cancel
Showing results for 
Search instead for 
Did you mean: 

Error when refreshing WEBI report with Universe Connection Type "SSO"

Former Member
0 Kudos

Hi Experts:

We are trying to refresh the Webi report in Infoview with Universe Connection set as "Use Single Sign On when refreshing the report at view time", so that we can leverage SAP OLAP authorization variable from Bex Query which the Universe is built on.

However got the error of "incomplete logon data" after all the configurations done following below blogs:

SNC Part 1

/people/ingo.hilgefort/blog/2009/07/03/businessobjects-enterprise-and-client-side-snc-part-1-of-2

SNC Part 2

/people/ingo.hilgefort/blog/2009/07/03/businessobjects-enterprise-and-client-side-snc-part-2-of-2

We already have Win AD SSO to SAP setup, and in BO CMC, Win AD user is mapped to SAP user ID.

The SNC settings are:

- AD Account: service.test.bobj (all lower-letters)

- 32-bit gsslib on the BO server, and 64 bit on the BW server side.

- SNC0: p:service.test.bobj at DOMAIN

- SU01 --> BO_Service ; SNC: p:service.test.bobj at DOMAIN

- Entitlement system tab --> username: BO_Service

SNC Name: p:service.test.bobj at DOMAIN

- SNC settings tab:

SNC Lib: c:\winnt\gsskrb5.dll

Mutual Authentication settings: p:SAPServiceBP0 at DOMAIN

In CMC, the role can be imported if "RFC activated" option unchecked in SNC0.

I found a few threads on the same topic, but they are all not answered:

Can you please provide details of the solution if you have impleted a same scenario successsfully, or any thoughts to help the investigation?

Thanks in advance!

Regards,

Jonathan

Accepted Solutions (0)

Answers (2)

Answers (2)

Former Member
0 Kudos

Finally we make this works, by Client Side SNC only. It turns out that we should use SNCGSS32.DLL as libarary file.

Former Member
0 Kudos

Hi Ji

Can you please post the detailed steps you did to make this work. We are facing exactly same issue now. Does Client Side SNC mean making the SAP GUI login as SSO type. Do we need to do this setting on local user machine or on the BW server or on BO server?

Thanks

Mani.

IngoH
Active Contributor
0 Kudos

Hi,

first of all the blog outlines a configuration for client side SNC. Could you explain what the reasons are to have client side SNC implemented as part of your deployment ?

ingo

Former Member
0 Kudos

Hi Ingo,

Appreciate your prompt reply!

We want to achieve the SSO connection between Universe and BW Query, so that we can utilize the SAP BI Authorization Variable in the Query which the Universe is built on.

1. First, we setup Windows AD SSO to Infoview, so that end user can refresh report using SSO.

2. An Universe is built on a BW Query, and the connection wasn't set as SSO. When refreshing the report, BW sent all data w/o authorization check.

3. Then we setup SAP Authentication in BO CMC. Imported role and user, using a service account and password in the "Entitlement Systems" tab, then we mapped Windows AD user with SAP user ID.

4. We logon to Universe Builder using SAP credentials, changed the same Universe built on top of the SAP BEx Query, the connection type is "Use SSO when refeshing the report at view time".

5. When we were trying to use Windows AD user ID logon Infoview to refresh the report, we got the error of "incomplete logon data".

6. Then we setup client side SNC, SNC is OK; but still got the same error when refreshing the report.

That is the whole story, hope above can provide you the backgroud of our SNC issue.

Thanks and regards,

Jonathan

IngoH
Active Contributor
0 Kudos

Hi,

1. First, we setup Windows AD SSO to Infoview, so that end user can refresh report using SSO.

2. An Universe is built on a BW Query, and the connection wasn't set as SSO. When refreshing the report, BW sent all data w/o authorization check.

>> Item #2 is the consequence from Item #1 as you are missing the SAP Credentials

3. Then we setup SAP Authentication in BO CMC. Imported role and user, using a service account and password in the "Entitlement Systems" tab, then we mapped Windows AD user with SAP user ID.

>> Item #3 can only work assuming complete server side trust has been configured.

4. We logon to Universe Builder using SAP credentials, changed the same Universe built on top of the SAP BEx Query, the connection type is "Use SSO when refeshing the report at view time".

5. When we were trying to use Windows AD user ID logon Infoview to refresh the report, we got the error of "incomplete logon data".

6. Then we setup client side SNC, SNC is OK; but still got the same error when refreshing the report.

>> CLIENT side SNC in this scenario means for you what exactly ? THICK client applications or THIN Client applications ?

The blog you pointing out is about THICK client applications and I would first of all like to clarify what exactly you are trying to achieve as client side SNC and server side SNC are very different items and require very different steps in the configuration.

ingo

Former Member
0 Kudos

Hi Ingo,

Our goal is to have the SAP BW Query Authorization variable work in BO Webi report, so that the Webi report can show different set of data for different users based on their SAP authorization object values, when using Windows AD account for infoview. That is the reason we set universe connection type as SSO. Please advise if we are on the right track, thanks!

I assume now you understand what exactly we want to achieve, so could you please let us know what is the solution (in details) for the same? Client Side SNC or Server Side Trust? Or sth else? Please ignore what we have configured.

Thanks and regards,

Jonathan

IngoH
Active Contributor
0 Kudos

Hi,

if you want to use the data level security from BW - that means you need to use the SAP Authentication to get SSO.

if you want to combine your Windows AD with SAP Credentials for InfoView - which is a THIN CLIENT app - then we are talking about Server side trust here and NOT client side SNC.

Server side trust is documented as part of the installation guide for the SAP Integration Kit

Ingo

Former Member
0 Kudos

Hi Ingo,

Thanks for the answer!

Before we give it a try, I checked the intergration guide Chapter 6, and noticed that it is using CRYPTO Lib; since we have SAP on Unix server and BO on Windows NT 2003, plus we are using Kerberos, do you think we can follow below SAP notes to config:

1446067 - How to configure Server Side SNC for Business Objects XI 3.1 using Kerberos / Windows AD :

https://websmp230.sap-ag.de/sap(bD1lbiZjPTAwMQ==)/bc/bsp/sno/ui_entry/entry.htm?param=69765F6D6F6465...

I also found in below post, you mentioned that "Kerberos does not need PSE files to establish server side trust.", can you please confirm the same?

Currently we are using GSS-API Lib of "snckrb5.so" in RZ10 for the SSO of Windows AD to SAP, can we still use the same lib and parameter in this case?

Thanks and regards,

Jonathan

IngoH
Active Contributor
0 Kudos

HI Jonathan,

just to be clear here - we are still talking about server side trust as we discussed previously ?

If you are already using a configuration then you need to check (a) which software is used and assuming it is not the SAP Crypto Lib then (b) you need to check with the software vendor if the library supports the scenario.

ingo

Former Member
0 Kudos

Hi Ingo,

Sorry for taking so long to reply, we are trying to set up server side trust and enable SSO; but we still couldn't success.

What we did is:

1. We followed installation guide chapter 6, generate certificate and PSE, etc. All looks good.

2. Then we still have the "incomplete logon data" error when refreshing webi report after logon using Windows AD user ID.

3. Then we trace the PFC connection, the log is as below. We checked several BO notes, e.g. 1500150, 1461247.. The part bothers us is that we even don't have URI displayed in the log when system trying to use SNC, and we couldn't get more info on this which make us very difficult to diagnosis.

Can you please help? Thanks a lot!

Thu Mar 31 10:54:46.857 ThreadID<1980> SAPMODULE : SAPAuthenticationService: Authentication model for SAP connectivity is SSO

Thu Mar 31 10:54:46.857 ThreadID<1980> SAPMODULE : SAPAuthenticationService: Determining if we can connect using SNC. Calling CanAuthenticate...

Thu Mar 31 10:54:46.919 ThreadID<1980> SAPMODULE : SAPAuthenticationService: Unable to authenticate using SNC because the URI does not meet the minimum connection requirements.

Thu Mar 31 10:54:46.919 ThreadID<1980> SAPMODULE : SAPAuthenticationService: Determining if we can connect using SSO. Calling CanAuthenticate...

Thu Mar 31 10:54:46.919 ThreadID<1980> SAPMODULE : SAPAuthenticationService: Authentication model for SAP connectivity is SSO

Thu Mar 31 10:54:47.013 ThreadID<1980> SAPMODULE : SAPAuthenticationService: The SAP SSO authentication process will fail because the SAP secondary credential are not properly updated and the password is blank.

Thu Mar 31 10:54:47.013 ThreadID<1980> SAPMODULE : SAPAuthenticationService: Trying to connect to SAP using this URI : occa:sap://;PROVIDER=sapbw_bapi,R3NAME=PB0,GROUP=BI_Group1,MSHOST=sapaupdb04,LANG=en,CLIENT=100,CATALOG="ZSPUM602",CUBE="ZSPUM602/ZSPUM602_Q50"

Thu Mar 31 10:54:47.013 ThreadID<1980> SAPMODULE : SAPAuthenticationService: Calling m_pRfcWrapper->RfcOpenEx() ...

Thu Mar 31 10:54:47.154 ThreadID<1980> SAPMODULE : SAPAuthenticationService: RfcOpenEx(...) returned 0

Thu Mar 31 10:54:47.154 ThreadID<1980> SAPMODULE : SAPAuthenticationService: Call to m_pRfcWrapper->RfcOpenEx() took 0.141 seconds

Thu Mar 31 10:54:47.154 ThreadID<1980> SAPMODULE : SAPAuthenticationService: SAPAuthenticationService::~SAPAuthenticationService

IngoH
Active Contributor
0 Kudos

Hi,

why do you want to setup server side trust ? what is the reason for it ?

for SSO there is no need for Server Side trust

Ingo

Former Member
0 Kudos

Hi Ingo,

We can refresh infoview when logon using SAP credentials with Universe set as SSO connection.

But we want end user to logon Infoview with their Windows AD account ID and password, and utilise the SSO connection; since they are using their Windows Accounts to run BO reports now.

This is the reason, and I explained in earlier post. And then you replied on 25 March, quoted as below:

"if you want to use the data level security from BW - that means you need to use the SAP Authentication to get SSO.

if you want to combine your Windows AD with SAP Credentials for InfoView - which is a THIN CLIENT app - then we are talking about Server side trust here and NOT client side SNC.

Server side trust is documented as part of the installation guide for the SAP Integration Kit"

We do want to combine your Windows AD with SAP Credentials for InfoView. So we follow the document and try to setup Server Side Trust.

Hope you are clear with our requirement now.

Thanks and regards,

Jonathan Ji