BOB: Business Objects Board
Not endorsed by or affiliated with SAP

SSO (Single Sign On) on BO XI - R2 with Tomcat and Vintela

smac
Forum Member
Joined: 04 Dec 2003
Posts: 22
Location: Santa Clara
PostPosted: Thu Jul 26, 2007 5:32 pm
Post subject: SSO (Single Sign On) on BO XI - R2 with Tomcat and Vintela

We were having a problem implementing SSO. Apparently, there is a certain number of AD groups a user can belong to before SSO breaks. In other words, if a user belongs to a certain number of groups, then the user will not have access to Infoview. We are not certain that this is the reason a user cannot access Infoview via SSO, but so far, that is what seems to be happening….

For example,

If User1 is just a member of 2 groups (domain users, app-sgusers), most likely he will be able to log in to Infoview using SSO. However, add in a few groups, and at some point, he will lose access to Infoview. I’ve seen that if a user belongs to 2 or 3 groups, most of the time SSO works fine… making the user a member of 5-10 groups causes loss of access to Infoview via SSO 50% of the time.

What is more perplexing is that one user can belong to a certain number of groups, and log in fine to Infoview using SSO, and add another user to the exact same groups, and that user will not have access to Infoview using SSO.

We tested a user that belonged to 5 or 6 groups, (these groups were brand new, with no security assigned to them) and adding them to this testuser caused the user to not have access to Infoview via SSO.

Solution:

When a user is authenticated, a Kerberos ticket is created. The Kerberos ticket contains, among other things, the Privilege Attribute Certificate (PAC), which contains the Security Identifier (SID) information for the user and the groups of which that user is a member. From the Kerberos ticket or NTLM authorization data, the workstation that you are using constructs an access token.

A Windows access token contains:

• The user's primary SID.

• Global and Universal group SIDs from the user's account, domain or forest.

• Domain local SIDs from the domain of the workstation (if they are different from the domain of the user).

• Privileges that are explicitly assigned to the user or derived from group membership

The more groups a user belongs to, the larger the PAC. I then cross-referenced this with some research on Tomcat, and found out that Tomcat (4.* starting with 4.1.31, 5.* and 6.*) imposes a limit on the size of the entire header of each HTTP request. The default limit is either 4K or 8K (depending on the particular version of Tomcat). If the header of an HTTP request exceeds the limit, Tomcat pretty abruptly closes the TCP connection (it doesn't send an HTTP error response or anything like that). The fix was to increase the 'maxHttpHeaderSize' value from 16384 to 32768 in the server.xml file. The server.xml file is the main configuration file for Tomcat. Once I increased this, I was able to use all my test accounts and log on to Infoview just fine. I tested a user that belonged to 29 security groups, and it worked. Before, this user had a limit of 12 before SSO would break.

Stewart
Anita Craig
Forum Groupie
Joined: 17 Jun 2002
Posts: 8541
Location: Palo Alto, California, U.S.A.
PostPosted: Thu Jul 26, 2007 5:56 pm
Post subject: Re: SSO (Single Sign On) on BO XI - R2 with Tomcat and Vinte

Thank you for posting the solution to your problem.

I'm sure this will be helpful to someone else in the future.

_________________
Anita Craig
Institutional Research & Decision Support
Stanford University
____________________
Search is Your Friend™
substring
Forum Addict
Joined: 16 Jan 2004
Posts: 4119
Location: Richardson Texas
PostPosted: Thu Jul 26, 2007 9:15 pm
Post subject: Re: SSO (Single Sign On) on BO XI - R2 with Tomcat and Vinte

This thread also belongs to the XI Server forum.

Moderators, please move it. Thanks.

_________________
If you are using BusinessObjects, you should join ASUG.
Follow me on Twitter: @substring
Dwayne Hoffpauir
Forum Groupie
Joined: 19 Sep 2002
Posts: 8644
Location: Plano, TX USA
PostPosted: Fri Jul 27, 2007 9:15 am
Post subject: Re: SSO (Single Sign On) on BO XI - R2 with Tomcat and Vinte

substring wrote:
This thread also belongs to the XI Server forum.

Done ... it's a never-ending battle with the General Discussion forum.

_________________
Dwayne Hoffpauir

rbrito
Senior Member
Joined: 06 Sep 2007
Posts: 77
Location: Miami
PostPosted: Mon Sep 22, 2008 10:23 am
Post subject: Re: SSO (Single Sign On) on BO XI - R2 with Tomcat and Vinte

Hello All,

I am having an issue with enabling SSO with Vintela. The error some users get is: "Page cannot be displayed".

I increased the value of HttpMaxHeadersize to 65536 and these users still get the same error. I even tried with 131072 and this didn't fix the issue either.

Has anybody solved this issue so far? Any help would be greatly appreciated.

Thanks.

BOXI release 2 SP2; Windows 2003; Java SDK 1.5.0; Tomcat
Skeygo
Principal Member
Joined: 01 Dec 2006
Posts: 101
PostPosted: Thu Oct 09, 2008 4:30 pm
Post subject: Re: SSO (Single Sign On) on BO XI - R2 with Tomcat and Vinte

Hi Rbrito...did you figure this out? I have exact same problem...works fine for some users but others get 'Page cannot be displayed'. Thanks
rbrito
Senior Member
Joined: 06 Sep 2007
Posts: 77
Location: Miami
PostPosted: Fri Oct 10, 2008 7:41 am
Post subject: Re: SSO (Single Sign On) on BO XI - R2 with Tomcat and Vinte

No, I still have the issue and I have been working with Business Objects support for 6 weeks so far and they haven't figured it out yet. Did you try increasing the HttpHeaderSize setting in your server.xml file?
Do the users that get the error belong to many AD groups?
hsalem
Senior Member
Joined: 05 Jan 2006
Posts: 36
PostPosted: Fri Mar 06, 2009 8:46 am
Post subject: Re: SSO (Single Sign On) on BO XI - R2 with Tomcat and Vinte

I was wondering if this was resolved by BO. We have a similar problem where Business Objects was not able to help us. We use Apache for https and BO finally said that the problem is with Apache, where it cannot handle a user belonging to too many groups. They said that they do not support Apache and the ticket should be closed. Any help would be appreciated. THX
rbrito
Senior Member
Joined: 06 Sep 2007
Posts: 77
Location: Miami
PostPosted: Fri Mar 06, 2009 8:57 am
Post subject: Re: SSO (Single Sign On) on BO XI - R2 with Tomcat and Vinte

We resolved this issue by adding the following DWORD value on every client's machine that was having problems:

Path: \HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters\

DWORD Name: MaxTokenSize

DWORD Value: 65535 (Decimal)
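Putting the two fixes in this thread side by side, as an added example that is not code from any of the posts, from BusinessObjects or from Tomcat: the script below estimates a user's Kerberos token from group counts using Microsoft's published rule of thumb (TokenSize = 1200 + 40d + 8s, from KB 327825, which this thread does not quote), works out how large the base64-encoded "Authorization: Negotiate" header becomes once that token rides on the HTTP request, and checks the figure against both the Windows MaxTokenSize that rbrito's registry change raises and each Connector's maxHttpHeaderSize in a server.xml like the one Stewart edited. The sample server.xml, the 12000-byte legacy MaxTokenSize default and the 1024-byte allowance for the browser's other request headers are assumptions made for the example.

```python
import xml.etree.ElementTree as ET

# Constructed sample server.xml, not any poster's file: the 8080 Connector is left
# at the Tomcat default, the 8443 Connector is raised as the original post describes.
SAMPLE_SERVER_XML = """
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" />
    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
               scheme="https" secure="true" maxHttpHeaderSize="32768" />
  </Service>
</Server>
"""

TOMCAT_DEFAULT_MAX_HEADER = 8192   # Tomcat 5.5/6.0 default; the thread notes 4K on older versions
LEGACY_MAX_TOKEN_SIZE = 12000      # assumed Windows default before Server 2012
NEGOTIATE_PREFIX = "Authorization: Negotiate "


def estimate_token_size(domain_local: int, global_groups: int, sid_history: int = 0) -> int:
    """Microsoft's rule of thumb (KB 327825): 1200 + 40*d + 8*s, where d counts
    domain-local groups, universal groups outside the account domain and SID-history
    entries, and s counts global groups and universal groups inside the domain."""
    return 1200 + 40 * (domain_local + sid_history) + 8 * global_groups


def negotiate_header_size(token_bytes: int) -> int:
    """Bytes the Authorization header occupies on the wire: the SPNEGO token is
    base64-encoded (4 output chars per 3 input bytes, padded) plus the CRLF."""
    b64_len = 4 * ((token_bytes + 2) // 3)
    return len(NEGOTIATE_PREFIX) + b64_len + 2


def tomcat_header_limits(server_xml: str) -> dict:
    """Map each Connector's port to its effective maxHttpHeaderSize."""
    root = ET.fromstring(server_xml)
    return {c.get("port"): int(c.get("maxHttpHeaderSize", TOMCAT_DEFAULT_MAX_HEADER))
            for c in root.iter("Connector")}


def check_sso_headroom(domain_local: int, global_groups: int, server_xml: str,
                       max_token_size: int = LEGACY_MAX_TOKEN_SIZE,
                       other_headers: int = 1024) -> dict:
    """Report whether the estimated token fits Windows' MaxTokenSize and whether the
    resulting request header fits each Tomcat Connector. other_headers is an assumed
    allowance for Host, User-Agent, Cookie and the rest of the browser's request."""
    token = estimate_token_size(domain_local, global_groups)
    header = negotiate_header_size(token) + other_headers
    report = {
        "token_bytes": token,
        "request_header_bytes": header,
        "fits_max_token_size": token <= max_token_size,
        "connectors": {},
    }
    for port, limit in tomcat_header_limits(server_xml).items():
        # Tomcat drops the TCP connection when the limit is exceeded; the browser
        # then shows the "Page cannot be displayed" error seen in this thread.
        report["connectors"][port] = {"limit": limit, "ok": header <= limit}
    return report


if __name__ == "__main__":
    for d, s in ((5, 10), (150, 100), (300, 0)):
        r = check_sso_headroom(d, s, SAMPLE_SERVER_XML)
        print(f"d={d} s={s}: token={r['token_bytes']}B header={r['request_header_bytes']}B "
              f"token_ok={r['fits_max_token_size']} connectors={r['connectors']}")
```

The middle case is the one this thread is about: the token is well within MaxTokenSize, so Windows builds it and the browser sends it, but the header no longer fits the Connector left at the default, while the Connector raised to 32768 accepts it. The third case fails on the Windows side first, which is where raising MaxTokenSize (as in rbrito's registry change) matters; no Tomcat setting helps there. The formula is only an estimate, so treat a result close to a limit as already over it.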

All times are GMT - 5 Hours