008. I have not read too many Wireshark traces...

Kind regards,

Kelly

kelly_stone1
Participant
0 Kudos

I am getting some Kerberos errors - KRB Error: KRB5KDC_ERR_PREAUTH_REQUIRED. Not finding anything concrete with Google. I'll continue to search.

former_member189884
Contributor
0 Kudos

Preauth errors are pretty normal in Kerberos. You can filter Wireshark on Kerberos. It is a problem clearly with the Load Balancer.