Unknown User Principal found: authenticated-role — Oracle Analytics

Chet Justice Rank 2 - Community Beginner

OBIEE: 12.2.1.3.0 (Build BIPS-20170820114118 64-bit)

OS: Linux 3.10.0-862.11.6.el7.x86_64 #1 SMP x86_64 x86_64 x86_64 GNU/Linux (i.e. RHEL 7)

Out-of-place upgrade from 11.1.1.7.180417

I can log in directly to OBIEE at http://server.com:9502/analytics

However, as I'm now behind an F5 and all the attendant VIPs and Pools, I get OBIEE's equivalent of the blue screen of death:

"You are not currently signed in to the Oracle BI Server..."

In the bi_server1.log I can see my username and various groups returned from my BISQLGroupProvider. I can see 2 header values that are set as iRules in the F5/Pool thingy coming through correctly as well. I've determined that the system recognizes me, but the "error" persists.

Stepping over to bi_server1.out I found my errors referenced in the subject line:

<Nov 8, 2018 1:56:09,526 PM EST> <Warning> <oracle.bi.tech.model.ModelProvider> <BEA-000000> <model map does not exist in TLS ???>

<Nov 8, 2018 1:56:09,531 PM EST> <Warning> <oracle.bi.tech.model.ModelProvider> <BEA-000000> <model map does not exist in TLS ???>

<Nov 8, 2018 1:56:09,922 PM EST> <Error> <oracle.bi.security.service> <BEA-000000> <Unknown User Principal type found: authenticated-role>

<Nov 8, 2018 1:56:09,923 PM EST> <Warning> <oracle.webservices.jaxws> <BEA-000000> <Exception while executing the business logic: Unknown User Principal found: authenticated-role>

In the bi_server1-diagnostic.log:

[2018-11-08T14:57:36.525-05:00] [bi_server1] [NOTIFICATION] [] [oracle.bi.security.service] [tid: [ACTIVE].ExecuteThread: '16' for queue: 'weblogic.kernel.Default (self-tuning)'] [userId: <anonymous>] [ecid: 633ed8f6-4c99-4c36-bdc7-0bd9508ded9a-000000e4,0:121:1:6:1] [APP: bi-security] [partition-name: DOMAIN] [tenant-name: GLOBAL] [J2EE_APP.name: bi-security] [J2EE_MODULE.name: bi-security] [WEBSERVICE.name: SecurityWebService] [WEBSERVICE_PORT.name: SecurityWebServicePort] [SI-Key: ssi] Unknown User Principal found: authenticated-role[[

java.lang.RuntimeException: Unknown User Principal found: authenticated-role
    at oracle.bi.security.subject.SubjectParser.getUserPrincipalForSubject(SubjectParser.java:108)
    at oracle.bi.security.model.basic.BasicUserPrincipal.fromSubject(BasicUserPrincipal.java:56)
    at oracle.bi.security.centaurus.BISubjectInternal.<init>(BISubjectInternal.java:47)
    at oracle.bi.security.centaurus.AssertUserAction.execute(AssertUserAction.java:46)
    at oracle.bi.security.centaurus.CentaurusService.assertUser(CentaurusService.java:83)
    at oracle.bi.security.ws.runtime.ImpersonateUserAction.execute(ImpersonateUserAction.java:87)
    ...snip
    at weblogic.work.PartitionUtility.runWorkUnderContext(PartitionUtility.java:41)
    at weblogic.work.SelfTuningWorkManagerImpl.runWorkUnderContext(SelfTuningWorkManagerImpl.java:644)
    at weblogic.work.ExecuteThread.execute(ExecuteThread.java:415)
    at weblogic.work.ExecuteThread.run(ExecuteThread.java:355)

From my understanding the "authenticated-role" is a default OOTB role. Searching for this error on MOS or The Google returns nothing useful.

**Added 11/9 after further research:
From the OBIPS logs (and verified by the ECID, this error happens before the other 2, so they're likely a red herring):

[2018-11-08T17:00:05-05:00] [OBIPS] [ERROR:31] [] [saw.connectionPool.getConnection] [ecid: 633ed8f6-4c99-4c36-bdc7-0bd9508ded9a-00000acb,0:13:1] [tid: 986949376] [SI-Name: ] [IDD-Name: ] [IDD-GUID: ] [userId: ] Authentication Failure.

Odbc driver returned an error (SQLDriverConnectW).

State: 08004.  Code: 10018.  [NQODBC] [SQL_STATE: 08004] [nQSError: 10018] Access for the requested connection is refused.

(08004) State: HY000.  Code: 43113.  [nQSError: 43113] Message returned from OBIS.

(HY000) State: HY000.  Code: 43126.  [nQSError: 43126] Authentication failed: invalid user/password. (HY000)[[

File:connection.cpp
Line:486
Location:
    saw.connectionPool.getConnection
    saw.securitysubsystem.checkauthentication.runimpl
    saw.threadpool.asynclogon
    saw.threads
]]

I've tested the datasources, they all connect fine. There's no information as to what connection is failing.


One other change that may be relevant, but not directly related: this (and another, possibly related login performance issue) only began after the import of the 11g content.

**END: Added 11/9 after further research

I'm sure this has to be a pretty basic configuration thing, but I can't for the life of me figure out what it would be.

My security realm is a copy of our currently working environment. The only difference is the new (for 12c) Trust Service Identity Asserter which hasn't been configured.

Anyone have any thoughts or pointers?

Message was edited by: Chet Justice

Answers

  • Chet Justice Rank 2 - Community Beginner

    Found it.

    In a search to find more information on the DefaultIdentityAsserter and what exactly it does, I found this lovely PDF, Oracle® Fusion Middleware Enterprise Deployment Guide for Oracle Business Intelligence.

    In it were these instructions:

    Screenshot 2018-11-13 15.24.36.png

    I had copied the 11g configuration straight. Here's what I had:
    BISQLGroupProvider, OPTIONAL
    OAMIdentityAsserter, SUFFICIENT
    OVDAuthenticator, SUFFICIENT
    DefaultAuthenticator, OPTIONAL
    DefaultIdentityAsserter, <no flag set>

    In 12c:

    BISQLGroupProvider, OPTIONAL
    OAMIdentityAsserter, SUFFICIENT
    OVDAuthenticator, SUFFICIENT
    DefaultAuthenticator, OPTIONAL
    DefaultIdentityAsserter, <no flag available>
    TrustIdentityAsserter, <no flag available>


    I moved TrustIdentityAsserter up one and changed OAMIdentityAsserter from SUFFICIENT to REQUIRED.

    I haven't seen those instructions above anywhere else (doesn't mean they don't exist though) but the PDF linked above.
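
A check for the kind of realm drift described in the answer above, added here as an example and not part of the original post: it reads the authentication providers in file order from a WebLogic config.xml and reports where they differ from the order and flags the poster ended up with. The XML fragment is constructed, and matching on the element local names `authentication-provider`, `name` and `control-flag` is an assumption about the file layout.

```python
import xml.etree.ElementTree as ET

# Order and flags the answer ends with (None = provider offers no control flag).
EXPECTED = [("BISQLGroupProvider", "OPTIONAL"), ("OAMIdentityAsserter", "REQUIRED"),
            ("OVDAuthenticator", "SUFFICIENT"), ("DefaultAuthenticator", "OPTIONAL"),
            ("TrustIdentityAsserter", None), ("DefaultIdentityAsserter", None)]

# Constructed sample: the 12c list from the post before the fix was applied.
BEFORE_FIX = [("BISQLGroupProvider", "OPTIONAL"), ("OAMIdentityAsserter", "SUFFICIENT"),
              ("OVDAuthenticator", "SUFFICIENT"), ("DefaultAuthenticator", "OPTIONAL"),
              ("DefaultIdentityAsserter", None), ("TrustIdentityAsserter", None)]
P = "<sec:authentication-provider><sec:name>%s</sec:name>%s</sec:authentication-provider>"
F = "<sec:control-flag>%s</sec:control-flag>"
SAMPLE_CONFIG = (
    '<domain xmlns="http://xmlns.oracle.com/weblogic/domain" '
    'xmlns:sec="http://xmlns.oracle.com/weblogic/security">'
    "<security-configuration><realm>"
    + "".join(P % (n, F % f if f else "") for n, f in BEFORE_FIX)
    + "</realm></security-configuration></domain>")

def _local(tag):
    return tag.rsplit("}", 1)[-1]  # drop the "{namespace}" prefix

def read_providers(xml_text):
    """Return [(name, control_flag or None)] in the order the file lists them."""
    found = []
    for el in ET.fromstring(xml_text).iter():
        if _local(el.tag) == "authentication-provider":
            fields = {_local(c.tag): (c.text or "").strip() for c in el}
            found.append((fields.get("name"), fields.get("control-flag")))
    return found

def drift(actual, expected=EXPECTED):
    """List differences in membership, control flag and relative order."""
    have, want, out = dict(actual), dict(expected), []
    for name, flag in expected:
        if name not in have:
            out.append(f"missing: {name}")
        elif have[name] != flag:
            out.append(f"{name}: flag in file {have[name]}, expected {flag}")
    out += [f"unexpected: {n}" for n, _ in actual if n not in want]
    seen = [n for n, _ in actual if n in want]
    if seen != [n for n, _ in expected if n in have]:
        out.append("order in file: " + " > ".join(seen))
    return out

if __name__ == "__main__":
    print("\n".join(drift(read_providers(SAMPLE_CONFIG))))
```

A provider left at its default flag may have no `control-flag` element in config.xml, so a `None` reported for an authenticator should be confirmed in the console rather than read as a mismatch.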