BOE-XI (R2) : Sporadic Page/Cache Error - "Not a valid logon token"

[MJRBIM]

Four BOE-XI (R2) PREMIUM servers in a cluster.
Patched with SP-1, MHF-1, and CHF-15

Getting a Sporadic Page/Cache "Not a valid logon token" errors [EVENT IDs = 34501 and 35208].

These errors only happen a couple of times per month and only in the evening hours (after 5 PM).

Normally not an issue, but as we are getting closer to Fiscal Year end - I have more staff staying late and they are reporting the issue much more often.

I had thirteen of these errors on Friday night (March 9th)alone.

Because it only happens in the evenings, I am wondering if there is somesort of network process that could be the trigger.

Anyone seen this before - Thanks in advance for the advice!

 

[MJRBIM]

This issue was reported again tonight and I was able to get more detail from some of my own testing...

When the issue is being reported, it it normally being reported from within a custom .Net application that is using the SDK for access to BOE-XI (R2)

I was able to logon and test from both the .Net application and CMC side-by-side.

With both methods running under the same "ENTERPRISE" user account the .Net application reports were failing within the application with the "Not A Valid Logon Token" error - but working OK when Previewed in the CMC.

I also bounce the Page/Cache services on BOE-XI [PROD] (one at a time) - but that had no effect on the functionality from within the .Net application.

Could the .Net application server be caching the "logon token" that we are getting the error about...?

Any ideas would be appeciated. BOBJ support isn't making much progress.

Thanks!

 

[Turkbear]

Hi,
The CMC does not use the same kind of authentication - Logon Tokens are stored as cookies usually and, depending on the domains accessed by your apps and your network settings and security, it may not be passed correctly..
Try using a Session variable to store it..





To Paraphrase:"The Help you get is proportional to the Help you give.."

 

[MJRBIM]

Our .Net developers are going to try that on the next build (Friday) so it will be next week before we can test.

Thanks for the suggestion.

 

[MJRBIM]

Turkbear -

Is there a good document anywhere on the web that describes the "Correct" use of Logon Tokens for .Net applications connecting to BOE-XI (R2).

Can't seem to find anything on the BOBJ site...

Thanks!

 

[Turkbear]

Hi,
Not that I can find...We use trial and error..( and not always to great sucess)..

Try looking at som eof the examples in

bexi_vbnet_samples.zip

from the BusinessObjects support site..It is R1 based, but the examples of using a Token may still apply..





To Paraphrase:"The Help you get is proportional to the Help you give.."

 

[hilfy]

Turkbear,
You can get to R2 sample code at:

http://devlibrary.businessobjects.com/BusinessObjectsXIR2/en/devsuite.htm

----------
Have either of you tried setting up and using Trusted Authentication? That's how we handle this kind of thing. Once a user has logged in to our portal. Since our users come in through the public internet and our web servers are in the DMZ outside of our enterprise network, our Enterprise IT has rolled their one SSO system. This means we can't user AD or integrated Windows authentication.

To set up Trusted Authentication, you set a key phrase in the CMC under Authentication, Enterprise, Shared Secret. Then, on the web server you add a file called TrustedPrincipal.conf to the \Program Files\Business Objects\BusinessObjects Enterprise 11.5\win32_x86\plugins\auth\secEnterprise folder. This contains the following: SharedSecret=<key phrase>. My one complaint is that this file is not encrypted - I've got an ADAPT number where I've made this request, but a bunch of folks have to request it to get it to happen....

Once you done this configuration, doing authentication is fairly easy. Here's the C# code I use:

if (CanAuthenticate(ref TokenFromAnotherApp, ref userName))
      {
        try
        {
          // Do any additional app specific SSO work here, note userName has login name for user
          SessionMgr sess = new SessionMgr();
          TrustedPrincipal tp = sess.CreateTrustedPrincipal(userName, ConfigurationManager.AppSettings["CMS"]);
          EnterpriseSession esess = sess.LogonTrustedPrincipal(tp);
          CrystalDecisions.Enterprise.WebControls.Identity ident = new CrystalDecisions.Enterprise.WebControls.Identity();
          ident.EnterpriseSession = esess;

          string token = ident.GetToken();
          HttpCookie identCookie = new HttpCookie("IdentityCookie", token);
          identCookie.Domain = "ourdomain.com";
          Response.Cookies.Add(identCookie);
        }
        finally
        {
          // Redirect the user to the main page
          Response.Redirect(ConfigurationManager.AppSettings["WCA"], true);
        }
      }

I haven't had any problems with this not working when everything's configured correctly. (Note: CanAuthenticate is a method we use to make sure that the user has a valid session through our SSO before trying to log in.)

-Dell

A computer only does what you actually told it to do - not what you thought you told it to do.