11 Replies Latest reply: Aug 15, 2011 12:18 PM by user637881

    Unable to login to OBIEE 11g after integrating with MS Active Directory

    user346948
      Hello Gurus,

      I am trying to integrate OBIEE 11.1.1.5 SampleAppLite with two Authentication Providers (MS Active Directory and the defaultAuthenticator(WLS LDAP)).

      My objective is to configure MS Active Directory (MSAD) as a new 'Authentication Provider' along with the defaultAuthenticator (WLS LDAP). So basically two Authentication providers. The MSAD Authenticator for all the business users in the company directory and the default WLS LDAP for Technology dept users like Developer1, QA1 etc.

      After following the instructions mentioned in Oracle Documentation and also useful info from RittmanMead Blog, none of the users are able to login to OBIEE. Even the default 'weblogic' user cannot login.

      At a high level I did the following.

      1. Installed 11.1.1.5 with the SampleAppLite RPD.
      2. Weblogic user is able to login to OBIEE and everything working as expected.
      3. Created the new MSAD Authenticator Provider in WLS. Changed the CONTROL_FLAG field to SUFFICIENT for this Authenticator
      3. For the 'defaultAuthenticator' I Changed the CONTROL_FLAG field to SUFFICIENT
      4. Re-ordered the Authentication providers so that MSAD comes at the top.
      5. I am able to see all the MSAD users as well as the 'defaultAuthenticator' users like Dev1 etc in the 'Users and Groups' tab under 'myrealm'
      6. I deleted the BISystemUser in WLS and wanted to make an existing user in MSAD (say OBI_ADMIN) as the new 'Trusted User' (OBI_ADMIN already exists in the MSAD)
      7. I now logged onto Enterprise Manager->Expanded WebLogic Domain->Right-clicked on bifoundation_domain to reach Security->Credentials
      8. I edited the system.user key with values for OBI_ADMIN (Since OBI_ADMIN is going to be the Trusted User - replacement for BISystemUser)
      9. Then I Right-clicked on bifoundation_domain to reach Security-> Security Provider Configuration. In the Identity store provider I added two properties user.login.attr and username.attr. I assigned them values sAMAccountName
      10. Then I Right-clicked on bifoundation_domain to reach Security->Application Roles and added OBI_ADMIN to the Application Role 'BISystem'. Though I deleted the BISystemUser (step 6), I was still able to see BISystemUser under the Role 'BISystem'. Not sure why.
      11. Next as mentioned in the Oracle Docs (http://download.oracle.com/docs/cd/E21764_01/bi.1111/e10543/privileges.htm#CIHIDCHI) Section 3.2.6 ->Step 11, I added the OBI_Admin user to the Admin Global Role
      12. I also updated the new trusted user credentials in WebLogic Console, select - Services - Messaging - JMS Modules.(as mentioned in the above link)
      13. Restarted all the components.

      None of the users are able to login.

      Any help would be highly appreciated.

      References:
      1. http://download.oracle.com/docs/cd/E21764_01/bi.1111/e10543/privileges.htm#CIHIDCHI
      2. http://www.rittmanmead.com/2010/11/oracle-bi-ee-11g-security-integration-with-microsoft-active-directory/
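
The control flags set in step 3 follow JAAS semantics over the ordered provider list. The following is an added example, not code from the thread or from Oracle: a simplified model of that evaluation, comparing the poster's layout (MSAD first, both SUFFICIENT) with a contrasting one. The user `jsmith`, the user sets and the function names are constructed, and authentication is modelled as set membership only.

```python
# Added illustration (not from the thread): simplified JAAS control-flag
# evaluation over an ordered provider list. Authentication is modelled as
# membership in a constructed user set; real providers check passwords.
REQUIRED, REQUISITE, SUFFICIENT, OPTIONAL = (
    "REQUIRED", "REQUISITE", "SUFFICIENT", "OPTIONAL")

def authenticate(providers, user):
    """providers: ordered list of (name, control_flag, known_users)."""
    required_failed = False
    any_success = False
    for _name, flag, known_users in providers:
        if user in known_users:
            any_success = True
            # SUFFICIENT success ends evaluation unless a REQUIRED
            # provider earlier in the list has already failed.
            if flag == SUFFICIENT and not required_failed:
                return True
        elif flag == REQUISITE:
            return False            # fail immediately
        elif flag == REQUIRED:
            required_failed = True  # keep going, but the login will fail
    return any_success and not required_failed

# Constructed sample stores; jsmith is a made-up business user.
MSAD_USERS = {"jsmith", "OBI_ADMIN"}
WLS_USERS = {"weblogic", "Developer1", "QA1"}

# The layout from the post: MSAD first, both SUFFICIENT.
BOTH_SUFFICIENT = [
    ("MSAD", SUFFICIENT, MSAD_USERS),
    ("DefaultAuthenticator", SUFFICIENT, WLS_USERS),
]
# Contrast: DefaultAuthenticator first and REQUIRED.
DEFAULT_REQUIRED = [
    ("DefaultAuthenticator", REQUIRED, WLS_USERS),
    ("MSAD", SUFFICIENT, MSAD_USERS),
]

def report(providers):
    users = ["jsmith", "weblogic", "Developer1", "nobody"]
    return {u: authenticate(providers, u) for u in users}

if __name__ == "__main__":
    print("both SUFFICIENT :", report(BOTH_SUFFICIENT))
    print("default REQUIRED:", report(DEFAULT_REQUIRED))
```

In this model both user populations pass the provider chain when both flags are SUFFICIENT, while a REQUIRED DefaultAuthenticator rejects users that exist only in MSAD.
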
        • 1. Re: Unable to login to OBIEE 11g after integrating with MS Active Directory
          Amith Y
          Have you assigned the user from MS AD to BISystemrole ?
          • 2. Re: Unable to login to OBIEE 11g after integrating with MS Active Directory
            user346948
            Thanks for the response.

            Yes I have. Please see step 10 in my original post

            Joe
            • 3. Re: Unable to login to OBIEE 11g after integrating with MS Active Directory
              867935
              Try Regenerating the user GUIDS

              Follow the step in Section: 3.2.7 Regenerating User GUIDs in the link below

              http://download.oracle.com/docs/cd/E21764_01/bi.1111/e10543/privileges.htm#CIHIDCHI

              Thanks,
              PRM
              • 4. Re: Unable to login to OBIEE 11g after integrating with MS Active Directory
                user346948
                OK. I will try that.

                While trying out many options to get this working, I un-checked Use WebLogic Authentication Provider Configuration under the Identity store configuration in Enterprise Manager. After this I am not able to start the WebLogic Server. So I un-installed and I am installing it fresh.

                Is there a way to back up all your configurations after a fresh install?

                Joe
                • 5. Re: Unable to login to OBIEE 11g after integrating with MS Active Directory
                  876921
                  OBIEE Backup:-

                  http://download.oracle.com/docs/cd/E14571_01/core.1111/e10105/br_intro.htm#ASADM11238

                  Weblogic Backup:-

                  http://download.oracle.com/docs/cd/E14571_01/core.1111/e10105/br_intro.htm#CHDEBJIC

                  Hope this helps..

                  I am also planning to integrate AD with 11.1.1.5, let's see how it goes...

                  Edited by: 873918 on Aug 4, 2011 1:51 AM
                  • 6. Re: Unable to login to OBIEE 11g after integrating with MS Active Directory
                    user346948
                    Awesome Thanks.

                    Please post your story once you integrate AD with OBIEE. I even tried creating a user called BISystemUser in AD and still was not able to get this up and running!
                    • 7. Re: Unable to login to OBIEE 11g after integrating with MS Active Directory
                      user637881
                      I finally got this working on AIX. I followed all of the steps in chapter 3 of the Security Guide for OBIEE, http://download.oracle.com/docs/cd/E21764_01/bi.1111/e10543.pdf. The cause of my problem turned out to be the virtualize=true setting in the Identity Store Provider configuration in EM. Section 3.2.3.3 says you need this if you have multiple authentication providers. I thought, since I had MSAD and the DefaultAuthenticator, but the DefaultAuthenticator doesn't count in this case. Once I removed virtualize=true and restarted ManagedWebLogic and OBIEE I was able to login with my MSAD userid.

                      There are still questions about the virtualize attribute. Oracle Support isn't sure why that was causing me a problem. It may not be an issue in your environment...

                      BISystemUser exists in both MSAD and the DefaultAuthenticator. The password is the same in both. The MSAD id is not a member of any MSAD groups. The DefaultAuthenticator id is a member of the Administrators group. I assigned BISystemUser to the BISystem role in EM.

                      Jerry
                      • 8. Re: Unable to login to OBIEE 11g after integrating with MS Active Directory
                        user346948
                        Hi Jerry, Thanks for your reply. Couple of Questions.

                        Did you mean to say that you have BISystemUser in both DefaultAuthenticator as well as in MSAD? How did you make sure the passwords of both BISystemUser users are the same?

                        Joe
                        • 9. Re: Unable to login to OBIEE 11g after integrating with MS Active Directory
                          user637881
                          I changed the password in the DefaultAuthenticator to what it is in MSAD. And I changed the password in EM.

                          Also, if you change your User Name Attribute (we use sAMAccountName), you also need to change it in the All Users Filter and the User From Name Filter. The docs mention these two but they don't tell you explicitly what to do. And an area that the docs don't cover is changing cn in the All Groups Filter, Groups From Name Filter, Static Group Name Attribute and Dynamic Group Name Attribute.

                          Jerry
                          • 10. Re: Unable to login to OBIEE 11g after integrating with MS Active Directory
                            user346948
                            Thanks Jerry. That was helpful. I got it working now. I created BISystemUser in MSAD and updated the WLS BISystemUser's password to match the MSAD one.
                            This is a much easier way rather than trying to create a new TrustedUser to replace BISystemUser. The only thing different I did was I used virtualize=true to get both types of Authentication working. Please see my below blog for more details.

                            http://bimetrics.wordpress.com/2011/08/12/integrating-ms-active-directory-with-obiee-11g-in-weblogic-server/

                            --Joe
                            • 11. Re: Unable to login to OBIEE 11g after integrating with MS Active Directory
                              user637881
                              You probably installed OBIEE on Windows or Linux. Setting virtualize=true works on those platforms. It doesn't work on AIX. I'm still working with Oracle Support to figure out why. The update I got this past Friday points to a possible bug in the IBM JVM.

                              Jerry