Showing results for 
Search instead for 
Did you mean: 

Enabling Keytab File For SSO - SBOP 4.2 SP2 - com.crystaldecisions.sdk.exception.SDKException$InvalidArg: The argument has an invalid value null (FWM 02024)

Former Member
0 Kudos

Hi All,

I am trying to set up a clean SAP BusinessObjects 4.2 SP2 environment.  Everything is set up and working ok from an Windows AD and SSO perspective, except for when I try to use the keytab file.  When I have the password hard coded in either the Java options of tomcat (-Dcom.wedgetail.idm.sso.password=PASSWORD), or in the file using idm.password=PASSWORD everything works perfectly and SSO logins to BI Launchpad are fine.  As soon as I comment out the idm.password line however, and uncomment the idm.keytab line,


# idm.password=PASSWORD

I get the following errors in the tomcat stderr.log when attempting an SSO login

com.crystaldecisions.sdk.exception.SDKException$InvalidArg: The argument has an invalid value null (FWM 02024)

at org.apache.catalina.valves.ErrorReportValve.invoke(

I have tried rebooting the server after making the change.

Confirmed that the following is still appearing in the tomcat logs on startup after applying the keytab file:

jcsi.kerberos: ** credentials obtained .. **

Everything else seems to be working ok when the password is passed via idm.password in

The SPN is set as follows in the


I have confirmed this matches the UPN on the account


And the same SPN exists too (in addition to all the other HTTP SPN's for the host names - short and FQDNs).

I can test the keytab from the server successfully by running

kinit -k -t C:\Windows\bodev.keytab BICMS/ServiceAccount.Name.BUSINESS.DOMAIN.COM

And I get a

New ticket is stored in cache file C:\Users\graeme.smith\krb5cc_graeme.smith

This SPN is the same one that is set up in the CMS -> Authentication -> Windows AD -> SPN

Use Kerberos Authentication is enabled. 

Cache security context is not enabled.

Enable SSO is enabled.

I think I have read just about every SAP note and post on the web about this area, but cannot find much on this specific error message.  

Any help or ideas would be greatly appreciated (I'm about to jump out a window!).

Thanks and Regards,


View Entire Topic
0 Kudos

Hi Graeme,

You could also have your AD admin check for duplicate SPN's for your service account.

Strong possibility i suppose.



Former Member
0 Kudos

Hi Nagendra,

I checked for duplicate SPN's already using setspn -x, but there are none.

Thanks for the suggestion though.