14 Replies Latest reply: Apr 4, 2013 1:18 AM by Srinath Menon

External User roles are not retrieved the first time only

Jerome.Dubois Newbie
Hi people,



Working with WebCenter Content 11g, connected with a Microsoft AD with Weblogic for the management of security.

At the first login, when a user is not yet created in Content 11g, the error message "The user does not have sufficient privileges" is displayed on the home page and the user has no roles (but he has them in the AD). But right after that, after only doing a refresh of the page, the user is now able to access the system as he's supposed to and he has his correct roles.

After a logoff and a new logon with the same user, the user still has his correct roles and no error is displayed.

It's like the mapping of the roles is not done fast enough for a first time login.

Any ideas?



Thanks,

Jay.
  • 1. Re: External User roles are not retrieved the first time only
    Srinath Menon Guru
    Hi Jay,

    Does the user log in to the UCM server for the first time and see the issue? Or is the user logging in to an external application and the issue shows up?

    What is the version of UCM server in this scenario?

    Thanks,
    Srinath
  • 2. Re: External User roles are not retrieved the first time only
    ngsankar Journeyer
    We are also facing the same issue.
    We have an integration with IDM; the first time we log in with an external user into the UCM Console, it is displaying the same error.
    We are using WCC 11.1.1.6.
  • 3. Re: External User roles are not retrieved the first time only
    TheNewBee Newbie
    Hi Jerome,

    You are facing a problem while displaying content on the portal, right?
    Can you please elaborate on your scenario, like
    which security group (SG) your content is in and what roles are mapped with what permission to that SG.
    If an account is active, please update that info also.

    I once faced the same problem. What I tried was: a content item mapped to a secure SG, and I dragged and dropped that content (from the JDev connection) onto the home page.
    When I tried to access the home page without login it said "user anonymous, The user does not have sufficient privileges". This also happened for a first-time login user. The next login doesn't create any problem.
    Now, since our use case changed to have all content with read permission for the guest user, we are not facing this problem.

    Thanks
    -somesh
  • 4. Re: External User roles are not retrieved the first time only
    Srinath Menon Guru
    Hi,

    IDM is identity management, right? So in here are you using OAM - OID (or LDAP) for authentication with WCC?

    Add the following trace sections:

    userstorage, systemdatabase, jps*, requestaudit and enable full verbose tracing.

    Clear the server output logs.

    Log in with a new user to UCM and once it is successful navigate to server output - refresh - copy the logs and update it here.


    Thanks,
    Srinath
  • 5. Re: External User roles are not retrieved the first time only
    Jerome.Dubois Newbie
    More details.

    I think there's no problem with the mapping of the roles from AD to UCM. A role in AD ("App_XX_Management" for example) is correctly mapped to "XX_Man" in UCM, but only after the refresh of the page when the user logs in for the first time.

    Here's a recap:
    - The AD user tries to log in for the first time into UCM (he is not yet available as a UCM user).
    - After a successful logon (good user/password), he's redirected to the homepage but the message "does not have privileges" is displayed. When you look at the source code of the page, the role is defined to "#none".
    - After doing nothing else but a refresh of the page (F5-key), the homepage is refreshed, the user can access the application like he should, there's no more error message and when you look at the source code of the page, the role is defined to "XX_Man".

    The version of UCM I use is 11.1.1.5.0.
  • 6. Re: External User roles are not retrieved the first time only
    Jerome.Dubois Newbie
    Hi Srinath,


    Here's the log after setting my trace as you suggested.

    And we do not use IDM. We use a plain Microsoft AD, Weblogic and we access Content 11g directly by the application itself, no portal, no JDev implementation.


    Thanks,

    Jay.
    requestaudit/6     03.26 20:45:12.784     IdcServer-110     GET_DOC_PAGE [Page=HOME_PAGE][dUser=anonymous][StatusCode=-20][StatusMessage=System needs login authentication credentials.] 0.0068870000541210175(secs)
    (internal)/6     03.26 20:45:12.877     IdcServer-111     staticDocSecurityFilter Binder Contents
    (internal)/6     03.26 20:45:12.877     IdcServer-111     - ActAsAnonymous = 1
    (internal)/6     03.26 20:45:12.877     IdcServer-111     - IdcService = GET_LOGIN_FORM
    (internal)/6     03.26 20:45:12.877     IdcServer-111     - dUser = anonymous
    requestaudit/6     03.26 20:45:12.890     IdcServer-111     GET_LOGIN_FORM [dUser=anonymous] 0.013907000422477722(secs)
    systemdatabase/6     03.26 20:45:16.960     WebDAVUnlocker     begin tran - soft
    systemdatabase/7     03.26 20:45:16.961     WebDAVUnlocker     assigning connection
    systemdatabase/6     03.26 20:45:16.961     WebDAVUnlocker     Reusing connection retrieved from external pool.
    systemdatabase/6     03.26 20:45:16.961     WebDAVUnlocker     !csMonitorActiveDbConnections,1
    systemdatabase/6     03.26 20:45:16.961     WebDAVUnlocker     Connection with last id of IdcServer-107([ACTIVE] ExecuteThread: '2' for queue: 'weblogic.kernel.Default (self-tuning)').95 is added to active connections with key of 'WebDAVUnlocker'.
    systemdatabase/6     03.26 20:45:16.961     WebDAVUnlocker     Assigned connection to this thread, took 0.47 ms. connect
    systemdatabase/6     03.26 20:45:16.961     WebDAVUnlocker     Preparing connection for use, id initialized as WebDAVUnlocker.95
    systemdatabase/7     03.26 20:45:16.961     WebDAVUnlocker     (start) SELECT * FROM WebdavLock WHERE lExpirationDate <= {ts '2013-03-26 20:45:16.961'}
    systemdatabase/6     03.26 20:45:16.964     WebDAVUnlocker     2.84 ms. SELECT * FROM WebdavLock WHERE lExpirationDate <= {ts '2013-03-26 20:45:16.961'}[Executed. Returned row(s): false]
    systemdatabase/6     03.26 20:45:16.965     WebDAVUnlocker     Closing active result set
    systemdatabase/6     03.26 20:45:16.965     WebDAVUnlocker     Closing statement in closing internals
    systemdatabase/6     03.26 20:45:16.965     WebDAVUnlocker     commit called.
    systemdatabase/6     03.26 20:45:16.966     WebDAVUnlocker     tran committed
    systemdatabase/6     03.26 20:45:16.966     WebDAVUnlocker     !csMonitorActiveDbConnections,0
    systemdatabase/6     03.26 20:45:16.966     WebDAVUnlocker     Connection with id of 'WebDAVUnlocker.95' is removed from active connections with key of 'WebDAVUnlocker'.
    systemdatabase/6     03.26 20:45:16.966     WebDAVUnlocker     release pool connection
    userstorage/6     03.26 20:45:22.616     IdcServer-122     At enter, user storage access count is 1
    userstorage/6     03.26 20:45:22.616     IdcServer-122     Retrieving user data (isLoadAttributes=true, credentialData is not null) for u-er-o-r
    userstorage/6     03.26 20:45:22.616     IdcServer-122     Debug dump of current call stack intradoc.data.DataException: Exception manufactured to capture current stack trace.
    userstorage/6     03.26 20:45:22.616     IdcServer-122     at intradoc.server.UserStorageImplementor.retrieveUserDatabaseProfileDataImplement(UserStorageImplementor.java:101)
    userstorage/6     03.26 20:45:22.616     IdcServer-122     at intradoc.server.UserStorage.retrieveUserDatabaseProfileDataEx(UserStorage.java:159)
    userstorage/6     03.26 20:45:22.616     IdcServer-122     at intradoc.server.UserStorageUtils.loadUserData(UserStorageUtils.java:88)
    ...
    userstorage/6     03.26 20:45:22.616     IdcServer-122     ... 35 more
    userstorage/7     03.26 20:45:22.621     IdcServer-122     Start user storage query for user u-er-o-r.
    userstorage/6     03.26 20:45:22.621     IdcServer-122     Created user object for user u-er-o-r
    userstorage/6     03.26 20:45:22.621     IdcServer-122     Finished user name determination, user=u-er-o-r, expired=false, isNewUser=true, hasAttributesLoaded=false, authtype=null
    systemdatabase/7     03.26 20:45:22.621     IdcServer-122     assigning connection
    systemdatabase/6     03.26 20:45:22.621     IdcServer-122     Reusing connection retrieved from external pool.
    systemdatabase/6     03.26 20:45:22.621     IdcServer-122     !csMonitorActiveDbConnections,1
    systemdatabase/6     03.26 20:45:22.621     IdcServer-122     Connection with last id of WebDAVUnlocker.95 is added to active connections with key of '[ACTIVE] ExecuteThread: '2' for queue: 'weblogic.kernel.Default (self-tuning)''.
    systemdatabase/6     03.26 20:45:22.621     IdcServer-122     Assigned connection to this thread, took 0.41 ms. connect
    systemdatabase/6     03.26 20:45:22.621     IdcServer-122     Preparing connection for use, id initialized as IdcServer-122([ACTIVE] ExecuteThread: '2' for queue: 'weblogic.kernel.Default (self-tuning)').95
    systemdatabase/7     03.26 20:45:22.622     IdcServer-122     (start) SELECT * FROM Users     WHERE LOWER(dName) = LOWER('u-er-o-r')
    systemdatabase/6     03.26 20:45:22.624     IdcServer-122     2.30 ms. SELECT * FROM Users     WHERE LOWER(dName) = LOWER('u-er-o-r')[Executed. Returned row(s): false]
    userstorage/6     03.26 20:45:22.624     IdcServer-122     Creating new entry for database (fromProvider=false) for u-er-o-r
    userstorage/7     03.26 20:45:22.624     IdcServer-122     Load attributes from database for u-er-o-r
    userstorage/6     03.26 20:45:22.624     IdcServer-122     Database->Roles=guest Accounts=#0023none for u-er-o-r
    userstorage/7     03.26 20:45:22.624     IdcServer-122     Check state of attributes (isLoadAttributes=true)
    userstorage/6     03.26 20:45:22.624     IdcServer-122     No attributes loaded for u-er-o-r
    userstorage/6     03.26 20:45:22.625     IdcServer-122     Updating shared cached copy for user u-er-o-r
    systemdatabase/6     03.26 20:45:22.625     IdcServer-122     Closing active result set
    systemdatabase/6     03.26 20:45:22.625     IdcServer-122     Closing statement in closing internals
    systemdatabase/7     03.26 20:45:22.625     IdcServer-122     (start) SELECT * FROM UserExtendedAttributes WHERE UPPER(dUserName)=UPPER('u-er-o-r')
    systemdatabase/6     03.26 20:45:22.627     IdcServer-122     1.86 ms. SELECT * FROM UserExtendedAttributes WHERE UPPER(dUserName)=UPPER('u-er-o-r')[Executed. Returned row(s): false]
    userstorage/6     03.26 20:45:22.627     IdcServer-122     UserTempCache updated with user data for u-er-o-r
    userstorage/6     03.26 20:45:22.627     IdcServer-122     Retrieved Roles=guest,authenticated Accounts=#0023none for u-er-o-r
    userstorage/7     03.26 20:45:22.627     IdcServer-122     Query of info required 6 milliseconds.
    userstorage/6     03.26 20:45:22.627     IdcServer-122     At exit, user storage access count is 0
    userstorage/6     03.26 20:45:22.627     IdcServer-122     Caller assigned Roles=guest,authenticated Accounts=#0023none for u-er-o-r
    userstorage/7     03.26 20:45:22.627     IdcServer-122     stoareUserDatabaseProfileData copyAll=false, doAdminFields=false, alwaysSave=false, userDataFromDb=false
    userstorage/6     03.26 20:45:22.627     IdcServer-122     Value changed for dUserAuthType, curVal=null, newVal=EXTERNAL
    userstorage/6     03.26 20:45:22.627     IdcServer-122     Value changed for dUserOrgPath, setting empty by default
    userstorage/6     03.26 20:45:22.628     IdcServer-122     Value changed for dUserSourceOrgPath, setting empty by default
    userstorage/6     03.26 20:45:22.628     IdcServer-122     Value changed for dUserSourceFlags, setting empty by default
    userstorage/6     03.26 20:45:22.628     IdcServer-122     Value changed for dUserType, setting empty by default
    userstorage/6     03.26 20:45:22.628     IdcServer-122     Value changed for dUserLocale, setting empty by default
    userstorage/6     03.26 20:45:22.628     IdcServer-122     Value changed for dUserTimeZone, setting empty by default
    userstorage/6     03.26 20:45:22.628     IdcServer-122     Value changed for dUserArriveDate, supplied current date as default
    userstorage/6     03.26 20:45:22.628     IdcServer-122     Doing update hasChanged=true, copyAll=false, alwaysSave=false, userDataFromDb=false
    systemdatabase/6     03.26 20:45:22.628     IdcServer-122     Closing active result set
    systemdatabase/6     03.26 20:45:22.628     IdcServer-122     Closing statement in closing internals
    systemdatabase/7     03.26 20:45:22.628     IdcServer-122     (start) SELECT * FROM Users     WHERE LOWER(dName) = LOWER('u-er-o-r')
    systemdatabase/6     03.26 20:45:22.630     IdcServer-122     1.95 ms. SELECT * FROM Users     WHERE LOWER(dName) = LOWER('u-er-o-r')[Executed. Returned row(s): false]
    userstorage/6     03.26 20:45:22.630     IdcServer-122     Inserting database user entry for u-er-o-r
    systemdatabase/6     03.26 20:45:22.630     IdcServer-122     Closing active result set
    systemdatabase/6     03.26 20:45:22.630     IdcServer-122     Closing statement in closing internals
    systemdatabase/7     03.26 20:45:22.630     IdcServer-122     (start) insert into Users (dName, dPassword, dPasswordEncoding, dUserAuthType, dUserOrgPath, dUserSourceOrgPath, dUserSourceFlags, dUserArriveDate, dUserChangeDate, dFullName, dEmail, dUserType, dUserLocale, dUserTimeZone) values('u-er-o-r', '*', 'SHA1-CB', 'EXTERNAL', '', '', 0, {ts '2013-03-26 20:45:22.628'}, {ts '2013-03-26 20:45:22.628'}, '', '', '', '', '')
    systemdatabase/6     03.26 20:45:22.637     IdcServer-122     6.36 ms. insert into Users (dName, dPassword, dPasswordEncoding, dUserAuthType, dUserOrgPath, dUserSourceOrgPath, dUserSourceFlags, dUserArriveDate, dUserChangeDate, dFullName, dEmail, dUserType, dUserLocale, dUserTimeZone) values('u-er-o-r', '*', 'SHA1-CB', 'EXTERNAL', '', '', 0, {ts '2013-03-26 20:45:22.628'}, {ts '2013-03-26 20:45:22.628'}, '', '', '', '', '')[Executed. 1 row(s) affected.]
    (internal)/6     03.26 20:45:22.637     IdcServer-122     staticDocSecurityFilter Binder Contents
    (internal)/6     03.26 20:45:22.637     IdcServer-122     - Action = GetTemplatePage
    (internal)/6     03.26 20:45:22.637     IdcServer-122     - IdcService = GET_DOC_PAGE
    (internal)/6     03.26 20:45:22.637     IdcServer-122     - dUser = u-er-o-r
    (internal)/6     03.26 20:45:22.637     IdcServer-122     - Page = HOME_PAGE
    services/3     03.26 20:45:22.638     IdcServer-122     !csUserEventMessage,u-er-o-r,erdocuat.cn.ca!$ intradoc.common.ServiceException: !csUserInsufficientAccess,u-er-o-r
    services/3     03.26 20:45:22.638     IdcServer-122     at intradoc.server.ServiceRequestImplementor.buildServiceException(ServiceRequestImplementor.java:2115)
    services/3     03.26 20:45:22.638     IdcServer-122     at intradoc.server.Service.buildServiceException(Service.java:2260)
    ...
    services/3     03.26 20:45:22.638     IdcServer-122     ... 35 more
    systemdatabase/6     03.26 20:45:22.687     IdcServer-122     !csMonitorActiveDbConnections,0
    systemdatabase/6     03.26 20:45:22.687     IdcServer-122     Connection with id of 'IdcServer-122([ACTIVE] ExecuteThread: '2' for queue: 'weblogic.kernel.Default (self-tuning)').95' is removed from active connections with key of '[ACTIVE] ExecuteThread: '2' for queue: 'weblogic.kernel.Default (self-tuning)''.
    systemdatabase/6     03.26 20:45:22.687     IdcServer-122     release pool connection
    requestaudit/6     03.26 20:45:22.687     IdcServer-122     GET_DOC_PAGE [Page=HOME_PAGE][dUser=u-er-o-r][StatusCode=-18][StatusMessage=User 'u-er-o-r' does not have sufficient privileges.] 0.07295800000429153(secs)
    userstorage/6     03.26 20:45:22.789     IdcServer-123     At enter, user storage access count is 1
    userstorage/6     03.26 20:45:22.789     IdcServer-123     Retrieving user data (isLoadAttributes=true, credentialData is not null) for u-er-o-r
    userstorage/6     03.26 20:45:22.789     IdcServer-123     Debug dump of current call stack intradoc.data.DataException: Exception manufactured to capture current stack trace.
    userstorage/6     03.26 20:45:22.789     IdcServer-123     at intradoc.server.UserStorageImplementor.retrieveUserDatabaseProfileDataImplement(UserStorageImplementor.java:101)
    userstorage/6     03.26 20:45:22.789     IdcServer-123     at intradoc.server.UserStorage.retrieveUserDatabaseProfileDataEx(UserStorage.java:159)
    ...
    userstorage/6     03.26 20:45:22.789     IdcServer-123     ... 35 more
    userstorage/7     03.26 20:45:22.790     IdcServer-123     Start user storage query for user u-er-o-r.
    userstorage/6     03.26 20:45:22.790     IdcServer-123     Created user object for user u-er-o-r
    userstorage/6     03.26 20:45:22.790     IdcServer-123     Finished user name determination, user=u-er-o-r, expired=false, isNewUser=true, hasAttributesLoaded=false, authtype=null
    systemdatabase/7     03.26 20:45:22.790     IdcServer-123     assigning connection
    systemdatabase/6     03.26 20:45:22.791     IdcServer-123     Reusing connection retrieved from external pool.
    systemdatabase/6     03.26 20:45:22.791     IdcServer-123     !csMonitorActiveDbConnections,1
    systemdatabase/6     03.26 20:45:22.791     IdcServer-123     Connection with last id of IdcServer-122([ACTIVE] ExecuteThread: '2' for queue: 'weblogic.kernel.Default (self-tuning)').95 is added to active connections with key of '[ACTIVE] ExecuteThread: '2' for queue: 'weblogic.kernel.Default (self-tuning)''.
    systemdatabase/6     03.26 20:45:22.791     IdcServer-123     Assigned connection to this thread, took 0.31 ms. connect
    systemdatabase/6     03.26 20:45:22.791     IdcServer-123     Preparing connection for use, id initialized as IdcServer-123([ACTIVE] ExecuteThread: '2' for queue: 'weblogic.kernel.Default (self-tuning)').95
    systemdatabase/7     03.26 20:45:22.791     IdcServer-123     (start) SELECT * FROM Users     WHERE LOWER(dName) = LOWER('u-er-o-r')
    systemdatabase/6     03.26 20:45:22.794     IdcServer-123     2.77 ms. SELECT * FROM Users     WHERE LOWER(dName) = LOWER('u-er-o-r')[Executed. Returned row(s): true]
    userstorage/6     03.26 20:45:22.794     IdcServer-123     Loaded record from database for u-er-o-r
    userstorage/6     03.26 20:45:22.794     IdcServer-123     Retrieving attributes (type=EXTERNAL) for u-er-o-r
    userstorage/6     03.26 20:45:22.794     IdcServer-123     User not found in default/preferred provider
    userstorage/6     03.26 20:45:22.794     IdcServer-123     Adding JpsUserProvider
    userstorage/6     03.26 20:45:22.794     IdcServer-123     Returning 1 results
    userstorage/7     03.26 20:45:22.794     IdcServer-123     Checking UserProvider JpsUserProvider
    jps/6     03.26 20:45:22.795     IdcServer-123     authenticateUser: false
    jps/6     03.26 20:45:22.795     IdcServer-123     User is new to this provider.
    jps/6     03.26 20:45:22.795     IdcServer-123     Begin search for user
    jps/6     03.26 20:45:22.795     IdcServer-123     IdStore: oracle.security.idm.providers.ad.ADIdentityStore@6d936d93
    jps/6     03.26 20:45:22.795     IdcServer-123     Search Filter: (samaccountname=u-er-o-r)
    jps/6     03.26 20:45:23.021     IdcServer-123     Search Response: oracle.security.idm.providers.stdldap.LDSearchResponse@3e863e86
    jps/6     03.26 20:45:23.022     IdcServer-123     Loading extended info for oracle.security.idm.providers.ad.ADUser@7644f3e3
    jps/6     03.26 20:45:23.260     IdcServer-123     Mapping attributes using map: 'BUSINESS_EMAIL:dEmail;DISPLAY_NAME:dFullName;EMPLOYEE_TYPE:dUserType'
    jps/6     03.26 20:45:23.260     IdcServer-123     Looking for : 'BUSINESS_EMAIL'
    jps/6     03.26 20:45:23.260     IdcServer-123     setting: 'dEmail' = ''
    jps/6     03.26 20:45:23.260     IdcServer-123     Looking for : 'DISPLAY_NAME'
    jps/6     03.26 20:45:23.260     IdcServer-123     Getting values
    jps/6     03.26 20:45:23.260     IdcServer-123     Found value: 'u-er-o-r'
    jps/6     03.26 20:45:23.261     IdcServer-123     setting: 'dFullName' = 'u-er-o-r'
    jps/6     03.26 20:45:23.261     IdcServer-123     Looking for : 'EMPLOYEE_TYPE'
    jps/6     03.26 20:45:23.261     IdcServer-123     setting: 'dUserType' = ''
    jps/6     03.26 20:45:23.261     IdcServer-123     Loading Attributes for user u-er-o-r
    jps/6     03.26 20:45:23.261     IdcServer-123     Loading security information for u-er-o-r
    jps/6     03.26 20:45:23.490     IdcServer-123     UseFullGroupName false
    jps/6     03.26 20:45:23.490     IdcServer-123     UseGroupFilter false
    jps/6     03.26 20:45:23.491     IdcServer-123     Checking RoleManager.
    jps/6     03.26 20:45:23.491     IdcServer-123     Found roles.
    jps/6     03.26 20:45:23.491     IdcServer-123     Add role: Stellent-ERDOCUAT-ER-Officer_R
    jps/6     03.26 20:45:23.494     IdcServer-123     Found roles.
    jps/6     03.26 20:45:23.495     IdcServer-123     Add role: Stellent-ERDOCDEV-ER-Officer_R
    jps/6     03.26 20:45:23.498     IdcServer-123     Found roles.
    jps/6     03.26 20:45:23.498     IdcServer-123     Add role: Generic Accounts
    jps/6     03.26 20:45:23.505     IdcServer-123     Found roles.
    jps/6     03.26 20:45:23.506     IdcServer-123     Add role: SRA-Users_Deny
    jps/6     03.26 20:45:23.727     IdcServer-123     Closing search response.
    jps/6     03.26 20:45:23.727     IdcServer-123     Adding default network account '#0023none" to u-er-o-r
    jps/6     03.26 20:45:23.727     IdcServer-123     Adding default network role 'guest" to u-er-o-r
    userstorage/6     03.26 20:45:23.727     IdcServer-123     Setting dUserSourceOrgPath to jpsuser
    userstorage/7     03.26 20:45:23.727     IdcServer-123     Checked credentials (isLoadAttributes=true) for u-er-o-r
    userstorage/7     03.26 20:45:23.727     IdcServer-123     Provider->Roles=ER_Officer_R Accounts= for u-er-o-r
    userstorage/7     03.26 20:45:23.728     IdcServer-123     Check state of attributes (isLoadAttributes=true)
    userstorage/7     03.26 20:45:23.728     IdcServer-123     Check that user attributes are fully loaded.
    userstorage/7     03.26 20:45:23.728     IdcServer-123     User attributes are fully loaded.
    userstorage/6     03.26 20:45:23.728     IdcServer-123     Updating shared cached copy for user u-er-o-r
    systemdatabase/6     03.26 20:45:23.728     IdcServer-123     Closing active result set
    systemdatabase/6     03.26 20:45:23.728     IdcServer-123     Closing statement in closing internals
    systemdatabase/7     03.26 20:45:23.728     IdcServer-123     (start) SELECT * FROM UserExtendedAttributes WHERE UPPER(dUserName)=UPPER('u-er-o-r')
    systemdatabase/6     03.26 20:45:23.730     IdcServer-123     2.20 ms. SELECT * FROM UserExtendedAttributes WHERE UPPER(dUserName)=UPPER('u-er-o-r')[Executed. Returned row(s): false]
    userstorage/6     03.26 20:45:23.731     IdcServer-123     UserTempCache updated with user data for u-er-o-r
    userstorage/6     03.26 20:45:23.731     IdcServer-123     Retrieved Roles=ER_Officer_R,authenticated Accounts= for u-er-o-r
    userstorage/7     03.26 20:45:23.731     IdcServer-123     Query of info, provider required 941 milliseconds.
    userstorage/6     03.26 20:45:23.731     IdcServer-123     At exit, user storage access count is 0
    userstorage/6     03.26 20:45:23.731     IdcServer-123     Caller assigned Roles=ER_Officer_R,authenticated Accounts= for u-er-o-r
    userstorage/7     03.26 20:45:23.733     IdcServer-123     stoareUserDatabaseProfileData copyAll=false, doAdminFields=false, alwaysSave=false, userDataFromDb=true
    userstorage/6     03.26 20:45:23.733     IdcServer-123     Value changed for dFullName, curVal=, newVal=u-er-o-r
    userstorage/6     03.26 20:45:23.733     IdcServer-123     Value changed for dUserLocale, curVal=, newVal=English-US
    userstorage/6     03.26 20:45:23.733     IdcServer-123     Doing update hasChanged=true, copyAll=false, alwaysSave=false, userDataFromDb=true
    systemdatabase/6     03.26 20:45:23.733     IdcServer-123     Closing active result set
    systemdatabase/6     03.26 20:45:23.733     IdcServer-123     Closing statement in closing internals
    systemdatabase/7     03.26 20:45:23.733     IdcServer-123     (start) SELECT * FROM Users     WHERE LOWER(dName) = LOWER('u-er-o-r')
    systemdatabase/6     03.26 20:45:23.736     IdcServer-123     2.66 ms. SELECT * FROM Users     WHERE LOWER(dName) = LOWER('u-er-o-r')[Executed. Returned row(s): true]
    userstorage/6     03.26 20:45:23.736     IdcServer-123     Updating database user entry for u-er-o-r
    systemdatabase/6     03.26 20:45:23.736     IdcServer-123     Closing active result set
    systemdatabase/6     03.26 20:45:23.737     IdcServer-123     Closing statement in closing internals
    systemdatabase/7     03.26 20:45:23.737     IdcServer-123     (start) UPDATE/*+ INDEX (Users PK_Users)*/ Users SET dPassword='*', dPasswordEncoding='SHA1-CB', dUserAuthType='EXTERNAL', dUserOrgPath='', dUserSourceOrgPath='', dUserSourceFlags=0, dUserArriveDate={ts '2013-03-26 20:45:22.628'}, dUserChangeDate={ts '2013-03-26 20:45:23.733'}, dFullName = 'u-er-o-r', dEmail = '', dUserType = '', dUserLocale = 'English-US', dUserTimeZone = '' WHERE dName = 'u-er-o-r'
    systemdatabase/6     03.26 20:45:23.743     IdcServer-123     5.59 ms. UPDATE/*+ INDEX (Users PK_Users)*/ Users SET dPassword='*', dPasswordEncoding='SHA1-CB', dUserAuthType='EXTERNAL', dUserOrgPath='', dUserSourceOrgPath='', dUserSourceFlags=0, dUserArriveDate={ts '2013-03-26 20:45:22.628'}, dUserChangeDate={ts '2013-03-26 20:45:23.733'}, dFullName = 'u-er-o-r', dEmail = '', dUserType = '', dUserLocale = 'English-US', dUserTimeZone = '' WHERE dName = 'u-er-o-r'[Executed. 1 row(s) affected.]
    (internal)/6     03.26 20:45:23.743     IdcServer-123     staticDocSecurityFilter Binder Contents
    (internal)/6     03.26 20:45:23.743     IdcServer-123     - cacheKey = 4D819881B0254DA6DB717E3C4E112BD4
    (internal)/6     03.26 20:45:23.743     IdcServer-123     - IdcService = GET_PERSONALIZED_JAVASCRIPT
    (internal)/6     03.26 20:45:23.743     IdcServer-123     - lang = en
    (internal)/6     03.26 20:45:23.743     IdcServer-123     - dUser = u-er-o-r
    systemdatabase/6     03.26 20:45:23.744     IdcServer-123     !csMonitorActiveDbConnections,0
    systemdatabase/6     03.26 20:45:23.745     IdcServer-123     Connection with id of 'IdcServer-123([ACTIVE] ExecuteThread: '2' for queue: 'weblogic.kernel.Default (self-tuning)').95' is removed from active connections with key of '[ACTIVE] ExecuteThread: '2' for queue: 'weblogic.kernel.Default (self-tuning)''.
    systemdatabase/6     03.26 20:45:23.745     IdcServer-123     release pool connection
    requestaudit/6     03.26 20:45:23.772     IdcServer-123     GET_PERSONALIZED_JAVASCRIPT [dUser=u-er-o-r] 0.9855459928512573(secs)
    userstorage/6     03.26 20:45:27.555     IdcServer-125     At enter, user storage access count is 1
    userstorage/6     03.26 20:45:27.555     IdcServer-125     Retrieving user data (isLoadAttributes=true, credentialData is not null) for u-er-o-r
    userstorage/6     03.26 20:45:27.555     IdcServer-125     Debug dump of current call stack intradoc.data.DataException: Exception manufactured to capture current stack trace.
    userstorage/6     03.26 20:45:27.555     IdcServer-125     at intradoc.server.UserStorageImplementor.retrieveUserDatabaseProfileDataImplement(UserStorageImplementor.java:101)
    userstorage/6     03.26 20:45:27.555     IdcServer-125     at intradoc.server.UserStorage.retrieveUserDatabaseProfileDataEx(UserStorage.java:159)
    ...
    userstorage/6     03.26 20:45:27.555     IdcServer-125     ... 35 more
    userstorage/7     03.26 20:45:27.557     IdcServer-125     Start user storage query for user u-er-o-r.
    userstorage/6     03.26 20:45:27.557     IdcServer-125     Finished user name determination, user=u-er-o-r, expired=false, isNewUser=false, hasAttributesLoaded=true, authtype=EXTERNAL
    userstorage/7     03.26 20:45:27.557     IdcServer-125     Check state of attributes (isLoadAttributes=true)
    userstorage/7     03.26 20:45:27.557     IdcServer-125     Check that user attributes are fully loaded.
    userstorage/7     03.26 20:45:27.557     IdcServer-125     User attributes are fully loaded.
    userstorage/6     03.26 20:45:27.557     IdcServer-125     Retrieved Roles=ER_Officer_R,authenticated Accounts= for u-er-o-r
    userstorage/7     03.26 20:45:27.557     IdcServer-125     Query of cache required 0 milliseconds.
    userstorage/6     03.26 20:45:27.557     IdcServer-125     At exit, user storage access count is 0
    userstorage/6     03.26 20:45:27.557     IdcServer-125     Caller assigned Roles=ER_Officer_R,authenticated Accounts= for u-er-o-r
    userstorage/7     03.26 20:45:27.557     IdcServer-125     stoareUserDatabaseProfileData copyAll=false, doAdminFields=false, alwaysSave=false, userDataFromDb=true
    (internal)/6     03.26 20:45:27.557     IdcServer-125     staticDocSecurityFilter Binder Contents
    (internal)/6     03.26 20:45:27.557     IdcServer-125     - Action = GetTemplatePage
    (internal)/6     03.26 20:45:27.557     IdcServer-125     - IdcService = GET_DOC_PAGE
    (internal)/6     03.26 20:45:27.557     IdcServer-125     - dUser = u-er-o-r
    (internal)/6     03.26 20:45:27.557     IdcServer-125     - Page = HOME_PAGE
    requestaudit/6     03.26 20:45:27.586     IdcServer-125     GET_DOC_PAGE [Page=HOME_PAGE][dUser=u-er-o-r] 0.032072000205516815(secs)
    userstorage/6     03.26 20:45:27.682     IdcServer-131     At enter, user storage access count is 1
    userstorage/6     03.26 20:45:27.682     IdcServer-131     Retrieving user data (isLoadAttributes=true, credentialData is not null) for u-er-o-r
    userstorage/6     03.26 20:45:27.682     IdcServer-131     Debug dump of current call stack intradoc.data.DataException: Exception manufactured to capture current stack trace.
    userstorage/6     03.26 20:45:27.682     IdcServer-131     at intradoc.server.UserStorageImplementor.retrieveUserDatabaseProfileDataImplement(UserStorageImplementor.java:101)
    userstorage/6     03.26 20:45:27.682     IdcServer-131     at intradoc.server.UserStorage.retrieveUserDatabaseProfileDataEx(UserStorage.java:159)
    ...
    userstorage/6     03.26 20:45:27.682     IdcServer-131     ... 35 more
    userstorage/7     03.26 20:45:27.683     IdcServer-131     Start user storage query for user u-er-o-r.
    userstorage/6     03.26 20:45:27.683     IdcServer-131     Finished user name determination, user=u-er-o-r, expired=false, isNewUser=false, hasAttributesLoaded=true, authtype=EXTERNAL
    userstorage/7     03.26 20:45:27.683     IdcServer-131     Check state of attributes (isLoadAttributes=true)
    userstorage/7     03.26 20:45:27.683     IdcServer-131     Check that user attributes are fully loaded.
    userstorage/7     03.26 20:45:27.683     IdcServer-131     User attributes are fully loaded.
    userstorage/6     03.26 20:45:27.684     IdcServer-131     Retrieved Roles=ER_Officer_R,authenticated Accounts= for u-er-o-r
    userstorage/7     03.26 20:45:27.684     IdcServer-131     Query of cache required 1 milliseconds.
    userstorage/6     03.26 20:45:27.684     IdcServer-131     At exit, user storage access count is 0
    userstorage/6     03.26 20:45:27.684     IdcServer-131     Caller assigned Roles=ER_Officer_R,authenticated Accounts= for u-er-o-r
    userstorage/7     03.26 20:45:27.684     IdcServer-131     stoareUserDatabaseProfileData copyAll=false, doAdminFields=false, alwaysSave=false, userDataFromDb=true
    (internal)/6     03.26 20:45:27.684     IdcServer-131     staticDocSecurityFilter Binder Contents
    (internal)/6     03.26 20:45:27.684     IdcServer-131     - cacheKey = 4D819881B0254DA6DB717E3C4E112BD4
    (internal)/6     03.26 20:45:27.684     IdcServer-131     - IdcService = GET_PERSONALIZED_JAVASCRIPT
    (internal)/6     03.26 20:45:27.684     IdcServer-131     - lang = en
    (internal)/6     03.26 20:45:27.684     IdcServer-131     - dUser = u-er-o-r
    requestaudit/6     03.26 20:45:27.710     IdcServer-131     GET_PERSONALIZED_JAVASCRIPT [dUser=u-er-o-r] 0.029405999928712845(secs)
    (internal)/6     03.26 20:45:31.457     IdcServer-142     staticDocSecurityFilter Binder Contents
    (internal)/6     03.26 20:45:31.457     IdcServer-142     - Logout = 1
    (internal)/6     03.26 20:45:31.457     IdcServer-142     - IdcService = LOGOUT
    (internal)/6     03.26 20:45:31.457     IdcServer-142     - dUser = anonymous
  • 7. Re: External User roles are not retrieved the first time only
    Srinath Menon Guru
    Hi Jay,

    jps/6     03.26 20:45:22.795     IdcServer-123     Search Filter: (samaccountname=u-er-o-r)
    On WLS, can you please check what the Security provider setting is?

    Please post the following details from WLS Console - Security - myrealms - Providers - AD Provider - Provider Specific :

    User Base DN:

    User From Name Filter:

    User Name Attribute:

    User Object Class:

    Group Base DN:

    Group From Name Filter:

    Static Group Name Attribute:

    Static Group Object Class:

    Static Member DN Attribute:

    Static Group DNs from Member DN Filter:

    GUID Attribute:

    Apart from that, can you test this after applying the latest PS4 Opatch?

    Link for the patch is: https://support.oracle.com/epmos/faces/PatchDetail?patchId=16341013

    Password to access it is: YfiIzNmn

    Let me know the results post patching.

    Thanks,
    Srinath
  • 8. Re: External User roles are not retrieved the first time only
    Jerome.Dubois Newbie
    Hi Srinath,


    Here's the information you asked for:

    User Base DN: OU=Users,OU=Production,DC=CN,DC=CA
    User From Name Filter: (&(sAMAccountName=%u)(objectclass=user))
    User Name Attribute: sAMAccountName
    User Object Class: user
    Group Base DN: OU=Application Groups,OU=Production,DC=CN,DC=CA
    Group From Name Filter: (&(cn=Stellent-ERDOC*)(objectclass=group))
    Static Group Name Attribute: cn
    Static Group Object Class: group
    Static Member DN Attribute: member
    Static Group DNs from Member DN Filter: (&(member=%M)(objectclass=group))
    GUID Attribute: objectguid

    And about the patch you suggested, well, it won't be possible because of the timing with our go-live date... :(



    Thanks,

    Jay.
  • 9. Re: External User roles are not retrieved the first time only
    Srinath Menon Guru
    Hi Jay,

    I am trying to see if the same could be replicated in an in-house test environment. Honestly, I have not seen this kind of scenario till now.

    Will keep you posted with details.

    In the meantime, can you post the exact version details of the WCC server from Administration - Configuration Information - Version? Copy the entire version tag and update the post.

    Thanks,
    Srinath

    Edited by: Srinath Menon on Apr 1, 2013 8:25 AM

    Edited by: Srinath Menon on Apr 1, 2013 10:26 AM
  • 10. Re: External User roles are not retrieved the first time only
    Srinath Menon Guru
    Hi Jay,

    Tested this whole setup with AD, using the same provider settings which have been provided in the previous post, but logging in with an AD user is not showing the permissions-related issue.

    Here are the settings for the provider:

    User Base DN: OU=Users,OU=oracle,OU=com,DC=ecm2008,DC=idc,DC=oracle,DC=com
    User From Name Filter: (&(sAMAccountName=%u)(objectclass=user))
    User Name Attribute: sAMAccountName
    User Object Class: user
    Group Base DN: OU=Groups,OU=oracle,OU=com,DC=ecm2008,DC=idc,DC=oracle,DC=com
    Group From Name Filter: (&(cn=Stellent-ERDOC*)(objectclass=group))
    Static Group Name Attribute: cn
    Static Group Object Class: group
    Static Member DN Attribute: member
    Static Group DNs from Member DN Filter: (&(member=%M)(objectclass=group))
    GUID Attribute: objectguid

    With this setup, created a new group Stellent-ERDOC on AD, then 2 more groups, grp1 and grp2, were created, which were then added to Stellent-ERDOC.

    Created 2 new users, user1 and user2, and assigned user1 to grp1 and user2 to grp2.

    Logged in with user1 and the home page showed up without any permissions issue. Checked the profile page and there grp1 and Stellent-ERDOC show up correctly.

    Version of WCC server is: 11gR1-11.1.1.5.0-idcprod1-121129T072216 (Build:7.3.2.182)

    AD 2008 used for creation of users and groups.

    Is there any difference between your test case and the one provided here?

    Thanks,
    Srinath

    Edited by: Srinath Menon on Apr 1, 2013 10:26 AM
  • 11. Re: External User roles are not retrieved the first time only
    Srinath Menon Guru
    Hi ,


    From your test logging:
    systemdatabase/6     03.26 20:45:22.637     IdcServer-122     6.36 ms. insert into Users (dName, dPassword, dPasswordEncoding, dUserAuthType, dUserOrgPath, dUserSourceOrgPath, dUserSourceFlags, dUserArriveDate, dUserChangeDate, dFullName, dEmail, dUserType, dUserLocale, dUserTimeZone) values('u-er-o-r', '*', 'SHA1-CB', 'EXTERNAL', '', '', 0, {ts '2013-03-26 20:45:22.628'}, {ts '2013-03-26 20:45:22.628'}, '', '', '', '', '')[Executed. 1 row(s) affected.]
    (internal)/6     03.26 20:45:22.637     IdcServer-122     staticDocSecurityFilter Binder Contents
    (internal)/6     03.26 20:45:22.637     IdcServer-122     - Action = GetTemplatePage
    (internal)/6     03.26 20:45:22.637     IdcServer-122     - IdcService = GET_DOC_PAGE
    (internal)/6     03.26 20:45:22.637     IdcServer-122     - dUser = u-er-o-r
    (internal)/6     03.26 20:45:22.637     IdcServer-122     - Page = HOME_PAGE
    services/3     03.26 20:45:22.638     IdcServer-122     !csUserEventMessage,u-er-o-r,erdocuat.cn.ca!$ intradoc.common.ServiceException: !csUserInsufficientAccess,u-er-o-r
    From my test logging:
    systemdatabase/6     04.01 10:06:09.458     IdcServer-222     1.02 ms. insert into Users (dName, dPassword, dPasswordEncoding, dUserAuthType, dUserOrgPath, dUserSourceOrgPath, dUserSourceFlags, dUserArriveDate, dUserChangeDate, dFullName, dEmail, dUserType, dUserLocale, dUserTimeZone, uSupplementalMarkings, uClassifiedMarkings, RmaAlternateReviewer, uWorkspaceType, uWorkspaceLocation, uWorkspaceParameters, uRmaShareFavorites, uCategoryScreeningFields, uFolderScreeningFields, uRetStepsScreeningFields, uTaskpanelHomePageRemove) values('subuser2', '*', 'SHA1-CB', 'EXTERNAL', '', '', 0, {ts '2013-04-01 10:06:09.456'}, {ts '2013-04-01 10:06:09.456'}, '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '')[Executed. 1 row(s) affected.]
    systemdatabase/6     04.01 10:06:09.458     IdcServer-222     begin tran - soft (default forced by beginTranEx())
    systemdatabase/7     04.01 10:06:09.458     IdcServer-222     (start) DELETE/*+ INDEX (UserSecurityAttributes PK_UserSecurityAttributes)*/ FROM UserSecurityAttributes where dUserName='subuser2'
    systemdatabase/6     04.01 10:06:09.459     IdcServer-222     0.31 ms. DELETE/*+ INDEX (UserSecurityAttributes PK_UserSecurityAttributes)*/ FROM UserSecurityAttributes where dUserName='subuser2'[Executed. 0 row(s) affected.]
    systemdatabase/7     04.01 10:06:09.459     IdcServer-222     (start) INSERT INTO UserSecurityAttributes
    systemdatabase/7     04.01 10:06:09.459     IdcServer-222               (dUserName, dAttributeName, dAttributeType, dAttributePrivilege)
    systemdatabase/7     04.01 10:06:09.459     IdcServer-222               values('subuser2', '#0023none', 'account', 15)
    ...
    requestaudit/6     04.01 10:06:09.469     IdcServer-222     LOGIN [Page=HOME_PAGE][dUser=subuser2][StatusMessage=You are logged in as 'subuser2'.] 0.01859400048851967(secs)
    If you observe the difference in the two logs: after the insert to the Users table, in your case it is trying to call a security filter and then shows the insufficient access error message, whereas in the other log it proceeds to insert the user in the UserSecurityAttributes table (this can be skipped, I think) and then proceeds with the successful login.


    This, I believe, is because of the difference in some settings related to the JPS Provider on WCC.

    Can you please send screenshots of the following 2 configuration pages to my mail?

    1. AD Provider - Provider Specific (full page)

    2. WCC - Administration - Providers - JPS Provider - Edit (Full page)

    It looks to be something in the server / configuration / provider setup that is causing this issue.

    Maybe an issue that could have been resolved with one of the later patches as well.

    Thanks,
    Srinath

    Edited by: Srinath Menon on Apr 1, 2013 10:39 AM
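
    The log comparison in the post above can be run over a whole trace file. The following is an added example, not part of the thread and not Oracle tooling: it flags requests where a new external user row is inserted into Users and the same thread then raises csUserInsufficientAccess before any UserSecurityAttributes insert. The function name, regexes and abridged sample lines are assumptions built from the trace lines quoted in this thread.

```python
import re

# Constructed sample: trace lines abridged from the two logs quoted in the thread
# (column lists shortened; the second request ends in a normal LOGIN).
SAMPLE = """\
systemdatabase/6     03.26 20:45:22.637     IdcServer-122     6.36 ms. insert into Users (dName, dPassword) values('u-er-o-r', '*')[Executed. 1 row(s) affected.]
(internal)/6     03.26 20:45:22.637     IdcServer-122     - IdcService = GET_DOC_PAGE
services/3     03.26 20:45:22.638     IdcServer-122     !csUserEventMessage,u-er-o-r,erdocuat.cn.ca!$ intradoc.common.ServiceException: !csUserInsufficientAccess,u-er-o-r
systemdatabase/6     04.01 10:06:09.458     IdcServer-222     1.02 ms. insert into Users (dName, dPassword) values('subuser2', '*')[Executed. 1 row(s) affected.]
systemdatabase/7     04.01 10:06:09.459     IdcServer-222     (start) INSERT INTO UserSecurityAttributes
requestaudit/6     04.01 10:06:09.469     IdcServer-222     LOGIN [Page=HOME_PAGE][dUser=subuser2] 0.018(secs)
"""

# Fields: section/level, timestamp, thread, message, separated by runs of 2+ spaces.
LINE = re.compile(
    r"^\s*(\S+)/\d+\s{2,}(\d\d\.\d\d \d\d:\d\d:\d\d\.\d{3})\s{2,}(\S+)\s{2,}(.*)$")
NEW_USER = re.compile(r"insert into Users \(.*?values\('([^']+)'")
DENIED = re.compile(r"!csUserInsufficientAccess,([^!\s]+)")


def first_login_denials(log_text):
    """Return (timestamp, thread, user) for each access denial raised on the
    thread that has just created the user row, before attributes were stored."""
    pending = {}    # thread name -> user whose Users row was just inserted
    findings = []
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue    # stack-trace continuation lines, "...", blank lines
        section, ts, thread, msg = m.groups()
        created = NEW_USER.search(msg)
        if created:
            pending[thread] = created.group(1)
        elif thread in pending:
            denied = DENIED.search(msg)
            if "INSERT INTO UserSecurityAttributes" in msg or section == "requestaudit":
                del pending[thread]     # attributes stored, or request finished
            elif denied and denied.group(1) == pending[thread]:
                findings.append((ts, thread, denied.group(1)))
                del pending[thread]
    return findings


if __name__ == "__main__":
    for ts, thread, user in first_login_denials(SAMPLE):
        print(f"{ts} {thread}: first-login denial for {user}")
```

    Matching is per IdcServer thread, so interleaved requests from other users do not produce false hits.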
  • 12. Re: External User roles are not retrieved the first time only
    Srinath Menon Guru
    Hi ,

    One more question -

    Are you going through http://hostname:port/cs and then logging in? Or is it using the following custom login or something like this:

    http://hostname:port/cs/idcplg?IdcService=GET_DOC_PAGE&Action=GetTemplatePage&Page=HOME_PAGE&Auth=Internet

    From the logs it is calling the GET_DOC_PAGE service, whereas if it was the former way then it would show IdcService as Login. I believe you have a custom login form which is directly launching the Home page.

    Thanks,
    Srinath
  • 13. Re: External User roles are not retrieved the first time only
    Jerome.Dubois Newbie
    Hi Srinath,


    As requested, here's the version of WCC: 11gR1-11.1.1.5.0-idcprod1-110413T184243 (Build:7.3.2.182)

    From what I can see, your test case seems very loyal to the situation we have.

    Yes, the user accesses the application by the URL http://hostname:port/cs, where he is invited to log on. After that, after a successful authentication, the user is redirected to http://hostname:port/cs/idcplg?IdcService=GET_DOC_PAGE&Action=GetTemplatePage&Page=HOME_PAGE&Auth=Internet, where the error "no privileges" is displayed when the user logs in for the first time. If he refreshes that same page, he is now able to access the system as normal.


    And by the way, thanks for your help. It's really appreciated.

    Jay.
  • 14. Re: External User roles are not retrieved the first time only
    Srinath Menon Guru
    Hi Jay,

    After going through the screenshots and details, I don't see any difference in terms of setup for AD.

    My suggestion would still be to install the latest PS4 Opatch on this environment and then test, so that if there were any issues, those fixes would be applied.

    Thanks,
    Srinath
