Skip to Content
Author's profile photo Patrick Perrier

Warning: Patching your SAP BI 4.0 to SAP BI 4.1 will break your AD SSO!

Symptom

Patching to SAP BI 4.1 will indeed break your Active Directory Single Sign On in one or two places if your Web Application Server is Apache Tomcat.

Environment

  • SAP BusinessObjects Business Intelligence Suite 4.0
  • Apache Tomcat


Solutions

Don’t worry, the solution(s) are simple!

1: Your .properties files

It is widely documented that when you patch, the content of the webapps folder will redeployed therefore all customisations will be lost.

The solution is to of course either manually re-apply the changes you have made or better, from SAP BI 4.0 you can save the updated .properties in a folder and they will get redeployed automatically.

See SAP Note 1615492

2: Your Apache Tomcat server.xml

This one was a bit trickier!  The problem is that manual authentication is still working and Silent SSO is working for some of the users.  The others receive a HTTP error.

Turns out patching from SAP BI 4.0 to SAP BI 4.0 will also install a new version of Apache Tomcat (From Tomcat 6 to Tomcat 7).  The installation folder is a bit different too:

  • Old Location: C:\Program Files (x86)\SAP BusinessObjects\Tomcat6\
  • New Location: C:\Program Files (x86)\SAP BusinessObjects\tomcat\

Doing so, the content of your server.xml has been lost.  Simply edit the new server.xml and make sure to re-apply the

maxHttpHeaderSize=”65536″ value in the Connector Port.

More details about this: SAP Note 1631734

Hope it helps!

Assigned Tags

      12 Comments
      You must be Logged on to comment or reply to a post.
      Author's profile photo Former Member
      Former Member

      Great info! Keep it coming, Patrick. Sure you have loads more in you!

      Author's profile photo Former Member
      Former Member

      Patrick, thanks for the information. With regard to the customization of the .properties files.  As noted in SAP Note 1615492 if you make sure that the custom .properties files are copied to <BOE_HOME>\SAP BusinessObjects Enterprise XI 4.0\warfiles\webapps\BOE\WEB-INF\config prior to the update you will find that the files will exist in the new environment after the patch. This is because when the patch is run it will update the contents of the warfiles folder and then perform a WDeploy into the new Tomcat folder which will bring the custom .properties files with the deployment.

      Also, if you are currently supporting cross-domain AD authentiaction you will also need to add the domain to the username stated in the SPN section of the AD auth plugin.  Ex. if the SPN was BI4_service and the domain is FOOBAR.COM then the SPN would now be shown as "BI4_service@FOOBAR.COM" instead of "BI4_service". Apparently this was due to a change they made under the hood. 😉

      Author's profile photo Patrick Perrier
      Patrick Perrier
      Blog Post Author

      I have already quoted this article in my original post!?

      Author's profile photo Former Member
      Former Member

      Sorry, you caught me between edits.  I apologize if it sounded like I was correcting you.  I was only saying that if we implement this prior to the update we will not only protect the custom settings from the 4.0 to 4.1 update but also from all future patches as well.

      I apologize for any confusion.

      Author's profile photo Patrick Perrier
      Patrick Perrier
      Blog Post Author

      The main point of this article is that the server.xml will get overwritten as SAP BI 4.1 includes a new version of Tomcat (Solution 2 above).  This can't be avoided.

      The rest about .properties (Solution 1) has largely been discussed in many other posts.

      Author's profile photo Former Member
      Former Member

      Very true. It would be nice if they would go ahead and set the server.xml to support SSO in Tomcat7, but for now we must all remember to replace it.

      Author's profile photo Noel Scheaffer
      Noel Scheaffer

      We upgraded from 4.0 SP06 to 4.1 SP01 Patch 2 on November 2nd.  We had some (not all) users having problems getting logged into BOBJ.  Since it was affecting only some users we thought it had something to do with our load balancing environment.  I came across this blog post and thought item #2 might make a difference.  So I made the changes last night and it did the trick.

      Thanks!

      Author's profile photo Patrick Perrier
      Patrick Perrier
      Blog Post Author

      Hi Noel,

      Thank you for feedback.  I'm glad it helped.  I certainly scratched my head for a little while when I had that issue!

      Author's profile photo Former Member
      Former Member

      We are using WebLogic as our application server, So any specific configurations needs to be done for this ?

      Author's profile photo Patrick Perrier
      Patrick Perrier
      Blog Post Author

      Hi Satheesh,

      This specific issue is not applicable to you in this case.  Only for people using Apache Tomcat.

      However, make sure you verify the Supported Platform (PAM) of SAP BI 4.1 against your version of WebLogic.

      Link here: http://scn.sap.com/community/bi-platform/blog/2013/11/22/sap-businessobjects-business-intelligence-suite-41-sp02-released

      Author's profile photo Manikandan Elumalai
      Manikandan Elumalai

      Thanks for Sharing Patrick. I am sure this will be useful for many others.

      Author's profile photo Former Member
      Former Member

      I have a question.  I had a client that wanted me to install Explorer 4.0 to test out, and it broke their SSO.  Are these the main spots to check to reconfigure SSO and what do I reset?  The settings appear correct in the CMS, but we're not sure about Tomcat as the biservice would not create a ticket when running in the Command Prompt.

      Thanks