SAP BusinessObjects 4.0/4.1 Single Sign On
On our BI platform we had the problem that Windows AD SSO didn't work for some specific users, they just saw the error message "Internet Explorer cannot display the webpage" when trying to access Launch Pad.
After some research we found out that those users are members in a very large number of Windows AD groups, which are sent in the HTTP header when using Sindle Sign On.
The first step to fix that is well documented in the SAP guides.
You have to include the maxHttpHeaderSize="65536" in the 8080 Connector Port tag of your E:\Program Files (x86)\SAP BusinessObjects\Tomcat6\conf\server.xml- file.
But there might be another configuration necessary too. There is the "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters\MaxTokenSize" - parameter in the Windows registry, which must be set on every involved client - so this should be done via group policy.
If the max. token size is still too small, you should reduce the number of groups.
thx, the error message was misleading, was looking for a solution for hours
ReplyDelete