Unknown User Principal found: authenticated-role

OBIEE: 12.2.1.3.0 (Build BIPS-20170820114118 64-bit)
OS: Linux 3.10.0-862.11.6.el7.x86_64 #1 SMP x86_64 x86_64 x86_64 GNU/Linux (i.e. RHEL 7)
Out-of-place upgrade from 11.1.1.7.180417
I can log in directly to OBIEE at http://server.com:9502/analytics
However, as I'm now behind an F5 and all the attendant VIPs and Pools, I get OBIEE's equivalent of the blue screen of death:
"You are not currently signed in to the Oracle BI Server..."
In the bi_server1.log I can see my username and various groups returned from my BISQLGroupProvider. I can see 2 header values that are set as irules in the F5/Pool thingy coming through correctly as well. I've determined that the system recognizes me, but the "error" persists.
Stepping over to bi_server1.out I found my errors referenced in the subject line:
<Nov 8, 2018 1:56:09,526 PM EST> <Warning> <oracle.bi.tech.model.ModelProvider> <BEA-000000> <model map does not exist in TLS ???>
<Nov 8, 2018 1:56:09,531 PM EST> <Warning> <oracle.bi.tech.model.ModelProvider> <BEA-000000> <model map does not exist in TLS ???>
<Nov 8, 2018 1:56:09,922 PM EST> <Error> <oracle.bi.security.service> <BEA-000000> <Unknown User Principal type found: authenticated-role>
<Nov 8, 2018 1:56:09,923 PM EST> <Warning> <oracle.webservices.jaxws> <BEA-000000> <Exception while executing the business logic: Unknown User Principal found: authenticated-role>
In the bi_server1-diagnostic.log:
[2018-11-08T14:57:36.525-05:00] [bi_server1] [NOTIFICATION] [] [oracle.bi.security.service] [tid: [ACTIVE].ExecuteThread: '16' for queue: 'weblogic.kernel.Default (self-tuning)'] [userId: <anonymous>] [ecid: 633ed8f6-4c99-4c36-bdc7-0bd9508ded9a-000000e4,0:121:1:6:1] [APP: bi-security] [partition-name: DOMAIN] [tenant-name: GLOBAL] [J2EE_APP.name: bi-security] [J2EE_MODULE.name: bi-security] [WEBSERVICE.name: SecurityWebService] [WEBSERVICE_PORT.name: SecurityWebServicePort] [SI-Key: ssi] Unknown User Principal found: authenticated-role[[
java.lang.RuntimeException: Unknown User Principal found: authenticated-role
at oracle.bi.security.subject.SubjectParser.getUserPrincipalForSubject(SubjectParser.java:108)
at oracle.bi.security.model.basic.BasicUserPrincipal.fromSubject(BasicUserPrincipal.java:56)
at oracle.bi.security.centaurus.BISubjectInternal.<init>(BISubjectInternal.java:47)
at oracle.bi.security.centaurus.AssertUserAction.execute(AssertUserAction.java:46)
at oracle.bi.security.centaurus.CentaurusService.assertUser(CentaurusService.java:83)
at oracle.bi.security.ws.runtime.ImpersonateUserAction.execute(ImpersonateUserAction.java:87)
...snip
at weblogic.work.PartitionUtility.runWorkUnderContext(PartitionUtility.java:41)
at weblogic.work.SelfTuningWorkManagerImpl.runWorkUnderContext(SelfTuningWorkManagerImpl.java:644)
at weblogic.work.ExecuteThread.execute(ExecuteThread.java:415)
at weblogic.work.ExecuteThread.run(ExecuteThread.java:355)
From my understanding the "authenticated-role" is a default OOTB role. Searching for this error on MOS or The Google returns nothing useful.
**Added 11/9 after further research:
From the OBIPS logs (and verified by the ECID, this error happens before the other 2, so they're likely a red-herring):
[2018-11-08T17:00:05-05:00] [OBIPS] [ERROR:31] [] [saw.connectionPool.getConnection] [ecid: 633ed8f6-4c99-4c36-bdc7-0bd9508ded9a-00000acb,0:13:1] [tid: 986949376] [SI-Name: ] [IDD-Name: ] [IDD-GUID: ] [userId: ] Authentication Failure.
Odbc driver returned an error (SQLDriverConnectW).
State: 08004. Code: 10018. [NQODBC] [SQL_STATE: 08004] [nQSError: 10018] Access for the requested connection is refused.
(08004) State: HY000. Code: 43113. [nQSError: 43113] Message returned from OBIS.
(HY000) State: HY000. Code: 43126. [nQSError: 43126] Authentication failed: invalid user/password. (HY000)[[
File:connection.cpp
Line:486
Location:
saw.connectionPool.getConnection
saw.securitysubsystem.checkauthentication.runimpl
saw.threadpool.asynclogon
saw.threads
]]
I've tested the datasources, they all connect fine. There's no information as to what connection is failing.
One other change that may be relevant, but not directly related: this (and another, possibly related login performance issue) only began after the import of the 11g content.
**END: Added 11/9 after further research
I'm sure this has to be a pretty basic configuration thing, but I can't for the life of me figure out what it would be.
My security realm is a copy of our currently working environment. The only difference is the new (for 12c) Trust Service Identity Asserter which hasn't been configured.
Anyone have any thoughts or pointers?
Message was edited by: Chet Justice
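The ECID correlation mentioned in the question (checking which component logged first for one request), as an added example that is not part of the original post. The log lines, ECID values and file names are constructed, and it assumes the text before the comma in the `ecid` field identifies the request.

```python
from datetime import datetime

ECID = "aaaa1111-0000-4000-8000-000000000001-00000acb"  # constructed value
# Constructed ODL-style lines (not the poster's logs); file names are placeholders.
SAMPLE = {
    "bi_server1-diagnostic.log": [
        "[2018-11-08T17:00:05.410-05:00] [bi_server1] [NOTIFICATION] [] [oracle.bi.security.service] "
        "[tid: [ACTIVE].ExecuteThread: '16' for queue: 'weblogic.kernel.Default (self-tuning)'] "
        f"[userId: <anonymous>] [ecid: {ECID},0:13:1:6:1] [APP: bi-security] "
        "Unknown User Principal found: authenticated-role[[",
        "java.lang.RuntimeException: Unknown User Principal found: authenticated-role",
    ],
    "obips.log": [
        "[2018-11-08T17:00:04-05:00] [OBIPS] [ERROR:31] [] [saw.connectionPool.getConnection] "
        f"[ecid: {ECID},0:13:1] [tid: 986949376] [userId: ] Authentication Failure.",
        "[2018-11-08T17:00:04-05:00] [OBIPS] [NOTIFICATION:1] [] [saw.httpserver] "
        "[ecid: bbbb2222-0000-4000-8000-000000000002-00000001,0:1] [tid: 1] unrelated request",
    ],
}

def split_odl(line):
    """Return (fields, message): top-level [..] groups, tolerating nested brackets (tid)."""
    fields, depth, start = [], 0, 0
    for i, ch in enumerate(line):
        if ch == "[":
            if depth == 0:
                start = i + 1
            depth += 1
        elif ch == "]" and depth:
            depth -= 1
            if depth == 0:
                fields.append(line[start:i])
        elif depth == 0 and not ch.isspace():
            return fields, line[i:]  # first text outside brackets is the message
    return fields, ""

def parse(line, source):
    fields, msg = split_odl(line)
    if len(fields) < 3:
        return None  # continuation line such as a stack-trace frame
    named = dict(f.split(": ", 1) for f in fields if ": " in f)
    return {"ts": datetime.fromisoformat(fields[0]), "source": source,
            "level": fields[2].split(":")[0],
            "ecid": named.get("ecid", "").split(",", 1)[0],
            "msg": msg.rstrip("[").strip()}  # drop the ODL "[[" detail marker

def timeline(logs, ecid):
    """All entries for one ECID across every log file, oldest first."""
    events = [e for src, lines in logs.items() for l in lines
              if (e := parse(l, src)) and e["ecid"] == ecid]
    return sorted(events, key=lambda e: e["ts"])
```

`timeline(SAMPLE, ECID)` returns the OBIPS authentication failure ahead of the bi_server1 principal error, which is the ordering check the question relies on.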
Answers
Found it.
In a search to find more information on the DefaultIdentityAsserter and what exactly it does, I found this lovely PDF, Oracle® Fusion Middleware Enterprise Deployment Guide for Oracle Business Intelligence
In it, were these instructions:
I had copied the 11g configuration straight. Here's what I had:
BISQLGroupProvider, OPTIONAL
OAMIdentityAsserter, SUFFICIENT
OVDAuthenticator, SUFFICIENT
DefaultAuthenticator, OPTIONAL
DefaultIdentityAsserter, <no flag set>
In 12c:
BISQLGroupProvider, OPTIONAL
OAMIdentityAsserter, SUFFICIENT
OVDAuthenticator, SUFFICIENT
DefaultAuthenticator, OPTIONAL
DefaultIdentityAsserter, <no flag available>
TrustIdentityAsserter, <no flag available>
I moved TrustIdentityAsserter up one and changed OAMIdentityAsserter from SUFFICIENT to REQUIRED.
I haven't seen those instructions above anywhere else (doesn't mean they don't exist though) but the PDF linked above.