BI 4.1 - Kerberos+AD with SSO2DB Oracle

Hello fellow BOers!

We are at the moment trying to configure SSO2DB on our BI platform.

Here is the global configuration:

• Server : Windows 2008 R2
• SAP BI : 4.1 SP3
• Oracle clients 32b and 64b : Version 11.2.0.1.0
• SSO configured for Launchpad with Vintela, Kerberos, and AD

And here is the thing :

Let's say we have :

• ReportSSO : a WebI report based on a universe using an Oracle connection configured for SSO
• ReportClassic : a WebI report based on a universe using an Oracle connection with hardcoded username/password

1 - SSO to the platform (Vintela step) => Everything is OK

• SSO through the launchpad is working fine, the AD credentials of the user's session are used to connect to launchpad.
• SSO for WebI Rich Client is also working fine.

2 - Refreshing reports (SSO2DB) :

• Both reports refresh on WebI Rich Client after connecting in SSO mode => OK
• In Launchpad, users can refresh ReportClassic (Report not using SSO2DB) => OK
• In Launchpad, users cannot refresh ReportSSO (Report using SSO2DB) => KO
  • The error is the following, when refreshing a report :
  • Database error: (CS) "Error on Connect". (IES 10901) (Error: INF)

The error clearly shows there is something wrong with the ConnectionServers.

We tried to set the log level at the maximum for the CS, but nothing interesting here. The error is traced, but no information about the cause or any warning or error before).

Here are all the things we tried or checked:

• sqlnet.ora and tnsnames.ora are shared between users' computers and the server, so Oracle client config is not involved
• Kerberos tickets are forwardable
• "Cache security context" is checked on the CMC
• SSO is enabled in Oracle SBO files
• The service account running the SIA is trusted for delegation in AD
• The SPN seems to be working fine because it is working for the platform.

And one last "not-related to BO" thing:

• I can open an SSO session to the database with sqlplus after creating a ticket with a my credentials from the BO server
• Once my manual ticket is created between BO server and the DB, all users can refresh the report but they are connected to the DB with my user, which is not a good thing at all!

Does any of you have an idea of what could be going wrong?

Thank you, this is a pain for weeks now...