In EPM 11.1.2.1, has anyone successfully configured the SSODiag web app?

Robert Armstrong Member Posts: 143 Blue Ribbon
edited Sep 13, 2011 3:57PM in EPM System Infrastructure
Hi All, we are installing and configuring Oracle EPM 11.1.2.1 with Foundation services running on a Windows 2008 R2 Standard server. Our users have been waiting for us to provide single sign-on for the Web applications (we are currently on 9.3.3). We installed and configured Foundation services and started the config for SSO using Kerberos and Active Directory.

We have performed the following:
1) set up the Active Directory user to use as the Kerberos principal
2) using SETSPN and KTPASS, configured the principal user and had the keytab file generated using:

ktpass -out SVC_ORACLEEPM.keytab -mapuser SVC_ORACLEEPM -crypto DES-CBC-CRC -princ HTTP/[email protected] -pass PASSWORD -ptype KRB5_NT_PRINCIPAL

3) copied the keytab file to the Foundation Services server (DEVEMP01) and placed it in "C:\Oracle\Middleware\user_projects\domains\EPMSystem"
4) verified the keytab using the Java kinit commands

java -Dsun.security.krb5.debug=true sun.security.krb5.internal.tools.Kinit -k -t C:\Oracle\Middleware\user_projects\domains\EPMSystem\SVC_ORACLEEPM.keytab HTTP/[email protected]

and was able to get the Kerberos ticket cached successfully:

--- KrbAsRep cons in KrbAsReq.getReply HTTP/devepm01.domain.com
--- New ticket is stored in cache file C:\Users\svc_oracleepm\krb5cc_SVC_ORACLEEPM

5) configured the Active Directory provider in WebLogic (can retrieve all users, including my service account)
6) configured the Negotiate Identity provider
7) installed and configured the SSODiag web application per the 11.1.2.0 document "http://www.oracle.com/technetwork/middleware/bi-foundation/config-epm-foundation-kerberos-303841.pdf", as the 11.1.2.1 document is incomplete. I also found some missing steps in the 11.1.2.0 doc, but was able to get it.
8) the service account is used to log on to the Windows server and is used to start the FoundationServices service and the WebLogic admin console.

In the above, "DOMAIN.COM" is the Kerberos domain.

The problem now is that the SSODiag app is not authenticating the user. All our Active Directory users authenticate to MS SharePoint through Kerberos, so the browsers and users are set up properly; I did double-check the browser settings just in case.

I also have an open support ticket with Oracle support, but wanted to find out if anyone out there has successfully configured SSODiag and has it working with Kerberos, Active Directory and WebLogic 10.3.x included with EPM 11.1.2.1.

Any assistance is appreciated.

Rob Armstrong

** Updated to add #8

Edited by: Robert Armstrong on Jul 13, 2011 8:47 AM

Answers

  • Robert Armstrong Member Posts: 143 Blue Ribbon
    For anyone interested, we were finally able to configure SSO. Working with Oracle support and a web conf with the developers was needed.

    The documentation is lacking all the instructions to make a successful connection and has incorrect information as well. The SSODiag app was working for all XP and IE6/IE7 machines; my Windows 7 and IE8 machine would not work, and that is still an outstanding issue with development.
This discussion has been closed.