Showing results for 
Search instead for 
Did you mean: 

SSO Silent Mode fails: BO XI 3.1 SP4 + Tomcat

Former Member
0 Kudos


We are trying to troubleshoting failure of Silent SSO Mode after deploying Vintella on BO XI 3.1 SP4 (Tomcat as App server) following Tim Ziemba guide (TN-1483762) . I have carefully reading previous post on same topic (mark as anwered).

My situation is practically the same:

(1) Silent SSO (this is, logon into InfoView withou having to type manually AD credentials) fails.

25-10-11 17:03:36:903 - {ERROR} [/InfoViewApp].[action] Thread [http-80-Processor25];  Servlet.service() for servlet action threw exception 
   at org.apache.catalina.connector.ResponseFacade.sendError( 
   at javax.servlet.http.HttpServletResponseWrapper.sendError( 
   at com.businessobjects.sdk.credential.WrappedServletResponse.sendError( 
   at com.wedgetail.idm.sso.AbstractAuthenticator.writeAuthenticationChallenge( 
   at com.wedgetail.idm.sso.MechChecker.authenticate( 
   at com.wedgetail.idm.sso.AbstractAuthenticator.authenticate( 
   at com.wedgetail.idm.sso.AbstractAuthenticator.checkAuthenticationOnly( 
   at com.wedgetail.idm.sso.AbstractAuthenticator.checkAuthentication( 
   at com.wedgetail.idm.sso.AuthFilter.doFilter( 

(2) Manual AD logon in InfoView works properly

Debug is  true storeKey false useTicketCache false useKeyTab false doNotPrompt false ticketCache is null isInitiator true KeyTab is null refreshKrb5Config is false principal is null tryFirstPass is false useFirstPass is false storePass is false clearPass is false 
      [Krb5LoginModule] user entered username: gonzaal @ F4E.ORG 

     Acquire TGT using AS Exchange 
     Principal is gonzaal @ F4E.ORG 
     EncryptionKey: keyType=23 keyBytes (hex dump)=0000: BA 55 0B 99 A1 4A A1 8F   48 68 F5 0D F7 86 54 FD  .U...J..Hh....T. 
     Commit Succeeded

(3) Following previous posts recommendations we have engaged a kerbtray & packet scanning in the client machine (TN-1370926) with the following results

1554   16:17:48 25/10/2011   239.8711155   KerberosV5   KerberosV5:AS Request Cname: gonzaal Realm: F4E Sname: krbtgt/F4E    {UDP:333, IPv4:16} 
    1555   16:17:48 25/10/2011   239.8711155   KerberosV5   KerberosV5:AS Response Ticket[Realm: F4E.ORG, Sname: krbtgt/F4E.ORG]    {UDP:333, IPv4:16} 
    1556   16:17:48 25/10/2011   239.8711155   KerberosV5   KerberosV5:TGS Request Realm: F4E.ORG Sname: HTTP/    {UDP:334, IPv4:16} 
    1557   16:17:48 25/10/2011   239.8711155   KerberosV5   KerberosV5:KRB_ERROR  - KRB_ERR_RESPONSE_TOO_BIG (52)   {UDP:334, IPv4:16} 
    1561   16:17:48 25/10/2011   239.8711155   KerberosV5   KerberosV5:TGS Request Realm: F4E.ORG Sname: HTTP/    {TCP:335, IPv4:16} 
    1564   16:17:48 25/10/2011   239.8867405   KerberosV5   KerberosV5:TGS Response Cname: gonzaal    {TCP:335, IPv4:16}

In the aforementioned thread it was mentioned that "3 ticket requests should occur (as request for the user, tgs for the user, and tgs for the http/fqdnurl.

Microsoft kerbtray alone will usually verify this but the packet scan will allow us to view the errors

if it's failing. If you need help open a case with support - authentication team". In agreement with packet scanning I'm not sure if this is really ocurring.

Any idea?

Accepted Solutions (0)

Answers (1)

Answers (1)

Former Member
0 Kudos


I would recommend you to keep it as simple as possible.

So as manual AD works but not SSO, then you should try to bypass the keytab file and specify the password for the service account in tomcat (mentioned in the guide).

Check also your SPNs. For SSO, you need 3 SPNs with the format




Check also that you are using Internet Explorer as Firefox needs extra steps to configure.

I hope this will help you