Kerberos based Single Sign-On fails for some but not all users

Technote (troubleshooting)


Problem (Abstract)

Kerberos based SSO to IBM Cognos BI deployed to Apache Tomcat via an IIS deployed Gateway reproducibly fails for some, but not all, users. The same setup was working for older versions of IBM Cognos BI (8.4.x) in the same environment.
The issue can occur due to a change in the Tomcat server configuration introduced as of IBM Cognos BI 10.x. The same potentially applies to IBM Cognos BI deployed to other application servers as well.

Symptom

Kerberos based SSO to IBM Cognos BI deployed to Apache Tomcat via an IIS deployed Gateway reproducibly fails for some, but not all, users.

The affected users get an "HTTP 400 Bad Request" error in the browser
or even
"The IBM Cognos gateway is unable to connect to the IBM Cognos BI server. The server may be unavailable or the gateway may not be correctly configured."

  • Without SSO the affected users can authenticate without issue.
  • The SSO was working for older versions of IBM Cognos BI (8.4.x) in the very same environment.
  • The affected users are members of many groups/roles in the AD.


Cause

For Kerberos based SSO, IBM Cognos BI runs through a Kerberos delegation protocol. During this process the user's Kerberos token is eventually transmitted between the IBM Cognos BI Gateway component and the IBM Cognos BI Content Manager component as a protected HTTP header. If a user belongs to many AD groups, that Kerberos token may become large and add to the size of the HTTP headers, which can then exceed the maximum HTTP header size configured for the application server.

Due to code changes in IBM Cognos 10 BI, the requests exchanged internally during the SSO handshake have grown in size. A large Kerberos token makes them exceed the configured threshold.


Environment

IBM Cognos BI 10.x Gateway deployed to Microsoft Internet Information Services.
IBM Cognos BI 10.x configured for Authentication using an Active Directory Namespace configured for Kerberos based SSO (default)

IBM Cognos BI deployed to Apache Tomcat (or any other supported Application server) which enforces a limit to the HTTP header size.


Diagnosing the problem

Ensure the affected users can authenticate without error when SSO is not used (by disabling SSO or hitting the Dispatcher URI directly).

  • Enable Gateway trace and scan logs for something like:

    ERROR t:6688 HTTPException. details: <Exception "The IBM Cognos Gatew"The IBM Cognos Gateway is "ay is "
    Name="HTTPException" Error="1009" Severity="Error"><Messages><Message
    Name="CCLMessage" File="" Severity="Error" Nesting="0"
    ><MessageText><Message Name="CCLMessage" File="" Severity="Error"
    Nesting="0" ><MessageComponents  ID="0000"
    ></MessageComponents></Message></MessageText></Message></Messages><Trace
    Info><Trace Text="httpclient.cpp(168): HTTPException: CCL_THROW: int
    HTTPClient::readHTTPResponseLine(IBJBufferedInputStream &is,
    CSTD_STD_NAME::string& sResponseLine )" /></TraceInfo></Exception>
    19:30:37.152 - 4984 ERROR t:6688 HTTPException in
    communicateWithDispatcher()

Resolving the problem

For IBM Cognos BI Application Tier Components and Content Manager deployed to Apache Tomcat:

  • Stop IBM Cognos BI
  • Create a backup of <COG_ROOT>\tomcat\conf\server.xml.
  • Open the file in an editor and locate the Connector element:
    <Connector port="19300" protocol="HTTP/1.1" maxThreads="500"
    enableLookups="true" acceptCount="500" debug="0"
    connectionTimeout="60000"
    disableUploadTimeout="true"
    maxHttpHeaderSize="16384"
    maxProcessors="500"
    minProcessors="5" useURIValidationHack="false"/>
  • Change maxHttpHeaderSize to 32768 and save the file
  • Restart IBM Cognos BI

For IBM Cognos BI Application Tier Components and Content Manager deployed to other application servers, consult the documentation to identify the parameter controlling the HTTP header size.
  • Stop IBM Cognos BI
  • Increase the identified parameter to 32768.
  • Restart IBM Cognos BI
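
For the Tomcat case, the following Python script is an added illustration, not IBM's code or part of the original technote: it reads the Connector limits from a server.xml and checks whether a request carrying a large base64 token header would fit. The sample XML wrapper, request path, host and header name are constructed, and the 8192-byte default for a missing attribute is an assumption about the Tomcat version in use.

```python
import base64
import xml.etree.ElementTree as ET

# Assumption: limit applied when maxHttpHeaderSize is absent (check your Tomcat version).
TOMCAT_DEFAULT = 8192

# Constructed sample: the technote's Connector inside a minimal server.xml.
SAMPLE_SERVER_XML = """<Server><Service name="Catalina">
  <Connector port="19300" protocol="HTTP/1.1" maxThreads="500"
             connectionTimeout="60000" maxHttpHeaderSize="16384"/>
</Service></Server>"""


def connector_limits(server_xml):
    """Map each Connector port to its effective maxHttpHeaderSize in bytes."""
    root = ET.fromstring(server_xml)
    return {int(c.get("port")): int(c.get("maxHttpHeaderSize", TOMCAT_DEFAULT))
            for c in root.iter("Connector")}


def header_block_size(request_line, headers):
    """Bytes on the wire for the request line, every header and the final CRLF."""
    lines = [request_line] + [f"{name}: {value}" for name, value in headers.items()]
    return sum(len(line.encode("latin-1")) + 2 for line in lines) + 2


def sample_request(token_bytes):
    """Constructed request carrying a base64 token of token_bytes raw bytes.
    Path, host and header name are hypothetical; the technote names none."""
    token = base64.b64encode(b"\x00" * token_bytes).decode("ascii")
    return "POST /example/dispatch HTTP/1.1", {
        "Host": "cm.example.test:19300",
        "X-Example-Kerberos-Token": token,
    }


def audit(server_xml, token_bytes):
    """For each connector port, report whether the sample request fits the limit."""
    size = header_block_size(*sample_request(token_bytes))
    return {port: size <= limit
            for port, limit in connector_limits(server_xml).items()}


if __name__ == "__main__":
    for limit in ("16384", "32768"):
        xml = SAMPLE_SERVER_XML.replace("16384", limit)
        print(limit, audit(xml, 6000), audit(xml, 13000))
```

To size the limit against real traffic, replace the constructed request with the request line and headers taken from a Gateway trace of an affected user.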

Related information

Cognos Upgrade Central

Document information


More support for:

Cognos Business Intelligence
Install and Config

Software version:

10.1, 10.1.1, 10.2, 10.2.1

Operating system(s):

AIX, HP Itanium, HP-UX, Linux, Solaris, Windows

Software edition:

All Editions

Reference #:

1516226

Modified date:

2013-06-18
