Solved

Windows KB3172605 knocks out https connection to SAP BusinessObjects but only for Internet Explorer

Posted on 2016-08-31
Last Modified: 2016-09-07
We started getting "Page not found" when trying to connect to BusinessObjects XI 3.1 SP6 via https, only for Internet Explorer. We could make the connection via Chrome (but Chrome doesn't fully work with BO for editing reports).

I've narrowed it down to Windows KB3172605 - when this installed, we started getting "Page Not Found". I removed it and we connected. The same scenario is reported in my third link below. This was part of this set of updates:
[Image: Windows updates]
The page not found error occurred on our development box (with a DOD cert, SHA-1) and on Prod (self-signed cert). So since it fails on both, my conclusion is that it's not the cert.

Here are a couple of links on KB3172605
- Microsoft yanks buggy speed-up patch KB 3161608, replaces it with KB 3172605 and 3172614 (it doesn't say all that much about KB3172605)

- Microsoft rollup announcement, July 2016 (it says it works with SHA-1)

- German blog with discussion on KB3172605, which basically says "don't install it"
     - Also, the third comment is our exact issue

So my questions are
- These KB things, they (often) only affect IE, not Chrome, is that right?

- BusinessObjects XI 3.1 SP7 officially works with IE-11, but SP6 (which we have) does not support IE-11, but it worked fine until KB3172605. So my gut reaction is that upgrading to SP7 wouldn't solve the issue; it seems to me that KB3172605 is the issue. What do you think?
Question by:Gadsden Consulting

Author Comment

by:Gadsden Consulting
ID: 41778529
I'm being advised that the issue could be our cert, which uses the SHA-1 algorithm, which is deprecated. However, all evidence points to KB3172605 being the issue.

Our application (SAP BusinessObjects XI SP6) has worked well with IE-11 for a good while. BUT - IE 11 is not a supported browser (IE 10 is supported in SP6)

BUT - SAP BO XI SP-7 DOES support IE-11. So might this solve the problem, i.e., SP6 / IE-11 croaks with KB3172605, but magically SP7 / IE-11 works slick as a whistle?

Accepted Solution

by:
Davis McCarn earned 500 total points
ID: 41779683
If you go here, there is a link near the bottom with a list of its files, and it contains a major pile of replacements that replace numerous core parts of Windows. Just one of them is the certificate services!
https://support.microsoft.com/en-us/kb/3172605

It's extensive enough to almost be considered a service pack rather than an update. Figuring out why it breaks your existing SAP could be a major task, but it is probably rooted in the older version and how it negotiates SSL.

Author Comment

by:Gadsden Consulting
ID: 41786658
Davis,

thank you for the reply, and I apologize for the delay. That article is helpful and we are considering that in regards to removing KB3172605 from our updates.

In addition, we did successfully test a fix with KB3172605 applied, here. This fix updated Tomcat web.xml to add a list of specific ciphers to allow.
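One way to check what a Tomcat instance is configured to offer before and after a change like the cipher allow-list described in the last comment; this is an added example, not code from the thread or from SAP. It assumes the list is set through the `ciphers` attribute of an HTTPS `<Connector>` in Tomcat's `server.xml`; the sample file, ports, keystore path and suite names are constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample of a Tomcat server.xml; ports, paths and suites are illustrative.
SAMPLE_SERVER_XML = """\
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443"/>
    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true" scheme="https"
               secure="true" sslProtocol="TLS" keystoreFile="conf/example.keystore"/>
    <Connector port="9443" protocol="HTTP/1.1" SSLEnabled="true" scheme="https"
               secure="true" sslProtocol="TLS" keystoreFile="conf/example.keystore"
               ciphers="TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA,
                        TLS_DHE_RSA_WITH_AES_128_CBC_SHA"/>
  </Service>
</Server>
"""

def key_exchange(suite):
    """Return the key-exchange part of a JSSE suite name, e.g. 'DHE_RSA'."""
    name = suite.split("_WITH_")[0]
    for prefix in ("TLS_", "SSL_"):
        if name.startswith(prefix):
            return name[len(prefix):]
    return name

def audit_connectors(server_xml):
    """Report, per HTTPS connector, whether the cipher list is pinned."""
    findings = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        https = (conn.get("SSLEnabled", "").lower() == "true"
                 or conn.get("scheme", "").lower() == "https")
        if not https:
            continue  # plain HTTP connector, no TLS settings to audit
        suites = [s.strip() for s in conn.get("ciphers", "").split(",") if s.strip()]
        findings.append({
            "port": conn.get("port"),
            "pinned": bool(suites),  # False: the JVM's default suites are offered
            "suites": suites,
            "key_exchanges": sorted({key_exchange(s) for s in suites}),
        })
    return findings

if __name__ == "__main__":
    for f in audit_connectors(SAMPLE_SERVER_XML):
        state = "explicit list" if f["pinned"] else "JVM defaults (no ciphers attribute)"
        print(f"port {f['port']}: {state}")
        for s in f["suites"]:
            print(f"    {key_exchange(s):10} {s}")
```

Comparing this output with the suites the patched client offers shows which key exchanges remain in common after the allow-list is applied.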