
SSO - Vintela does not always work - BI 4.1 SP5 patch 6


I have inherited a BO landscape which is currently a mystery when it comes to SSO, and SAP has confirmed to me that it is the first case. Please keep in mind that both SAP and MS are supporting me on the troubleshooting, and I would like to find out if anyone out there has experienced the same type of issue.

Symptom:

8/10 single sign on works sporadically.

Issue can be replicated by disconnecting and reconnecting. If SSO does not work, after a few refreshes (F5), the user magically logs on.

Network has been ruled out since we are currently testing (client) in the same physical network as the server and domain controller (no firewall/proxies). We've also tried specifying 1 domain controller through "idm.kdc" and the issue is persistent in both DC1 and DC2.

From the Wireshark and Fiddler traces, the one thing that everyone (SAP/MS) agrees upon is that the request is missing a piece:

Putting the logs side by side, there are cookies and jsessions that are different, but we don't know who is causing this.

This difference is visible from the first request that is being sent. Please check the highlighted differences:

Bad:

  Frame: Number = 868, Captured Frame Length = 593, MediaType = ETHERNET

+ Ethernet: Etype = Internet IP (IPv4),DestinationAddress:[00-50-56-A4-00-67],SourceAddress:[00-50-56-88-71-AF]

+ Ipv4: Src = 172.26.11.133, Dest = 172.26.11.31, Next Protocol = TCP, Packet ID = 19419, Total IP Length = 579

+ Tcp: Flags=...AP..., SrcPort=55953, DstPort=HTTP Alternate(8080), PayloadLen=539, Seq=4161700648 - 4161701187, Ack=2173894430, Win=256 (scale factor 0x8) = 65536

- Http: Request, GET /BOE/BI

    Command: GET

  + URI: /BOE/BI

    ProtocolVersion: HTTP/1.1

    Accept:  image/jpeg, application/x-ms-application, image/gif, application/xaml+xml, image/pjpeg, application/x-ms-xbap, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*

    Accept-Language:  it-IT

    UserAgent:  Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3)

    Accept-Encoding:  gzip, deflate

    Host:  bmi-boq.emea.bracco.priv:8080

    Connection:  Keep-Alive

    HeaderEnd: CRLF

Good:

  Frame: Number = 416, Captured Frame Length = 510, MediaType = ETHERNET

+ Ethernet: Etype = Internet IP (IPv4),DestinationAddress:[00-50-56-A4-00-67],SourceAddress:[00-50-56-88-71-AF]

+ Ipv4: Src = 172.26.11.133, Dest = 172.26.11.31, Next Protocol = TCP, Packet ID = 20029, Total IP Length = 496

+ Tcp: Flags=...AP..., SrcPort=55958, DstPort=HTTP Alternate(8080), PayloadLen=456, Seq=3830817431 - 3830817887, Ack=3835511968, Win=256 (scale factor 0x8) = 65536

- Http: Request, GET /BOE/BI

    Command: GET

  + URI: /BOE/BI

    ProtocolVersion: HTTP/1.1

    Accept:  */*

    Accept-Language:  it-IT

    UserAgent:  Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3)

    Accept-Encoding:  gzip, deflate

    Host:  bmi-boq.emea.bracco.priv:8080

    Connection:  Keep-Alive

  - Cookie:  JSESSIONID=7056E0775339CDEC06EFDDA4F2671DEE; VINTELASSO=true; InfoViewPLATFORMSVC_COOKIE_TOKEN=

      JSESSIONID: 7056E0775339CDEC06EFDDA4F2671DEE

      VINTELASSO: true

      InfoViewPLATFORMSVC_COOKIE_TOKEN:

    HeaderEnd: CRLF

Bad:

  Frame: Number = 869, Captured Frame Length = 728, MediaType = ETHERNET

+ Ethernet: Etype = Internet IP (IPv4),DestinationAddress:[00-50-56-88-71-AF],SourceAddress:[00-50-56-A4-00-67]

+ Ipv4: Src = 172.26.11.31, Dest = 172.26.11.133, Next Protocol = TCP, Packet ID = 24878, Total IP Length = 714

- Tcp: Flags=...AP..., SrcPort=HTTP Alternate(8080), DstPort=55953, PayloadLen=674, Seq=2173894430 - 2173895104, Ack=4161701187, Win=256 (scale factor 0x8) = 65536

    SrcPort: HTTP Alternate(8080)

    DstPort: 55953

    SequenceNumber: 2173894430 (0x8192FF1E)

    AcknowledgementNumber: 4161701187 (0xF80E8543)

  + DataOffset: 80 (0x50)

  + Flags: ...AP...

    Window: 256 (scale factor 0x8) = 65536

    Checksum: 0x422A, Good

    UrgentPointer: 0 (0x0)

    TCPPayload: SourcePort = 8080, DestinationPort = 55953

- Http: Response, HTTP/1.1, Status: Ok, URL: /BOE/BI

    ProtocolVersion: HTTP/1.1

    StatusCode: 200, Ok

    Reason: OK

    Server:  Apache-Coyote/1.1

    Set-Cookie: JSESSIONID=7056E0775339CDEC06EFDDA4F2671DEE; Path=/BOE/; HttpOnly

  + ContentType:  text/html;charset=UTF-8

    TransferEncoding:  chunked

    ContentEncoding:  gzip

    Vary:  Accept-Encoding

    Date:  Wed, 17 Jun 2015 12:38:11 GMT

    HeaderEnd: CRLF

  + chunkSize: 10

  + ChunkPayload: HttpContentType =  text/html;charset=UTF-8

    FooterEnd: CRLF

  + chunkSize: 376

    ChunkPayloadContinuation: Binary Large Object (376 Bytes)

    FooterEnd: CRLF

Good:

  Frame: Number = 419, Captured Frame Length = 649, MediaType = ETHERNET

+ Ethernet: Etype = Internet IP (IPv4),DestinationAddress:[00-50-56-88-71-AF],SourceAddress:[00-50-56-A4-00-67]

+ Ipv4: Src = 172.26.11.31, Dest = 172.26.11.133, Next Protocol = TCP, Packet ID = 9202, Total IP Length = 635

- Tcp: Flags=...AP..., SrcPort=HTTP Alternate(8080), DstPort=55958, PayloadLen=595, Seq=3835511968 - 3835512563, Ack=3830817887, Win=256 (scale factor 0x8) = 65536

    SrcPort: HTTP Alternate(8080)

    DstPort: 55958

    SequenceNumber: 3835511968 (0xE49D44A0)

    AcknowledgementNumber: 3830817887 (0xE455A45F)

  + DataOffset: 80 (0x50)

  + Flags: ...AP...

    Window: 256 (scale factor 0x8) = 65536

    Checksum: 0x637D, Good

    UrgentPointer: 0 (0x0)

    TCPPayload: SourcePort = 8080, DestinationPort = 55958

- Http: Response, HTTP/1.1, Status: Ok, URL: /BOE/BI

    ProtocolVersion: HTTP/1.1

    StatusCode: 200, Ok

    Reason: OK

    Server:  Apache-Coyote/1.1

  - ContentType:  text/html;charset=UTF-8

   + MediaType:  text/html;charset=UTF-8

    TransferEncoding:  chunked

    ContentEncoding:  gzip

    Vary:  Accept-Encoding

    Date:  Wed, 17 Jun 2015 12:38:51 GMT

    HeaderEnd: CRLF

  + chunkSize: 10

  - ChunkPayload: HttpContentType =  text/html;charset=UTF-8

     HtmlElement: ­‹

    FooterEnd: CRLF

  - chunkSize: 376

     Size: 376

    ChunkPayloadContinuation: Binary Large Object (376 Bytes)

    FooterEnd: CRLF

This behavior continues later in the communication as well:

Bad:

  Frame: Number = 962, Captured Frame Length = 966, MediaType = ETHERNET

+ Ethernet: Etype = Internet IP (IPv4),DestinationAddress:[00-50-56-A4-00-67],SourceAddress:[00-50-56-88-71-AF]

+ Ipv4: Src = 172.26.11.133, Dest = 172.26.11.31, Next Protocol = TCP, Packet ID = 19456, Total IP Length = 952

+ Tcp: Flags=...AP..., SrcPort=55954, DstPort=HTTP Alternate(8080), PayloadLen=912, Seq=2664738444 - 2664739356, Ack=646603644, Win=256 (scale factor 0x8) = 65536

- Http: Request, POST /BOE/portal/1506152044/BIPCoreWeb/VintelaServlet, Query:vint_backURL=%2FInfoView%2Flogon.faces&vint_cms=BMI-2K8-BOQ%3A6400

    Command: POST

  + URI: /BOE/portal/1506152044/BIPCoreWeb/VintelaServlet?vint_backURL=%2FInfoView%2Flogon.faces&vint_cms=BMI-2K8-BOQ%3A6400

    ProtocolVersion: HTTP/1.1

    Accept:  image/jpeg, application/x-ms-application, image/gif, application/xaml+xml, image/pjpeg, application/x-ms-xbap, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*

    Referer:  http://bmi-boq.emea.bracco.priv:8080/BOE/portal/1506152044/InfoView/logon.faces

    Accept-Language:  it-IT

    UserAgent:  Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3)

  + ContentType:  application/x-www-form-urlencoded

    Accept-Encoding:  gzip, deflate

    Host:  bmi-boq.emea.bracco.priv:8080

    ContentLength:  27

    Connection:  Keep-Alive

    Cache-Control:  no-cache

  - Cookie:  JSESSIONID=7056E0775339CDEC06EFDDA4F2671DEE

      JSESSIONID: 7056E0775339CDEC06EFDDA4F2671DEE

    HeaderEnd: CRLF

  - payload: HttpContentType = application/x-www-form-urlencoded

     vint_cms: BMI-2K8-BOQ%3A6400

Good:

  Frame: Number = 481, Captured Frame Length = 2974, MediaType = ETHERNET

+ Ethernet: Etype = Internet IP (IPv4),DestinationAddress:[00-50-56-A4-00-67],SourceAddress:[00-50-56-88-71-AF]

+ Ipv4: Src = 172.26.11.133, Dest = 172.26.11.31, Next Protocol = TCP, Packet ID = 20053, Total IP Length = 2960

+ Tcp: Flags=...A...., SrcPort=55961, DstPort=HTTP Alternate(8080), PayloadLen=2920, Seq=3476442964 - 3476445884, Ack=772423036, Win=256 (scale factor 0x8) = 65536

- Http: Request, POST /BOE/portal/1506152044/BIPCoreWeb/VintelaServlet, Query:vint_backURL=%2FInfoView%2Flogon.faces&vint_cms=BMI-2K8-BOQ%3A6400, Using GSS-API Authorization

    Command: POST

  + URI: /BOE/portal/1506152044/BIPCoreWeb/VintelaServlet?vint_backURL=%2FInfoView%2Flogon.faces&vint_cms=BMI-2K8-BOQ%3A6400

    ProtocolVersion: HTTP/1.1

    Accept:  image/jpeg, application/x-ms-application, image/gif, application/xaml+xml, image/pjpeg, application/x-ms-xbap, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*

    Referer:  http://bmi-boq.emea.bracco.priv:8080/BOE/portal/1506152044/InfoView/logon.faces

    Accept-Language:  it-IT

    UserAgent:  Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3)

  + ContentType:  application/x-www-form-urlencoded

    Accept-Encoding:  gzip, deflate

    Host:  bmi-boq.emea.bracco.priv:8080

    ContentLength:  27

    Connection:  Keep-Alive

    Cache-Control:  no-cache

  - Cookie:  JSESSIONID=7056E0775339CDEC06EFDDA4F2671DEE; VINTELASSO=true; InfoViewPLATFORMSVC_COOKIE_TOKEN=

      JSESSIONID: 7056E0775339CDEC06EFDDA4F2671DEE

      VINTELASSO: true

      InfoViewPLATFORMSVC_COOKIE_TOKEN:

  + Authorization: Negotiate


Any suggestions could help.


Thanks.


Hello Luca,

We face the same issue.

Same here: http://scn.sap.com/thread/3778512 .

Same in SAP Note 2193656, no solution.

Requested support from SAP, but no solution.

Best regards,

Denis Gottschalk


Hi Denis,

We resolved the issue. In our case it was the additional node that was causing the problem. After turning off the Central Management Server on the second node, single sign-on started working 10/10. Under "Core Services", how many Central Management Servers are running and enabled?

Hope I can help.

Best Regards,

Luca


Dear Luca,

In this case, unfortunately, there is only one node. I'll keep looking for solutions.

Regards, Denis.

Former Member

Hi Luca,

We have a similar kind of issue. We have 4 nodes, of which only node CMS is running currently; on the rest of the nodes, the CMSs are stopped. But the issue still occurs intermittently on users' machines.

Regards,

Kishan


Hi Denis,

What did SAP say when closing the message?

Best Regards,

Luca


Dear Denis and Kishan,

I'd like to help both of you with your issues, since I know how frustrating it can get. Could you please post your logs (Wireshark or Fiddler, as I did) to see if your cookie requests are incomplete as they were for me?

Best Regards,

Luca

Dear Luca,

The request at SAP is still open. Since June we have been trying to find solutions together. We checked the installation, network, SSO config, domain controllers, DNS, client parameters, and other IE versions, so far without success.

Best regards,

Denis


Dear Denis,

From the network trace (Wireshark), are you getting the same errors as mine in the good and bad scenarios?

BAD:

- Cookie:  JSESSIONID=7056E0775339CDEC06EFDDA4F2671DEE

JSESSIONID: 7056E0775339CDEC06EFDDA4F2671DEE


GOOD:


Cookie:  JSESSIONID=7056E0775339CDEC06EFDDA4F2671DEE; VINTELASSO=true; InfoViewPLATFORMSVC_COOKIE_TOKEN=

JSESSIONID: 7056E0775339CDEC06EFDDA4F2671DEE

VINTELASSO: true

InfoViewPLATFORMSVC_COOKIE_TOKEN:


One of the key steps that we tried was pointing directly to one of the domain controllers with the user and password of the service account. Has this already been done?


Is the CMS database (audit + repository) on an external server?



What are the next steps in the message? The request that I had opened with SAP took months (nearly a year). If you have time, please share with us what tests have been done and any errors or clues.

Mine were (as far as I remember):

Browser setting

network card setting

Service account recreation

Check duplicate SPN in Active Directory

testing SSO on each Domain controller

Network trace client <->BO server<->DB repository

BO parameters

Activation BO trace

Best Regards,

Luca
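
The BAD/GOOD comparison discussed in this thread, as an added example that is not part of any post: a Python script that parses a text export of the two VintelaServlet requests and lists what the failing request lacks. The sample strings are constructed from header lines quoted in the thread, and the function names are hypothetical.

```python
import re

# Constructed samples: header lines taken from the thread's BAD and GOOD
# POST requests to VintelaServlet (trace text export, trimmed).
BAD = """\
- Http: Request, POST /BOE/portal/1506152044/BIPCoreWeb/VintelaServlet
    Host:  bmi-boq.emea.bracco.priv:8080
  - Cookie:  JSESSIONID=7056E0775339CDEC06EFDDA4F2671DEE
"""
GOOD = """\
- Http: Request, POST /BOE/portal/1506152044/BIPCoreWeb/VintelaServlet
    Host:  bmi-boq.emea.bracco.priv:8080
  - Cookie:  JSESSIONID=7056E0775339CDEC06EFDDA4F2671DEE; VINTELASSO=true; InfoViewPLATFORMSVC_COOKIE_TOKEN=
  + Authorization: Negotiate
"""

# "  + Name:  value" -> (Name, value); the leading +/- are the tool's tree markers.
LINE = re.compile(r"^\s*(?:[+-]\s+)?([A-Za-z][\w-]*):\s*(.*)$")

def parse_headers(dump):
    """Return {lowercased field name: value} from a trace text export."""
    headers = {}
    for raw in dump.splitlines():
        m = LINE.match(raw)
        if m:
            headers.setdefault(m.group(1).lower(), m.group(2).strip())
    return headers

def sso_signals(dump):
    """Return (cookie dict, True if Authorization uses the Negotiate scheme)."""
    h = parse_headers(dump)
    cookies = {}
    for part in h.get("cookie", "").split(";"):
        name, sep, value = part.strip().partition("=")
        if sep:
            cookies[name] = value
    scheme = h.get("authorization", "").split(" ", 1)[0].lower()
    return cookies, scheme == "negotiate"

def missing_from(bad, good):
    """Signals present in the good request but absent from the bad one."""
    (b_cookies, b_neg), (g_cookies, g_neg) = sso_signals(bad), sso_signals(good)
    gone = sorted(set(g_cookies) - set(b_cookies))
    if g_neg and not b_neg:
        gone.append("Authorization: Negotiate")
    return gone

if __name__ == "__main__":
    print(missing_from(BAD, GOOD))
```
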