
SSO, Vintela and WindowsAD from DMZ -- one missing puzzle piece

We are currently running BOE 4.0 SP6 with a BW 7.3 backend.  Most reporting is implemented via WebI on top of BEx.  We have configured WindowsAD authentication and SSO, which is working well in all cases for all users on our intranet.  We have also implemented an Apache reverse proxy to enable access from outside our firewall (again with WindowsAD and SSO).  This works well for most users.  Our BOBJ servers are referenced by bi.insidedomain.com from inside the firewall.  They are reached via the reverse proxy from either inside or outside the firewall using bi.outsidedomain.com.

For users with Windows machines that are members of insidedomain.com:

We also have users (external employees) who have their own machines that are *not* members of insidedomain.com

  • When visiting our office or over VPN, https://bi.insidedomain.com/BOE/BI prompts the user via Windows Security popup.  User enters WindowsAD credentials here and goes directly to the Launchpad
  • When visiting our office or over VPN, https://bi.outsidedomain.com/BOE/BI prompts the user via Windows Security popup.  User enters WindowsAD credentials here and goes directly to the Launchpad
  • When outside the office and with no VPN connected, https://bi.insidedomain.com/BOE/BI doesn't work (which is what we expect)
  • When outside the office and with no VPN connected, https://bi.outsidedomain.com/BOE/BI prompts the user via Windows Security popup.  User enters WindowsAD credentials here, but then is immediately presented with BOBJ "Log On to BI launch pad" screen.  This is not expected

For the last bullet point, I would expect the credentials entered in the popup window to be accepted, just as when the user is in the office or on VPN.  This may seem like only a minor annoyance, but we are also linking directly into our BI system via OpenDocument from another system.  The popup window is fine, but the fallback to launch pad logon creates navigation issues.  For all other scenarios, Tomcat stdout shows successful "credentials obtained" messages.  In the last case, there is no log at all in Tomcat stdout.  It looks as though the popup authorization request never gets passed to the server.

I'm sure there is some tiny detail we have missed.  Has anyone run across this before?

