Hi - I am trying to figure out why some of my user base started getting an error while leaving this box checked? They now have to uncheck this box to put their username and password instead of leaving this box checked. Leaving the box checked has been working for years. Now over the past several months, users need to uncheck this box to put in their AD username and password. Not all user, not a lot of users at the same time. Not all new users, not all old users. Not all same version of AFO. Seems to be slowly going through the user base over time. Once they start having to do this, they always have to do it. I believe it to be a client setting, but not sure. Anyhow, Microsoft and I need more information about what happens under the covers when this box is checked. Any links or diagrams showing what happens when checked would be great. Version 2.7.3 and 2.8.13 of AFO and 4.2 SP9 P5 of BOE. PCs are mostly Windows 10 Pro. Screenshot of logon screen and error below:
All users are a member of the same valid mapped group:
Most of what happens will occur in the OS via Microsoft APIs
When SSO is enable the URL which would normally respond with a 200 (OK) will now respond with a 401 (unauthorized) this response iniaties a Microsoft process called spnego in which the client OS will contact AD (per local DNS) and request a ticket.
The BI service account will delegate that ticket to the CMS (when it works correctly)
The closest thing I have written like a diagram is in this AD tracing KBA
The checkbox forces spnego from aoffice client
In order to use that configuration BI has to be setup with KBA https://userapps.support.sap.com/sap/support/knowledge/en/2629070 and web services SSO must be setup per KBA https://userapps.support.sap.com/sap/support/knowledge/en/1646920
If if any users are working with that config it means SSO is fine, but there are issues
I can see in your screenshot the web services URL is throwing a yellow exclamation (this means it's not resolved) The issue typically are not actually SSO but some sort of client settings.
Following this KBA could help https://userapps.support.sap.com/sap/support/knowledge/en/2710261
Also there has been a rash or Microsoft fixes released lately that are affecting BI and other products
see KBA https://userapps.support.sap.com/sap/support/knowledge/en/3273086 to see if any client or server DC's are affected. The out of band fix is also linked but this has to be done on AD domain controllers if affected.