I have inherited a BO landscape which is currently a mystery when it comes to SSO, and SAP has confirmed to me that it is the first case. Please keep in mind that both SAP and MS are supporting me on the troubleshooting and I would like to find out if anyone out there has experienced the same type of issue.
Symptom:
8/10 single sign on works sporadically.
Issue can be replicated by disconnecting and reconnecting. If SSO does not work, after a few refreshes (F5), the user magically logs on.
Network has been ruled out since we are currently testing (client) in the same physical network as the server and domain controller (no firewall/proxies). We've also tried specifying 1 domain controller through "idm.kdc" and the issue is persistent in both DC1 and DC2.
From the Wireshark and Fiddler traces, the one thing that everyone (SAP/MS) agrees upon is that the request is missing a piece:
Putting the logs side by side, there are cookies and jsessions that are different, but we don't know who is causing this.
This difference is visible from the first request that is being sent. Please check the highlighted differences:
Bad:
Frame: Number = 868, Captured Frame Length = 593, MediaType = ETHERNET
+ Ethernet: Etype = Internet IP (IPv4),DestinationAddress:[00-50-56-A4-00-67],SourceAddress:[00-50-56-88-71-AF]
+ Ipv4: Src = 172.26.11.133, Dest = 172.26.11.31, Next Protocol = TCP, Packet ID = 19419, Total IP Length = 579
+ Tcp: Flags=...AP..., SrcPort=55953, DstPort=HTTP Alternate(8080), PayloadLen=539, Seq=4161700648 - 4161701187, Ack=2173894430, Win=256 (scale factor 0x8) = 65536
- Http: Request, GET /BOE/BI
Command: GET
+ URI: /BOE/BI
ProtocolVersion: HTTP/1.1
Accept: image/jpeg, application/x-ms-application, image/gif, application/xaml+xml, image/pjpeg, application/x-ms-xbap, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Accept-Language: it-IT
UserAgent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3)
Accept-Encoding: gzip, deflate
Host: bmi-boq.emea.bracco.priv:8080
Connection: Keep-Alive
HeaderEnd: CRLF
Good:
Frame: Number = 416, Captured Frame Length = 510, MediaType = ETHERNET
+ Ethernet: Etype = Internet IP (IPv4),DestinationAddress:[00-50-56-A4-00-67],SourceAddress:[00-50-56-88-71-AF]
+ Ipv4: Src = 172.26.11.133, Dest = 172.26.11.31, Next Protocol = TCP, Packet ID = 20029, Total IP Length = 496
+ Tcp: Flags=...AP..., SrcPort=55958, DstPort=HTTP Alternate(8080), PayloadLen=456, Seq=3830817431 - 3830817887, Ack=3835511968, Win=256 (scale factor 0x8) = 65536
- Http: Request, GET /BOE/BI
Command: GET
+ URI: /BOE/BI
ProtocolVersion: HTTP/1.1
Accept: */*
Accept-Language: it-IT
UserAgent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3)
Accept-Encoding: gzip, deflate
Host: bmi-boq.emea.bracco.priv:8080
Connection: Keep-Alive
- Cookie: JSESSIONID=7056E0775339CDEC06EFDDA4F2671DEE; VINTELASSO=true; InfoViewPLATFORMSVC_COOKIE_TOKEN=
JSESSIONID: 7056E0775339CDEC06EFDDA4F2671DEE
VINTELASSO: true
InfoViewPLATFORMSVC_COOKIE_TOKEN:
HeaderEnd: CRLF
Bad:
Frame: Number = 869, Captured Frame Length = 728, MediaType = ETHERNET
+ Ethernet: Etype = Internet IP (IPv4),DestinationAddress:[00-50-56-88-71-AF],SourceAddress:[00-50-56-A4-00-67]
+ Ipv4: Src = 172.26.11.31, Dest = 172.26.11.133, Next Protocol = TCP, Packet ID = 24878, Total IP Length = 714
- Tcp: Flags=...AP..., SrcPort=HTTP Alternate(8080), DstPort=55953, PayloadLen=674, Seq=2173894430 - 2173895104, Ack=4161701187, Win=256 (scale factor 0x8) = 65536
SrcPort: HTTP Alternate(8080)
DstPort: 55953
SequenceNumber: 2173894430 (0x8192FF1E)
AcknowledgementNumber: 4161701187 (0xF80E8543)
+ DataOffset: 80 (0x50)
+ Flags: ...AP...
Window: 256 (scale factor 0x8) = 65536
Checksum: 0x422A, Good
UrgentPointer: 0 (0x0)
TCPPayload: SourcePort = 8080, DestinationPort = 55953
- Http: Response, HTTP/1.1, Status: Ok, URL: /BOE/BI
ProtocolVersion: HTTP/1.1
StatusCode: 200, Ok
Reason: OK
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=7056E0775339CDEC06EFDDA4F2671DEE; Path=/BOE/; HttpOnly
+ ContentType: text/html;charset=UTF-8
TransferEncoding: chunked
ContentEncoding: gzip
Vary: Accept-Encoding
Date: Wed, 17 Jun 2015 12:38:11 GMT
HeaderEnd: CRLF
+ chunkSize: 10
+ ChunkPayload: HttpContentType = text/html;charset=UTF-8
FooterEnd: CRLF
+ chunkSize: 376
ChunkPayloadContinuation: Binary Large Object (376 Bytes)
FooterEnd: CRLF
Good:
Frame: Number = 419, Captured Frame Length = 649, MediaType = ETHERNET
+ Ethernet: Etype = Internet IP (IPv4),DestinationAddress:[00-50-56-88-71-AF],SourceAddress:[00-50-56-A4-00-67]
+ Ipv4: Src = 172.26.11.31, Dest = 172.26.11.133, Next Protocol = TCP, Packet ID = 9202, Total IP Length = 635
- Tcp: Flags=...AP..., SrcPort=HTTP Alternate(8080), DstPort=55958, PayloadLen=595, Seq=3835511968 - 3835512563, Ack=3830817887, Win=256 (scale factor 0x8) = 65536
SrcPort: HTTP Alternate(8080)
DstPort: 55958
SequenceNumber: 3835511968 (0xE49D44A0)
AcknowledgementNumber: 3830817887 (0xE455A45F)
+ DataOffset: 80 (0x50)
+ Flags: ...AP...
Window: 256 (scale factor 0x8) = 65536
Checksum: 0x637D, Good
UrgentPointer: 0 (0x0)
TCPPayload: SourcePort = 8080, DestinationPort = 55958
- Http: Response, HTTP/1.1, Status: Ok, URL: /BOE/BI
ProtocolVersion: HTTP/1.1
StatusCode: 200, Ok
Reason: OK
Server: Apache-Coyote/1.1
- ContentType: text/html;charset=UTF-8
+ MediaType: text/html;charset=UTF-8
TransferEncoding: chunked
ContentEncoding: gzip
Vary: Accept-Encoding
Date: Wed, 17 Jun 2015 12:38:51 GMT
HeaderEnd: CRLF
+ chunkSize: 10
- ChunkPayload: HttpContentType = text/html;charset=UTF-8
HtmlElement: ‹
FooterEnd: CRLF
- chunkSize: 376
Size: 376
ChunkPayloadContinuation: Binary Large Object (376 Bytes)
FooterEnd: CRLF
This behavior continues later in the communication as well:
Bad:
Frame: Number = 962, Captured Frame Length = 966, MediaType = ETHERNET
+ Ethernet: Etype = Internet IP (IPv4),DestinationAddress:[00-50-56-A4-00-67],SourceAddress:[00-50-56-88-71-AF]
+ Ipv4: Src = 172.26.11.133, Dest = 172.26.11.31, Next Protocol = TCP, Packet ID = 19456, Total IP Length = 952
+ Tcp: Flags=...AP..., SrcPort=55954, DstPort=HTTP Alternate(8080), PayloadLen=912, Seq=2664738444 - 2664739356, Ack=646603644, Win=256 (scale factor 0x8) = 65536
- Http: Request, POST /BOE/portal/1506152044/BIPCoreWeb/VintelaServlet, Query:vint_backURL=%2FInfoView%2Flogon.faces&vint_cms=BMI-2K8-BOQ%3A6400
Command: POST
+ URI: /BOE/portal/1506152044/BIPCoreWeb/VintelaServlet?vint_backURL=%2FInfoView%2Flogon.faces&vint_cms=BMI-2K8-BOQ%3A6400
ProtocolVersion: HTTP/1.1
Accept: image/jpeg, application/x-ms-application, image/gif, application/xaml+xml, image/pjpeg, application/x-ms-xbap, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Referer: http://bmi-boq.emea.bracco.priv:8080/BOE/portal/1506152044/InfoView/logon.faces
Accept-Language: it-IT
UserAgent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3)
+ ContentType: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Host: bmi-boq.emea.bracco.priv:8080
ContentLength: 27
Connection: Keep-Alive
Cache-Control: no-cache
- Cookie: JSESSIONID=7056E0775339CDEC06EFDDA4F2671DEE
JSESSIONID: 7056E0775339CDEC06EFDDA4F2671DEE
HeaderEnd: CRLF
- payload: HttpContentType = application/x-www-form-urlencoded
vint_cms: BMI-2K8-BOQ%3A6400
Good:
Frame: Number = 481, Captured Frame Length = 2974, MediaType = ETHERNET
+ Ethernet: Etype = Internet IP (IPv4),DestinationAddress:[00-50-56-A4-00-67],SourceAddress:[00-50-56-88-71-AF]
+ Ipv4: Src = 172.26.11.133, Dest = 172.26.11.31, Next Protocol = TCP, Packet ID = 20053, Total IP Length = 2960
+ Tcp: Flags=...A...., SrcPort=55961, DstPort=HTTP Alternate(8080), PayloadLen=2920, Seq=3476442964 - 3476445884, Ack=772423036, Win=256 (scale factor 0x8) = 65536
- Http: Request, POST /BOE/portal/1506152044/BIPCoreWeb/VintelaServlet, Query:vint_backURL=%2FInfoView%2Flogon.faces&vint_cms=BMI-2K8-BOQ%3A6400, Using GSS-API Authorization
Command: POST
+ URI: /BOE/portal/1506152044/BIPCoreWeb/VintelaServlet?vint_backURL=%2FInfoView%2Flogon.faces&vint_cms=BMI-2K8-BOQ%3A6400
ProtocolVersion: HTTP/1.1
Accept: image/jpeg, application/x-ms-application, image/gif, application/xaml+xml, image/pjpeg, application/x-ms-xbap, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Referer: http://bmi-boq.emea.bracco.priv:8080/BOE/portal/1506152044/InfoView/logon.faces
Accept-Language: it-IT
UserAgent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3)
+ ContentType: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Host: bmi-boq.emea.bracco.priv:8080
ContentLength: 27
Connection: Keep-Alive
Cache-Control: no-cache
- Cookie: JSESSIONID=7056E0775339CDEC06EFDDA4F2671DEE; VINTELASSO=true; InfoViewPLATFORMSVC_COOKIE_TOKEN=
JSESSIONID: 7056E0775339CDEC06EFDDA4F2671DEE
VINTELASSO: true
InfoViewPLATFORMSVC_COOKIE_TOKEN:
+ Authorization: Negotiate
Any suggestions could help.
Thanks.
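Added example, not part of the original post: a small Python parser for header dumps in the layout shown above that reports which headers and cookies the good request carries and the bad one lacks. The two samples are shortened excerpts of frames 962 and 481 from the post; the `NON_HEADERS` list is an assumption about which tree fields are not HTTP headers.

```python
import re

# Trace-tree fields that are not HTTP headers (assumption from the dumps above).
NON_HEADERS = {"Http", "Command", "URI", "ProtocolVersion", "HeaderEnd", "payload"}

# Shortened excerpts of the two VintelaServlet POSTs (frames 962 and 481).
BAD = """\
- Http: Request, POST /BOE/portal/1506152044/BIPCoreWeb/VintelaServlet
ContentLength: 27
Connection: Keep-Alive
- Cookie: JSESSIONID=7056E0775339CDEC06EFDDA4F2671DEE
JSESSIONID: 7056E0775339CDEC06EFDDA4F2671DEE
"""
GOOD = """\
- Http: Request, POST /BOE/portal/1506152044/BIPCoreWeb/VintelaServlet
ContentLength: 27
Connection: Keep-Alive
- Cookie: JSESSIONID=7056E0775339CDEC06EFDDA4F2671DEE; VINTELASSO=true; InfoViewPLATFORMSVC_COOKIE_TOKEN=
JSESSIONID: 7056E0775339CDEC06EFDDA4F2671DEE
VINTELASSO: true
InfoViewPLATFORMSVC_COOKIE_TOKEN:
+ Authorization: Negotiate
"""

def parse_request(dump):
    """Return (headers, cookies) parsed from one dumped request."""
    headers, cookies = {}, {}
    for line in dump.splitlines():
        # Strip the leading +/- tree marker, then split "Name: value".
        m = re.match(r"^\s*[+-]?\s*([A-Za-z][\w-]*):\s*(.*)$", line)
        if not m or m.group(1) in NON_HEADERS:
            continue
        name, value = m.group(1), m.group(2).strip()
        if name == "Cookie":
            for pair in value.split(";"):
                k, _, v = pair.strip().partition("=")
                if k:
                    cookies[k] = v
        elif name not in cookies:  # skip the expanded per-cookie child lines
            headers[name] = value
    return headers, cookies

def diff_requests(bad, good):
    bh, bc = parse_request(bad)
    gh, gc = parse_request(good)
    return {
        "headers_missing_in_bad": sorted(set(gh) - set(bh)),
        "cookies_missing_in_bad": sorted(set(gc) - set(bc)),
        "negotiate_in_bad": bh.get("Authorization", "").startswith("Negotiate"),
    }
```

Running `diff_requests` over every request of a failing and a working logon, paired by URI, shows the first request at which the two sessions diverge.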