11 Replies. Latest reply: Aug 15, 2011 10:18 AM by user637881

Unable to login to OBIEE 11g after integrating with MS Active Directory

user346948 Newbie
Hello Gurus,

I am trying to integrate OBIEE 11.1.1.5 SampleAppLite with two Authentication Providers (MS Active Directory and the defaultAuthenticator(WLS LDAP)).

My objective is to configure MS Active Directory (MSAD) as a new 'Authentication Provider' along with the defaultAuthenticator (WLS LDAP). So basically two Authentication providers. The MSAD Authenticator for all the business users in the company directory and the default WLS LDAP for Technology dept users like Developer1, QA1 etc.

After following the instructions mentioned in the Oracle documentation and also useful info from the RittmanMead blog, none of the users are able to log in to OBIEE. Even the default 'weblogic' user cannot log in.

At a high level I did the following.

1. Installed 11.1.1.5 with the SampleAppLite RPD.
2. Weblogic user is able to login to OBIEE and everything working as expected.
3. Created the new MSAD Authenticator Provider in WLS. Changed the CONTROL_FLAG field to SUFFICIENT for this Authenticator
3. For the 'defaultAuthenticator' I Changed the CONTROL_FLAG field to SUFFICIENT
4. Re-ordered the Authentication providers so that MSAD comes at the top.
5. I am able to see all the MSAD users as well as the 'defaultAuthenticator' users like Dev1 etc in the 'Users and Groups' tab under 'myrealm'
6. *I deleted the BISystemUser in WLS* and wanted to make an existing user in MSAD (say OBI_ADMIN) the new 'Trusted User' (OBI_ADMIN already exists in the MSAD)
7. I then logged on to Enterprise Manager->Expanded WebLogic Domain->Right-clicked on bifoundation_domain to reach Security->Credentials
8. I edited the system.user key with values for OBI_ADMIN (since OBI_ADMIN is going to be the Trusted User - replacement for BISystemUser)
9. Then I right-clicked on bifoundation_domain to reach Security->Security Provider Configuration. In the Identity store provider I added two properties, user.login.attr and username.attr. I assigned them the value sAMAccountName
10. Then I right-clicked on bifoundation_domain to reach Security->Application Roles and added OBI_ADMIN to the Application Role 'BISystem'. Though I deleted the BISystemUser (step 6), I was still able to see BISystemUser under the Role 'BISystem'. Not sure why.
11. Next as mentioned in the Oracle Docs (http://download.oracle.com/docs/cd/E21764_01/bi.1111/e10543/privileges.htm#CIHIDCHI) Section 3.2.6 ->Step 11, I added the OBI_Admin user to the Admin Global Role
12. I also updated the new trusted user credentials in WebLogic Console, select - Services - Messaging - JMS Modules.(as mentioned in the above link)
13. Restarted all the components.

None of the users are able to login.

Any help would be highly appreciated.

References:
1. http://download.oracle.com/docs/cd/E21764_01/bi.1111/e10543/privileges.htm#CIHIDCHI
2. http://www.rittmanmead.com/2010/11/oracle-bi-ee-11g-security-integration-with-microsoft-active-directory/
  • 1. Re: Unable to login to OBIEE 11g after integrating with MS Active Directory
    AmithY Expert
    Have you assigned the user from MS AD to BISystemrole ?
  • 2. Re: Unable to login to OBIEE 11g after integrating with MS Active Directory
    user346948 Newbie
    Thanks for the response.

    Yes I have. Please see step 10 in my original post

    Joe
  • 3. Re: Unable to login to OBIEE 11g after integrating with MS Active Directory
    867935 Newbie
    Try Regenerating the user GUIDS

    Follow the step in Section: 3.2.7 Regenerating User GUIDs in the link below

    http://download.oracle.com/docs/cd/E21764_01/bi.1111/e10543/privileges.htm#CIHIDCHI

    Thanks,
    PRM
  • 4. Re: Unable to login to OBIEE 11g after integrating with MS Active Directory
    user346948 Newbie
    OK. I will try that.

    While trying out many options to get this working, I un-checked Use WebLogic Authentication Provider Configuration under the Identity store configuration in Enterprise Manager. After this I am not able to start the WebLogic Server. So I un-installed and I am installing it fresh.

    Is there a way to back up all your configurations after a fresh install?

    Joe
  • 5. Re: Unable to login to OBIEE 11g after integrating with MS Active Directory
    876921 Newbie
    OBIEE Backup:-

    http://download.oracle.com/docs/cd/E14571_01/core.1111/e10105/br_intro.htm#ASADM11238

    Weblogic Backup:-

    http://download.oracle.com/docs/cd/E14571_01/core.1111/e10105/br_intro.htm#CHDEBJIC

    Hope this helps..

    I am also planning to integrate AD with 11.1.1.5, let's see how it goes...

    Edited by: 873918 on Aug 4, 2011 1:51 AM
  • 6. Re: Unable to login to OBIEE 11g after integrating with MS Active Directory
    user346948 Newbie
    Awesome Thanks.

    Please post your story once you integrate AD with OBIEE. I even tried creating a user called BISystemUser in AD and still was not able to get this up and running!
  • 7. Re: Unable to login to OBIEE 11g after integrating with MS Active Directory
    user637881 Explorer
    I finally got this working on AIX. I followed all of the steps in chapter 3 of the Security Guide for OBIEE, http://download.oracle.com/docs/cd/E21764_01/bi.1111/e10543.pdf. The cause of my problem turned out to be the virtualize=true setting in the Identity Store Provider configuration in EM. Section 3.2.3.3 says you need this if you have multiple authentication providers. I thought I did, since I had MSAD and the DefaultAuthenticator, but the DefaultAuthenticator doesn't count in this case. Once I removed virtualize=true and restarted ManagedWebLogic and OBIEE I was able to log in with my MSAD userid.

    There are still questions about the virtualize attribute. Oracle Support isn't sure why that was causing me a problem. It may not be an issue in your environment...

    BISystemUser exists in both MSAD and the DefaultAuthenticator. The password is the same in both. The MSAD id is not a member of any MSAD groups. The DefaultAuthenticator id is a member of the Administrators group. I assigned BISystemUser to the BISystem role in EM.

    Jerry
  • 8. Re: Unable to login to OBIEE 11g after integrating with MS Active Directory
    user346948 Newbie
    Hi Jerry, Thanks for your reply. Couple of Questions.

    Did you mean to say that you have BISystemUser in both DefaultAuthenticator as well as in MSAD? How did you make sure the passwords of both BISystemUser users are the same?

    Joe
  • 9. Re: Unable to login to OBIEE 11g after integrating with MS Active Directory
    user637881 Explorer
    I changed the password in the DefaultAuthenticator to what it is in MSAD. And I changed the password in EM.

    Also, if you change your User Name Attribute (we use sAMAccountName), you also need to change it in the All Users Filter and the User From Name Filter. The docs mention these two but they don't tell you explicitly what to do. And an area that the docs don't cover is changing cn in the All Groups Filter, Groups From Name Filter, Static Group Name Attribute and Dynamic Group Name Attribute.

    Jerry
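
The consistency Jerry describes between the User Name Attribute and the two user filters can be checked mechanically. The following is an added example, not part of the original thread or of Oracle's tooling; the setting values are constructed samples, and `%u` is assumed to be the placeholder for the login name being looked up.

```python
import re

# Attribute names on the left-hand side of a comparison inside an LDAP filter.
_ATTR_RE = re.compile(r"\(\s*([A-Za-z][A-Za-z0-9.;-]*)\s*(?:=|~=|>=|<=)")
# The attribute that the login name placeholder (%u, assumed) is matched against.
_BOUND_RE = re.compile(r"\(\s*([A-Za-z][A-Za-z0-9.;-]*)\s*=\s*%u\s*\)")


def filter_attributes(ldap_filter):
    """Return the lower-cased attribute names used in an LDAP filter string."""
    return {m.group(1).lower() for m in _ATTR_RE.finditer(ldap_filter)}


def check_user_filters(settings):
    """Return the names of user filters that disagree with User Name Attribute.

    `settings` maps the console field names mentioned in the thread to values.
    """
    name_attr = settings["User Name Attribute"].lower()
    stale = []
    # All Users Filter must enumerate users by the same attribute.
    if name_attr not in filter_attributes(settings["All Users Filter"]):
        stale.append("All Users Filter")
    # User From Name Filter must compare the login name to that attribute.
    bound = _BOUND_RE.search(settings["User From Name Filter"])
    if bound is None or bound.group(1).lower() != name_attr:
        stale.append("User From Name Filter")
    return stale


# Constructed sample: attribute changed to sAMAccountName, filters left on cn.
MISMATCHED = {
    "User Name Attribute": "sAMAccountName",
    "All Users Filter": "(&(cn=*)(objectclass=user))",
    "User From Name Filter": "(&(cn=%u)(objectclass=user))",
}
# Constructed sample: all three settings agree.
CONSISTENT = {
    "User Name Attribute": "sAMAccountName",
    "All Users Filter": "(&(sAMAccountName=*)(objectclass=user))",
    "User From Name Filter": "(&(sAMAccountName=%u)(objectclass=user))",
}

if __name__ == "__main__":
    for label, cfg in (("mismatched", MISMATCHED), ("consistent", CONSISTENT)):
        print(label, "->", check_user_filters(cfg) or "OK")
```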
  • 10. Re: Unable to login to OBIEE 11g after integrating with MS Active Directory
    user346948 Newbie
    Thanks Jerry. That was helpful. I got it working now. I created BISystemUser in MSAD and updated the WLS BISystemUser's password to match the MSAD one.
    This is a much easier way rather than trying to create a new TrustedUser to replace BISystemUser. The only thing different I did was I used virtualize=true to get both types of Authentication working. Please see my blog below for more details.

    http://bimetrics.wordpress.com/2011/08/12/integrating-ms-active-directory-with-obiee-11g-in-weblogic-server/

    --Joe
  • 11. Re: Unable to login to OBIEE 11g after integrating with MS Active Directory
    user637881 Explorer
    You probably installed OBIEE on Windows or Linux. Setting virtualize=true works on those platforms. It doesn't work on AIX. I'm still working with Oracle Support to figure out why. The update I got this past Friday points to a possible bug in the IBM JVM.

    Jerry
