OBIEE 12c MS Active Directory Integration Does Not Work

ilhan_ercan · Aug 12, 2017 6:16PM

Hi Everyone

I have done OBIEE 10g,11g,12c MS Active Directıry Integration many times before but this time it does not work. I have tried almost everything but noway.

My OBIEE version 12.2.1.2.0

What I did is;

I have created a new Provider under myrealm with type ActiveDirectoryAuthenticator.

Settings are

Host: mydom.com

Port:389

Principal:CN=Oracle BI,CN=Users,DC=mydom,DC=com

SSLEnabled:False

User Base DN:CN=Users,DC=mydom,DC=com

All Users Filter:(&(sAMAccountName=*)(objectclass=user))

User From Name Filter:(&(cn=%u)(objectclass=user))

User Name Attribute:sAMAccountName

User Object Class:user

Group Base Dn: OU=GROUPS,DC=mydom,DC=com

Static Group Name Attribute:cn

Static Group Object Class:group

Static Member DN Attribute:member

Static Group DNs from Member DN Filter:(&(member=%M)(objectclass=group))

And changed DefaultAuthenticator from REQUIRED to SUFFICENT and set this option to SUFFICENT for new MS AD Proived. Reorderd the Providers. DefaultAuthenticator first, MSAD second or vice versa.(no effect)

After restarting weblogic , i can see AD users and groups in weblogic User/Groups tab

And In EM console I add virtualize=true from Weblogic Domain>Security> Security Provider Configuration->Identity Store Configuration

An ın EM Application Roles section i did not any changes. So by default, BIConsumer role has a member named "authenticated-role" I am expecting that, unleess i did not change this setting, all authenticxated users should login to BI as consumer.

After restart weblogic logins for Active Directory users doest not work.

I have tried for many AD users but none of them worked!

The only point here is, all the users i tried to authenticate are not AD Admins. they are simple domian users. But with Active Directory Explorer tool i can see all users and groups by lunching app with these AD Users information.

Here are the logs

in obis1-diagnostic.log file

[2017-08-13T00:52:27.601+03:00] [OBIS] [ERROR:1] [] [] [ecid: ] [sik: ssi] [tid: 18ec] [nQSError: 13057] Error From BI Security Service: oracle.webservices.provider.ProviderException: javax.xml.ws.WebServiceException: [OBI-SEC-00111] FailedAuthentication: BI Security access is denied - web service credentials are invalid.. [[

********** Task: 1. Running for (mls): 62 **********

Description: Authenticate

RPID: ssi; user: oraclebi2; AppType: ; Offline: false

in bi_server1-diagnostic.log file

[2017-08-13T00:52:27.598+03:00] [bi_server1] [ERROR] [] [oracle.webservices.service] [tid: [ACTIVE].ExecuteThread: '15' for queue: 'weblogic.kernel.Default (self-tuning)'] [userId: <anonymous>] [ecid: 883e3554-f7c3-4f31-8c6b-67dbfeedbed8-00008407,0] [APP: bi-security] [partition-name: DOMAIN] [tenant-name: GLOBAL] [SI-Key: ssi] oracle.webservices.provider.ProviderException: javax.xml.ws.WebServiceException: [OBI-SEC-00111] FailedAuthentication: BI Security access is denied - web service credentials are invalid.[[

at oracle.j2ee.ws.server.jaxws.JAXWSRuntimeDelegate.processMessage(JAXWSRuntimeDelegate.java:513)

at oracle.j2ee.ws.server.provider.ProviderProcessor.doEndpointProcessing(ProviderProcessor.java:1355)

at oracle.j2ee.ws.server.WebServiceProcessor.invokeEndpointImplementation(WebServiceProcessor.java:1397)

at oracle.j2ee.ws.server.provider.ProviderProcessor.doRequestProcessingPhaseTwo(ProviderProcessor.java:711)

at oracle.j2ee.ws.server.WebServiceProcessor.doRequestProcessing(WebServiceProcessor.java:691)

at oracle.j2ee.ws.server.WebServiceProcessor.processRequest(WebServiceProcessor.java:248)

at oracle.j2ee.ws.server.WebServiceProcessor.doService(WebServiceProcessor.java:212)

at oracle.j2ee.ws.server.WebServiceServlet.doService(WebServiceServlet.java:696)

at oracle.j2ee.ws.server.WebServiceServlet.doPost(WebServiceServlet.java:534)

at javax.servlet.http.HttpServlet.service(HttpServlet.java:707)

at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)

at weblogic.servlet.internal.StubSecurityHelper$ServletServiceAction.run(StubSecurityHelper.java:286)

at weblogic.servlet.internal.StubSecurityHelper$ServletServiceAction.run(StubSecurityHelper.java:260)

at weblogic.servlet.internal.StubSecurityHelper.invokeServlet(StubSecurityHelper.java:137)

at weblogic.servlet.internal.ServletStubImpl.execute(ServletStubImpl.java:350)

at weblogic.servlet.internal.TailFilter.doFilter(TailFilter.java:25)

at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:78)

at oracle.bi.security.filter.BISecuritySOAPFilter.doFilter(BISecuritySOAPFilter.java:69)

at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:78)

at oracle.security.jps.ee.http.JpsAbsFilter$1.run(JpsAbsFilter.java:141)

at java.security.AccessController.doPrivileged(Native Method)

at oracle.security.jps.util.JpsSubject.doAsPrivileged(JpsSubject.java:315)

at oracle.security.jps.ee.util.JpsPlatformUtil.runJaasMode(JpsPlatformUtil.java:650)

at oracle.security.jps.ee.http.JpsAbsFilter.runJaasMode(JpsAbsFilter.java:124)

at oracle.security.jps.ee.http.JpsAbsFilter.doFilter(JpsAbsFilter.java:232)

at oracle.security.jps.ee.http.JpsFilter.doFilter(JpsFilter.java:94)

at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:78)

at oracle.dms.servlet.DMSServletFilter.doFilter(DMSServletFilter.java:248)

at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:78)

at weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.wrapRun(WebAppServletContext.java:3683)

at weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.run(WebAppServletContext.java:3649)

at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:326)

at weblogic.security.service.SecurityManager.runAsForUserCode(SecurityManager.java:197)

at weblogic.servlet.provider.WlsSecurityProvider.runAsForUserCode(WlsSecurityProvider.java:203)

at weblogic.servlet.provider.WlsSubjectHandle.run(WlsSubjectHandle.java:71)

at weblogic.servlet.internal.WebAppServletContext.doSecuredExecute(WebAppServletContext.java:2433)

at weblogic.servlet.internal.WebAppServletContext.securedExecute(WebAppServletContext.java:2281)

at weblogic.servlet.internal.WebAppServletContext.execute(WebAppServletContext.java:2259)

at weblogic.servlet.internal.ServletRequestImpl.runInternal(ServletRequestImpl.java:1691)

at weblogic.servlet.internal.ServletRequestImpl.run(ServletRequestImpl.java:1651)

at weblogic.servlet.provider.ContainerSupportProviderImpl$WlsRequestExecutor.run(ContainerSupportProviderImpl.java:270)

at weblogic.invocation.ComponentInvocationContextManager._runAs(ComponentInvocationContextManager.java:348)

at weblogic.invocation.ComponentInvocationContextManager.runAs(ComponentInvocationContextManager.java:333)

at weblogic.work.LivePartitionUtility.doRunWorkUnderContext(LivePartitionUtility.java:54)

at weblogic.work.PartitionUtility.runWorkUnderContext(PartitionUtility.java:41)

at weblogic.work.SelfTuningWorkManagerImpl.runWorkUnderContext(SelfTuningWorkManagerImpl.java:640)

at weblogic.work.ExecuteThread.execute(ExecuteThread.java:406)

at weblogic.work.ExecuteThread.run(ExecuteThread.java:346)

Caused by: javax.xml.ws.WebServiceException: [OBI-SEC-00111] FailedAuthentication: BI Security access is denied - web service credentials are invalid.

at oracle.bi.security.handler.ServiceAuthorizationHandler.checkCredentialsHeader(ServiceAuthorizationHandler.java:283)

at oracle.bi.security.handler.ServiceAuthorizationHandler.handleMessage(ServiceAuthorizationHandler.java:147)

at oracle.bi.security.handler.ServiceAuthorizationHandler.handleMessage(ServiceAuthorizationHandler.java:66)

at oracle.j2ee.ws.common.handlers.HandlerChainInvoker.callProtocolHandlers(HandlerChainInvoker.java:771)

at oracle.j2ee.ws.common.handlers.HandlerChainInvoker.internalCallHandlers(HandlerChainInvoker.java:478)

at oracle.j2ee.ws.common.handlers.HandlerChainInvoker.callHandlers(HandlerChainInvoker.java:403)

at oracle.j2ee.ws.server.jaxws.ServiceEndpointRuntime.processMessage(ServiceEndpointRuntime.java:210)

at oracle.j2ee.ws.server.jaxws.JAXWSRuntimeDelegate.processMessage(JAXWSRuntimeDelegate.java:498)

... 47 more

Caused by: javax.security.auth.login.LoginException: [Security:090938]Authentication failure: The specified user failed to log in. javax.security.auth.login.FailedLoginException: [Security:090302]Authentication Failed: User specified user denied

at oracle.security.jps.internal.jaas.module.authentication.JpsUserAuthenticationLoginModule.login(JpsUserAuthenticationLoginModule.java:82)

at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)

at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)

at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)

at java.lang.reflect.Method.invoke(Method.java:498)

at javax.security.auth.login.LoginContext.invoke(LoginContext.java:755)

at javax.security.auth.login.LoginContext.access$000(LoginContext.java:195)

at javax.security.auth.login.LoginContext$4.run(LoginContext.java:682)

at javax.security.auth.login.LoginContext$4.run(LoginContext.java:680)

at java.security.AccessController.doPrivileged(Native Method)

at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)

at javax.security.auth.login.LoginContext.login(LoginContext.java:587)

at oracle.bi.security.subject.SubjectAuthenticator.authenticateUserCredentials(SubjectAuthenticator.java:80)

at oracle.bi.security.handler.ServiceAuthorizationHandler.lambda$authenticate$32(ServiceAuthorizationHandler.java:301)

at java.security.AccessController.doPrivileged(Native Method)

at oracle.bi.security.handler.ServiceAuthorizationHandler.authenticate(ServiceAuthorizationHandler.java:302)

at oracle.bi.security.handler.ServiceAuthorizationHandler.checkCredentialsHeader(ServiceAuthorizationHandler.java:265)

... 54 more

Caused by: oracle.security.jps.internal.jaas.module.AuthenticationException: [Security:090938]Authentication failure: The specified user failed to log in. javax.security.auth.login.FailedLoginException: [Security:090302]Authentication Failed: User specified user denied

at oracle.security.jps.wls.jaas.module.authentication.WlsUserAuthenticator.authenticate(WlsUserAuthenticator.java:120)

at oracle.security.jps.internal.jaas.module.authentication.JpsUserAuthenticationLoginModule.login(JpsUserAuthenticationLoginModule.java:73)

... 70 more

Caused by: javax.security.auth.login.FailedLoginException: [Security:090938]Authentication failure: The specified user failed to log in. javax.security.auth.login.FailedLoginException: [Security:090302]Authentication Failed: User specified user denied

at com.bea.common.security.utils.ExceptionHandler.throwFailedLoginException(ExceptionHandler.java:62)

at weblogic.security.providers.authentication.LDAPAtnLoginModuleImpl.login(LDAPAtnLoginModuleImpl.java:380)

at com.bea.common.security.internal.service.LoginModuleWrapper$1.run(LoginModuleWrapper.java:117)

at java.security.AccessController.doPrivileged(Native Method)

at com.bea.common.security.internal.service.LoginModuleWrapper.login(LoginModuleWrapper.java:114)

at sun.reflect.GeneratedMethodAccessor749.invoke(Unknown Source)

at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)

at java.lang.reflect.Method.invoke(Method.java:498)

at javax.security.auth.login.LoginContext.invoke(LoginContext.java:755)

at javax.security.auth.login.LoginContext.access$000(LoginContext.java:195)

at javax.security.auth.login.LoginContext$4.run(LoginContext.java:682)

at javax.security.auth.login.LoginContext$4.run(LoginContext.java:680)

at java.security.AccessController.doPrivileged(Native Method)

at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)

at javax.security.auth.login.LoginContext.login(LoginContext.java:587)

at com.bea.common.security.internal.service.JAASLoginServiceImpl.login(JAASLoginServiceImpl.java:113)

at sun.reflect.GeneratedMethodAccessor747.invoke(Unknown Source)

at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)

at java.lang.reflect.Method.invoke(Method.java:498)

at com.bea.common.security.internal.utils.Delegator$ProxyInvocationHandler.invoke(Delegator.java:64)

at com.sun.proxy.$Proxy75.login(Unknown Source)

at weblogic.security.service.internal.WLSJAASLoginServiceImpl$ServiceImpl.login(WLSJAASLoginServiceImpl.java:92)

at com.bea.common.security.internal.service.JAASAuthenticationServiceImpl.authenticate(JAASAuthenticationServiceImpl.java:83)

at sun.reflect.GeneratedMethodAccessor760.invoke(Unknown Source)

at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)

at java.lang.reflect.Method.invoke(Method.java:498)

at com.bea.common.security.internal.utils.Delegator$ProxyInvocationHandler.invoke(Delegator.java:64)

at com.sun.proxy.$Proxy94.authenticate(Unknown Source)

at weblogic.security.service.WLSJAASAuthenticationServiceWrapper.authenticate(WLSJAASAuthenticationServiceWrapper.java:40)

at weblogic.security.service.PrincipalAuthenticatorImpl.authenticate(PrincipalAuthenticatorImpl.java:351)

at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)

at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)

at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)

at java.lang.reflect.Method.invoke(Method.java:498)

at weblogic.security.service.ServiceHandler.invoke(ServiceHandler.java:55)

at com.sun.proxy.$Proxy105.authenticate(Unknown Source)

at weblogic.security.services.Authentication.doLogin(Authentication.java:140)

at weblogic.security.services.Authentication.login(Authentication.java:75)

at weblogic.security.services.Authentication.login(Authentication.java:51)

at oracle.security.jps.wls.jaas.module.authentication.WlsUserAuthenticator.authenticate(WlsUserAuthenticator.java:115)

... 71 more

]]

[2017-08-13T00:52:27.600+03:00] [bi_server1] [ERROR] [] [oracle.webservices.service] [tid: [ACTIVE].ExecuteThread: '15' for queue: 'weblogic.kernel.Default (self-tuning)'] [userId: <anonymous>] [ecid: 883e3554-f7c3-4f31-8c6b-67dbfeedbed8-00008407,0] [APP: bi-security] [partition-name: DOMAIN] [tenant-name: GLOBAL] [SI-Key: ssi] An error occurred for port: {http://oracle/bi/security/ws/}SecurityWebServicePort: oracle.webservices.provider.ProviderException: javax.xml.ws.WebServiceException: [OBI-SEC-00111] FailedAuthentication: BI Security access is denied - web service credentials are invalid..

[2017-08-13T00:53:58.172+03:00] [bi_server1] [NOTIFICATION] [OBI-SEC-00020] [oracle.bi.security.authentication] [tid: [ACTIVE].ExecuteThread: '38' for queue: 'weblogic.kernel.Default (self-tuning)'] [userId: <anonymous>] [ecid: 883e3554-f7c3-4f31-8c6b-67dbfeedbed8-0000842b,0] [APP: bi-security] [partition-name: DOMAIN] [tenant-name: GLOBAL] [J2EE_APP.name: bi-security] [J2EE_MODULE.name: bi-security] [WEBSERVICE.name: SecurityWebService] [WEBSERVICE_PORT.name: SecurityWebServicePort] [SI-Key: ssi] The specified user credentials could not be authenticated.[[

javax.security.auth.login.LoginException: [Security:090938]Authentication failure: The specified user failed to log in. javax.security.auth.login.FailedLoginException: [Security:090302]Authentication Failed: User specified user denied