We are running into a problem specifically with Windows 7, Internet Explorer 8 and Microsoft Patch KB2618444 on our systems. If we then try to invoke a transaction in SAP that will use SSO to attach to the JAVA instance (for example, MOPZ and BI transaction RSPLAN), we get an SSO error.

We initially discovered this because one of our users was unable to start RSPLAN -> Start Modeler in Windows 7 / IE 8.

We are running BW NW 7.0 EhP1, SPS 10. We have the system set up for SSO between the Java stack and itself. The Java stack is running NW 7.0 EhP1, SPS 10.

If we are using a PC running Windows 7, IE 8 (we cannot upgrade IE to the next level at this time), when we execute the transaction RSPLAN -> Start Modeler, IE opens and attempts to log into the URL http://<fqdn_BW-server>:8042/sap/publich/myssocntl. It then fails to fully connect giving us the page u201CInternet Explorer cannot display the webpageu201D.

If we do this on a MAC using FireFox, it successfully gets to the BI webpage. FireFox ignores certificates and prompts for a username login / password. Once the user logs in, they get into the BI webpages.

We did increase traces on the BW work processes and captured the message:

N *** ERROR => System ID and client from ticket are not the same than mine. [ssoxxkrn.c 1065]

N Data from ticket: sysid=<BW_SID> , client=<default client>

N My system data: sysid=<BW_SID> , client=000

N *** ERROR => Neither was ticket issued by myself nor can I find issuer in TWPSSO2ACL (see note 1055856). [ssoxxkrn.c 1071]

N dy_signi_ext: ticket issuer not trusted

No other changes were made on our configuration and this process worked in December. We did attempt to change the service myssocntl to direct it to always use the default client. We also added the <BW_SID> certificate to the STRUSTSSO2 ACL listing (and could see it in table TWPSSO2ACL, We do know that additional security measures / restrictions were recently updated on IE 8.

Steps for Reconstruction

On a Windows 7 PC, IE 8 with the latest IE 8 security patches. Log into a BW system where SSO is configured and use transaction RSPLAN. Click on the button "Start Modeler" and execute.

IE 8 on your PC should start. It should attempt to use page myssocntl on the BW system.

We have determined that the recent Microsoft update, KB2618444, has created the problem. It was applied to our systems in December. We were able to uninstall the patch from one of our Windows 7 PCs with IE 8. Once uninstalled, we were able to successfully launch the RSPLAN -> Start Modeler without any additional changes.

We then tried to run MOPZ on a Windows 7 system with the patch KB2618444 installed. Again, we got SSO errors when trying to create the session.

We have logged an SAP message about this and are asking for them to please determine the necessary work-around steps to have the transactions work appropriately with Windows 7, IE 8 and patch KB2618444 applied.

We wanted to share this with SDN in case someone else is seeing a similar problem. When we get a response to our message, I will try to post pointers to the fix here.

Deb Nugent.